Healthcare-first voice AI virtual receptionist with HIPAA-compliant architecture and patient safety protocols.

© 2026 ClaireMed. All rights reserved.

Designed to Support HIPAA Compliance from Day One

AWS HIPAA-eligible infrastructure, executed BAAs, TLS 1.3/AES-256 encryption, zero-retention AI policies, and audit-ready logging. Your compliance team can sign off without hesitation.

HIPAA-Compliant Architecture

Important: HIPAA Compliance

ClaireMed is designed to support HIPAA compliance with infrastructure, vendor governance, and operational controls that meet OCR requirements. HIPAA compliance depends on both technology (what we provide) and operational controls (how you deploy it). ClaireMed provides HIPAA-compliant architecture; your compliance team verifies operational controls before pilot.

AWS HIPAA-Eligible Services

ClaireMed infrastructure uses only AWS services covered under an executed AWS Business Associate Agreement (BAA):

Storage

S3: Call recordings, transcripts, audit logs (encrypted at rest)

Database

RDS: Customer data, configuration (encrypted at rest)

Compute

Lambda/ECS in VPC: Isolated, encrypted network

Encryption

KMS: Key management for all encryption

Audit Logging

CloudTrail: AWS API activity, access logs

Monitoring

CloudWatch: Metrics, logs, alerts

Executed Business Associate Agreements (BAAs)

ClaireMed has executed BAAs with all subprocessors that handle PHI:

| Subprocessor | Service | BAA Status |
|---|---|---|
| AWS | Infrastructure | ✓ Executed |
| Twilio Security Edition | Telephony | ✓ Executed |
| ElevenLabs | Text-to-Speech (TTS) | ✓ Executed |
| Deepgram | Speech-to-Text (STT) | ✓ Executed |
| OpenAI/Anthropic | LLM (Conversational AI) | ✓ Executed |

Encryption at Rest and in Transit

Data at Rest

All storage (S3, RDS) encrypted with AES-256 using AWS KMS. Patient data, call recordings, transcripts, and configuration are encrypted by default.

Data in Transit

TLS 1.3 for all network traffic. API calls, database connections, and telephony sessions use encrypted channels. No plaintext PHI on the wire.

Zero-Retention AI Policies

AI vendors (OpenAI, Anthropic, ElevenLabs, Deepgram) do not train models on ClaireMed data and do not retain inputs/outputs.

LLM (OpenAI/Anthropic)

Zero data retention policies. API inputs/outputs are not used for training or stored by the vendor.

Speech AI (ElevenLabs/Deepgram)

No audio retention. Inputs are processed and discarded immediately after synthesis/transcription.

Immutable Audit Logging

Every call generates an audit trail. The logs are immutable and are stored in S3 with Object Lock (WORM mode) for 7 years.

Audit Log Contents

Call start/end timestamps, caller ID, agent transfers, detected intents, patient-provided information (appointment changes, billing questions), and final disposition (transferred to human, voicemail, completed by AI).
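
A check a compliance team could run against the audit-log bucket to confirm the Object Lock retention and KMS encryption settings described above. This is an added example, not ClaireMed's code: the sample responses are constructed (shaped like the JSON printed by `aws s3api get-object-lock-configuration` and `aws s3api get-bucket-encryption`), and requiring COMPLIANCE mode is an assumption, since the page says only "WORM mode".

```python
import json

REQUIRED_YEARS = 7  # retention period stated on the page

# Constructed sample responses, shaped like the JSON printed by
# `aws s3api get-object-lock-configuration` and `aws s3api get-bucket-encryption`.
SAMPLE_LOCK = json.loads("""{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
  "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Years": 7}}}}""")
SAMPLE_SSE = json.loads("""{"ServerSideEncryptionConfiguration": {"Rules": [
  {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
   "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}}""")


def audit_bucket(lock_resp, sse_resp, required_years=REQUIRED_YEARS):
    """Return a list of findings; an empty list means the settings match."""
    findings = []
    cfg = lock_resp.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled on the bucket")
    retention = cfg.get("Rule", {}).get("DefaultRetention")
    if not retention:
        findings.append("no default retention rule: objects are locked only "
                        "when each write sets its own retention")
    else:
        mode = retention.get("Mode")
        if mode != "COMPLIANCE":
            # Assumption: WORM is read as COMPLIANCE mode. GOVERNANCE retention
            # can be bypassed with the s3:BypassGovernanceRetention permission.
            findings.append(f"retention mode is {mode}, not COMPLIANCE")
        # DefaultRetention carries either Days or Years, never both.
        days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
        if days < 365 * required_years:
            findings.append(f"default retention is {days} days, "
                            f"below {required_years} years")
    rules = sse_resp.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for r in rules}
    if not algos & {"aws:kms", "aws:kms:dsse"}:
        findings.append("default encryption does not use a KMS key")
    return findings


if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_LOCK, SAMPLE_SSE):
        print("FINDING:", finding)
```

The constructed sample deliberately uses GOVERNANCE mode so the run produces one finding; a COMPLIANCE-mode bucket with 7-year default retention and SSE-KMS returns an empty list.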

Business Associate Agreement (BAA) Process

ClaireMed executes a BAA with each medical practice customer.

1. Request BAA: Contact sales or send a request to legal@clairemed.io
2. Review & Sign: Standard BAA template, typically 5-7 days
3. Pilot Deployment: Technical onboarding with BAA in place
4. Go-Live: Production rollout with compliance sign-off