BAA, day one.
A signed Business Associate Agreement is the first artifact in the engagement. It precedes the contract on technical scope. We sign a counterpart prepared by your legal team or ship ours — both are common; either works.
Until the BAA is signed, no PHI may transit our systems — not even for staging tests. We provision a separate non-PHI sandbox tenant for pre-BAA work.
Zero retention, configured.
Zero-Retention Mode is enabled per-tenant, not per-call. Once enabled, no call audio is retained after processing. Transcripts are ephemeral by default; PHI fields are redacted before any optional storage.
```yaml
# tenant config
retention:
  audio: "never"
  transcript: "ephemeral"   # in-memory only
phi_redaction: "strict"
audit_log: "7-year"         # redacted
baa_id: "BAA-2026-04827"
```
PHI redaction, tested.
Our PHI redactor covers 47 PII types out of the box, plus a customer-tunable allow/deny list. Before going live we run an internal Red Team test using synthetic PHI in 200 simulated calls. Pass rate must be 100% before HIPAA Mode is unlocked.
PHI redaction test set
- Names · DOB · SSN · MRN · insurance ID
- Provider names · facility names · NPI
- Diagnoses (ICD-10) · procedures (CPT)
- Drug names · dosages
- Email · phone · street address · ZIP
- Vehicle / device IDs that could identify
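The go-live gate described above (redact before any storage, customer-tunable allow/deny lists, a synthetic-PHI test set that must pass 100%) as an added illustration; this is example code, not the vendor's redactor, and the regex catalogue, placeholder tokens and synthetic transcripts are all assumptions constructed for the example.

```python
import re

# Assumed pattern catalogue for a handful of the PHI types listed above.
# Order matters: structured identifiers run before the broad ZIP pattern.
PATTERNS = {
    "SSN":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "DOB":   re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "MRN":   re.compile(r"\bMRN[:\s#]*\d{6,10}\b", re.IGNORECASE),
    "NPI":   re.compile(r"\bNPI[:\s#]*\d{10}\b", re.IGNORECASE),
    "ZIP":   re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}

def redact(text, deny_list=(), allow_list=()):
    """Return (redacted_text, counts_by_type). Deny-list terms (patient,
    provider and facility names) are replaced first; allow-listed tokens
    (e.g. the clinic's own public number) are exempt from pattern matches."""
    counts = {}
    for term in deny_list:
        text, n = re.subn(re.escape(term), "[NAME]", text, flags=re.IGNORECASE)
        if n:
            counts["NAME"] = counts.get("NAME", 0) + n
    for label, pat in PATTERNS.items():
        def sub(m, label=label):
            if m.group(0) in allow_list:
                return m.group(0)
            counts[label] = counts.get(label, 0) + 1
            return f"[{label}]"
        text = pat.sub(sub, text)
    return text, counts

def run_test_set(cases, **kw):
    """Each case is (synthetic transcript, set of raw PHI values that must not
    survive). Returns (pass_rate, failures); the gate is pass_rate == 1.0."""
    failures = []
    for transcript, secrets in cases:
        out, _ = redact(transcript, **kw)
        leaked = {s for s in secrets if s.lower() in out.lower()}
        if leaked:
            failures.append((transcript, leaked))
    return 1 - len(failures) / len(cases), failures

# Constructed synthetic calls; no real people, providers or facilities.
SYNTHETIC_CALLS = [
    ("Patient Jane Doe, DOB 03/14/1985, MRN 00412345 called from 555-201-9876.",
     {"Jane Doe", "03/14/1985", "00412345", "555-201-9876"}),
    ("Send the summary to jdoe@example.com, ZIP 30301, SSN 123-45-6789.",
     {"jdoe@example.com", "30301", "123-45-6789"}),
    ("Referred by Dr. Ann Smith, NPI 1234567890 at Mercy General.",
     {"Ann Smith", "1234567890", "Mercy General"}),
]
DENY = ["Jane Doe", "Ann Smith", "Mercy General"]  # customer-supplied deny list
```

Running the set without the deny list shows why the tunable list exists: the regex catalogue alone leaks every free-text name and fails the gate.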
Audit trail, immutable.
Every access, write and configuration change is logged immutably for seven years. The log is itself redacted: it records that PHI was accessed, not the PHI content. Auditors get read access through a scoped role; no other role can read the raw log.
When the auditor comes.
We've shipped audit packages for HHS, Joint Commission and three state-level reviews. The package always contains the same six artefacts; you can pull all of them from the admin console in under ten minutes.
- Signed BAA + addendums
- Risk assessment (annual)
- Access logs (filtered by auditor scope)
- Incident log (zero entries is a good entry)
- PHI redaction test results (latest quarterly)
- Sub-processor list with BAAs in place