HIPAA Compliance
Last Updated: April 8, 2026
OzyOps is designed from the ground up to protect patient health information. We serve healthcare practices including medical clinics, dental offices, and aesthetic clinics with an AI-powered receptionist platform that meets HIPAA Security Rule and Privacy Rule requirements.
On This Page
- 1. Business Associate Agreement
- 2. Encryption and Data Security
- 3. Access Controls
- 4. How We Handle PHI
- 5. HIPAA-Compliant Subprocessors
- 6. EMR Integration Security
- 7. Breach Notification
- 8. Data Retention
- 9. Administrative and Physical Safeguards
- 10. Professional Liability and Cyber Insurance
- 11. Frequently Asked Questions
1. Business Associate Agreement
OzyOps operates as a Business Associate under HIPAA. Every healthcare customer signs a BAA during account setup that governs how we handle Protected Health Information (PHI).
Our BAA covers:
- Permitted uses and disclosures of PHI (call handling, appointment management, prescription capture)
- Required safeguards (administrative, technical, physical)
- Breach notification obligations (24-48 hour timeline)
- Subprocessor management and oversight
- PHI return or destruction upon termination
Your signed BAA is available at any time in your Account Settings within the OzyOps portal.
2. Encryption and Data Security
Data in Transit
- TLS 1.3 preferred, TLS 1.2 minimum, for all data transmission
- HTTPS enforced on all API endpoints and web interfaces
- OAuth 2.0 + PKCE for EMR authentication flows
Data at Rest
- AES-256 encryption for all stored PHI — call recordings, transcripts, patient records
- AES-256-GCM encryption for EMR credentials (API keys, OAuth tokens)
- Transparent Data Encryption (TDE) on database storage
- Encrypted backups with integrity verification
3. Access Controls
Mandatory Multi-Factor Authentication
All healthcare portal users must enroll in TOTP-based multi-factor authentication before accessing the dashboard. This is enforced at login — there is no way to bypass MFA on healthcare accounts.
Role-Based Access Control (RBAC)
Three roles control who can see and do what:
| Role | Access Level |
|---|---|
| Owner | Full access — settings, billing, team management, all data |
| Manager | Operational access — calls, pipeline, booking queue, prescriptions |
| Viewer | Read-only access — view calls, reports, and queue. Cannot modify data |
Additional Controls
- Automatic session timeout
- Comprehensive audit logging of all PHI access (6-year retention)
- Principle of least privilege applied across all roles
- Cryptographic signature verification on all webhooks
4. How We Handle PHI
What OzyOps Collects During Calls
- Patient name, phone number, email, date of birth
- Appointment preferences (type, provider, date/time)
- Insurance carrier and self-pay status
- Medication names for prescription refill requests
- Call recordings and AI-generated transcripts
- SMS consent status
What OzyOps Does NOT Access
- Medical charts, clinical notes, or treatment plans
- Lab results or diagnostic data
- Mental health or substance abuse records
- Genetic information
SMS Communications
- Staff notifications are PHI-redacted — they contain no patient names, conditions, or details. Example: "New appointment request. Check your OzyOps dashboard for details."
- Patient-facing messages use HIPAA-safe templates. Example: "Your appointment is confirmed" — never "Your colonoscopy is confirmed."
- All messages include opt-out instructions
5. HIPAA-Compliant Subprocessors
All subprocessors with access to PHI have executed Business Associate Agreements with OzyOps:
| Subprocessor | Function | PHI Access | BAA Status |
|---|---|---|---|
| Retell AI | Conversational AI engine | Voice data, transcripts | BAA Executed |
| Neon | HIPAA-compliant PostgreSQL database | All stored PHI | BAA Executed |
| Twilio | SMS messaging | Phone numbers only (no PHI in messages) | N/A (no PHI) |
| Supabase | Authentication | No PHI (auth only) | N/A |
| Sentry | Error monitoring | Minimal (PHI scrubbed) | DPA Executed |
| Netlify | Application hosting | Transient processing | DPA Executed |
OzyOps will not engage new subprocessors with PHI access without executing appropriate BAAs, verifying HIPAA compliance, and updating our subprocessor list within 30 days.
6. EMR Integration Security
OzyOps connects to your EMR/EHR system to enable appointment management during AI calls. EMR integration security includes:
- Credential encryption: EMR API keys and OAuth tokens are encrypted with AES-256-GCM before storage
- OAuth 2.0 + PKCE: For EMR systems requiring OAuth authentication (athenahealth, Epic, FHIR servers)
- Scheduling data only: OzyOps accesses appointment availability and booking. No clinical records, charts, or medical history
- Automatic token refresh: OAuth tokens are refreshed automatically with mutex protection, so concurrent calls that find an expired token trigger a single refresh instead of racing each other
- Connection monitoring: EMR connection status is visible in your dashboard at all times
Supported EMR Systems
Open Dental, athenahealth, DrChrono, and any system supporting the FHIR R4 standard (including Epic and Cerner/Oracle Health). See our EMR Setup Guide for details.
