HIPAA Compliance

Our Certifications

Built on a secure foundation

Our infrastructure and processes are designed to meet the rigorous standards required by healthcare providers operating under HIPAA.

SOC 2 Type II Infrastructure

Hosted on AWS, which maintains SOC 2 Type II, ISO 27001, and FedRAMP certifications.

AES-256 Encryption at Rest

All stored data including call recordings, transcripts, and PHI is encrypted using AES-256.

TLS 1.2+ in Transit

All data transmitted between your systems, callers, and PalmRoute is encrypted in transit.

Role-Based Access Controls

Access to PHI is restricted to authorized personnel only, with full audit logging of all access events.

Business Associate Agreement

We execute a HIPAA-compliant BAA with every healthcare provider client upon request.

Annual Security Audits

Independent third-party penetration testing and security audits performed annually.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law that establishes national standards for the protection of individuals' medical records and other individually identifiable health information. It applies to:

Covered Entities: Healthcare providers, health plans, and healthcare clearinghouses that transmit health information electronically.
Business Associates: Service providers (like PalmRoute) that handle Protected Health Information (PHI) on behalf of covered entities.

HIPAA sets requirements for administrative, physical, and technical safeguards to protect the privacy and security of PHI. The HITECH Act strengthened HIPAA enforcement and extended certain obligations to business associates.

If you are a covered entity (e.g., medical practice, dental office, physical therapist, mental health provider) using PalmRoute to handle patient calls or appointment data, HIPAA applies to our relationship — and you need a BAA before processing PHI through our platform.

What Counts as Protected Health Information (PHI)

PHI is any individually identifiable health information — transmitted or maintained in any form — that relates to:

The past, present, or future physical or mental health condition of an individual.
The provision of healthcare to an individual.
The past, present, or future payment for healthcare services.

This includes 18 specific identifiers when combined with health information, such as:

Names, addresses, phone numbers, email addresses
Dates (birth, admission, discharge, appointment)
Social Security numbers, account numbers, medical record numbers
Device identifiers, IP addresses, biometric identifiers
Full-face photographs or comparable images
Any other unique identifying number or code

When patients call your practice through PalmRoute's AI assistant and share appointment requests, symptoms, or any health-related information, that data may constitute PHI and must be handled in accordance with HIPAA.

PalmRoute's Role as a Business Associate

When you use PalmRoute to handle calls for a healthcare practice, PalmRoute acts as a Business Associate under HIPAA. This means:

We create, receive, maintain, or transmit PHI on your behalf.
We are contractually and legally obligated to protect that PHI to HIPAA standards.
We must execute a Business Associate Agreement (BAA) with you before processing PHI.
We are directly liable for HIPAA violations related to our handling of PHI.

PalmRoute will not use or disclose PHI except as permitted by the BAA and as required by law. We will not sell PHI or use it for marketing or advertising purposes.

Business Associate Agreement (BAA)

A Business Associate Agreement is a legally required contract between a covered entity and its business associate. Our BAA covers:

Permitted and required uses and disclosures of PHI by PalmRoute.
PalmRoute's obligations to implement appropriate safeguards.
Requirements to report any breach or improper use of PHI.
Provisions ensuring sub-processors also comply with HIPAA.
Obligations upon termination of the agreement.

How to get a BAA:
Email us at hipaa@palmroute.com with subject line "BAA Request" and include your practice name, contact information, and NPI number. We will send you a pre-signed BAA within 2 business days. No fees are charged for BAA execution.

Our BAA template is available upon request and is consistent with the DHHS model BAA provisions. You may propose modifications, and we will work with you to reach an agreement appropriate for your practice.

Technical & Administrative Security Safeguards

Technical Safeguards

Encryption at Rest

All PHI stored using AES-256 encryption. Encryption keys are managed separately from encrypted data.

Encryption in Transit

All communications secured with TLS 1.2 or higher. HSTS enforced on all web endpoints.

Access Controls

Role-based access controls, multi-factor authentication required for all internal staff, principle of least privilege enforced.

Audit Logging

All access to PHI is logged with user identity, timestamp, and action. Logs are retained for 6 years.

