Effective Date: May 10, 2026 | Last Updated: May 10, 2026 | Self-Attestation Version: v1.0
1. Our HIPAA Posture
BookLine AI operates as a Business Associate when we receive, store, or transmit Protected Health Information (PHI) on behalf of a HIPAA-covered entity. For dental practices, medical clinics, and other healthcare customers, we self-attest compliance with the technical, administrative, and physical safeguards required by the HIPAA Security Rule (45 CFR §§ 164.308–164.314).
This self-attestation is supported by the contractual safeguards in our Business Associate Agreement (BAA), which we sign with every healthcare customer before go-live. Independent SOC 2 Type II assessment is on our 2026 roadmap.
What "HIPAA self-attestation" means. No vendor is "HIPAA-certified" — HIPAA does not issue certifications. Compliance is demonstrated through documented controls, signed BAAs, and breach-notification readiness. The controls below are our written attestation of how we meet the Security Rule for PHI we process on your behalf.
2. Technical Safeguards (§ 164.312)
Access Controls
Role-based access at the ORM layer; PHI-viewing actions (transcripts, recordings, exports) restricted to owner, admin, or org_admin roles in HIPAA mode. Two-factor authentication is enforced for those roles.
Encryption at Rest
AES-256 for call recordings (Cloudflare R2 with server-side encryption), encrypted columns for sensitive credentials, transcripts stored encrypted when HIPAA mode is enabled on the business.
Encryption in Transit
TLS 1.2+ for all portal and API traffic, SRTP for voice media where supported, signed webhooks for caller-ID bridge and Stripe events.
Audit Controls
Append-only audit log for admin actions on business records, subscription changes, BAA acceptance, and PHI exports. Retained for the full BAA term.
Integrity Controls
Database backups taken nightly with 30-day retention; restore-test runbook documented. Webhook deduplication prevents double-processing of inbound provider events.
Transmission Security
PHI is never included in outbound email bodies under HIPAA mode — only a portal link is sent. SMS opt-in/opt-out tracked per caller.
3. Administrative Safeguards (§ 164.308)
- Security Officer: BookLine AI designates a Security Officer responsible for HIPAA policy. Contact: [email protected].
- Workforce Training: All BookLine AI staff with access to PHI complete HIPAA Privacy & Security awareness training annually.
- Access Authorization: Production database and admin-portal access are granted on a least-privilege basis and reviewed quarterly.
- Subcontractor Management: All Subcontractors who create, receive, maintain, or transmit PHI on our behalf (Vapi, Telnyx, Cloudflare R2, Postgres-hosted infrastructure) are bound by downstream Business Associate Agreements.
- Risk Assessment: Annual security risk assessment and remediation tracking.
- Incident Response: Documented breach-notification runbook with a 60-day notification commitment from discovery (§ 164.410).
4. Physical Safeguards (§ 164.310)
BookLine AI does not operate physical data centers. All PHI is processed on cloud infrastructure with the following physical-safeguard providers:
- Application hosting: Co-located VPS at a SOC 2 Type II data center (US-East). Physical access controlled by biometric + badge with full audit trail.
- Object storage: Cloudflare R2 — SOC 2 Type II, ISO 27001.
- Voice infrastructure: Vapi (AWS-backed, SOC 2 Type II) and Telnyx (SOC 2 Type II, HITRUST CSF self-assessed).
5. PHI We May Process
Depending on how your AI receptionist is configured, BookLine AI may process the following categories of PHI on your behalf:
- Caller name, date of birth, address, and phone number
- Reason for call (chief complaint, symptom description)
- Appointment dates, times, and reasons
- Insurance carrier and member ID (when disclosed by caller)
- Voice recordings and transcripts of patient conversations
We do not process payment-card data (handled directly by Stripe under PCI-DSS), nor do we use PHI to train AI models — voice and text models are operated by Vapi under their own BAA, and BookLine AI explicitly disables training opt-in for HIPAA-mode customers.
6. HIPAA Compliance Mode — What Changes
When a business is set to HIPAA compliance mode in the portal, the following behaviors are enforced:
- Recording consent flag must be obtained before storing call audio
- Transcript storage encrypted at the column level
- Email summaries omit transcript content — recipients receive a portal link only
- Retention floor of 6 years (2,190 days) on call logs and transcripts; soft-delete only, no purge before minimum
- PHI masking in application logs (caller names, phone numbers redacted)
- 2FA required for users with owner/admin role
- Data-export role gated to owner/admin only
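Two of the behaviors in the list above (PHI masking in application logs, and the 2,190-day retention floor with soft-delete only) are the kind of thing a customer's security reviewer will want to see enforced in code rather than only in a policy. The following is an added illustration written for this page, not BookLine AI's own code; the field names (`caller_name`, `phone`, `date_of_birth`, `transcript`), the `CallRecord` layout, and the phone-number pattern are assumptions chosen for the example.

```python
"""Illustrative HIPAA-mode enforcement helpers (added example, not BookLine AI code).

Shows two behaviors from the HIPAA compliance mode list: PHI masking in
application logs, and a 6-year (2,190-day) retention floor under which only
soft deletes are permitted. Field names and record layout are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RETENTION_FLOOR_DAYS = 2190  # 6 years, the floor stated for HIPAA mode

# Reference "now" so the example is reproducible offline (constructed value).
NOW = datetime(2026, 5, 10, tzinfo=timezone.utc)

# North American phone numbers in common written forms (constructed pattern).
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")

# Structured-log keys treated as PHI when HIPAA mode is on (assumed names).
PHI_FIELDS = {"caller_name", "phone", "date_of_birth", "transcript"}


def mask_phi(message: str, fields: dict, hipaa_mode: bool) -> tuple:
    """Return a redacted copy of a log line and its structured fields.

    Outside HIPAA mode the input is returned unchanged, so the function can sit
    in a logging filter for every business and act only on HIPAA-mode ones.
    """
    if not hipaa_mode:
        return message, dict(fields)
    redacted_fields = {
        key: ("[REDACTED]" if key in PHI_FIELDS else value)
        for key, value in fields.items()
    }
    redacted_message = PHONE_RE.sub("[PHONE]", message)
    # Caller names cannot be found by pattern alone; scrub the known value
    # from the free-text message as well as the structured field.
    name = fields.get("caller_name")
    if name:
        redacted_message = redacted_message.replace(name, "[NAME]")
    return redacted_message, redacted_fields


@dataclass
class CallRecord:
    call_id: str
    created_at: datetime
    deleted_at: Optional[datetime] = None  # soft-delete marker, never a row drop


class RetentionError(Exception):
    """Raised when a hard purge would violate the retention floor."""


def record_aged(call_id: str, age_days: int, now: datetime = NOW) -> CallRecord:
    """Build a sample record that is `age_days` old (helper for the example)."""
    return CallRecord(call_id, now - timedelta(days=age_days))


def purge_allowed(record: CallRecord, now: datetime, hipaa_mode: bool) -> bool:
    """True if a hard purge of this record is permitted.

    In HIPAA mode, nothing younger than the retention floor may be purged;
    outside HIPAA mode the floor does not apply.
    """
    age_days = (now - record.created_at).days
    return not (hipaa_mode and age_days < RETENTION_FLOOR_DAYS)


def delete_call(record: CallRecord, now: datetime, hipaa_mode: bool,
                purge: bool = False) -> Optional[CallRecord]:
    """Soft-delete a record, or hard-purge it only when the floor allows.

    A refused purge raises rather than silently downgrading to a soft delete,
    so the calling code (and the audit log) records the attempt explicitly.
    Returns the soft-deleted record, or None when the row may be dropped.
    """
    if purge:
        if not purge_allowed(record, now, hipaa_mode):
            age_days = (now - record.created_at).days
            raise RetentionError(
                f"{record.call_id}: purge refused at {age_days} days; "
                f"floor is {RETENTION_FLOOR_DAYS} days"
            )
        return None
    record.deleted_at = now
    return record


if __name__ == "__main__":
    line, fields = mask_phi(
        "Call from Jane Doe at (555) 010-2000 about tooth pain",
        {"caller_name": "Jane Doe", "phone": "(555) 010-2000", "business_id": "b1"},
        hipaa_mode=True,
    )
    print(line, fields)
    print(delete_call(record_aged("c1", 400), NOW, hipaa_mode=True))
```

The masking step keys off structured field names first and uses the phone regex only as a backstop for free-text messages; a name is scrubbed by value because no pattern reliably identifies one. The retention guard is deliberately a separate, pure function so it can be unit-tested and called from any delete path (API, admin portal, scheduled jobs) without duplicating the rule.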
7. Your Responsibilities as a Covered Entity
- Maintain an executed BAA with BookLine AI before sending PHI through the platform
- Configure your business to HIPAA compliance mode in the portal before go-live
- Limit BookLine AI portal access to authorized workforce members
- Inform callers that calls may be recorded, where required by state law
- Report suspected security incidents to [email protected] within 5 business days
8. Breach Notification
In the event of a confirmed breach of unsecured PHI, BookLine AI will notify the affected Covered Entity within 60 days of discovery, per § 164.410. Our notification will include:
- A description of what happened, including the date of the breach and the date of discovery
- The types of unsecured PHI involved
- Steps individuals should take to protect themselves
- What BookLine AI is doing to investigate, mitigate, and prevent recurrence
9. Request a BAA
We sign a BAA with every healthcare customer as part of onboarding. You can review our standard template before signing, or have your legal team propose redlines. Most BAAs are countersigned within 2 business days.
10. Contact
BookLine AI — Security & Compliance
Email: [email protected]
Privacy: [email protected]
Phone: (866) 823-0175