1. Our Commitment to HIPAA Compliance
PRACTIS Health, Inc. ("Company," "we," "our," or "us") is committed to full compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and all applicable implementing regulations. We recognize that as a platform processing Protected Health Information (PHI) on behalf of healthcare providers, we serve as a Business Associate under HIPAA.
Our compliance program is not a checkbox exercise. It is embedded in our engineering practices, operational procedures, and organizational culture. Every employee, contractor, and vendor who may come into contact with PHI is trained, vetted, and bound by contractual obligations.
2. Business Associate Agreement
We execute a Business Associate Agreement (BAA) with every customer before any PHI is processed through the Services. Our BAA establishes:
- The permitted uses and disclosures of PHI by the Company as a Business Associate.
- Obligations to implement appropriate administrative, physical, and technical safeguards.
- Requirements for reporting security incidents and breaches of unsecured PHI.
- Obligations to ensure that subcontractors agree to the same restrictions and conditions.
- Procedures for return or destruction of PHI upon termination of the agreement.
To request a copy of our BAA or to execute a BAA for your practice, contact us at [email protected].
3. Administrative Safeguards
- Designated Officers: We maintain a designated Privacy Officer and Security Officer responsible for the development and implementation of our HIPAA compliance program.
- Workforce Training: All employees and contractors complete HIPAA training upon onboarding and annually thereafter. Training covers PHI handling, breach identification, and incident reporting.
- Risk Assessments: We conduct comprehensive risk assessments annually and whenever significant changes are made to our systems or processes.
- Policies and Procedures: We maintain documented policies and procedures covering all aspects of PHI handling, access control, incident response, and business continuity.
- Sanctions Policy: Violations of our HIPAA policies are subject to disciplinary action, up to and including termination of employment.
4. Physical Safeguards
- Data Center Security: All infrastructure is hosted in SOC 2 Type II-certified data centers within the United States with 24/7 physical security, biometric access controls, and environmental monitoring.
- Workstation Security: All employee workstations are encrypted, require multi-factor authentication, and are subject to remote wipe capabilities.
- Media Disposal: All storage media containing PHI are securely destroyed using NIST 800-88-compliant methods before disposal.
5. Technical Safeguards
- Encryption: All PHI is encrypted at rest using AES-256 encryption and in transit using TLS 1.3. Encryption keys are managed through AWS KMS with automatic rotation.
- Access Controls: Role-based access controls (RBAC) ensure that users and employees can only access the minimum PHI necessary for their function. All access is authenticated via multi-factor authentication.
- Audit Logging: All access to PHI is logged with timestamps, user identity, and action performed. Audit logs are retained for a minimum of six years and are reviewed regularly.
- Integrity Controls: Automated integrity checks ensure that PHI has not been improperly altered or destroyed. Database backups are encrypted and tested regularly.
- Transmission Security: All data transmitted between clients, servers, and third-party processors is encrypted using TLS 1.3 with certificate pinning where applicable.
6. AI-Specific Safeguards
Given that our Services utilize artificial intelligence to process clinical data, we implement additional safeguards specific to AI processing:
- No PHI in Model Training: We do not use customer PHI, clinical data, or audio recordings to train, fine-tune, or improve AI models. Our models are developed using de-identified, synthetic, or publicly available data only.
- Transient Processing: PHI processed by AI systems is held in memory only for the duration of the processing task and is not persisted to disk outside of encrypted storage.
- Subprocessor BAAs: All third-party AI processing services (including speech-to-text and language model providers) are bound by Business Associate Agreements and are contractually prohibited from retaining or using PHI.
- Output Review: All AI-generated clinical content is presented as a draft requiring clinician review and approval before becoming part of the medical record.
7. Breach Notification
In the event of a breach of unsecured PHI, we will:
- Notify the affected Covered Entity without unreasonable delay and no later than 60 days after discovery of the breach.
- Provide all information required under 45 CFR § 164.410, including identification of affected individuals, description of the breach, and steps taken to mitigate harm.
- Cooperate with the Covered Entity in fulfilling its notification obligations to affected individuals and the Department of Health and Human Services.
- Document the breach and all responsive actions in our breach log, which is maintained for a minimum of six years.
8. Subcontractors
We require all subcontractors who may access PHI to execute Business Associate Agreements with terms at least as restrictive as those in our BAA with customers. We conduct due diligence on all subcontractors before engagement and monitor compliance on an ongoing basis.
9. Patient Rights
We support your obligations to honor patient rights under HIPAA, including:
- Right of Access: We provide tools and data export capabilities to help you fulfill patient requests for access to their PHI.
- Right to Amendment: Our platform supports the amendment of clinical records at the direction of the treating provider.
- Right to an Accounting of Disclosures: Our audit logging capabilities support your ability to provide patients with an accounting of disclosures of their PHI.
10. Compliance Verification
We welcome inquiries about our HIPAA compliance program. We can provide:
- A copy of our BAA for review and execution.
- Summary of our most recent risk assessment findings (redacted as appropriate).
- SOC 2 Type II audit report (under NDA).
- Responses to security questionnaires and vendor assessment forms.
For compliance inquiries, contact us at [email protected].
11. Contact
For questions about our HIPAA compliance program, to request a BAA, or to report a security concern:
PRACTIS Health, Inc.
Privacy Officer: [email protected]
Security Officer: [email protected]
General compliance: [email protected]