HIPAA Agents ("we," "our," "us") is a clinical automation platform that connects to electronic health record (EHR) systems via FHIR APIs. We are committed to protecting the privacy and security of all data processed through our platform. This policy describes how we collect, use, and safeguard information.
Our Core Commitment:
No protected health information (PHI) is stored in our cloud infrastructure. All patient-identifiable data is processed through a PHI sanitization layer that strips identifiers before data reaches our application logic. Audio recorded through our dictation feature is transcribed on-device and never transmitted to external servers.
Clinical Data via FHIR API: When a healthcare practice connects their EHR to HIPAA Agents, our system accesses clinical data (encounters, conditions, procedures, observations) through the FHIR R4 API. This data is immediately processed through our PHI Sanitizer, which replaces all patient-identifiable information with one-way hashed tokens before any application logic executes. The original identifiers are never stored, logged, or accessible to our agents.
Audio and Dictation: Our clinical dictation feature records audio on the provider's device. Transcription is performed locally using on-device speech recognition. Audio files are never uploaded to our servers, never stored beyond the active session, and are deleted immediately after transcription. Only the de-identified, structured text output is transmitted to our servers for note formatting.
Practice Account Information: When a practice signs up, we collect business information including practice name, contact email, EHR type, and location details. This is standard account information, not PHI.
Aggregated Analytics: We generate analytics from de-identified, aggregated data such as encounter counts, review response rates, and operational metrics. These analytics contain no patient-identifiable information.
We do not collect, store, or have access to: patient names, dates of birth, Social Security numbers, addresses, photographs, insurance member IDs, or any other direct patient identifiers. Our PHI Sanitizer is architecturally designed to prevent this data from reaching our application layer.
Clinical Automation: Tokenized encounter data is used to trigger automated workflows including review solicitation, appointment recovery, denial prevention alerts, and documentation quality checks.
SMS Communications: When our agents send patient communications (review requests, appointment reminders), the patient's phone number is resolved from the EHR by the PHI Sanitizer and passed directly to our HIPAA-compliant SMS provider (Twilio, operating under a Business Associate Agreement). The phone number is never exposed to our agent logic and is purged immediately after transmission.
Note Structuring: De-identified transcript text is processed by our AI models to structure clinical notes, suggest diagnostic codes, and identify documentation gaps. No patient-identifiable information is included in these API calls.
All data in transit is encrypted using TLS 1.2 or higher. Our FHIR API connections use JWT-based authentication with RSA-384 signing. Access tokens are short-lived and automatically rotated. Our infrastructure operates on encrypted, access-controlled servers. AI processing is performed through Amazon Web Services (AWS) Bedrock, operating under a signed AWS Business Associate Agreement (BAA) with HIPAA-eligible services. All system access, data processing events, FHIR data queries, and AI processing calls are logged to AWS CloudWatch with structured audit entries retained for seven years in compliance with HIPAA requirements. Audit entries include timestamps, source identification, action performed, resources accessed, and outcome status. We maintain audit logs of all system access and data processing activities.
We use the following third-party services in our platform:
Twilio — SMS delivery, operating under a signed Business Associate Agreement (BAA). Phone numbers are transmitted directly from our PHI Sanitizer to Twilio and are not stored by our application.
Amazon Web Services (AWS Bedrock) — Clinical note structuring and AI intelligence layer, operating under a signed Business Associate Agreement (BAA). Transcript text is processed through AWS Bedrock's HIPAA-eligible AI services. All processing occurs within BAA-covered infrastructure with encryption in transit and at rest. AWS CloudWatch is used for HIPAA-compliant audit logging with seven-year retention.
Practice Fusion FHIR API — EHR data access, authenticated via OAuth 2.0 and JWT. Data is accessed in real time and not replicated or stored beyond the active processing session.
We do not retain PHI. Tokenized encounter data used for deduplication (ensuring we don't contact the same patient twice) is stored as irreversible one-way hashes that cannot be linked back to individual patients. Practice account information and aggregated analytics are retained for the duration of the subscription. Upon cancellation, all practice data is deleted within 30 days.
HIPAA Agents is designed to operate as a Business Associate under HIPAA. We enter into Business Associate Agreements (BAAs) with covered entity clients as required. Our AI processing infrastructure operates under a signed AWS Business Associate Agreement, ensuring all clinical data processing occurs within HIPAA-eligible services. Our architecture is specifically designed to minimize PHI exposure, with on-device audio transcription, encrypted data transmission, and comprehensive audit logging that exceeds the minimum requirements of the HIPAA Security Rule.
Healthcare practices using our platform may request a full accounting of data processing activities, request deletion of all practice data, revoke FHIR API access at any time through their EHR admin panel, and request a copy of our BAA. Individual patients with questions about how their data is handled should contact their healthcare provider directly, as HIPAA Agents does not maintain a direct relationship with patients.
We may update this privacy policy from time to time. Material changes will be communicated to active subscribers via email at least 30 days before taking effect. The effective date at the top of this page reflects the most recent revision.
HIPAA Agents
Privacy Inquiries: privacy@hipaa-agents.com
General Inquiries: hello@hipaa-agents.com
Website: https://hipaa-agents.com