HIPAA Compliance
Healthcare Agent is designed to meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act. This page describes our approach to protecting patient health information and our compliance obligations as a Business Associate.
Our Commitment
Healthcare Agent processes protected health information (PHI) on behalf of healthcare clinics. We take this responsibility seriously. HIPAA compliance is not a checkbox for us — it shapes our architecture, our operational processes, and our product decisions.
We act as a Business Associate under HIPAA. The clinics that use Healthcare Agent are Covered Entities (or Business Associates of Covered Entities). We process PHI only as directed by our customers and only for the purposes described in our Business Associate Agreement.
Business Associate Agreement
A signed Business Associate Agreement (BAA) is required before any PHI flows through Healthcare Agent. We will not activate EHR integrations, enable patient-facing features, or allow PHI to be transmitted until a BAA is executed.
Our BAA covers:
- Permitted uses and disclosures of PHI
- Safeguards we implement to protect PHI
- Breach notification obligations
- Requirements for sub-contractors (sub-processors) who handle PHI
- Return or destruction of PHI upon termination
- Compliance with the HIPAA Security Rule and Privacy Rule
If you need a copy of our BAA template, contact us at hipaa@healthcareagent.com.
PHI We Process
Through the normal operation of the Service, Healthcare Agent may receive, create, maintain, or transmit the following types of PHI:
- Patient identifiers: Name, date of birth, phone number, email address
- Scheduling data: Appointment dates, times, provider assignments, appointment types
- Insurance information: Insurance carrier, policy number, group number, verification results
- Intake data: Responses to intake forms, reason for visit, medical history as provided through intake workflows
- Conversation content: Messages exchanged between patients and the AI assistant, which may contain health-related information
We apply the minimum necessary standard — we only access, use, and request the specific PHI needed to perform the function requested by the clinic. Our policy engine enforces boundaries on what information the AI assistant can access and share.
Safeguards
Administrative safeguards
- Security officer: A designated security officer responsible for HIPAA compliance will be appointed prior to launch
- Workforce training: All team members with access to PHI will receive HIPAA training upon onboarding and annually thereafter
- Access management: PHI access is granted on a need-to-know basis and will be reviewed regularly
- Risk analysis: We will conduct periodic risk assessments to identify and address threats to PHI, beginning prior to launch
- Policies and procedures: We are developing documented policies for data handling, incident response, access control, and workforce conduct that will be in place prior to launch
- Sanctions: Sanctions will be enforced against workforce members who violate HIPAA policies
Physical safeguards
- Data center security: Our infrastructure is hosted on Aptible, which operates within AWS data centers that maintain SOC 2, ISO 27001, and HITRUST certifications with 24/7 physical security, biometric access controls, and environmental monitoring
- Workstation security: Team member devices with PHI access will be required to use full-disk encryption, screen lock policies, and remote wipe capability
- Device and media controls: PHI is not stored on removable media. All storage is within our encrypted cloud infrastructure
Technical safeguards
- Access control: Unique user identification, role-based permissions, automatic session timeout, and emergency access procedures
- Audit controls: Immutable logging of all PHI access and system activity (see Audit Trail section below)
- Integrity controls: Mechanisms to protect PHI from improper alteration or destruction
- Transmission security: TLS 1.2+ encryption for all data in transit
- Encryption: AES-256 encryption for data at rest, AES-256-GCM for stored credentials
- Authentication: Industry-standard password hashing, secure session management
Patient Verification
Before any PHI is shared through the patient-facing chat widget, Healthcare Agent verifies the patient's identity using a one-time password (OTP). The verification process works as follows:
- The patient provides identifying information (such as name and date of birth)
- Healthcare Agent matches this information against the clinic's EHR records
- A one-time verification code is sent to the phone number or email address on file in the EHR
- The patient enters the code in the chat widget
- Only after successful verification does the assistant access or share PHI
This verification step is enforced by our deterministic policy engine. It cannot be bypassed or disabled by the AI model. Failed verification attempts are logged and rate-limited.
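The flow above, as an added illustration rather than Healthcare Agent's own code: the identifiers are matched against a constructed EHR index, a six-digit code is minted and only its keyed hash is stored, the entered code is checked with expiry and a failure lockout, every outcome is recorded for the audit trail, and the PHI hand-off to the assistant sits behind a plain-code gate that the model cannot argue past. The record data, the five-minute lifetime, the five-attempt lockout and the `SERVER_SECRET` handling are assumptions made for the example; the code is returned to the caller only to stand in for SMS or e-mail delivery.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample of a clinic's EHR index (demo data, not real patients).
EHR_RECORDS = {
    "pt-1001": {"name": "alex rivera", "dob": "1988-04-12", "phone": "+1-555-0100"},
}

OTP_TTL_SECONDS = 300        # assumed: a code is valid for five minutes
MAX_FAILED_ATTEMPTS = 5      # assumed: lock the session after five bad codes
LOCKOUT_SECONDS = 900        # assumed: the lock lasts fifteen minutes
# Demo-only: a per-process key for hashing codes. Production keeps this in a managed secret store.
SERVER_SECRET = secrets.token_bytes(32)


@dataclass
class VerificationSession:
    patient_id: str
    code_hash: str
    issued_at: float
    failed_attempts: int = 0
    locked_until: float = 0.0
    verified: bool = False
    events: list = field(default_factory=list)   # (event, patient_id, timestamp) for the audit trail


def _hash_code(code: str) -> str:
    # Only a keyed hash of the live code is kept, so a leaked session store does not expose it.
    return hmac.new(SERVER_SECRET, code.encode(), hashlib.sha256).hexdigest()


def lookup_patient(name: str, dob: str):
    """Match the patient's self-reported identifiers against the EHR index."""
    for pid, rec in EHR_RECORDS.items():
        if rec["name"] == name.strip().lower() and rec["dob"] == dob.strip():
            return pid
    return None


def start_verification(name: str, dob: str, now: float):
    """Steps 1-3: match identifiers, mint a code, record its issuance.
    Returns (session, code); the code is handed back only to simulate delivery to the
    contact on file. A non-match returns (None, None) with no hint as to why."""
    pid = lookup_patient(name, dob)
    if pid is None:
        return None, None
    code = f"{secrets.randbelow(10**6):06d}"
    session = VerificationSession(pid, _hash_code(code), now)
    session.events.append(("otp_issued", pid, now))
    return session, code


def submit_code(session: VerificationSession, code: str, now: float) -> bool:
    """Step 4: check the entered code. Expired codes and locked sessions never verify,
    and every outcome is recorded for the audit trail."""
    if now < session.locked_until:
        session.events.append(("otp_rejected_locked", session.patient_id, now))
        return False
    expired = now - session.issued_at > OTP_TTL_SECONDS
    # compare_digest keeps the comparison constant-time regardless of where the digests differ.
    if not expired and hmac.compare_digest(session.code_hash, _hash_code(code)):
        session.verified = True
        session.events.append(("otp_verified", session.patient_id, now))
        return True
    session.failed_attempts += 1
    session.events.append(("otp_failed", session.patient_id, now))
    if session.failed_attempts >= MAX_FAILED_ATTEMPTS:
        session.locked_until = now + LOCKOUT_SECONDS
        session.events.append(("session_locked", session.patient_id, now))
    return False


def release_phi(session: VerificationSession, phi: dict, now: float) -> dict:
    """Step 5: the gate the assistant must pass to receive PHI. It is ordinary code,
    not a model instruction, so nothing in the conversation can switch it off."""
    if not session.verified:
        session.events.append(("phi_denied_unverified", session.patient_id, now))
        raise PermissionError("patient identity has not been verified for this session")
    session.events.append(("phi_released", session.patient_id, now))
    return phi
```

Two design points worth noting: the lookup returns the same `(None, None)` for an unknown patient as for a mismatched date of birth, so the widget does not reveal whether a record exists, and the lockout is keyed to the session rather than to the code, so a correct code entered during the lock window is still refused and logged.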
Audit Trail
Healthcare Agent maintains a comprehensive, immutable audit trail as required by the HIPAA Security Rule. The audit log records:
- Every access to PHI, including who accessed it, when, and what was accessed
- All patient verification attempts and outcomes
- Administrative actions: configuration changes, user management, policy modifications
- System events: login/logout, authentication failures, permission changes
- AI assistant actions: what data was retrieved from the EHR, what was shared with the patient
Audit logs are append-only and cannot be modified or deleted. They are available to clinic administrators through the admin dashboard and can be exported for compliance reviews. Audit logs are retained for a minimum of 7 years by default, in line with HIPAA recommendations. Retention periods can be configured per clinic if longer retention is required.
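One way to make an append-only audit log verifiable by the clinic rather than merely promised, added here as an example and not taken from Healthcare Agent: each entry carries a SHA-256 over its own fields plus the hash of the entry before it, so a reviewer can recompute the chain and locate the first entry that was edited, removed or reordered. The entry fields and the sample events are assumptions chosen to match the list above.

```python
import hashlib
import json
from dataclasses import asdict, dataclass

GENESIS_HASH = "0" * 64   # the "previous hash" of the very first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int            # position in the log; gaps and reordering become detectable
    timestamp: str      # ISO-8601, supplied by the caller
    actor: str          # who: a user id, "assistant", or "system"
    action: str         # what: phi_access, otp_verified, policy_change, ...
    subject: str        # on whom or what: patient id, clinic id, user id
    detail: dict        # which fields, which setting, outcome, ...
    prev_hash: str      # commits to the previous entry
    entry_hash: str     # SHA-256 over everything above


def _entry_hash(seq, timestamp, actor, action, subject, detail, prev_hash) -> str:
    payload = {"seq": seq, "timestamp": timestamp, "actor": actor, "action": action,
               "subject": subject, "detail": detail, "prev_hash": prev_hash}
    # Canonical JSON (sorted keys, no whitespace) so the hash does not depend on dict ordering.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class AuditLog:
    """Append-only store: the public surface offers append and read, nothing that edits or deletes.
    Because each entry commits to the hash of the one before it, changing or removing an earlier
    entry invalidates every hash that follows it."""

    def __init__(self):
        self._entries = []

    def append(self, timestamp, actor, action, subject, detail=None) -> AuditEntry:
        prev_hash = self._entries[-1].entry_hash if self._entries else GENESIS_HASH
        seq = len(self._entries)
        detail = dict(detail or {})
        entry = AuditEntry(seq, timestamp, actor, action, subject, detail, prev_hash,
                           _entry_hash(seq, timestamp, actor, action, subject, detail, prev_hash))
        self._entries.append(entry)
        return entry

    def entries(self) -> tuple:
        return tuple(self._entries)

    def export_jsonl(self) -> str:
        """One JSON object per line, the shape a compliance reviewer can re-verify offline."""
        return "\n".join(json.dumps(asdict(e), sort_keys=True) for e in self._entries)


def verify_chain(entries) -> tuple:
    """Recompute every link. Returns (True, -1) for an intact chain, or (False, i) where i is the
    first entry whose sequence number, back-link or hash does not check out."""
    prev_hash = GENESIS_HASH
    for i, e in enumerate(entries):
        expected = _entry_hash(e.seq, e.timestamp, e.actor, e.action, e.subject, e.detail, e.prev_hash)
        if e.seq != i or e.prev_hash != prev_hash or e.entry_hash != expected:
            return False, i
        prev_hash = e.entry_hash
    return True, -1
```

The chain catches in-place edits, deletions and reordering anywhere in the log, with one known blind spot: simply dropping the newest entries leaves a shorter but still valid chain. Closing that gap means anchoring the latest `entry_hash` somewhere the log writer cannot alter, for instance in write-once storage or in a periodic receipt handed to the clinic, so the expected tail is known independently of the log itself.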
Breach Notification
In the event of a breach of unsecured PHI, we follow the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414):
- Discovery and investigation: Upon discovering a potential breach, we immediately investigate to determine whether PHI was compromised, applying the four-factor risk assessment specified by HHS.
- Notification to covered entity: We notify affected clinics (as our covered entities) without unreasonable delay, and no later than 60 days after discovery of the breach.
- Content of notification: Our notification includes a description of the breach, the types of PHI involved, steps individuals should take, what we are doing to investigate and mitigate, and contact information.
- Cooperation: We cooperate fully with the covered entity's obligations to notify affected individuals and, when applicable, HHS and the media.
- Documentation: We document all breach-related investigations, risk assessments, and notifications, retaining records for at least 6 years.
Sub-Processors
The following sub-processors may receive, process, or store PHI in the course of providing Healthcare Agent:
| Sub-Processor | Purpose | PHI Involved | BAA Status |
|---|---|---|---|
| Aptible | Infrastructure hosting, database, backups | All PHI stored and processed by the Service | BAA will be executed prior to launch |
| Anthropic (Claude API) | AI language model powering the patient assistant | Conversation content, which may include PHI | BAA will be executed prior to launch |
| SendGrid | Transactional email (OTP codes, notifications) | Email addresses, verification codes | BAA will be executed prior to launch |
BAAs will be executed with all sub-processors that have access to PHI prior to launch. We evaluate sub-processors for HIPAA compliance before engagement and will monitor their compliance on an ongoing basis. We will notify customers before engaging new sub-processors that will handle PHI.
Data Retention
We retain PHI only as long as necessary to provide the Service and meet our legal obligations:
- Active data: PHI is retained in our active systems for the duration of the customer relationship, unless the clinic requests earlier deletion.
- Audit logs: Retained for 7 years by default (configurable per clinic). This aligns with HIPAA's 6-year minimum for policies and procedures, with an additional year as a buffer.
- Backups: Encrypted backups are rotated on a standard schedule. After account termination, backups containing the customer's data are purged within 90 days.
- Post-termination: Upon termination of the BAA, we return or destroy PHI as specified in the agreement. Customers have 30 days to export their data before deletion.
Patient Rights
HIPAA grants patients rights over their health information. Because Healthcare Agent acts as a Business Associate, patient rights requests are handled through the clinic (the Covered Entity):
- Right of access: Patients who wish to access their PHI should contact their clinic directly. We will assist clinics in fulfilling access requests related to data stored in our systems.
- Right to amendment: Patients may request corrections to their PHI through their clinic. Where PHI originated from the clinic's EHR, amendments should be made in the EHR system.
- Right to an accounting of disclosures: We maintain records of disclosures of PHI as required by HIPAA and can provide this information to clinics upon request.
- Right to request restrictions: Patients may request restrictions on certain uses of their PHI through their clinic. We implement restrictions as directed by the clinic.
- Right to request deletion: Patients may request deletion of their data through their clinic. We will delete the patient's data from our active systems upon the clinic's instruction, subject to legal retention requirements.
Minimum Necessary Standard
We adhere to the HIPAA minimum necessary standard in all our operations. This means:
- Our EHR integrations only request the specific data fields needed for the configured workflows (scheduling, insurance verification, intake)
- The AI assistant's access to EHR data is constrained by the clinic's policy configuration — it can only retrieve and share information that the clinic has explicitly permitted
- Internal access to PHI by our team is limited to what is necessary for system maintenance, support, and troubleshooting
- API responses are scoped to return only the data needed for the specific operation
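An added example of how a deterministic policy engine can enforce the minimum necessary standard over EHR data; it is illustrative code, not Healthcare Agent's implementation, and the policy layout, the two workflows and the sample record are all assumptions. Each workflow has a deny-by-default allowlist of dotted field paths for what may be retrieved from the EHR and a smaller one for what may be repeated to the patient; the same `retrieve` set doubles as the field list sent in the EHR request, and the list of withheld paths is what the audit entry records.

```python
from copy import deepcopy

# Constructed clinic policy (assumed shape): per workflow, the EHR fields the assistant may
# retrieve and the subset it may repeat to the patient. Anything not listed is denied.
CLINIC_POLICY = {
    "scheduling": {
        "retrieve": {"demographics.name", "appointments.next.date", "appointments.next.time",
                     "appointments.next.provider", "appointments.next.type"},
        "share": {"demographics.name", "appointments.next.date", "appointments.next.time",
                  "appointments.next.provider"},
    },
    "insurance_verification": {
        "retrieve": {"demographics.name", "insurance.carrier", "insurance.policy_number",
                     "insurance.group_number", "insurance.verification_result"},
        "share": {"insurance.carrier", "insurance.verification_result"},
    },
}

# Constructed EHR record (demo data) that also carries fields no workflow may touch.
SAMPLE_RECORD = {
    "demographics": {"name": "Alex Rivera", "dob": "1988-04-12", "ssn": "000-00-0000"},
    "appointments": {"next": {"date": "2025-03-03", "time": "09:30", "provider": "Dr. Lee",
                              "type": "follow-up", "room": "4B"}},
    "insurance": {"carrier": "ExampleCare", "policy_number": "EC-123456",
                  "group_number": "G-77", "verification_result": "active"},
    "clinical": {"problem_list": ["hypertension"], "notes": "see visit summary"},
}


def validate_policy(policy: dict) -> bool:
    """Reject a policy that would share a field it never retrieves; catches config mistakes at load time."""
    for workflow, rules in policy.items():
        extra = rules["share"] - rules["retrieve"]
        if extra:
            raise ValueError(f"{workflow}: share list exceeds retrieve list: {sorted(extra)}")
    return True


def leaf_paths(node, prefix=""):
    """Dotted paths of every leaf value in a nested record."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from leaf_paths(value, f"{prefix}{key}.")
    else:
        yield prefix[:-1]


def _get_path(record, path):
    node = record
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


def _set_path(out, path, value):
    parts = path.split(".")
    node = out
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = deepcopy(value)   # the scoped copy never aliases the source record


def scope_record(record, workflow, stage, policy=CLINIC_POLICY):
    """Apply the allowlist for (workflow, stage), where stage is "retrieve" or "share".
    Returns (scoped_copy, withheld_paths). An unknown workflow or stage yields no data at all."""
    if workflow not in policy or stage not in policy[workflow]:
        raise PermissionError(f"no policy for workflow={workflow!r} stage={stage!r}")
    scoped, present = {}, set()
    for path in policy[workflow][stage]:
        found, value = _get_path(record, path)
        if found:
            _set_path(scoped, path, value)
            present.add(path)
    withheld = sorted(set(leaf_paths(record)) - present)
    return scoped, withheld
```

Running the scheduling workflow over the sample record keeps the name and the next appointment's date, time, provider and type, withholds the room, the date of birth, the SSN, all insurance fields and everything clinical, and then drops the appointment type again at the share stage. Because the allowlist is evaluated in code before any data reaches the model, a workflow the clinic never configured returns nothing rather than everything.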
Contact
For questions about our HIPAA compliance practices, to request a copy of our BAA, or to report a potential compliance concern:
HIPAA Compliance
[Company Name]
Email: hipaa@healthcareagent.com