Tier Availability
- All tiers: EMR connection, patient lookup, manual booking queue
- Essential and above: AI-powered appointment booking during calls
7. Breach Notification
In the event of a suspected or confirmed breach of unsecured PHI:
| Event | Timeline | Details |
|---|---|---|
| Suspected breach | Within 24 hours | OzyOps notifies your practice of the suspected incident |
| Confirmed breach | Within 48 hours | Written report with: date of discovery, PHI involved, individuals affected, mitigation steps |
| Investigation | Ongoing | OzyOps preserves evidence, conducts investigation, provides data for your risk assessment |
If a breach results from OzyOps' failure to comply with the BAA, OzyOps bears the notification costs. Your practice remains responsible for notifying affected individuals and HHS/OCR as required by HIPAA.
8. Data Retention
During Active Subscription
| Data Type | Retention Period |
|---|---|
| Call recordings (healthcare) | 24 months active storage |
| Call transcripts | 24 months |
| Audit logs | 6 years (meets HIPAA minimum) |
| SMS consent records | 3 years after last message (TCPA) |
After Account Termination
- PHI is returned or destroyed within 30 days, except call recordings still within their retention period
- Call recordings still within their retention period move to encrypted cold storage and are permanently deleted when that period ends
- If return or destruction is not feasible, HIPAA protections continue for as long as the data is held
9. Administrative and Physical Safeguards
Administrative Safeguards
- Designated Security Officer responsible for HIPAA compliance
- Annual workforce HIPAA training
- Background checks for employees with PHI access
- Sanctions policy for violations
- Annual security risk assessment
- Documented incident response procedures
Physical and Infrastructure Safeguards
- Cloud infrastructure hosted in data centers with SOC 2 Type II attestation reports
- No local storage of PHI on endpoints
- Separate HIPAA-compliant database for healthcare data (Neon, Scale plan with BAA)
- Non-healthcare data stored separately in a different database
10. Professional Liability and Cyber Insurance
OzyOps carries professional liability and cyber insurance through an A.M. Best A+ rated carrier, effective April 2026.
Errors & Omissions + Cyber Liability
- Coverage: $500,000 per wrongful act / $500,000 aggregate
- Includes: Professional liability (errors/omissions in services), data privacy and network security liability, HIPAA/HITECH violation defense, breach notification and identity protection, ransomware and cyber extortion response, business interruption, and data restoration
- Cyber Breach Coach: No-deductible access to legal counsel for breach response
General Liability
- Coverage: $1,000,000 per occurrence / $2,000,000 aggregate
- Includes: Technology Services Coverage Extension and Blanket Additional Insured by Contract
A Certificate of Insurance is available upon request. Contact support@ozyops.com.
11. Frequently Asked Questions
Do you sign a BAA?
Yes. Every healthcare customer signs a Business Associate Agreement during account setup. It is always available in your account settings.
Where is patient data stored?
Healthcare call data is stored in Neon, a HIPAA-compliant PostgreSQL database with an executed BAA. Healthcare data is stored separately from non-healthcare data. All data is encrypted at rest with AES-256.
Does OzyOps access my patient charts?
No. When connected to your EMR, OzyOps only accesses scheduling data (appointment availability, booking). We never read clinical records, charts, lab results, or medical history.
Is MFA required?
Yes. Multi-factor authentication is mandatory for all users on healthcare accounts. There is no option to disable it.
What happens if there is a data breach?
OzyOps notifies your practice within 24 hours of a suspected breach and provides a written report within 48 hours of a confirmed breach. See Breach Notification above for full details.
Can staff see patient information in SMS messages?
No. Staff SMS notifications are PHI-redacted and contain no patient-identifiable information. Staff must log into the authenticated OzyOps dashboard to view patient details.
What happens to my data if I cancel?
PHI is returned or destroyed within 30 days of account termination, except call recordings still within their retention period. Those recordings are moved to encrypted cold storage and permanently deleted when that period ends.
Do your subprocessors comply with HIPAA?
All subprocessors with PHI access (Retell AI, Neon) have executed BAAs with OzyOps. Subprocessors without PHI access (Twilio for SMS, Supabase for auth) handle no patient data. See Subprocessors for the full list.
Have Compliance Questions?
Our team is available to discuss your practice's specific compliance requirements.