Security & Compliance

Compliance & Regulatory Framework

AGen MD is designed with healthcare compliance in mind. This page outlines our approach to regulatory standards, security practices, and the shared responsibility model for healthcare compliance.

Last Updated: March 28, 2026

Critical Compliance Disclaimer

AGEN MD IS A TECHNOLOGY PLATFORM PROVIDER. AGen MD does not provide legal, regulatory, or compliance advice. The information on this page is provided for informational purposes only and does not constitute a guarantee of compliance with any specific law, regulation, or standard.

SHARED RESPONSIBILITY MODEL: Healthcare compliance is a shared responsibility between AGen MD (as the technology provider) and the Client (as the healthcare entity). AGen MD provides a platform with compliance-capable features and configurations. However, each Client is solely responsible for ensuring that their specific use of the Platform complies with all applicable federal, state, and local laws and regulations in their jurisdiction(s) of operation.

AGen MD strongly recommends that all Clients consult with qualified healthcare attorneys, compliance officers, and regulatory consultants to ensure their operations meet all applicable legal and regulatory requirements. Descriptions of the Platform as "compliance-capable," "compliance-ready," or similar language indicate that the Platform includes features that may assist with compliance efforts, but do not constitute a representation or warranty of actual compliance.

AGEN MD, ITS MEMBERS, PARTNERS, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SUBSIDIARIES, AND AFFILIATES SHALL NOT BE LIABLE FOR ANY REGULATORY VIOLATIONS, FINES, PENALTIES, SANCTIONS, OR OTHER CONSEQUENCES ARISING FROM A CLIENT'S FAILURE TO COMPLY WITH APPLICABLE LAWS AND REGULATIONS, REGARDLESS OF WHETHER THE PLATFORM WAS USED IN CONNECTION WITH SUCH NON-COMPLIANCE.

Regulatory Framework

Healthcare Compliance Capabilities

Our platform is designed with features and configurations that support compliance with key healthcare regulations. The following outlines our approach to each regulatory domain.

HIPAA & HITECH

Platform features designed to support Health Insurance Portability and Accountability Act compliance for covered entities and business associates.

  • Business Associate Agreements (BAA) available
  • Administrative, technical, and physical safeguards
  • Encryption of ePHI in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls (RBAC) with least privilege
  • Comprehensive audit logging of all PHI access
  • Breach notification procedures and incident response
  • Workforce training documentation support
  • Minimum necessary standard enforcement tools

State Telemedicine Laws

Features supporting compliance with varying state telemedicine regulations, licensure requirements, and practice standards.

  • Multi-state provider credentialing support
  • State-specific consent form templates
  • Prescribing restriction awareness tools
  • Interstate Medical Licensure Compact support
  • Patient location verification capabilities
  • State-specific documentation requirements
  • Informed consent management workflows
  • Telehealth-specific encounter documentation

Pharmacy Regulations

Features supporting compliance with federal and state pharmacy laws, controlled substance regulations, and dispensing requirements.

  • DEA compliance-capable e-prescribing
  • State Board of Pharmacy regulation support
  • Controlled substance tracking and reporting
  • Drug utilization review (DUR) integration
  • PDMP (Prescription Drug Monitoring Program) connectivity
  • 340B program compliance support tools
  • Pharmacy benefit manager (PBM) integration
  • State-specific dispensing requirement tracking

Anti-Kickback & Stark Law

Platform design considerations to support compliance with federal fraud and abuse laws governing healthcare referrals and financial relationships.

  • Fair Market Value (FMV) documentation support
  • Referral tracking and transparency tools
  • Financial relationship documentation
  • Safe harbor compliance guidance resources
  • Compensation arrangement tracking
  • Audit trail for referral patterns
  • Network arrangement documentation
  • Compliance program integration support

Data Interoperability Standards

Support for healthcare data exchange standards enabling secure and standardized information sharing across systems.

  • FHIR R4 capable API integrations
  • HL7 v2 message support
  • CDA (Clinical Document Architecture) support
  • X12 EDI transaction support
  • NCPDP standards for pharmacy data
  • ICD-10, CPT, SNOMED CT coding support
  • Direct messaging protocol support
  • ONC Cures Act information blocking prevention

Quality & Accreditation

Features supporting healthcare quality measurement, reporting, and accreditation requirements.

  • CMS quality measure reporting tools
  • HEDIS measure tracking capabilities
  • MIPS/APM reporting support
  • Clinical quality measure (CQM) dashboards
  • Patient safety event reporting
  • Peer review documentation support
  • Credentialing and privileging workflows
  • Continuous quality improvement tracking

Security Infrastructure

Enterprise-Grade Security Architecture

Our multi-layered security approach is designed to protect healthcare data at every level of the technology stack.

