Healthcare customers: BAA required before processing patient data.
A Business Associate Agreement (BAA) is required before using the AI Receptionist with patient data. Using Agentifiq's platform with patient information prior to executing a BAA is a violation of our Terms of Service and may constitute a HIPAA violation for your organization. Contact legal@agentifiq.com to execute your BAA.
Our Approach to Healthcare Data
Agentifiq takes the privacy and security of healthcare information seriously. We have designed our platform with healthcare use cases in mind, recognizing that many of our customers operate in regulated industries where the handling of patient information is subject to strict federal and state requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and associated regulations including the HITECH Act and the HIPAA Omnibus Rule.
This notice describes how Agentifiq approaches HIPAA compliance, the roles and responsibilities of Agentifiq and healthcare tenants under HIPAA, the technical safeguards we have implemented, and the obligations that healthcare tenants must fulfill before and during their use of the platform with patient data.
This notice does not constitute legal advice. Healthcare organizations should consult with qualified legal counsel to assess their specific HIPAA compliance obligations and to confirm that their use of Agentifiq's platform is consistent with their HIPAA compliance program.
What We Are: Business Associate Status
Under HIPAA, the relationship between technology vendors and healthcare organizations is governed by the distinction between Covered Entities and Business Associates:
Covered Entities
Covered Entities under HIPAA include healthcare providers that transmit health information electronically (such as physician practices, hospitals, and clinics), health plans, and healthcare clearinghouses. If your organization is a Covered Entity, you have primary responsibility for HIPAA compliance in your operations and for any Business Associate relationships you enter into.
Agentifiq as Business Associate
Agentifiq is a Business Associate under HIPAA when it creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a Covered Entity in the course of providing its services. When you deploy Agentifiq's AI Receptionist for a healthcare practice, and patient information is communicated during AI Receptionist calls or SMS interactions, Agentifiq may encounter PHI in the course of providing the service.
Agentifiq is not itself a Covered Entity. We are a technology platform provider. We do not have independent obligations to patients as a healthcare provider or health plan. Our HIPAA obligations arise from our role as a Business Associate and are defined by the Business Associate Agreement (BAA) we execute with each healthcare tenant.
Not all Agentifiq deployments involve PHI.
If you use Agentifiq for a non-healthcare business or for healthcare administrative functions that do not involve patient health information (such as general scheduling not tied to clinical care), a BAA may not be required. Contact us to discuss your specific use case.
Business Associate Agreement (BAA) Availability
Business Associate Agreements are available to healthcare customers on the following subscription plans:
- Professional Plan: BAA available upon request. Agentifiq's standard BAA will be provided and is executable without modification for standard deployment configurations.
- Enterprise Plan: BAA available, with the option to negotiate terms where required by your organization's legal counsel. Allow additional lead time for custom BAA review.
- Starter Plan: BAA is not available on the Starter plan. Healthcare organizations handling PHI must upgrade to Professional or Enterprise before deploying the AI Receptionist with patient data.
To initiate the BAA process, contact our legal team at legal@agentifiq.com with the subject line "BAA Request." Please include your organization name, subscription plan, and a brief description of your intended use case. We will respond within 3 business days.
The BAA must be fully executed (signed by authorized representatives of both Agentifiq and your organization) before any patient data is processed through the platform. Executing a BAA is a prerequisite, not a concurrent step.
Subcontractors and Downstream Business Associates
Agentifiq may engage subcontractors who provide services that involve access to PHI on our behalf (such as cloud infrastructure providers and telecommunications carriers). We enter into Business Associate Agreements with all such subcontractors as required by the HIPAA Omnibus Rule. A list of our current HIPAA subcontractors is available upon request from healthcare customers who have executed a BAA with us.
How We Handle PHI
Agentifiq's design philosophy for healthcare data is to process PHI transiently and minimize its persistence, while providing tenants with configurable retention options to meet their operational needs.
Transient Processing
During a call handled by the AI Receptionist, speech is transcribed in real time using secure, encrypted connections. The AI processes the transcript to understand caller intent, respond appropriately, and take actions such as scheduling appointments. This processing occurs transiently — the raw audio stream is not stored by Agentifiq unless logging is explicitly enabled by the tenant in their platform settings.
