Built for regulated facilities from day one.
VynMed was designed for skilled nursing and other HIPAA-covered environments. That means encryption, least-privilege access, tamper-evident records, and an audit trail your compliance team can actually defend.
How we protect resident and patient data
Encrypted in transit & at rest
TLS 1.2+ for every network call. AES-256 for any PHI that touches persistent storage on device or in our managed cloud.
Tamper-evident audit log
Every test, sign-off, and override is written to an append-only log tied to the operator identity and the device clock, so nothing can be quietly altered after the fact.
Least-privilege access
Role-based access for techs, nurses, and administrators. No shared accounts, no "one master password" per cart, and every session is attributable.
HIPAA alignment
Administrative safeguards
Documented security policies, workforce training, sanction policy, and an incident response plan mapped to 45 CFR § 164.308.
Physical safeguards
Device hardening, facility access procedures, and workstation controls for on-site hardware per § 164.310.
Technical safeguards
Unique user IDs, automatic logoff, audit controls, and integrity controls per § 164.312 — built into the product, not bolted on.
Business Associate Agreement
We sign BAAs with every covered entity we work with. Our downstream subprocessors are contractually bound to the same standards.
We don't collect what we don't need
VynMed is designed around the HIPAA "minimum necessary" principle. The device handles the smallest amount of PHI required to generate a defensible result — and that's it. We do not sell, share, or otherwise use resident data for advertising, model training, or secondary research.
Deidentified operational metrics (how many tests, uptime, error rates) help us keep your facility running. Anything tied to an individual stays inside your environment unless you explicitly export it.
If something goes wrong
We maintain a documented incident response plan with defined severity levels, notification timelines, and post-incident review. Security-relevant incidents involving PHI are communicated to affected covered entities well inside the HIPAA breach notification window so your compliance officer can act before any regulator calls.
Suspect something? Email [email protected] with "Security" in the subject line and we'll get a human on it.
Want the full security packet?
We'll send our architecture overview, data flow diagram, subprocessor list, and a draft BAA — the same bundle our design partners use for vendor review.