Backup & Redundancy

Daily encrypted backups stored in geographically separate AWS regions. 99.9% uptime SLA.

Vulnerability Management

Continuous vulnerability scanning, annual penetration testing by independent security firms, rapid patching protocols.

Administrative Safeguards

Designated Privacy & Security Officer: PalmRoute has a designated HIPAA Privacy Officer and Security Officer responsible for compliance oversight.
Employee training: All PalmRoute employees who may access PHI receive HIPAA training at onboarding and annually thereafter.
Risk assessments: We conduct annual HIPAA risk assessments to identify and address potential vulnerabilities.
Sanction policy: Employees who violate HIPAA policies are subject to disciplinary action up to and including termination.
Contingency planning: Documented and tested disaster recovery and business continuity plans.

Physical Safeguards

PalmRoute's infrastructure is hosted in AWS data centers with SOC 2 Type II physical security controls, including biometric access, 24/7 security personnel, and surveillance systems.
Employee workstations used to access PHI are encrypted, managed via MDM, and subject to automatic lock policies.
No PHI is stored on physical media outside of encrypted, managed devices.

Sub-Processors Handling PHI

PalmRoute uses the following sub-processors that may process PHI when you have an active BAA with us. Each sub-processor has executed a HIPAA-compliant BAA with PalmRoute:

Sub-Processor	Purpose	Location
Amazon Web Services (AWS)	Cloud hosting & storage	USA
Twilio	Voice & SMS communications	USA
SendGrid	Transactional email delivery	USA
Stripe	Payment processing (billing only, no PHI)	USA

We will notify you of any changes to our sub-processor list at least 30 days in advance. You may object to any new sub-processor by terminating your subscription within that 30-day window.

Breach Notification

In the event of a breach of unsecured PHI, PalmRoute will:

Notify you promptly — within 60 days of discovering the breach (or sooner as required), or without unreasonable delay if less than 60 days.
Provide a written notice including: the nature of the PHI involved, the individuals affected, the circumstances of the breach, steps taken to mitigate harm, and our remediation actions.
Cooperate with your breach investigation and notification obligations to HHS and affected individuals.
Maintain breach documentation for a minimum of 6 years.

To report a suspected breach or security incident, contact our Security team immediately at security@palmroute.com or call +1 (555) 823-4567.

Supporting Patient Rights

HIPAA grants patients certain rights over their PHI. As your business associate, PalmRoute will support you in honoring these rights:

Right of Access: We can provide exports of call recordings and transcripts involving a specific patient within 30 days of your request.
Right to Amendment: We can update or annotate records in our system at your direction.
Right to Accounting of Disclosures: We maintain logs of all PHI disclosures that we are required to account for under HIPAA.
Right to Restriction: We will honor restrictions on PHI use that you communicate to us in writing.

Patients should direct all privacy requests to your practice directly. We will support you in fulfilling those requests within required timeframes.

Approved Healthcare Use Cases

With an executed BAA, PalmRoute's AI can support your healthcare practice with:

Patient appointment scheduling and rescheduling via inbound calls
Appointment reminder SMS and email (with appropriate patient consent)
Prescription refill request intake routing
Insurance information collection (name, ID number, group number)
General FAQs (hours, location, directions, accepted insurance)
Post-visit satisfaction surveys (with appropriate opt-in)
Staff scheduling and coordination (internal only, no PHI)

Not Recommended Without Legal Review: Using AI to deliver or discuss clinical advice, diagnoses, medication changes, or urgent medical guidance is outside PalmRoute's intended use case and may raise additional regulatory concerns beyond HIPAA. Consult legal counsel before deploying AI for clinical decision support.

Contact Us & Request a BAA

For all HIPAA-related inquiries, BAA requests, breach reports, or compliance questions:

PalmRoute LLC — Privacy & Compliance Officer
Email: hipaa@palmroute.com
Security incidents: security@palmroute.com
Phone: +1 (555) 823-4567
Address: 123 Brickell Avenue, Suite 400, Miami, FL 33131

BAA turnaround: 2 business days from initial request.

Additional HIPAA resources: