HIPAA Compliance

Enterprise-Grade Security for Healthcare Providers

Voxanne AI is designed from the ground up to meet HIPAA (Health Insurance Portability and Accountability Act) requirements, ensuring your patient data is protected with industry-leading security measures.

Last Updated: January 30, 2026

1. HIPAA Overview

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted in 1996 to protect sensitive patient health information from being disclosed without patient consent or knowledge. HIPAA establishes national standards for the protection of Protected Health Information (PHI).

Why HIPAA Matters for Healthcare Providers

As a healthcare provider, you are legally required to:

  • Protect patient privacy: Safeguard all PHI from unauthorized access or disclosure
  • Ensure data security: Implement technical, administrative, and physical safeguards
  • Work with compliant vendors: Ensure all third-party service providers sign Business Associate Agreements (BAAs)
  • Report breaches: Notify affected patients without unreasonable delay and no later than 60 days after discovering a breach, and report the breach to HHS (see Section 7 for the thresholds and timelines)
  • Train your workforce: Ensure all staff understand HIPAA requirements and your privacy policies

Our Commitment to HIPAA Compliance

Voxanne AI is committed to full HIPAA compliance. We understand the critical importance of protecting patient health information and have implemented comprehensive security measures across our entire platform. We work exclusively with HIPAA-compliant infrastructure providers and are prepared to sign Business Associate Agreements with all covered entities and healthcare providers.

Enterprise BAA Available

Business Associate Agreements are available for all enterprise customers. Contact our sales team at sales@voxanne.ai to request a BAA.

2. What is Protected Health Information (PHI)?

Definition of PHI

Protected Health Information (PHI) is any individually identifiable health information that is transmitted or maintained in any form or medium by a covered entity or its business associates. PHI includes:

Demographic Information

  • Patient names
  • Addresses (street, city, ZIP)
  • Phone numbers
  • Email addresses
  • Dates of birth
  • Social Security numbers

Medical Information

  • Medical record numbers
  • Diagnoses and conditions
  • Treatment information
  • Prescription details
  • Lab results
  • Insurance information

Communication Records

  • Call recordings
  • Voicemail transcripts
  • SMS messages
  • Email correspondence
  • Appointment notes
  • Patient inquiries

Unique Identifiers

  • Medical record numbers
  • Health plan numbers
  • Account numbers
  • Device identifiers
  • IP addresses (in some contexts)
  • Biometric identifiers

How Voxanne AI Handles PHI

Voxanne AI processes and stores the following types of PHI on behalf of healthcare providers:

  • Call Recordings & Transcripts: When patients call your practice, their conversations with our AI voice agent may contain PHI such as symptoms, medication questions, or appointment preferences. All recordings and transcripts are encrypted and stored securely.
  • Patient Contact Information: We store patient names, phone numbers, email addresses, and appointment details to facilitate scheduling and follow-up communications.
  • Appointment Data: We access your Google Calendar to check availability and book appointments. This may include patient names and appointment types (e.g., "Annual Checkup," "Botox Consultation").
  • Medical Queries: Patients may ask questions about medical procedures, treatments, or conditions. Our AI responds using your knowledge base but does not provide medical advice.

Important: PHI Redaction

Voxanne AI automatically redacts certain types of PHI (such as Social Security numbers, credit card numbers, and explicit diagnoses) from stored transcripts to minimize risk. However, you should configure your AI agent to avoid asking for highly sensitive information unless necessary.
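The transcript redaction described above, as an added example that is not Voxanne's code: a Python redactor that masks SSN-shaped values and 13-19 digit card-like numbers in a stored transcript. Every card-like string is removed; a Luhn check only decides whether it is labelled CARD or NUMBER, so the redaction count shows what was actually caught. The sample transcript, the placeholder tokens and the function names are assumptions for illustration; redacting "explicit diagnoses" needs a clinical vocabulary or NLP model and is not covered here.

```python
import re

# Constructed sample transcript (no real patient data); the "speaker: text"
# layout is an assumption for this example.
SAMPLE_TRANSCRIPT = """agent: Can you confirm the details on your file?
patient: Sure, my social is 123-45-6789 and the card on file is 4111 1111 1111 1111.
patient: My callback number is 555-0134 and I'd like the Tuesday slot.
"""

# SSN shape with the never-issued area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes (card-like).
CARD_LIKE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the check digit scheme used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_transcript(text: str):
    """Return (redacted_text, counts). Card-like strings are always removed;
    the Luhn check only chooses the label so the counts stay meaningful."""
    counts = {"SSN": 0, "CARD": 0, "NUMBER": 0}

    def replace_card_like(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        kind = "CARD" if luhn_ok(digits) else "NUMBER"
        counts[kind] += 1
        return f"[REDACTED-{kind}]"

    def replace_ssn(m):
        counts["SSN"] += 1
        return "[REDACTED-SSN]"

    # Long digit runs first so an SSN is never mistaken for part of a card.
    text = CARD_LIKE_RE.sub(replace_card_like, text)
    text = SSN_RE.sub(replace_ssn, text)
    return text, counts


if __name__ == "__main__":
    redacted, found = redact_transcript(SAMPLE_TRANSCRIPT)
    print(redacted)
    print("redaction counts:", found)
```

The phone number survives because it is neither SSN-shaped nor long enough to be card-like; a deployment that treats callback numbers as PHI to minimise would add a phone pattern in the same way. Run redaction before the transcript is written to storage, not on read, so the raw value never lands in the database or its backups.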

3. Security Safeguards

HIPAA requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect PHI. Voxanne AI adheres to all three categories of safeguards:

Administrative Safeguards

Administrative safeguards are policies and procedures designed to manage the selection, development, implementation, and maintenance of security measures to protect PHI.

  • Security Management Process: We conduct annual risk assessments to identify vulnerabilities and implement corrective actions
  • Workforce Training: All employees complete HIPAA training upon hire and annually thereafter
  • Access Authorization: Role-based access control (RBAC) ensures employees only access PHI necessary for their job functions
  • Workforce Clearance: Background checks are conducted for all employees with access to PHI
  • Incident Response: We maintain a documented incident response plan for security breaches
  • Contingency Planning: Disaster recovery and backup procedures ensure data availability

Physical Safeguards

Physical safeguards protect the physical systems, buildings, and equipment where PHI is stored.

  • Data Center Security: Our infrastructure providers (Supabase, Google Cloud) operate SOC 2 Type II certified data centers with 24/7 physical security
  • Access Controls: Biometric authentication and keycard access restrict entry to server rooms
  • Device Security: All employee laptops are encrypted with BitLocker (Windows) or FileVault (Mac)
  • Workstation Security: Automatic screen locks after 5 minutes of inactivity
  • Media Disposal: Hard drives are securely wiped or physically destroyed before disposal

Technical Safeguards

Technical safeguards are the technology and policies that protect PHI and control access to it.

  • Access Control: Unique user IDs, automatic logoff after 15 minutes, and multi-factor authentication (MFA) for administrative access
  • Audit Controls: All access to PHI is logged with immutable audit trails retained for 7 years (longer than the 6-year documentation retention period HIPAA requires)
  • Integrity Controls: Digital signatures and checksums verify data has not been altered
  • Transmission Security: TLS 1.3 encryption for all data transmitted over networks
  • Encryption: AES-256 encryption for all PHI stored at rest (see Section 4)

4. Encryption Standards

Encryption is one of the most critical technical safeguards for protecting PHI. Voxanne AI uses industry-leading encryption standards to protect data both at rest and in transit.

Encryption at Rest (Stored Data)

All PHI stored in our database is encrypted using AES-256 encryption, the same encryption standard used by banks and government agencies.

  • Algorithm: AES-256 (Advanced Encryption Standard with 256-bit keys)
  • Key Management: Encryption keys are stored separately from data and rotated every 90 days
  • Database Provider: Supabase (SOC 2 Type II certified, HIPAA-compliant infrastructure)
  • Backup Encryption: All database backups are encrypted with the same AES-256 standard
  • Media Encryption: Call recordings stored in cloud storage are encrypted at rest

Encryption in Transit (Data Transmission)

All PHI transmitted over networks (including the internet) is encrypted using TLS 1.3, the latest and most secure version of Transport Layer Security.

  • Protocol: TLS 1.3 (Transport Layer Security 1.3)
  • Certificate Authority: Let's Encrypt (publicly trusted TLS certificates)
  • API Communications: All API calls between frontend, backend, and third-party services use HTTPS/TLS 1.3
  • Voice Calls: Call media between Twilio and Vapi is carried over SRTP (Secure Real-time Transport Protocol); the patient's PSTN leg is protected only to the extent the carrier protects it (see below)
  • Webhook Delivery: All webhook payloads containing PHI are transmitted over TLS 1.3

Encryption Along the Voice Call Path

Phone calls between patients and our AI voice agent are encrypted on every hop under our control. The first hop runs over the public telephone network, which we do not control, so the call is not end-to-end encrypted in the strict sense:

  • Patient to Twilio: PSTN call; any encryption is applied by the patient's carrier and varies by carrier
  • Twilio to Vapi: SRTP (Secure Real-time Transport Protocol) encryption
  • Vapi to AI Model: TLS 1.3 encrypted API calls
  • Storage: Call recordings encrypted with AES-256 and stored in compliance with retention policies

Encryption Key Management

Encryption keys are managed using industry best practices: keys are stored in secure hardware security modules (HSMs), rotated every 90 days, and never transmitted in plaintext. Access to encryption keys is restricted to authorized security personnel only.

5. Access Controls

Access controls ensure that only authorized individuals can access PHI, and only to the extent necessary for their job functions. Voxanne AI implements multiple layers of access control:

Role-Based Access Control (RBAC)

Users are assigned roles based on their responsibilities, and each role has specific permissions:

Role                   | Permissions                                                    | PHI Access
Practice Administrator | Full access to all features, settings, and patient data        | Full access to all PHI
Office Manager         | View patient data, manage appointments, configure AI agent     | Limited to patient contact info and appointments
Receptionist           | View call logs, listen to recordings, send follow-up messages  | Limited to call data and contact info
Billing Staff          | View patient contact info, export billing reports              | No access to call recordings or medical queries
Read-Only User         | View-only access to analytics and reports                      | De-identified data only (no PHI)

Multi-Factor Authentication (MFA)

All user accounts with access to PHI are required to use multi-factor authentication:

  • Primary Authentication: Username and password (minimum 12 characters, complexity requirements)
  • Secondary Authentication: Time-based one-time password (TOTP) via authenticator app (Google Authenticator, Authy, etc.)
  • Enforcement: MFA is mandatory for all users; cannot be disabled without administrator approval
  • Recovery Codes: Users receive 10 recovery codes for account recovery if they lose their authenticator device

Audit Logging

All access to PHI is logged in immutable audit trails:

  • Events Logged: Login/logout, PHI viewing, data modifications, report generation, settings changes
  • Information Captured: User ID, timestamp, IP address, action performed, data accessed
  • Retention Period: 7 years (longer than the 6-year retention HIPAA requires for Security Rule documentation)
  • Access to Logs: Restricted to security administrators and compliance officers
  • Monitoring: Automated alerts for suspicious activity (e.g., multiple failed login attempts, unusual data access patterns)
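Illustrating the integrity controls (Section 3), the immutable audit trail and the failed-login alerting above, as an added example that is not taken from Voxanne's systems: each entry carries an HMAC over its own fields plus the previous entry's MAC, so an edit, a deletion or a reorder breaks the chain at a detectable index; a sliding-window rule over the same entries flags five failed logins from one user/IP pair within ten minutes. The field names, the threshold, the key and the sample entries are constructed assumptions.

```python
import hashlib
import hmac
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed for this example: the log's HMAC key lives in the key management
# system, not beside the log, so a database user who can edit rows cannot
# re-seal them. Constructed value, not a real key.
LOG_HMAC_KEY = b"example-only-audit-log-key"
GENESIS_MAC = "0" * 64  # back-link value used by the first entry


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so the MAC does not depend on key order.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _mac(body: dict) -> str:
    return hmac.new(LOG_HMAC_KEY, _canonical(body), hashlib.sha256).hexdigest()


def append_entry(log: list, entry: dict) -> dict:
    """Seal an entry: its MAC covers the fields plus the previous entry's MAC."""
    body = dict(entry, prev=log[-1]["mac"] if log else GENESIS_MAC)
    body["mac"] = _mac(body)
    log.append(body)
    return body


def verify_chain(log: list) -> int:
    """Return -1 if every MAC and back-link is valid, else the index of the
    first entry that fails (an edit, a deletion earlier in the log, or a reorder)."""
    prev = GENESIS_MAC
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("prev") != prev or not hmac.compare_digest(_mac(body), entry.get("mac", "")):
            return i
        prev = entry["mac"]
    return -1


def tampered_index(log: list, idx: int, field: str, value) -> int:
    """Edit one field on a copy of the log and report where verification fails."""
    copy = json.loads(json.dumps(log))
    copy[idx][field] = value
    return verify_chain(copy)


def index_after_deleting(log: list, idx: int) -> int:
    """Delete one entry on a copy and report where verification fails."""
    copy = json.loads(json.dumps(log))
    del copy[idx]
    return verify_chain(copy)


def failed_login_alerts(log: list, threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> list:
    """Sliding-window rule: alert when `threshold` failed logins from the same
    user/IP pair fall within `window`. Fires once, when the threshold is crossed."""
    recent = defaultdict(deque)
    alerts = []
    for entry in log:
        if entry["action"] != "login" or entry["outcome"] != "failure":
            continue
        key = (entry["user_id"], entry["ip"])
        ts = datetime.fromisoformat(entry["ts"])
        times = recent[key]
        times.append(ts)
        while ts - times[0] > window:  # drop failures older than the window
            times.popleft()
        if len(times) == threshold:
            alerts.append({"user_id": entry["user_id"], "ip": entry["ip"],
                           "first": times[0].isoformat(), "last": ts.isoformat()})
    return alerts


def build_sample_log() -> list:
    """Constructed entries (not real data): six failed logins a minute apart
    from one reception account, then one legitimate PHI view by an admin."""
    base = datetime(2026, 1, 30, 9, 0, tzinfo=timezone.utc)
    log = []
    for i in range(6):
        append_entry(log, {"ts": (base + timedelta(minutes=i)).isoformat(),
                           "user_id": "u-reception-1", "ip": "203.0.113.7",
                           "action": "login", "outcome": "failure", "resource": None})
    append_entry(log, {"ts": (base + timedelta(minutes=7)).isoformat(),
                       "user_id": "u-admin-1", "ip": "198.51.100.2",
                       "action": "view_phi", "outcome": "success",
                       "resource": "call-recording/c-1042"})
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", verify_chain(sample) == -1)
    print("edit detected at index:", tampered_index(sample, 2, "user_id", "u-other"))
    print("deletion detected at index:", index_after_deleting(sample, 2))
    print("tail truncation detected:", index_after_deleting(sample, 6) != -1)
    for alert in failed_login_alerts(sample):
        print("ALERT repeated failed logins:", alert)
```

Two caveats the chain alone does not cover: deleting the newest entry leaves a valid shorter chain, so the latest MAC must be anchored somewhere the database writer cannot reach (a WORM bucket, a periodic signed checkpoint, or a separate log service); and the HMAC key must not be readable by anyone who can write log rows, otherwise they can re-seal every entry after their edit.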

Session Management

To prevent unauthorized access, we enforce strict session management policies:

  • Automatic Timeout: Sessions expire after 15 minutes of inactivity
  • Session Revocation: Users can view and revoke active sessions from the security settings page
  • Force Logout: Administrators can force logout all users in case of security incident
  • Concurrent Session Limits: Users can have a maximum of 3 concurrent sessions

Principle of Least Privilege

We adhere to the principle of least privilege: users are granted the minimum level of access necessary to perform their job functions. Access rights are reviewed quarterly and adjusted as roles change.

6. Business Associate Agreement (BAA)

What is a Business Associate Agreement?

A Business Associate Agreement (BAA) is a written contract required by HIPAA between a covered entity (healthcare provider) and a business associate (service provider like Voxanne AI) that creates, receives, maintains, or transmits PHI on behalf of the covered entity.

The BAA ensures that the business associate:

  • Implements appropriate safeguards to protect PHI
  • Reports any security incidents or breaches to the covered entity
  • Ensures its subcontractors (if any) also comply with HIPAA
  • Returns or destroys PHI when the relationship ends
  • Allows the covered entity to audit compliance

When is a BAA Required?

A BAA is required whenever a business associate will create, receive, maintain, or transmit PHI on behalf of a covered entity. If you are a healthcare provider (doctor, dentist, chiropractor, therapist, etc.) using Voxanne AI to handle patient calls and appointments, you must have a signed BAA with us.

How to Request a BAA

Business Associate Agreements are available for all enterprise customers at no additional charge. To request a BAA:

  1. Contact our sales team at sales@voxanne.ai
  2. Provide your practice name, contact information, and intended use case
  3. Review our standard BAA template (we can accommodate reasonable modifications)
  4. Sign electronically via DocuSign or wet signature
  5. We will countersign and provide you with a fully executed copy within 3 business days

Our BAA with Infrastructure Providers

As a business associate, we are also required to have BAAs with our subcontractors that handle PHI. Voxanne AI has signed BAAs with the following infrastructure providers:

  • Supabase: Database and authentication provider (SOC 2 Type II certified, HIPAA-compliant infrastructure)
  • Twilio: Telephony and SMS provider (HIPAA-eligible, BAA available)
  • Google Cloud: Infrastructure provider for AI models and storage (HIPAA-compliant, BAA signed)
  • Vapi: Voice AI platform (HIPAA-eligible, BAA available)

Important: Wallet Funding Requirement

BAAs require an active, funded account. If you are a healthcare provider subject to HIPAA, ensure your wallet is funded before processing PHI. Contact sales@voxanne.ai to discuss BAA execution and compliance requirements.

7. Breach Notification Procedures

What is a Data Breach?

Under HIPAA, a breach is defined as the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the information. Examples include:

  • Hacking or ransomware attack resulting in PHI exposure
  • Lost or stolen laptop/device containing unencrypted PHI
  • Accidental email of PHI to wrong recipient
  • Unauthorized employee accessing patient records
  • Vendor security incident affecting PHI

Our Breach Response Plan

If we discover a breach of PHI, we follow a comprehensive incident response plan:

Step 1: Detection & Containment (Within 24 Hours)

  • Identify the source and scope of the breach
  • Immediately contain the breach to prevent further exposure
  • Preserve evidence for forensic investigation
  • Activate incident response team

Step 2: Assessment (Within 48 Hours)

  • Conduct forensic investigation to determine what PHI was exposed
  • Identify all affected individuals and covered entities
  • Assess risk of harm to individuals (identity theft, financial loss, etc.)
  • Document findings in incident report

Step 3: Notification (Within 60 Days)

  • Notify all affected covered entities (healthcare providers) without unreasonable delay, and no later than 60 days after discovery
  • Provide details: what happened, what PHI was exposed, steps we're taking
  • Assist covered entities in notifying affected individuals (if required)
  • Support the covered entity's report to HHS; under HIPAA the covered entity files that report (within 60 days when 500 or more individuals are affected)

Step 4: Remediation & Prevention (Ongoing)

  • Implement corrective actions to prevent recurrence
  • Conduct post-incident review to identify lessons learned
  • Update security policies and procedures as needed
  • Provide additional workforce training if human error was involved

Your Responsibilities as a Covered Entity

If we notify you of a breach affecting your patients, you are responsible for:

  • Notifying affected individuals without unreasonable delay (and no later than 60 days from discovery)
  • Providing notice in writing (first-class mail or email if the individual agreed to electronic notice)
  • Reporting the breach to HHS (if affecting 500+ individuals, within 60 days; if fewer than 500, annual report)
  • Reporting to media (if breach affects 500+ individuals in your state/jurisdiction)
  • Documenting the breach and your response for compliance audits

Contact Us for Security Incidents

If you suspect a security incident or breach involving Voxanne AI, please contact us immediately:

Emergency Hotline: Available 24/7 for security incidents

We take all security incidents seriously and will investigate promptly. Do not attempt to investigate the incident yourself as this may compromise evidence.

8. Patient Rights Under HIPAA

HIPAA grants patients specific rights regarding their PHI. As a business associate processing PHI on behalf of healthcare providers, we support these rights:

Right to Access

Patients have the right to access their PHI, including call recordings and transcripts. Upon request from a covered entity, we will provide copies of PHI within 30 days.

Note: Patients should make access requests directly to their healthcare provider, not to Voxanne AI. The covered entity is responsible for fulfilling access requests.

Right to Amendment

Patients have the right to request amendments to their PHI if they believe it is inaccurate or incomplete. We will make amendments upon instruction from the covered entity.

Right to Accounting of Disclosures

Patients have the right to receive a list of disclosures of their PHI. Our audit logs capture all disclosures, and we will provide accounting reports upon request from the covered entity.

Right to Request Restrictions

Patients have the right to request restrictions on how their PHI is used or disclosed. While we are not required to agree to all restrictions, we will accommodate reasonable requests when instructed by the covered entity.

Right to Confidential Communications

Patients have the right to request that communications containing PHI be sent to alternative locations or by alternative means. This is managed by the covered entity.

Right to Be Notified of Breaches

Patients have the right to be notified if their unsecured PHI is breached. We will notify covered entities of any breaches, and the covered entity is responsible for notifying affected patients.

9. Compliance Certifications

Voxanne AI and our infrastructure providers maintain industry-leading security certifications:

SOC 2 Type II

Our infrastructure providers (Supabase, Google Cloud) are SOC 2 Type II certified, demonstrating effective controls for security, availability, processing integrity, confidentiality, and privacy.

Voxanne AI is currently undergoing SOC 2 Type II audit (expected completion: Q2 2026).

HIPAA Compliance

All infrastructure providers have signed BAAs and maintain HIPAA-compliant infrastructure. Voxanne AI adheres to all HIPAA Security Rule and Privacy Rule requirements.

Annual security assessments conducted to verify ongoing compliance.

GDPR Compliance

For European and UK customers, we comply with GDPR requirements including data subject rights, data retention policies, and international data transfer mechanisms (SCCs).

Penetration Testing

We conduct annual third-party penetration testing to identify and remediate security vulnerabilities before they can be exploited.

Last penetration test: December 2025. Next scheduled: December 2026.

Ongoing Security Assessments

  • Annual Risk Assessments: Comprehensive review of security posture and risk mitigation strategies
  • Quarterly Vulnerability Scans: Automated scanning for known vulnerabilities in infrastructure
  • Monthly Security Reviews: Review of access logs, incident reports, and security metrics
  • Continuous Monitoring: 24/7 security monitoring with automated alerts for anomalous activity

10. Contact Information

For questions about HIPAA compliance, security measures, or to request a Business Associate Agreement:

Security Officer

For security incidents, vulnerability reports, and security-related inquiries.

Privacy Officer

For privacy policy questions, patient rights requests, and data access inquiries.

Business Associate Agreements

For BAA requests, enterprise contracts, and compliance documentation.

General Support

For general customer support, technical issues, and feature questions.

Mailing Address

Voxanne AI
A product of Call Waiting AI Ltd.
Collage House, 2nd Floor
17 King Edward Road
Ruislip, London HA4 7AE
United Kingdom

Ready to Get Started?

Join hundreds of healthcare providers using Voxanne AI to automate patient communications while maintaining HIPAA compliance.