HIPAA Compliance

1. Overview

ProtoVoice is committed to protecting the privacy and security of Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). This page outlines our HIPAA compliance program and the safeguards we implement to protect healthcare data.

2. Who This Applies To

HIPAA compliance requirements apply to healthcare providers (covered entities) and their business associates who handle PHI. When you use ProtoVoice to process calls that may contain PHI—such as appointment scheduling, prescription refills, or patient inquiries—ProtoVoice acts as a Business Associate under HIPAA. A Business Associate Agreement (BAA) must be executed before any PHI is processed through our platform.

3. Business Associate Agreement (BAA)

• ProtoVoice provides a comprehensive Business Associate Agreement to all healthcare customers
• The BAA outlines our obligations for protecting PHI and defines permitted uses and disclosures
• BAAs must be signed before processing any PHI through our platform
• To request a BAA, contact our compliance team at compliance@protovoice.ai
• Enterprise customers may request custom BAA terms subject to review

4. Administrative Safeguards

• Designated Privacy and Security Officers responsible for HIPAA compliance
• Comprehensive workforce security policies and procedures
• Regular HIPAA training for all employees with access to PHI
• Background checks for employees handling sensitive data
• Incident response procedures for potential breaches
• Regular risk assessments and security audits
• Documentation and policy management systems
• Vendor management program for subcontractors

5. Physical Safeguards

• Data centers with 24/7 physical security and surveillance
• Biometric access controls for facility entry
• Environmental controls (fire suppression, climate control)
• Secure workstation policies for remote and on-site employees
• Proper disposal procedures for hardware containing PHI
• Geographic redundancy across multiple secure facilities

6. Technical Safeguards

• End-to-end encryption for all PHI in transit (TLS 1.3)
• AES-256 encryption for PHI at rest
• Unique user identification and authentication
• Role-based access controls (RBAC)
• Automatic session timeout and logout
• Comprehensive audit logging of all PHI access
• Intrusion detection and prevention systems
• Regular vulnerability scanning and penetration testing
• Secure API authentication (OAuth 2.0, API keys)

7. PHI Data Handling

• Call recordings containing PHI are encrypted immediately upon capture
• Transcripts are processed in isolated, secure environments
• PHI is never used for AI model training without explicit de-identification
• Data retention periods are configurable to meet your compliance requirements
• Secure deletion procedures ensure complete removal of PHI when requested
• Data segregation ensures your PHI is isolated from other customers

8. Breach Notification

In the event of a security incident involving PHI, ProtoVoice will notify affected covered entities within 24 hours of discovery, as required by HIPAA and our Business Associate Agreements. We maintain detailed incident response procedures and will cooperate fully with any required investigations or notifications to the Department of Health and Human Services (HHS) and affected individuals.

9. Subcontractors and Third Parties

Any subcontractors or third parties who may have access to PHI on our behalf are required to sign Business Associate Agreements and demonstrate HIPAA compliance. We maintain a vendor management program that includes security assessments, contractual protections, and ongoing monitoring of our subcontractors.

10. Supporting Patient Rights

• Access: We support your ability to provide patients access to their PHI
• Amendment: Tools to update or amend PHI as requested
• Accounting of Disclosures: Audit logs track all PHI access and disclosures
• Restrictions: Configurable access controls to honor patient restrictions
• Confidential Communications: Secure messaging and communication channels

11. Audits and Compliance Verification

• Annual third-party security audits and assessments
• SOC 2 Type II certification covering security controls
• Regular internal compliance reviews
• Penetration testing by qualified security firms
• Audit reports available to customers under NDA upon request

12. Getting Started with HIPAA Compliance

• 1. Contact our team at compliance@protovoice.ai to discuss your requirements
• 2. Execute a Business Associate Agreement (BAA) with ProtoVoice
• 3. Configure your account with appropriate security settings
• 4. Train your staff on proper handling of PHI through ProtoVoice
• 5. Enable audit logging and configure data retention policies
• 6. Review and document your use case for compliance records

13. Contact Our Compliance Team

For questions about HIPAA compliance, to request a Business Associate Agreement, or to report a security concern, contact our Compliance Team at compliance@protovoice.ai or write to: ProtoVoice, Inc., Attn: HIPAA Compliance Officer, 7975 N Hayden Rd STE A210, Scottsdale, Arizona 85258.