HIPAA Compliance · Enterprise Plan

Built to handle protected health information.

A HIPAA-compliant AI receptionist for healthcare practices. Encrypted PHI handling, signed BAA, and audit logs that satisfy your privacy officer.

Enterprise plan required. HIPAA features and BAA execution are exclusive to Enterprise. Contact us →

What we do

HIPAA controls, in plain English.

Five capabilities that make iSada a defensible choice for handling Protected Health Information.

01 · Business Associate Agreement

Signed BAA, executed by counsel.

Under HIPAA, any vendor handling PHI on your behalf must execute a Business Associate Agreement. We provide a BAA reviewed by healthcare counsel, signed before any PHI flows through the platform. The BAA defines roles, breach notification timelines, subcontractor obligations, and termination terms.

  • Standard BAA available immediately on Enterprise
  • Custom BAA terms negotiable
  • Subcontractor flow-down clauses included
BAA — iSada Inc. Status: Available on request

02 · PHI Handling

Minimum necessary, never trained on.

PHI is processed only to deliver the AI receptionist function and never used to train models.

  • Minimum-necessary standard applied
  • No PHI in third-party model training
  • De-identified analytics only
  • Customer-controlled retention

03 · Encryption & Data Security

AES-256 at rest. TLS 1.3 in transit.

Every byte of PHI is encrypted using FIPS 140-2 validated algorithms, with annual key rotation.

at_rest = AES-256-GCM
in_transit = TLS 1.3
key_mgmt = AWS KMS
key_rotation = 365 days
db_encrypted = true

04 · Access Controls

RBAC, MFA, and audit trails.

Only authorized people access PHI, and every access is logged.

  • Role-based access control (owner, admin, agent, viewer)
  • Multi-factor authentication required for admins
  • SAML SSO support for healthcare orgs
  • Auto-logout after configurable idle timeout

05 · Audit Logging

Tamper-resistant logs, retained 6+ years.

HIPAA requires a 6-year audit trail of all access to PHI. We maintain immutable, append-only logs with automated alerts on suspicious patterns (off-hours access, mass exports, repeated failed logins).

Time (UTC)   User       Event                          Result
14:02:18     dr.chen    view_transcript · call_8421    OK
14:03:51     recep.li   export_pdf · pat_id_2204       OK
14:14:07     unknown    login_attempt · ip 41.x.x.x    DENY

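
The three alert patterns named above (off-hours access, mass exports, repeated failed logins), as an added example of detection logic run over constructed audit records. This is not iSada's code; the line format, the 07:00-19:00 UTC business window and the burst thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Thresholds are assumptions for this example, not the vendor's tuning.
BUSINESS_HOURS_UTC = range(7, 19)        # 07:00-18:59 UTC counts as on-hours
EXPORT_LIMIT, EXPORT_WINDOW_S = 5, 600   # 5+ exports by one user within 10 minutes
LOGIN_LIMIT, LOGIN_WINDOW_S = 3, 300     # 3+ denied logins from one source within 5 minutes

SAMPLE_LINES = [  # constructed sample records, not data from any real system
    "2024-05-01T14:02:18Z dr.chen view_transcript·call_8421 OK",
    "2024-05-01T14:03:51Z recep.li export_pdf·pat_id_2204 OK",
    "2024-05-01T14:04:10Z recep.li export_pdf·pat_id_2205 OK",
    "2024-05-01T14:04:40Z recep.li export_pdf·pat_id_2206 OK",
    "2024-05-01T14:05:05Z recep.li export_pdf·pat_id_2207 OK",
    "2024-05-01T14:05:30Z recep.li export_pdf·pat_id_2208 OK",
    "2024-05-01T14:14:07Z unknown login_attempt·ip_41.x.x.x DENY",
    "2024-05-01T14:14:20Z unknown login_attempt·ip_41.x.x.x DENY",
    "2024-05-01T14:15:02Z unknown login_attempt·ip_41.x.x.x DENY",
    "2024-05-02T02:17:44Z dr.chen view_transcript·call_8430 OK",
]

def parse(line):
    """Split one constructed line 'ISO-time user action·target result' into fields."""
    ts, user, event, result = line.split(" ")
    action, _, target = event.partition("·")
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "action": action, "target": target, "result": result}

def burst(times, limit, window_s):
    """True if `limit` events fall inside some sliding window of window_s seconds."""
    times = sorted(times)
    return any((times[i + limit - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - limit + 1))

def detect(lines):
    """Return (rule, subject) alerts for the three patterns the page names."""
    alerts, exports, failed = [], defaultdict(list), defaultdict(list)
    for e in map(parse, lines):
        if e["result"] == "OK" and e["ts"].hour not in BUSINESS_HOURS_UTC:
            alerts.append(("off_hours_access", e["user"]))
        if e["result"] == "OK" and e["action"].startswith("export_"):
            exports[e["user"]].append(e["ts"])      # keyed by user for the mass-export check
        if e["action"] == "login_attempt" and e["result"] == "DENY":
            failed[e["target"]].append(e["ts"])     # keyed by source for the failed-login check
    alerts += [("mass_export", u) for u, t in exports.items()
               if burst(t, EXPORT_LIMIT, EXPORT_WINDOW_S)]
    alerts += [("repeated_failed_login", s) for s, t in failed.items()
               if burst(t, LOGIN_LIMIT, LOGIN_WINDOW_S)]
    return alerts
```

Because the logs are append-only, the same rules can be replayed over the retained history to verify that alerting would have fired for a past incident.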
Healthcare verticals

Industries we serve under HIPAA.

iSada is deployed across regulated healthcare practices throughout North America. If your specialty isn't listed, we likely still cover it.

Dental Clinics

Appointment booking, recall calls, after-hours coverage with full PHI safeguards.

Medspas

Consultation scheduling, treatment intake, and HIPAA-compliant follow-ups.

Veterinary Practices

Pet patient intake handled with the same controls as human PHI.

Therapists & Counselors

Mental-health intake calls with strict access controls and zero PHI in training.

Specialty Clinics

Cardiology, dermatology, fertility — specialty-aware intake scripts.

Wellness Centers

Chiropractic, acupuncture, holistic practices with healthcare-grade controls.

Need a BAA? Let's talk.

15-minute consultation with our healthcare team. We send the BAA the same day.