Call Summaries and Transcripts
After a call concludes, the AI Receptionist generates a post-call summary that may include information communicated during the call. If a patient communicated health-related information during the call (such as a symptom, a medication name, or a reason for an appointment), that information may appear in the call summary. Call summaries are stored in the tenant's Agentifiq environment and are subject to the data retention configuration set by the tenant.
Default data retention for call summaries and transcripts is 90 days. Healthcare tenants may configure this to a shorter period, including 0 days (immediate deletion), through the platform's data retention settings or by contacting our support team. Tenants requiring immediate deletion of PHI after processing can configure the AI Receptionist to suppress post-call summary storage.
No Use of PHI for AI Training
Agentifiq does not use Protected Health Information encountered during the operation of the platform to train, fine-tune, or otherwise improve AI or machine learning models. This commitment is absolute and is reflected in our BAA. Aggregate, de-identified usage statistics that do not contain PHI may be used for product improvement purposes.
EHR Integration
Agentifiq's AI Receptionist does not access Electronic Health Record (EHR) systems by default. EHR integration is only available when explicitly configured by a healthcare tenant through an MCP (Model Context Protocol) adapter or other authorized integration. Where EHR integration is configured, the tenant is responsible for ensuring that the integration is authorized under their EHR vendor agreement, that appropriate access controls and audit logging are in place, and that patient consent for AI-assisted EHR access is obtained where required.
Technical Safeguards
Agentifiq has implemented the following technical safeguards to protect PHI in accordance with the HIPAA Security Rule:
Encryption
- In transit: All data transmitted between end users, the Agentifiq platform, and our infrastructure is encrypted using TLS 1.3. Older protocol versions (TLS 1.0, TLS 1.1, SSL) are disabled.
- At rest: Data stored in Agentifiq's databases and file storage systems is encrypted using AES-256. Encryption keys are managed using a dedicated key management service with automatic rotation.
- Voice channels: Call audio transmitted between telephony carriers and our AI processing infrastructure is encrypted using SRTP (Secure Real-time Transport Protocol) where supported by the carrier.
Access Controls
- Role-based access control (RBAC) is enforced throughout the platform. Healthcare tenant administrators can configure granular permissions to restrict access to call logs, patient interaction summaries, and other sensitive data to only those staff members who require it.
- All access to tenant data by Agentifiq personnel requires multi-factor authentication and is logged. Agentifiq staff access to healthcare tenant data is limited to personnel with a legitimate operational need and is governed by our internal access control policy.
- Automatic session timeout is enforced for all authenticated users. Sessions expire after a configurable period of inactivity (default: 20 minutes).
- API access requires authenticated credentials and is rate-limited. All API calls are logged with timestamps, source IP addresses, and action details.
Audit Logging
Agentifiq maintains comprehensive audit logs of all access to and modifications of PHI-containing records within the platform. Audit logs record: the identity of the user or system accessing data, the time and date of access, the type of operation performed, and the data accessed. Audit logs are retained for a minimum of 6 years in accordance with HIPAA requirements and are available to healthcare tenants upon request.
Availability and Business Continuity
- Agentifiq's platform is hosted on enterprise-grade cloud infrastructure with redundant, geographically distributed architecture.
- We maintain documented backup and disaster recovery procedures. Data backups occur at least daily and are tested quarterly.
- Our target uptime for production environments is 99.9% on an annual basis, excluding scheduled maintenance.
Limitations
Healthcare customers must be aware of the following important limitations of Agentifiq's platform:
Not a clinical tool.
Agentifiq's AI Receptionist is an administrative and communication tool. It is NOT a medical device, clinical decision support system, or diagnostic tool. It must not be used for medical triage, clinical assessment, or any purpose that substitutes for the professional judgment of a licensed healthcare provider. Agentifiq expressly disclaims any fitness for clinical use.
- No clinical judgment: The AI Receptionist cannot and does not assess the clinical significance of symptoms, interpret diagnostic results, or make recommendations about treatment. All clinical judgment must remain with licensed healthcare professionals.
