
HIPAA Compliance

ClinicOS is built with HIPAA-ready defaults to help healthcare providers maintain compliance while using our AI receptionist platform. This page outlines our approach to protecting health information and the safeguards we have in place.

1. Scope

ClinicOS handles appointment metadata, call logs, and clinic operational data. We minimize exposure of Protected Health Information (PHI) by design: we do not store patient medical records, diagnostic information, or insurance claim data. Our platform focuses on the communication and scheduling layer, reducing the surface area of PHI that flows through the system.

2. Business Associate Agreement

ClinicOS offers Business Associate Agreements (BAAs) for customers on Pro and Enterprise plans. Our BAA covers:

  • Use and disclosure limitations — We use PHI only as permitted by the BAA and applicable law.
  • Safeguards — We implement administrative, physical, and technical safeguards to protect PHI.
  • Breach notification — We notify the covered entity of any breach of unsecured PHI.
  • Subcontractor obligations — We ensure our subcontractors who access PHI agree to equivalent protections.
  • Return or destruction — Upon termination, we return or securely destroy all PHI in our possession.

To request a BAA, contact us at compliance@clinic-os.co.

3. Minimum Necessary Standard

In accordance with the HIPAA Minimum Necessary Standard, our AI receptionist collects only the information needed to fulfill its scheduling and communication function:

  • Patient name
  • Phone number
  • Preferred appointment date and time
  • Reason for visit (general category, e.g., "cleaning," "consultation")

The AI receptionist does not collect:

  • Diagnosis codes (ICD-10) or procedure codes (CPT)
  • Insurance ID numbers or policy details
  • Social Security Numbers (SSN)
  • Detailed medical history or treatment records
  • Payment card information (handled by Lemon Squeezy)

4. Security Measures

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls following the principle of least privilege
  • Audit logging of all access to PHI-containing records
  • HMAC-SHA256 verification on all inbound webhooks
  • Secrets management via encrypted key storage (never hardcoded)
  • Regular security assessments and vulnerability testing
  • Secure cloud infrastructure with SOC 2 certified providers

5. Breach Notification

In the event of a breach of unsecured PHI, ClinicOS will:

  • Provide written notification to affected covered entities within 60 days of discovering the breach.
  • Include in the notification: the nature of the breach, the types of data involved, steps we have taken to mitigate harm, and steps affected individuals can take to protect themselves.
  • Cooperate with the covered entity in notifying affected individuals and the Department of Health and Human Services (HHS) as required.
  • Provide a dedicated point of contact for breach-related inquiries.

6. Subcontractors & Vendors

The following third-party services are used by ClinicOS, along with their compliance status:

  • ElevenLabs (voice processing) — BAA available
  • Twilio (telephony/SIP routing) — BAA in place
  • Vercel (frontend hosting) — SOC 2 Type II certified
  • Pantheon (backend hosting) — SOC 2 Type II certified
  • Auth0 (authentication) — BAA available, HIPAA-eligible configuration
  • Lemon Squeezy (payment processing) — No PHI access; handles billing data only

All subcontractors with access to PHI are bound by agreements that require equivalent privacy and security protections.

7. Employee Training

All ClinicOS team members with potential access to PHI complete annual HIPAA privacy and security training. Training covers:

  • HIPAA Privacy Rule and Security Rule requirements
  • Recognizing and reporting potential breaches
  • Proper handling and disposal of PHI
  • Role-specific data access responsibilities

New team members complete training within 30 days of onboarding. Training records are maintained for a minimum of 6 years.

8. Audit & Monitoring

ClinicOS maintains ongoing compliance monitoring through:

  • Access logs — All access to systems containing PHI is logged with user identity, timestamp, and action performed.
  • Audit trails — Immutable audit trails for data modifications, deletions, and exports.
  • Regular assessments — Periodic risk assessments to identify and address vulnerabilities.
  • Incident response — Documented incident response procedures with defined roles and escalation paths.

9. Contact

For HIPAA-related inquiries, to request a Business Associate Agreement, or to report a potential security concern, contact our compliance team at compliance@clinic-os.co.

Last updated: February 2026