Healthcare

HIPAA Compliance

Last updated: 10 February 2026

PhoneSteward is fully committed to HIPAA compliance. This page details how we protect Protected Health Information (PHI) through administrative, physical, and technical safeguards.

HIPAA Compliant · SOC 2 Type II · BAA Available · Annual Audits

1. Our Commitment to HIPAA

PhoneSteward understands that healthcare providers, dental practices, and related organisations must comply with the Health Insurance Portability and Accountability Act (HIPAA). We have built our platform and trained our team to meet the stringent requirements of HIPAA, ensuring your patients' Protected Health Information (PHI) is handled with the utmost care.

  • We act as a Business Associate under HIPAA when handling PHI on behalf of Covered Entities.
  • All healthcare accounts are provisioned with HIPAA-compliant configurations by default.
  • Our compliance programme is reviewed and updated annually by our Chief Information Security Officer.

2. Protected Health Information (PHI)

We recognise the sensitivity of PHI and have specific protocols for its handling:

  • What constitutes PHI — any individually identifiable health information transmitted or maintained by PhoneSteward, including patient names, phone numbers, appointment details, and medical information disclosed during calls.
  • Minimum necessary standard — our receptionists are trained to collect only the minimum information necessary to fulfil the purpose of the call (scheduling, message relay, triage).
  • No PHI in unencrypted channels — we never send PHI via standard email or SMS. All PHI is delivered through our encrypted dashboard or HIPAA-compliant integrations.

3. Business Associate Agreements

We execute a Business Associate Agreement (BAA) with every healthcare client:

  • A signed BAA is required before we begin handling any PHI on your behalf.
  • Our BAA outlines the permitted uses and disclosures of PHI, safeguards we maintain, and breach notification procedures.
  • We also maintain BAAs with all of our sub-contractors and service providers who may access PHI (cloud hosting, transcription services, etc.).
  • BAA templates are available upon request, or we can work with your legal team on custom agreements.

4. Administrative Safeguards

We maintain comprehensive administrative controls to protect PHI:

  • Security Officer — a designated HIPAA Security Officer oversees all compliance activities.
  • Workforce training — all receptionists and staff complete HIPAA training upon hire and annually thereafter, with additional training for healthcare-specific accounts.
  • Access management — role-based access controls ensure only authorised personnel can access PHI. Access is reviewed quarterly.
  • Sanction policy — employees who violate HIPAA policies face disciplinary action up to and including termination.
  • Risk assessments — we conduct comprehensive risk assessments annually, and following any significant change to our systems or processes.
  • Incident response plan — documented procedures for identifying, containing, and reporting security incidents involving PHI.

5. Physical Safeguards

Physical access to systems containing PHI is strictly controlled:

  • Secure facilities — our offices and data centres use keycard access, CCTV monitoring, and visitor logs.
  • Workstation security — all workstations used to access PHI have automatic screen locks, encrypted storage, and endpoint protection.
  • Device controls — removable media is prohibited on systems that access PHI. All company devices are remotely wipeable.
  • Clean desk policy — no PHI is stored in physical form. All call notes are digital and encrypted.

6. Technical Safeguards

Our technical infrastructure is designed to protect PHI at every layer:

  • Encryption — all PHI is encrypted in transit (TLS 1.3) and at rest (AES-256). Encryption keys are managed through AWS KMS with annual rotation.
  • Access controls — multi-factor authentication required for all systems accessing PHI. Session timeouts enforce re-authentication.
  • Audit logging — all access to PHI is logged with timestamps, user identity, and action performed. Logs are retained for 6 years and monitored for anomalies.
  • Automatic logoff — dashboard sessions time out after 15 minutes of inactivity for HIPAA accounts.
  • Integrity controls — checksums and version control ensure PHI is not improperly altered or destroyed.
  • Network security — PHI systems are isolated in dedicated VPCs with strict security group rules and intrusion detection.

7. Call Handling for Healthcare

Our receptionists follow healthcare-specific protocols:

  • HIPAA-trained agents — only receptionists who have completed healthcare-specific training handle calls for medical accounts.
  • Verification protocols — caller identity is verified before disclosing any appointment or health information.
  • Emergency escalation — urgent medical calls are escalated immediately per your practice's emergency protocols.
  • Appointment scheduling — appointments are booked through HIPAA-compliant integrations with your practice management system.
  • Message delivery — messages containing PHI are delivered only through encrypted channels (dashboard, HIPAA-compliant EHR integrations).

8. Breach Notification

In the unlikely event of a data breach involving PHI, we follow strict notification procedures:

  • We will notify you of any breach of unsecured PHI within 24 hours of discovery — well within the HIPAA-required 60-day window.
  • Notification includes: a description of the breach, types of PHI involved, steps taken to mitigate harm, and recommended actions.
  • We cooperate fully with your breach investigation and response activities.
  • We maintain cyber liability insurance that covers costs associated with breach response, including notification and credit monitoring for affected individuals.

9. Audits & Certifications

We subject ourselves to regular independent assessments:

  • SOC 2 Type II — annual audit covering security, availability, and confidentiality controls.
  • HIPAA compliance assessment — annual third-party assessment against all HIPAA Security Rule requirements.
  • Penetration testing — quarterly penetration tests conducted by independent security firms.
  • Vulnerability scanning — continuous automated scanning of all systems with remediation SLAs (critical: 24 hours, high: 7 days).
  • Audit reports and certifications are available to customers under NDA upon request.

10. Your Responsibilities

HIPAA compliance is a shared responsibility. As a Covered Entity, you are responsible for:

  • Executing a BAA with PhoneSteward before we handle PHI on your behalf.
  • Providing accurate call handling instructions that comply with HIPAA requirements.
  • Configuring your account settings appropriately (retention periods, access controls, etc.).
  • Notifying us of any changes to your HIPAA compliance requirements or policies.
  • Ensuring your own systems and practices comply with HIPAA when receiving data from PhoneSteward.

Need a BAA or have compliance questions?

Our compliance team can provide BAAs, audit reports, and detailed answers to your security questionnaires. We're happy to work with your compliance officer.

compliance@phonestewart.com

Response within 1 business day