HIPAA Compliance Policy

Last updated: March 21, 2026

HIPAA Compliance Attestation

PatientCopilot® maintains HIPAA compliance, independently assessed and attested by HIPAAOne. (The Department of Health and Human Services does not issue or recognize any official HIPAA certification; this is a third-party attestation of our controls.) We implement rigorous administrative, physical, and technical safeguards to protect all patient health information.

Our Commitment to HIPAA Compliance

PatientCopilot® is committed to protecting the privacy and security of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HITECH Act, and all applicable federal and state regulations.

As an AI-powered patient engagement platform serving healthcare practices, we recognize the critical importance of safeguarding patient data. This policy outlines how we collect, use, store, and protect PHI within our platform.

Protected Health Information (PHI)

PHI includes any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate, in any form or medium. The subset that is stored or transmitted electronically (ePHI) is additionally subject to the HIPAA Security Rule. PHI includes but is not limited to:

  • Patient names, addresses, and contact information
  • Appointment dates and scheduling information
  • Communication records (text messages, emails, chat transcripts)
  • Health-related information shared during patient communications
  • Insurance and billing information
  • Any other data that can be used to identify an individual patient

Data Encryption & Security

We employ industry-leading security measures to protect PHI:

  • Encryption in Transit: All data transmitted between users, our servers, and third-party integrations is encrypted using TLS 1.2 or higher.
  • Encryption at Rest: All stored PHI is encrypted using AES-256 encryption.
  • Access Controls: Role-based access controls (RBAC) ensure that only authorized personnel can access PHI. Multi-factor authentication (MFA) is required for all administrative access.
  • Audit Logging: All access to PHI is logged and monitored. Audit trails are retained for a minimum of six years, consistent with the HIPAA Security Rule's documentation retention requirement (45 CFR 164.316(b)(2)).
  • Infrastructure Security: Our infrastructure is hosted in data centers that undergo SOC 2 Type II examinations, with physical security, redundancy, and disaster recovery capabilities. (SOC 2 is an auditor's attestation report on controls over a period of time, not a certification.)

Business Associate Agreements (BAA)

PatientCopilot® enters into Business Associate Agreements (BAAs) with all healthcare practice customers who use our platform to handle PHI. The BAA establishes the permitted and required uses and disclosures of PHI and obligates us to:

  • Use or disclose PHI only as permitted by the agreement or as required by law
  • Implement appropriate safeguards to prevent unauthorized use or disclosure
  • Report any security incidents or breaches promptly
  • Ensure that any subcontractors who access PHI agree to the same restrictions
  • Make PHI available to individuals upon request, as required by HIPAA
  • Return or destroy PHI at the termination of the agreement

AI and Automated Communications

PatientCopilot® uses artificial intelligence to automate patient communications, including appointment scheduling, follow-ups, review requests, and general inquiries. In the context of HIPAA compliance:

  • AI-generated communications are designed to minimize the disclosure of PHI
  • Automated messages do not include specific health conditions, diagnoses, or treatment details unless explicitly configured by the healthcare practice
  • All AI communication logs are encrypted and stored in compliance with HIPAA requirements
  • Healthcare practices retain full control over what information the AI can access and communicate

Compliance Certification

PatientCopilot® maintains an ongoing HIPAA compliance program that is independently assessed by HIPAAOne, a third-party compliance organization. Because HHS does not recognize any formal HIPAA certification, this assessment is an attestation that our program meets the Privacy, Security, and Breach Notification Rule requirements. Our program includes:

  • Annual risk assessments and vulnerability scans
  • Employee training on HIPAA policies and procedures
  • Documented policies for breach notification, incident response, and disaster recovery
  • Regular audits of administrative, physical, and technical safeguards

Breach Notification

In the event of a breach of unsecured PHI, PatientCopilot® will:

  • Notify affected healthcare practice customers without unreasonable delay, and no later than 60 days after discovery of the breach
  • Provide details about the nature of the breach, the types of information involved, and steps being taken to mitigate harm
  • Cooperate with the healthcare practice in notifying affected individuals and the Department of Health and Human Services (HHS) as required by law
  • Document the breach and maintain records for a minimum of six years

Patient Rights

Under HIPAA, patients have specific rights regarding their PHI. PatientCopilot® supports healthcare practices in fulfilling these rights:

  • Right to Access: Patients may request access to their PHI maintained by the platform.
  • Right to Amendment: Patients may request corrections to their PHI.
  • Right to an Accounting of Disclosures: Patients may request a record of how their PHI has been shared.
  • Right to Request Restrictions: Patients may request restrictions on how their PHI is used or disclosed.
  • Right to Confidential Communications: Patients may request that communications be sent to an alternative address or by an alternative method.

Employee Training

All PatientCopilot® employees and contractors with access to PHI receive comprehensive HIPAA training upon hire and annually thereafter. Training covers:

  • HIPAA Privacy and Security Rules
  • Proper handling and disposal of PHI
  • Incident reporting procedures
  • Social engineering and phishing awareness

Data Retention and Disposal

PHI is retained only for as long as necessary to fulfill the purposes for which it was collected or as required by law. When PHI is no longer needed, it is securely destroyed using media sanitization methods consistent with NIST SP 800-88 (Guidelines for Media Sanitization), so that the data cannot be recovered from decommissioned storage.

Contact Us

If you have questions about our HIPAA compliance practices, please contact our Privacy Officer: