HIPAA Compliance

How NephroAssist protects patient information and maintains healthcare compliance.

Last updated: January 21, 2026

NephroAssist is committed to maintaining the highest standards of data protection and HIPAA compliance. Our AI tools are built from the ground up with healthcare security requirements in mind.

Our Commitment to Compliance

As a technology provider serving healthcare practices, we understand the critical importance of protecting patient information. We operate as a Business Associate under HIPAA and maintain appropriate administrative, physical, and technical safeguards to protect electronic protected health information (ePHI).

Business Associate Agreements

We provide Business Associate Agreements (BAAs) to all covered entity clients. Our BAA:

  • Defines our responsibilities as a Business Associate
  • Specifies permitted uses and disclosures of PHI
  • Outlines security obligations and breach notification procedures
  • Addresses subcontractor requirements
  • Establishes termination provisions

To request a BAA, contact us at compliance@nephroassist.com.

Infrastructure Security

NephroAssist services are hosted on AWS HIPAA-eligible infrastructure:

  • Data encryption: All data is encrypted at rest (AES-256) and in transit (TLS 1.2+)
  • Access controls: Role-based access with multi-factor authentication
  • Network security: Firewalls, intrusion detection, and DDoS protection
  • Physical security: Infrastructure runs on SOC 2 Type II certified AWS data centers
  • Backup and recovery: Regular backups with tested disaster recovery procedures

Product-Specific Compliance

PatientAssist

Our patient chatbot is designed with privacy as a priority:

  • Does not collect, store, or process PHI by default
  • Two-stage PHI detection: Regex patterns and LLM-based detection work together to prevent patients from accidentally sharing sensitive health information in chat
  • Answers general practice questions (locations, hours, insurance) without requiring patient identification
  • Conversations are not linked to patient records
  • No clinical advice or diagnosis is provided

Staff Assist

Our internal knowledge base for practice staff:

  • Contains practice policies and protocols, not individual patient data
  • Access restricted to authenticated practice staff
  • Audit logging of all queries and access
  • Role-based permissions for sensitive operational content

FaxAssist

Our fax processing tool handles PHI and includes enhanced protections:

  • PHI is processed on HIPAA-eligible AWS infrastructure
  • Data is encrypted at all stages of processing
  • Human verification required before data enters practice systems
  • Comprehensive audit trails for all document processing
  • Automatic data retention policies per client requirements
  • Secure deletion upon request or agreement termination

VoiceAssist

Our voicemail transcription and routing tool handles PHI and includes enhanced protections:

  • Voicemail audio and transcriptions processed on HIPAA-eligible AWS infrastructure
  • Two-stage PHI detection: Regex and LLM-based detection scrub sensitive data from routing summaries and notifications
  • Audio files encrypted at rest (AES-256) and in transit (TLS 1.2+)
  • Staff review required before any clinical action is taken
  • Comprehensive audit trails for all voicemail processing, routing, and staff actions
  • Automatic data retention policies per client requirements
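The "two-stage PHI detection" named above for PatientAssist and VoiceAssist is a regex pass followed by a classifier pass. The following is an added illustration of that pattern, not NephroAssist's own code: the first stage redacts identifier formats that regular expressions match reliably (SSN, phone, date of birth, e-mail, and an assumed MRN format), and the second stage is a pluggable screen that decides whether the residual text still carries health information, in which case the routing summary is withheld rather than delivered. The LLM classifier is stood in for by a constructed keyword heuristic so the example runs offline; the sample transcripts and the MRN format are constructed.

```python
import re
from typing import Callable, Dict, Tuple

# Stage 1: identifier formats that are cheap and reliable to match with regex.
# The MRN format is an assumption for this example; real practices differ.
PHI_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # (?<!\w) instead of \b so a leading "(" in "(555) 123-4567" still matches
    "phone": re.compile(r"(?<!\w)\(?\d{3}\)?[-.\s]?\d{3}[-.\s]\d{4}\b"),
    "dob": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,10}\b", re.IGNORECASE),
}

# Stage 2 stand-in: a constructed keyword list replaces the LLM classifier
# for this offline example. It answers one question: does the text still
# look like it discusses a patient's health?
HEALTH_KEYWORDS = ("dialysis", "lab", "diagnos", "prescri", "medication", "result")


def regex_scrub(text: str) -> Tuple[str, Dict[str, int]]:
    """Replace each matched identifier with a bracketed label; report counts."""
    counts: Dict[str, int] = {}
    for label, pattern in PHI_PATTERNS.items():
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return text, counts


def keyword_screen(text: str) -> bool:
    """Stand-in second stage: True if residual text still looks clinical."""
    lowered = text.lower()
    return any(k in lowered for k in HEALTH_KEYWORDS)


def two_stage_scrub(
    text: str, second_stage: Callable[[str], bool] = keyword_screen
) -> Tuple[str, Dict[str, int], bool]:
    """Return (text safe for a notification, regex counts, withheld flag).

    Fails closed: if the second stage still sees health information after
    regex redaction, the summary is withheld from the notification and the
    recipient is pointed at the secured original instead.
    """
    scrubbed, counts = regex_scrub(text)
    if second_stage(scrubbed):
        notice = "[summary withheld: possible health information; open the original in the secure queue]"
        return notice, counts, True
    return scrubbed, counts, False


# Constructed sample transcripts (no real people or numbers).
SAMPLE_CLINICAL = (
    "Hi, this is Maria Gonzalez, DOB 03/14/1962, MRN 0048213, calling about my "
    "dialysis labs. Call me back at (555) 123-4567 or maria.g@example.com. "
    "My SSN is 123-45-6789."
)
SAMPLE_BENIGN = (
    "Hi, this is the pharmacy on Main Street, our fax line is 555-987-6543, "
    "please resend."
)

if __name__ == "__main__":
    for sample in (SAMPLE_CLINICAL, SAMPLE_BENIGN):
        out, found, withheld = two_stage_scrub(sample)
        print(f"withheld={withheld} found={found}\n  {out}\n")
```

The regex stage alone is not sufficient: names and free-text clinical content ("my dialysis labs") survive it, which is exactly why the page describes a second, model-based stage. Treating the second stage's verdict as "withhold" rather than "try to rewrite" keeps the notification path fail-closed, and the regex counts give an auditable record of what was redacted without logging the values themselves.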

Administrative Safeguards

We maintain comprehensive administrative controls including:

  • Security Officer: Designated privacy and security officers
  • Workforce training: Annual HIPAA training for all employees
  • Access management: Minimum necessary access principle
  • Incident response: Documented breach response procedures
  • Risk assessments: Regular security risk analyses
  • Vendor management: Due diligence and BAAs with subcontractors

Technical Safeguards

  • Unique user identification: Individual accounts for all users
  • Automatic logoff: Session timeouts for inactive users
  • Audit controls: Logging of system access and activities
  • Integrity controls: Audit hash chain ensures data integrity—every action is cryptographically linked to the previous one, making tampering detectable
  • Transmission security: Encrypted data transmission
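The "audit hash chain" integrity control above means each audit entry carries the hash of the entry before it, so any later edit or removal of an interior entry breaks the chain at that point. The block below is an added illustration of how such a chain is built and verified; it is not NephroAssist's implementation, and the entry fields (seq, ts, actor, action, resource) and the sample actions are constructed for the example.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional

GENESIS_HASH = "0" * 64  # prev_hash recorded by the very first entry


def _canonical(body: Dict[str, Any]) -> bytes:
    """Deterministic serialization so an entry always hashes the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_entry(chain: List[Dict[str, Any]], actor: str, action: str,
                 resource: str, ts: str = "") -> Dict[str, Any]:
    """Append an audit entry whose hash covers its fields and the previous hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    body = {
        "seq": len(chain),        # position in the chain; detects interior deletion
        "ts": ts,                 # timestamp string (constructed/empty in this example)
        "actor": actor,
        "action": action,
        "resource": resource,
        "prev_hash": prev_hash,   # the cryptographic link to the previous entry
    }
    entry = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict[str, Any]]) -> Optional[int]:
    """Return the index of the first bad entry, or None if the chain is intact."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev_hash") != prev_hash:
            return i  # an entry was removed, reordered, or its link rewritten
        if hashlib.sha256(_canonical(body)).hexdigest() != entry.get("hash"):
            return i  # the entry's own fields were modified after the fact
        prev_hash = entry["hash"]
    return None


def tail_anchor(chain: List[Dict[str, Any]]) -> str:
    """Hash of the latest entry, to be stored outside the log (e.g. exported)."""
    return chain[-1]["hash"] if chain else GENESIS_HASH


def check_anchor(chain: List[Dict[str, Any]], anchor: str) -> bool:
    """True if the chain is intact and still ends at the previously anchored hash."""
    return verify_chain(chain) is None and tail_anchor(chain) == anchor


if __name__ == "__main__":
    log: List[Dict[str, Any]] = []
    append_entry(log, "dr.smith", "view", "fax/123")      # constructed actions
    append_entry(log, "nurse.lee", "route", "voicemail/456")
    append_entry(log, "nurse.lee", "delete", "fax/123")
    anchor = tail_anchor(log)
    print("intact:", verify_chain(log))                    # None

    edited = [dict(e) for e in log]
    edited[1]["actor"] = "admin"
    print("edited entry detected at:", verify_chain(edited))   # 1

    removed = log[:1] + log[2:]
    print("removed entry detected at:", verify_chain(removed))  # 1

    truncated = log[:2]
    print("truncation alone:", verify_chain(truncated),         # None
          "but anchor check:", check_anchor(truncated, anchor))  # False
```

Two properties worth noting for anyone evaluating such a control: the chain detects modification, reordering, and deletion of interior entries, but silently dropping the newest entries leaves a valid shorter chain. That is why `tail_anchor` exists: periodically recording the latest hash somewhere the log writer cannot alter (a separate store, a signed export) turns truncation into a detectable event as well. A keyed MAC or digital signature over each entry, rather than a plain hash, is the usual next step when the party writing the log is itself in scope for tampering.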

Breach Notification

In the event of a security incident involving PHI, we will:

  • Notify affected covered entities without unreasonable delay
  • Provide information necessary for breach reporting
  • Cooperate with investigation and remediation efforts
  • Document incidents and corrective actions

Your Responsibilities

While we maintain robust security measures, HIPAA compliance is a shared responsibility. As a covered entity using our services, you are responsible for:

  • Ensuring your use of our services complies with HIPAA
  • Training your workforce on proper use of our tools
  • Maintaining appropriate access controls for your staff
  • Reporting any suspected security incidents promptly
  • Configuring services according to your compliance requirements

Certifications and Audits

Our security posture is validated through:

  • Infrastructure hosted on SOC 2 Type II certified AWS data centers
  • Regular third-party security assessments
  • Penetration testing
  • Continuous vulnerability scanning

Contact Us

For questions about our HIPAA compliance program or to request a BAA:

Ready to learn more?

Schedule a call with our team to discuss your compliance requirements and how NephroAssist can support your practice.