HIPAA Compliance

Last updated: February 23, 2026

HelperCraft.ai is committed to protecting the privacy and security of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act. This page outlines the measures we take to ensure compliance.

1. Our Role

When HelperCraft.ai processes patient communications on behalf of a medical or dental practice, we act as a Business Associate as defined by HIPAA. We execute a Business Associate Agreement (BAA) with each client practice before accessing any PHI.

2. Administrative Safeguards

  • Designated privacy and security officers responsible for HIPAA compliance
  • Workforce training on HIPAA requirements and PHI handling procedures
  • Documented policies and procedures for PHI access, use, and disclosure
  • Regular risk assessments to identify and mitigate vulnerabilities
  • Incident response procedures for potential breaches, including the required notification timelines

3. Technical Safeguards

  • Encryption in transit — All data is transmitted over TLS 1.2+ encrypted connections
  • Encryption at rest — PHI is encrypted with AES-256 when stored
  • Access controls — Role-based access with multi-factor authentication for all systems handling PHI
  • Audit logging — Comprehensive logs of all PHI access and modifications
  • Automatic session termination — Inactive sessions are automatically terminated

4. Physical Safeguards

HelperCraft.ai infrastructure is deployed on HIPAA-eligible cloud services that maintain SOC 2 Type II, ISO 27001, and PCI DSS compliance across their data centers. We do not maintain physical servers. All patient data processing occurs within those HIPAA-eligible cloud environments, which provide physical security for the underlying data centers, and every service in the processing chain is covered under a Business Associate Agreement.

5. AI Processing and PHI

When our AI systems process patient communications:

  • PHI is processed in memory and not stored beyond what is necessary to complete the requested operation
  • AI models are accessed through HIPAA-eligible services under Business Associate Agreements that prohibit the use of input data for model training
  • Patient data is never used to train, fine-tune, or improve general-purpose AI models
  • All AI-generated drafts are subject to human review by authorized practice staff before being sent to patients

6. Minimum Necessary Standard

We adhere to the HIPAA Minimum Necessary Standard. Our systems are designed to access, use, and disclose only the minimum amount of PHI required to fulfill the specific service being provided. Practice-level configurations control what data each AI system can access.

7. Business Associate Agreements

We require a signed BAA with every client practice before processing any PHI. Our BAAs cover:

  • Permitted uses and disclosures of PHI
  • Safeguards we implement to prevent unauthorized use or disclosure
  • Breach notification requirements and timelines
  • Data return and destruction obligations upon termination
  • Subcontractor compliance requirements

8. Breach Notification

In the event of a breach of unsecured PHI, we will:

  • Notify the affected client practice without unreasonable delay and no later than 60 calendar days after discovery
  • Provide all information required for the practice to fulfill its notification obligations to affected individuals and HHS
  • Cooperate fully with any investigation and remediation efforts

9. Subcontractors

All subcontractors and third-party service providers who may access PHI on our behalf are required to enter into BAAs and maintain equivalent security standards. Current subprocessors include:

  • HIPAA-eligible cloud infrastructure providers (covered under BAAs)
  • HIPAA-eligible AI model services (with agreements prohibiting training on input data)
  • Email and calendar integration services

A detailed list of subprocessors is available upon request as part of the BAA process.

10. Your Rights

As a covered entity, your practice retains all obligations to patients regarding their rights under HIPAA, including the right to access, amend, and receive an accounting of disclosures of their PHI. We will assist you in fulfilling these obligations upon request.

11. Contact

For questions about our HIPAA compliance practices or to request a copy of our BAA, contact us at compliance@helpercraft.ai.