
HIPAA Compliance

ChiroDesk AI implements comprehensive safeguards designed to comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

Technical Safeguards

Controls that protect electronic Protected Health Information (ePHI) through technology.

Encryption

  • At rest: AES-256 encryption for all stored ePHI, including databases, backups, and logs
  • In transit: TLS 1.3 for all data transmitted between systems, APIs, and end users
  • Voice calls: Encrypted end-to-end using AES-256
  • Text messages: Transmitted over encrypted channels, not standard SMS
  • EHR connections: Encrypted API connections with mutual authentication

Access Controls

  • Role-based access control (RBAC): users only access the data necessary for their role
  • Unique user identification for all system users
  • Multi-factor authentication (MFA) required for all access
  • Automatic session timeouts
  • Access revocation within one hour of personnel changes

Audit Controls

  • Comprehensive audit logging of all access to ePHI: who, when, and what
  • Automated monitoring and alerting for suspicious activity
  • Regular review of audit logs by the security team
  • Audit log retention for a minimum of 6 years per HIPAA requirements

Integrity Controls

  • Mechanisms to confirm ePHI has not been altered or destroyed without authorization
  • Automated data backup with integrity verification
  • Disaster recovery procedures tested regularly
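The Audit Controls and Integrity Controls above both depend on audit records that capture who, when and what, and that cannot be altered or removed after the fact without detection. The following is an added illustration of one common way to get that property, an HMAC hash-chained append-only log; it is example code written for this page, not ChiroDesk AI's implementation, and the chaining key, the field layout and the sample events are constructed assumptions (in a real deployment the key would live in a KMS or HSM and each record's digest would be written to append-only storage).

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: a constant key so the example runs offline. Production code would
# fetch it from a KMS/HSM and never embed it in source.
CHAIN_KEY = b"example-chain-key-not-for-production"
GENESIS = "0" * 64  # digest "before" the first record


def make_entry(prev_digest, actor, action, resource, patient_id, when=None):
    """Build one audit record (who / when / what) bound to the previous record's digest."""
    when = when or datetime.now(timezone.utc).isoformat()
    body = {
        "ts": when,                 # when
        "actor": actor,             # who
        "action": action,           # what was done (read / create / update / export)
        "resource": resource,       # what it was done to
        "patient_id": patient_id,
        "prev": prev_digest,        # link to the previous record
    }
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    body["digest"] = hmac.new(CHAIN_KEY, canonical, hashlib.sha256).hexdigest()
    return body


def append_entry(log, **fields):
    """Append a record whose prev pointer is the digest of the current last record."""
    prev = log[-1]["digest"] if log else GENESIS
    log.append(make_entry(prev, **fields))
    return log[-1]


def verify_chain(log):
    """Recompute every digest and prev link. Returns (ok, index of first bad record or None)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "digest"}
        if body.get("prev") != prev:          # a record was removed or reordered
            return False, i
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        expected = hmac.new(CHAIN_KEY, canonical, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["digest"]):  # a field was edited
            return False, i
        prev = entry["digest"]
    return True, None


def build_sample_log():
    """Constructed sample events (not real data) for a scheduling workflow."""
    log = []
    append_entry(log, actor="front-desk-01", action="read", resource="appointment",
                 patient_id="P-0001", when="2026-01-05T14:02:11+00:00")
    append_entry(log, actor="ai-scheduler", action="create", resource="appointment",
                 patient_id="P-0001", when="2026-01-05T14:02:40+00:00")
    append_entry(log, actor="front-desk-01", action="update", resource="appointment",
                 patient_id="P-0002", when="2026-01-05T15:10:03+00:00")
    return log


def tamper_demo():
    """Show that rewriting 'who' on a stored record is caught on the next review pass."""
    log = build_sample_log()
    ok_before, _ = verify_chain(log)
    log[1]["actor"] = "someone-else"   # retroactive edit of an existing record
    ok_after, bad_index = verify_chain(log)
    return ok_before, ok_after, bad_index


if __name__ == "__main__":
    print(tamper_demo())  # (True, False, 1)
```

Two points a reviewer of such a log should check: the chain only proves that nothing between the first record and the last one was edited or removed, so the digest of the most recent record must itself be anchored somewhere the log writer cannot change (a periodic export to write-once storage, for example), or truncation of the tail goes unnoticed; and the HMAC key must not be readable by the service that writes the log, or an attacker with write access could simply re-chain after editing.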

Administrative Safeguards

Policies and procedures that manage the selection, development, and implementation of security measures.

Security Officer

A designated Security Officer is responsible for developing, implementing, and maintaining our HIPAA security program.

Risk Analysis

Independent third-party risk assessments are conducted annually to identify vulnerabilities and threats to ePHI. Documented remediation plans address all identified risks.

Workforce Training

All employees receive HIPAA security awareness training upon hire and annually thereafter. Training content is informed by our risk assessment findings.

Incident Response

Documented incident response procedures for detecting, responding to, and reporting security incidents. Breach notification to affected practices within 24 hours of discovery.

Contingency Planning

Data backup, disaster recovery, and emergency mode operation plans are documented and tested regularly to ensure continuity of service.

Business Associate Management

We maintain Business Associate Agreements with all subcontractors and vendors who access or process ePHI on our behalf. Subcontractors are evaluated for HIPAA compliance before engagement.

Physical Safeguards

Measures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

Data Center Security

  • All data hosted in U.S.-based, SOC 2 Type II certified data centers
  • 24/7 physical security with biometric access controls
  • Redundant power, cooling, and network connectivity
  • Video surveillance and intrusion detection systems

Device & Media Controls

  • Encrypted workstations for all employees who access ePHI
  • Secure hardware disposal with documented destruction procedures
  • Technology asset inventory maintained and updated regularly

AI-Specific Protections

  • Minimum necessary access. The AI only processes the minimum patient information required for scheduling, not full medical history.
  • No model training on PHI. Patient data is never used to train, fine-tune, or improve AI models.
  • Multi-tenant isolation. Each practice’s data is completely isolated. There is no data sharing between practices.
  • AI does not provide medical advice. The system handles scheduling logistics only.
  • Full auditability. Every AI interaction is logged and available for practice review.
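"Minimum necessary access" and "multi-tenant isolation" are easy to state and easy to get wrong in code, so here is an added example of the two properties enforced at the data-access layer. It is illustration written for this page, not ChiroDesk AI's code: the practice identifiers, patient records, field names and the in-memory store are all constructed. The point it makes is that the tenant must come from the authenticated session rather than from anything the caller supplies, and that only the scheduling fields ever leave the access function.

```python
from dataclasses import dataclass

# The only fields a scheduling workflow is allowed to see (constructed allowlist).
SCHEDULING_FIELDS = frozenset({"patient_id", "first_name", "phone", "preferred_slot", "provider"})


class AccessDenied(Exception):
    """Raised for any lookup outside the caller's own practice; the message is the same
    whether the patient exists in another tenant or not at all."""


@dataclass(frozen=True)
class Session:
    practice_id: str   # tenant, established at authentication time
    actor: str         # user or service principal, for the audit record


# Constructed multi-tenant store keyed by practice. Each record deliberately holds
# more than scheduling needs, and the same patient_id appears in two practices.
PATIENT_STORE = {
    "practice-A": {
        "P-0001": {"patient_id": "P-0001", "first_name": "Ana", "phone": "555-0100",
                   "preferred_slot": "morning", "provider": "Dr. Lee",
                   "diagnosis_notes": "lumbar strain", "insurance_id": "INS-77"},
    },
    "practice-B": {
        "P-0001": {"patient_id": "P-0001", "first_name": "Ben", "phone": "555-0200",
                   "preferred_slot": "evening", "provider": "Dr. Kim",
                   "diagnosis_notes": "cervical", "insurance_id": "INS-12"},
    },
}


def naive_lookup(patient_id):
    """The pattern to avoid: a global search by patient id. First match wins, so practice-B
    asking about its own P-0001 gets practice-A's record, full diagnosis notes included."""
    for rows in PATIENT_STORE.values():
        if patient_id in rows:
            return rows[patient_id]
    return None


def scheduling_view(session, patient_id):
    """Tenant-scoped, minimum-necessary read.

    The practice is taken from the session, so a caller cannot name another tenant,
    and the returned dict is projected onto SCHEDULING_FIELDS before it leaves here.
    """
    tenant_rows = PATIENT_STORE.get(session.practice_id, {})
    row = tenant_rows.get(patient_id)
    if row is None:
        raise AccessDenied("no such patient in this practice")
    return {k: row[k] for k in SCHEDULING_FIELDS if k in row}


def demo():
    """Compare the two lookups for practice-B's scheduler."""
    session = Session(practice_id="practice-B", actor="ai-scheduler")
    safe = scheduling_view(session, "P-0001")
    leaked = naive_lookup("P-0001")
    return safe["first_name"], sorted(safe), leaked["first_name"], "diagnosis_notes" in leaked


if __name__ == "__main__":
    print(demo())  # ('Ben', [...scheduling fields...], 'Ana', True)
```

In a database-backed service the same two rules apply: every query carries a `WHERE practice_id = :session_practice` predicate that the application cannot omit (row-level security or a tenant-scoped repository), and the projected column list is the allowlist, not `SELECT *`. Returning the same error for "wrong tenant" and "does not exist" avoids turning the endpoint into an oracle for which patient ids are in use elsewhere.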

Staying Current

We actively monitor changes to HIPAA regulations, including the proposed 2026 HIPAA Security Rule updates requiring mandatory encryption, universal MFA, and shortened breach notification timelines. Our security program is continuously updated to meet or exceed current requirements.

Contact

For HIPAA compliance questions or to request documentation:

HIPAA Security Officer: security@chirodesk.ai

© 2026 ChiroDesk AI. All rights reserved.