HIPAA Compliance

Our Commitment to HIPAA Compliance

At Vizzi Voice, we understand the critical importance of protecting patient health information. As a provider of AI-powered voice assistant services for healthcare practices, we are committed to full compliance with the Health Insurance Portability and Accountability Act (HIPAA) and all related regulations.

This document outlines our HIPAA compliance program, security measures, and how we protect Protected Health Information (PHI) entrusted to us by our healthcare provider clients.

HIPAA Compliance Overview

Business Associate Status

Vizzi Voice operates as a Business Associate under HIPAA. This means we:

• Process PHI on behalf of covered entities (healthcare providers)
• Enter into Business Associate Agreements (BAAs) with all clients
• Implement appropriate safeguards to protect PHI
• Comply with all applicable HIPAA Privacy and Security Rules
• Report breaches and security incidents as required

Applicable HIPAA Rules

Our compliance program addresses all major HIPAA rules:

• Privacy Rule: Protects the privacy of individually identifiable health information
• Security Rule: Sets standards for protecting electronic PHI (ePHI)
• Breach Notification Rule: Requires notification of breaches of unsecured PHI
• Enforcement Rule: Provides standards for enforcement of HIPAA rules

Technical Safeguards

We implement comprehensive technical safeguards to protect ePHI in accordance with the HIPAA Security Rule:

Access Controls

• Unique User Identification: Each user has a unique username and authentication credentials
• Emergency Access Procedures: Established procedures for obtaining ePHI during emergencies
• Automatic Logoff: Systems automatically log off users after periods of inactivity
• Encryption and Decryption: All ePHI is encrypted both in transit and at rest

Audit Controls

• Comprehensive logging of all access to and modifications of ePHI
• Regular review of audit logs for suspicious activity
• Retention of audit logs for at least 6 years
• Automated alerts for potential security incidents

Integrity Controls

• Mechanisms to authenticate ePHI and ensure it has not been altered or destroyed
• Regular integrity checks and validation
• Version control and change tracking
• Backup and disaster recovery procedures

Transmission Security

• TLS 1.3 encryption for all data transmissions
• End-to-end encryption for voice communications
• Secure API endpoints with authentication
• Network segmentation and firewalls

Physical Safeguards

Our infrastructure and data centers implement robust physical security measures:

Facility Access Controls

• 24/7 security personnel and video surveillance
• Biometric access controls and badge systems
• Visitor logs and escort requirements
• Restricted access to areas containing ePHI

Workstation and Device Security

• Physical locks and security cables on workstations
• Privacy screens to prevent unauthorized viewing
• Clean desk policies for sensitive documents
• Secure disposal of hardware and media

Media Controls

• Inventory and tracking of all media containing ePHI
• Secure disposal and destruction procedures
• Data sanitization before equipment reuse or disposal
• Backup media stored in secure, climate-controlled facilities

Administrative Safeguards

We maintain comprehensive administrative safeguards to ensure ongoing HIPAA compliance:

Security Management Process

• Risk Analysis: Annual comprehensive risk assessments of all systems handling ePHI
• Risk Management: Implementation of security measures to reduce identified risks
• Sanction Policy: Procedures to address workforce member violations
• Information System Activity Review: Regular review of system activity and security logs

Workforce Security

• Background checks for all employees with access to ePHI
• Role-based access controls and least privilege principles
• Immediate termination of access upon employee departure
• Regular access reviews and recertification

Training and Awareness

• Mandatory HIPAA training for all workforce members upon hire
• Annual refresher training and updates on policy changes
• Security awareness campaigns and phishing simulations
• Role-specific training for employees handling ePHI

Contingency Planning

• Data backup plans with regular testing
• Disaster recovery procedures with defined RTOs and RPOs
• Emergency mode operation plans
• Regular disaster recovery drills and tabletop exercises

Business Associate Management

• Written contracts with all subcontractors who may access ePHI
• Due diligence and security assessments of vendors
• Regular monitoring of Business Associate compliance
• Incident response coordination procedures

Privacy Protections

We implement comprehensive privacy protections in accordance with the HIPAA Privacy Rule:

Minimum Necessary Standard

• Access to PHI is limited to the minimum necessary to accomplish intended purposes
• Role-based access controls enforce minimum necessary access
• Regular reviews to ensure access remains appropriate

Use and Disclosure Limitations

• PHI is used and disclosed only as authorized by our Business Associate Agreement
• No marketing or sale of PHI without authorization
• Accounting of disclosures as required by HIPAA
• Procedures for handling requests from individuals

Individual Rights Support

We support our clients in facilitating individual rights under HIPAA:

• Right to Access: Procedures to provide individuals access to their PHI
• Right to Amendment: Process for individuals to request amendments to their PHI
• Right to Accounting: Systems to track disclosures and provide accountings
• Right to Restriction: Ability to restrict certain uses and disclosures