Encryption & Data Protection

  • TLS 1.2+ encryption for all data in transit with perfect forward secrecy
  • AES-256 encryption for all data at rest, including database fields, file storage, and backups
  • Encryption key management with regular key rotation schedules
  • Secure key storage using hardware security modules (HSM) where applicable
  • End-to-end encryption for telehealth video sessions
  • Encrypted backup storage with geographic redundancy

Identity & Access Management

  • Multi-factor authentication (MFA) support for all user accounts
  • Role-based access control (RBAC) with granular permission sets
  • Principle of least privilege enforced across all system components
  • Session management with configurable timeout policies
  • Single Sign-On (SSO) integration capabilities
  • Automated account lockout after failed authentication attempts
  • Password complexity requirements and rotation policies
  • API key management with scoped permissions and expiration

Monitoring & Audit

  • Comprehensive audit logging of all system access and data modifications
  • Real-time security event monitoring and alerting
  • Intrusion detection and prevention systems (IDS/IPS)
  • Automated vulnerability scanning and patch management
  • Log retention policies aligned with regulatory requirements
  • Tamper-evident audit trail with cryptographic integrity verification
  • User activity monitoring with anomaly detection
  • Regular penetration testing by qualified third-party assessors

Infrastructure Security

  • Cloud infrastructure hosted in SOC 2 Type II certified data centers
  • Network segmentation and micro-segmentation for workload isolation
  • Web Application Firewall (WAF) protection against common attack vectors
  • DDoS mitigation with automatic traffic scrubbing
  • Container security with image scanning and runtime protection
  • Infrastructure-as-Code with security policy enforcement
  • Automated backup and disaster recovery procedures
  • Geographic redundancy with configurable data residency options

Incident Response

  • Documented incident response plan with defined roles and escalation procedures
  • 24/7 security operations monitoring for critical infrastructure
  • Breach notification procedures compliant with HIPAA, state breach notification laws, and other applicable regulations
  • Post-incident analysis and remediation tracking
  • Regular incident response tabletop exercises and drills
  • Coordination with law enforcement and regulatory agencies as required
  • Client notification within timeframes required by applicable BAAs and regulations
  • Forensic investigation capabilities for security incidents

Shared Responsibility

Compliance Shared Responsibility Model

Healthcare compliance requires collaboration between AGen MD as the technology provider and our clients as the healthcare entities. Below is a clear delineation of responsibilities.

AGen MD Responsibilities

  • Maintain platform security infrastructure and safeguards
  • Provide encryption for data in transit and at rest
  • Implement and maintain access control mechanisms
  • Maintain comprehensive audit logging capabilities
  • Execute Business Associate Agreements with clients
  • Conduct regular security assessments and penetration testing
  • Maintain incident response and breach notification procedures
  • Provide platform features that support regulatory compliance
  • Maintain data backup and disaster recovery capabilities
  • Train AGen MD workforce on security and privacy obligations
  • Manage subcontractor compliance with BAA requirements
  • Provide platform documentation and compliance resources

Client Responsibilities

  • Maintain all required professional licenses and credentials
  • Comply with all applicable healthcare laws and regulations
  • Implement appropriate internal policies and procedures
  • Train workforce on HIPAA, privacy, and security requirements
  • Obtain patient consent as required by applicable law
  • Configure platform access controls appropriate to your organization
  • Maintain adequate malpractice and liability insurance
  • Report suspected security incidents to AGen MD promptly
  • Ensure accuracy and completeness of clinical documentation
  • Comply with Anti-Kickback Statute and Stark Law requirements
  • Maintain compliance with state-specific telemedicine laws
  • Conduct own legal review of regulatory obligations
  • Maintain DEA registration and controlled substance compliance
  • Ensure compliance with state pharmacy board requirements
  • Implement quality assurance and peer review programs

Industry-Specific

Compliance by Business Type

Different healthcare entities face unique regulatory requirements. Below are compliance considerations specific to each business type we serve.

Providers & Provider Networks

  • State medical board licensure requirements and verification
  • HIPAA Privacy and Security Rule compliance as Covered Entities
  • Clinical documentation standards (CMS, Joint Commission, NCQA)
  • Informed consent requirements (general and telehealth-specific)
  • Prescribing regulations including e-prescribing mandates
  • Anti-Kickback Statute and Stark Law compliance for referral arrangements
  • MIPS/APM quality reporting requirements
  • Credentialing and privileging standards (NCQA, Joint Commission)
  • Medical records retention requirements (varies by state, typically 6-10 years for adults, longer for minors)
  • Malpractice insurance requirements and risk management
  • Network adequacy standards for provider networks
  • Fair Market Value documentation for all compensation arrangements

Telehealth Operators

  • Multi-state licensure compliance (Interstate Medical Licensure Compact)
  • State-specific telemedicine practice standards and restrictions
  • LegitScript certification requirements for online healthcare
  • Ryan Haight Act compliance for online prescribing of controlled substances
  • Patient-provider relationship establishment requirements by state
  • Telehealth-specific informed consent requirements
  • Audio/video recording consent laws (varies by state)
  • Prescribing limitations for telehealth encounters by state
  • Medical Director oversight and supervision requirements
  • Management Services Organization (MSO) regulatory compliance
  • Cross-state data privacy and breach notification requirements
  • Telehealth parity and reimbursement regulations