- No emergency response: While the AI Receptionist is configured to transfer emergency calls, it is not equipped to provide emergency medical guidance or to dispatch emergency services. Healthcare organizations must maintain protocols for handling medical emergencies that are independent of and supplemental to the AI Receptionist's emergency transfer behavior.
- Carrier delays: SMS appointment reminders sent through the platform are subject to carrier network conditions and are not guaranteed to be delivered at a specific time. Appointment reminders must not be the sole mechanism for communicating critical clinical information to patients.
- Transcription accuracy: AI transcription achieves high accuracy under normal conditions but may be less accurate when callers speak softly, have strong accents, use clinical terminology, or call from environments with background noise. Call summaries should be reviewed by staff for accuracy rather than treated as verbatim records.
- Not a substitute for legal record keeping: Call summaries and transcripts generated by Agentifiq are not legal medical records and should not be treated as a substitute for documentation in your organization's EHR or medical record system.
Your Responsibilities as a Healthcare Client
Healthcare organizations that use Agentifiq's platform bear significant compliance responsibilities under HIPAA and applicable state law. The following is a non-exhaustive summary of your key obligations:
Patient Disclosure
- You must disclose to patients that an AI-powered system may handle their calls and communications with your practice. This disclosure should be included in your patient intake forms, website privacy notice, and the AI Receptionist greeting.
- Agentifiq provides configurable greeting text that can include AI disclosure. You are responsible for ensuring the greeting used in your deployment includes a disclosure that is accurate, clear, and compliant with applicable state disclosure requirements.
- Where state law requires patient consent before an AI system handles healthcare communications, you are responsible for obtaining and documenting that consent.
Emergency Protocols
- You must establish and maintain written protocols for handling medical emergencies that specify how staff should respond when the AI Receptionist transfers an emergency call, including who is responsible for follow-up and how emergency situations are escalated.
- These protocols must be communicated to all staff who may receive transferred emergency calls and reviewed at least annually.
- You must test the AI Receptionist's emergency transfer behavior periodically to confirm it is functioning as expected.
Data Retention Configuration
- You are responsible for configuring Agentifiq's data retention settings in a manner consistent with your HIPAA compliance program, state medical records retention laws, and your organization's data retention policy.
- Default retention of 90 days may be insufficient or excessive depending on your specific requirements. Review and configure retention settings before processing patient data.
- When a patient exercises their HIPAA right to access or to request deletion of their information held by your practice, you must coordinate with Agentifiq to fulfill that request with respect to data held in our platform. Submit access and deletion requests to legal@agentifiq.com with documentation of the patient's verified request.
Staff Training
- Staff who use the Agentifiq admin dashboard to review call logs, manage contacts, or access patient interaction summaries must receive appropriate HIPAA training, including training specific to the use of cloud-based tools for healthcare administration.
- You must maintain records of staff HIPAA training as required by the HIPAA Security Rule.
Workforce Access Management
- You must promptly deactivate Agentifiq platform access for staff members who leave your organization or whose roles change such that they no longer require access.
- Each staff member must use their own individually assigned account. Sharing login credentials is prohibited and constitutes a security violation.
Incident Response
Agentifiq will notify affected healthcare tenants within 72 hours of discovering a security incident or breach that involves or may involve PHI. Upon receiving such notification, you are responsible for conducting your own breach risk assessment under HIPAA's Breach Notification Rule to determine whether notification to affected individuals, the Department of Health and Human Services (HHS), and potentially the media is required.
To report a suspected security incident involving your healthcare deployment of Agentifiq, contact us immediately at legal@agentifiq.com with the subject line "Security Incident Report." Our security team will respond within 4 hours during business hours.
Contact
For questions about HIPAA compliance, BAA requests, data subject access requests, security incident reports, or any other healthcare data matter, contact us:
Agentifiq
Attn: Legal & Compliance
1901 Pacific Ave, Suite 12030
Dallas, TX 75201
Email: legal@agentifiq.com
Website: https://agentifiq.com
BAA requests, security incident reports, and data subject requests should be sent directly to legal@agentifiq.com with a descriptive subject line. General support questions can be directed to support@agentifiq.com.