Built for healthcare. From day one.
Every line of PracticeIQ is built around the assumption that PHI is the most sensitive thing your practice handles. HIPAA-ready architecture, BAA signable on every paid plan, audit-logged end-to-end.
Administrative, physical, and technical safeguards designed to meet 45 C.F.R. §§ 164.308, 164.310, 164.312.
We sign a Business Associate Agreement with every Covered Entity customer. Template available on request.
AES-256 on every database. TLS 1.2+ enforced via HSTS on every endpoint. No PHI in URL parameters.
Every PHI access logged with actor, action, resource, timestamp, and result — retained 6 years per § 164.316(b)(2)(i).
RLS enabled on every PHI table. Anonymous keys cannot read PHI. Service-role keys never touch the client.
HMAC-verified inbound from Twilio, Vapi, and Stripe. Internal-token auth on every privileged endpoint.
What we actually do.
- Designated Security Officer + HIPAA Privacy Officer
- Workforce confidentiality agreements + annual HIPAA training
- Documented incident response runbook
- Annual risk assessment of every system handling PHI
- PHI hosted on HIPAA-eligible cloud only (Supabase, Vercel, Twilio, Vapi, Resend)
- BAA signed with every subprocessor
- No on-premise PHI storage
- Workstation full-disk encryption (FileVault / BitLocker), 5-min auto-lock, MFA
- Unique user identification on every authenticated API call
- Automatic session expiry after 30 minutes
- AES-256 encryption at rest, TLS 1.2+ in transit
- HMAC-SHA1 webhook verification (Twilio), custom-secret verification (Vapi)
- Internal-token auth on every PHI-touching endpoint
- Rate limiting on public endpoints to block abuse
Every vendor that touches PHI.
Listed publicly. BAA signed. Customers notified 30 days before any change.
| Subprocessor | Purpose | BAA | Region |
|---|---|---|---|
| Vapi | Voice AI orchestration | Signed | US |
| Twilio | SMS + voice (PSTN) | Signed | US |
| Google Vertex AI | LLM inference (fallback) | Signed | US |
| OpenAI | LLM inference (primary) | Requested 2026-04-20 | US |
| Anthropic | LLM inference (reasoning) | Requested 2026-04-20 | US |
| Supabase | Database, auth (pilot) | Team-tier upgrade at customer #1 | US East |
| AWS | Migration target (by 2026-05-04) | BAA via AWS Artifact | US East |
| Vercel | Current hosting (migrating off) | Not BAA-eligible on Pro — migrating to AWS 2026-05-04 | Global |
| AWS SES | Transactional email (planned) | BAA via AWS Artifact on migration | US |
| Resend | Retired (being replaced by AWS SES) | Not BAA-eligible — retired from PHI paths | — |
| Stripe | Billing (no PHI) | N/A — no PHI | US |
Full subprocessor list also at practiceiq.ai/legal/subprocessors. BAA-pending vendors do not receive PHI until their BAA is executed; during the gap, PHI traffic routes exclusively through vendors with signed BAAs (Vapi, Twilio, Google Vertex). The AWS migration, scheduled for the weekend of 2026-05-04, eliminates the Vercel gap.
If something goes wrong.
- Automated alerts + Security Officer paged
- Credentials rotated, attack vector isolated
- Audit log walked, scope + root cause documented
- Covered Entity notified per § 164.410(c)
- Code fix shipped, post-mortem published
Breach notification to affected Covered Entities within 30 calendar days of discovery, per BAA § 4.4. For breaches affecting 500+ individuals, HHS Secretary notified within 60 days.
Where we are.
Customers requiring SOC 2 or HITRUST documentation today can request our current security questionnaire response.
Need our BAA before you sign?
Email christian@practiceiq.tech and we'll send the template within one business day. Real signature follows real contract.