Pharmacies & Pharmacy Networks

  • State Board of Pharmacy licensure and permit requirements
  • DEA registration and controlled substance management
  • PDMP (Prescription Drug Monitoring Program) reporting obligations
  • Drug Utilization Review (DUR) requirements
  • USP <795>, <797>, and <800> compounding standards (if applicable)
  • 340B Drug Pricing Program compliance (for eligible entities)
  • DSCSA (Drug Supply Chain Security Act) track and trace requirements
  • Patient counseling requirements by state
  • Pharmacy benefit manager (PBM) contract compliance
  • NCPDP standards for pharmacy data exchange
  • State-specific dispensing and labeling requirements
  • Pharmacy technician supervision ratio requirements by state
  • Controlled substance inventory and recordkeeping requirements
  • Medicare Part D and Medicaid pharmacy program requirements

Legal Disclaimers

Additional Compliance Disclaimers

No Legal or Compliance Advice

Nothing on this page or anywhere on the AGen MD platform, website, documentation, or communications constitutes legal, regulatory, compliance, medical, or professional advice. The information provided is for general informational purposes only. AGen MD is not a law firm, accounting firm, or compliance consulting firm. All compliance decisions should be made in consultation with qualified legal counsel and compliance professionals who are familiar with the specific laws and regulations applicable to your organization, jurisdiction, and practice area.

Third-Party Partner Compliance

Any partners, referral partners, network partners, pharmacy partners, laboratory partners, technology partners, or other affiliated entities referenced on the AGen MD platform or in AGen MD communications are independent third-party companies not owned, controlled, or operated by AGen MD. Any claims regarding compliance certifications, regulatory approvals, or quality standards made by these third parties are their sole responsibility. AGen MD does not verify, endorse, or guarantee the compliance status of any third-party partner. All due diligence regarding the compliance and regulatory status of these or any other companies should be conducted solely by the party engaging with them.

Regulatory Changes

Healthcare regulations are subject to frequent changes at the federal, state, and local levels. While AGen MD endeavors to keep its platform features current with regulatory requirements, AGen MD does not guarantee that the Platform will be updated immediately in response to every regulatory change. Clients are responsible for monitoring regulatory changes applicable to their operations and for ensuring that their use of the Platform remains compliant with current requirements. AGen MD shall not be liable for any non-compliance resulting from regulatory changes that have not yet been reflected in the Platform.

Indemnification for Compliance Failures

BY USING THE AGEN MD PLATFORM, YOU AGREE TO INDEMNIFY, DEFEND, AND HOLD HARMLESS AGEN MD, ITS PARENT COMPANIES, SUBSIDIARIES, AFFILIATES, MEMBERS, MANAGERS, OFFICERS, DIRECTORS, EMPLOYEES, CONTRACTORS, AGENTS, PARTNERS, LICENSORS, SUCCESSORS, AND ASSIGNS FROM AND AGAINST ANY AND ALL CLAIMS, DEMANDS, LOSSES, DAMAGES, LIABILITIES, FINES, PENALTIES, SANCTIONS, COSTS, AND EXPENSES (INCLUDING REASONABLE ATTORNEYS' FEES) ARISING OUT OF OR RELATING TO: (A) YOUR FAILURE TO COMPLY WITH ANY APPLICABLE LAW, REGULATION, OR STANDARD; (B) ANY REGULATORY INVESTIGATION, AUDIT, OR ENFORCEMENT ACTION RELATED TO YOUR OPERATIONS; (C) ANY PATIENT COMPLAINT, MALPRACTICE CLAIM, OR PROFESSIONAL LIABILITY CLAIM; (D) ANY DATA BREACH OR SECURITY INCIDENT CAUSED BY YOUR ACTS OR OMISSIONS; AND (E) ANY OTHER COMPLIANCE FAILURE ATTRIBUTABLE TO YOUR USE OF THE PLATFORM OR YOUR OPERATIONS.

Business Associate Agreement Requirement

If you are a Covered Entity or Business Associate under HIPAA and intend to use the AGen MD Platform to create, receive, maintain, or transmit Protected Health Information (PHI), you must execute a Business Associate Agreement (BAA) with AGen MD before transmitting any PHI through the Platform. Use of the Platform for PHI without an executed BAA is prohibited and may constitute a HIPAA violation for which you bear sole responsibility. To request a BAA, please contact our compliance team at [email protected].

Compliance Questions?

Our compliance team is available to discuss your specific regulatory requirements and how the AGen MD platform can support your compliance efforts.

AGen MD LLC — Compliance Office

A Wyoming Limited Liability Company

1603 Capitol Ave Ste 415

Num 370389

Cheyenne, WY 82001

Phone: (929) 992-6841

General Compliance Inquiries: [email protected]

HIPAA Privacy Officer: [email protected]

Security Incident Reporting: [email protected]

BAA Requests: [email protected]

Website: www.agenmd.com

Also review our Terms of Service and Privacy Policy for complete legal information.