Compliance /hipaa

HIPAA & PHIPA Compliant AI Receptionist

Skrypt Health is built for healthcare from the ground up. Every practice customer gets a signed Business Associate Agreement, all patient data is encrypted in transit and at rest, and our AI accesses only the minimum data required to complete each workflow.

Book a demo → Ask a compliance question

Compliance at a glance

What every Skrypt Health customer gets.

Business Associate Agreement (BAA)

We sign a BAA with every practice customer before going live. The BAA covers all Skrypt Health services and is available for review during your onboarding call.

Encryption in transit and at rest

All data exchanged between Skrypt Health and your practice — call content, patient demographics, appointment details — is encrypted using TLS 1.3 in transit and AES-256 at rest.

Minimum necessary access

Skrypt Health reads and writes only the specific fields required to complete each workflow. The AI does not store protected health information beyond active workflow context.

PHIPA compliance for Canadian practices

Canadian dental, veterinary, and medical practices are covered under PHIPA (Ontario) and equivalent provincial legislation. Data residency options available for Canadian customers.

No training on patient data

Patient data collected through Skrypt Health is never used to train AI models. Your patients' information is used solely to execute the workflows you configure.

Audit logs and access controls

Every AI action — calls answered, appointments booked, data accessed — is logged in your Client Hub Portal with timestamp, workflow type, and outcome. Role-based access controls restrict portal access to authorized staff.

Clinical guardrails

The AI never gives medical advice.

Skrypt Health is a front-office operations platform, not a clinical decision support tool. The AI answers scheduling, intake, insurance, and administrative questions. It does not diagnose, recommend treatments, advise on medications, or interpret clinical information.

Urgent cases escalated immediately

Calls with clinical urgency indicators — severe pain, trauma, difficulty breathing — are immediately transferred to a staff member or on-call line. The AI does not attempt to triage these cases.

Prescription questions go to your team

Medication, prescription, and clinical protocol questions are routed directly to your licensed staff. Skrypt Health collects the question and caller details, then escalates — it does not attempt to answer clinical questions.

Configurable escalation thresholds

You control what the AI handles and what it transfers. Escalation triggers are configured during onboarding and can be adjusted at any time through your Client Hub Portal.

FAQ

Common compliance questions.

Do you sign a Business Associate Agreement?

Yes — a signed BAA is a requirement before any Skrypt Health deployment at a healthcare practice. We provide the BAA document during onboarding, and it covers all services within the Skrypt Health platform including the AI voice agent, Client Hub Portal, SMS workflows, and PMS integration layer. The BAA is available for legal review before you commit to going live.

Where is patient data stored?

Active workflow data is processed in secure cloud infrastructure with SOC 2 Type II certified providers. For Canadian practices requiring PHIPA-compliant data residency, we offer Canadian data residency on request. Call recordings, if enabled, are stored encrypted and accessible only through your Client Hub Portal by authorized staff. Retention periods are configurable and align with your practice's data retention policy.

Is Skrypt Health suitable for practices subject to PIPEDA or provincial health privacy laws?

Yes. Skrypt Health's data handling practices are designed to comply with PIPEDA, PHIPA (Ontario), HIA (Alberta), and equivalent provincial health privacy legislation across Canada. Our BAA for Canadian practices reflects these specific obligations. We recommend that your privacy officer review the BAA and data processing addendum prior to deployment — we provide these documents proactively during onboarding.

What happens in the event of a data breach?

Skrypt Health maintains an incident response plan that meets HIPAA Breach Notification Rule requirements. In the event of a breach involving protected health information, we notify affected practice customers within the timeframes required by applicable law, provide a full incident report, and cooperate with any regulatory investigation. Our BAA specifies these obligations in detail.