Breach Notification Procedures

In the event of a breach of unsecured PHI, we follow strict notification procedures:

Breach Assessment

• Immediate investigation of all suspected security incidents
• Risk assessment to determine if incident constitutes a breach
• Documentation of assessment process and findings
• Consultation with legal counsel as appropriate

Notification Timeline

• To Covered Entities: Notification without unreasonable delay and no later than 60 days
• To Individuals: Support for client notification to affected individuals
• To HHS: Notification to Secretary of HHS as required
• To Media: Notification to prominent media outlets for breaches affecting 500+ individuals in a jurisdiction

Breach Response

• Immediate containment and mitigation of the breach
• Investigation to determine root cause
• Implementation of corrective actions to prevent recurrence
• Documentation of all breach response activities

Compliance Monitoring and Auditing

We maintain an ongoing compliance monitoring program:

Internal Audits

• Quarterly internal security and privacy audits
• Annual comprehensive HIPAA compliance assessments
• Continuous monitoring of security controls
• Regular penetration testing and vulnerability scanning

Third-Party Assessments

• Annual independent security assessments by qualified firms
• SOC 2 Type II attestation reports
• HITRUST CSF certification
• Regular penetration tests by certified ethical hackers

Continuous Improvement

• Regular review and update of policies and procedures
• Incorporation of lessons learned from incidents and audits
• Monitoring of regulatory changes and industry best practices
• Investment in new security technologies and capabilities

Certifications and Attestations

Vizzi Voice maintains industry-recognized security certifications:

• SOC 2 Type II: Annual attestation for security, availability, and confidentiality
• HITRUST CSF Certified: Comprehensive information protection program
• ISO 27001: Information security management system certification
• HIPAA Compliant: Regular assessments and third-party validation

Copies of our current certification reports are available to clients under NDA upon request.

Business Associate Agreement

All clients who use Vizzi Voice to process PHI must execute a Business Associate Agreement (BAA) with us. The BAA outlines:

• Permitted and required uses and disclosures of PHI
• Our obligations to safeguard PHI
• Breach notification requirements
• Individual rights support obligations
• Audit and inspection rights
• Term and termination provisions
• Indemnification and liability provisions

The BAA is provided during the onboarding process and must be executed before we can process any PHI on your behalf.

Client Responsibilities

While we maintain HIPAA-compliant systems and processes, clients also have important responsibilities:

Covered Entity Obligations

• Maintain your own HIPAA compliance program
• Obtain necessary patient authorizations and consents
• Provide accurate information about permitted uses of PHI
• Notify us of any restrictions or special requirements
• Review and verify AI-generated content involving PHI

Account Security

• Maintain confidentiality of login credentials
• Implement strong password policies
• Enable multi-factor authentication
• Promptly report any suspected security incidents
• Conduct regular access reviews of your users

Training and Policies

• Train your staff on HIPAA requirements and your privacy policies
• Implement policies for use of our services
• Maintain oversight of automated processes
• Report any concerns or potential compliance issues

Frequently Asked Questions

Is Vizzi Voice HIPAA compliant?

Yes, Vizzi Voice is fully HIPAA compliant. We implement all required technical, physical, and administrative safeguards, maintain industry certifications, and execute Business Associate Agreements with all clients who process PHI.

Do I need to sign a Business Associate Agreement?

Yes, if you will be using Vizzi Voice to process any PHI, a Business Associate Agreement is required by HIPAA before we can begin processing PHI on your behalf.

How is patient data encrypted?

All patient data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. Voice communications use end-to-end encryption. Encryption keys are managed using industry-standard key management practices.

What happens if there is a data breach?

In the event of a breach, we will notify you without unreasonable delay and no later than 60 days from discovery. We will work with you to assess the breach, notify affected individuals as required, and implement corrective actions.

Can I get a copy of your audit reports?

Yes, we provide current SOC 2 reports and other certifications to clients under an NDA. Please contact your account manager or compliance@vizzivoice.com to request reports.

How long do you retain patient data?

We retain PHI for 6 years from the date of creation or last use, as required by HIPAA. Retention periods for specific data types are outlined in our data retention policy, which is available upon request.

Compliance Resources

For more information about HIPAA and healthcare privacy:

• HHS HIPAA Portal
• HIPAA Security Rule
• HIPAA Privacy Rule
• Breach Notification Rule

Contact Our Compliance Team

If you have questions about our HIPAA compliance program or need to report a potential security incident:

• Email: compliance@vizzivoice.com
• Security Incidents: security@vizzivoice.com
• Phone: 1-800-VIZZI-00 (select option 3 for compliance)
• Mail: Vizzi Voice, Compliance Department, [Address]

Our compliance team is available Monday through Friday, 9 AM to 5 PM ET. For urgent security matters, we maintain a 24/7 security hotline.