"Is it HIPAA compliant?" comes up in nearly every sales call within the first five minutes, and it's usually answered with a one-word "yes" that doesn't tell the practice anything useful. HIPAA isn't a certification a product earns once — it's a set of obligations that depend on what the product actually does with patient data, and who's accountable when something goes wrong.

Here's the version of the question we think practices should actually be asking, and how we answer each part of it.

1. Will you sign a BAA?

This is the real gate. A Business Associate Agreement is the legal instrument that makes a vendor accountable for how it handles protected health information on your behalf. If a vendor won't sign one, no amount of technical security detail matters — you have no contractual recourse.

Skrypt Health signs a BAA with every practice customer before going live, covering the AI voice agent, the Client Hub Portal, SMS workflows, and the PMS integration layer. It's available for legal review before you commit.

2. What happens to the data in transit and at rest?

Every piece of data exchanged between the AI and your practice — call content, patient demographics, appointment details — needs to be encrypted both while it's moving and while it's stored. We use TLS 1.3 in transit and AES-256 at rest, and the underlying infrastructure runs on SOC 2 Type II certified providers.

Compliance isn't a feature you turn on. It's a set of decisions about who can see what, and for how long.
3. Does the AI ever give medical advice?

This is the question that separates a compliant intake tool from a liability. An AI front desk should collect and route information — symptoms reported, urgency signals, callback details — not interpret or advise on them. Clinical judgment stays with your staff and providers, every time, without exception.

4. What about Canadian practices?

HIPAA only covers US practices. Canadian dental, veterinary, and medical practices fall under PHIPA in Ontario and equivalent provincial legislation elsewhere — PIPEDA federally, HIA in Alberta, and so on. The obligations are similar in spirit (consent, minimum-necessary access, breach notification) but the specific requirements and data residency expectations differ by province. We offer Canadian data residency on request and our BAA for Canadian practices reflects these provincial obligations specifically.

5. What happens if there's a breach?

Ask this before you need the answer. A vendor should be able to describe its incident response plan in specific terms: notification timelines, what a full incident report includes, and what cooperation with a regulatory investigation looks like. If the answer is vague, that's the answer.

The short version

"HIPAA compliant" as a marketing phrase means very little on its own. A signed BAA, encryption specifics you can name, a clear boundary around clinical advice, and a documented breach response are the four things worth actually verifying — for us or for anyone else you're evaluating.