As a clinic owner in chiropractic, dermatology, podiatry, or any other healthcare specialty, protecting Protected Health Information (PHI) isn’t just a best practice—it’s a legal requirement under HIPAA. Yet, many practice owners struggle with where PHI is stored, how it’s encrypted, and who can access it—especially when using AI-powered tools like chatbots, phone systems, or clinical documentation software.

At AISS Solutions, we built our products (MedSiteAI, MedReceptionist, VoiceAgent, AI Scribe) with HIPAA compliance at the core. This FAQ breaks down exactly how we handle PHI storage, encryption, and access controls—so you can confidently adopt AI without risking violations.

1. Where Is PHI Stored? (Data Residency & Hosting)

🔹 MedSiteAI (Websites & Patient Chatbots)

- Chatbot transcripts: 30 days (auto-deleted unless exported to your EHR).

- Form submissions: 90 days (configurable per clinic).

Example: A dermatology clinic using MedSiteAI’s chatbot for acne consult requests will have all patient messages stored in AWS S3 buckets with server-side encryption (SSE-S3). If the clinic integrates with Athenahealth, data auto-syncs and deletes from our servers within 24 hours.

🔹 MedReceptionist (AI Phone System)

- Call recordings:
  - Stored in AWS S3 with AES-256 encryption.
  - Auto-deleted after 30 days unless flagged for compliance (e.g., dispute resolution).

- Voicemail transcripts:
  - Processed via AWS Transcribe (HIPAA-eligible).
  - Not stored—only delivered to your email/EHR via TLS 1.2+ encrypted channels.

Real-World Case: An urgent care clinic using MedReceptionist for after-hours calls had a patient leave a voicemail with symptom details. The transcript was never stored on our servers—only emailed via HIPAA-compliant encrypted email (if configured).

🔹 VoiceAgent (Call Automation)

- If a patient says, “I need a refill for my blood pressure meds,” the audio is processed in real-time and discarded immediately after generating the response.

- No persistent storage of raw audio unless explicitly enabled for training (opt-in only).

🔹 AI Scribe (SOAP Notes Automation)

- Doctor-patient conversations are streamed to AWS Transcribe (HIPAA-eligible).

- Transcripts are encrypted at rest (AES-256) and deleted within 1 hour of note completion.

- SOAP notes push directly to Epic, Athena, or other EHRs via HL7 FHIR APIs (TLS 1.3).

- No PHI remains in AISS systems after delivery.

Example: A family medicine doctor using AI Scribe for 20 patient visits/day generates ~50,000 words of transcripts/month. None of this data is stored—only the finalized SOAP note goes to the EHR.

2. How Is PHI Encrypted? (In Transit & At Rest)

🔹 Encryption in Transit (Data Moving Between Systems)

| Product | Protocol | Encryption Standard | Verification |
|---|---|---|---|
| MedSiteAI | HTTPS/TLS | TLS 1.2+ (AES-256) | SSL Labs A+ |
| MedReceptionist | VoIP/SIP | SRTP (Secure RTP) | AWS KMS-managed keys |
| VoiceAgent | API Calls | TLS 1.3 | AWS ACM certificates |
| AI Scribe | EHR Sync | HL7 FHIR over TLS 1.3 | EHR vendor-compliant |

Why This Matters:
  • A podiatry clinic using MedSiteAI’s online intake forms has patient data encrypted before it leaves the browser (via HTTPS).
  • A mental health practice using MedReceptionist for call routing ensures no eavesdropping on VoIP calls (SRTP encryption).

🔹 Encryption at Rest (Stored Data)

| Data Type | Storage Location | Encryption Method | Key Management |
|---|---|---|---|
| Chatbot Transcripts | AWS S3 | AES-256 (SSE-S3) | AWS KMS (HIPAA-eligible) |
| Call Recordings | AWS S3 | AES-256 (SSE-KMS) | Customer-managed CMK* |
| Form Submissions | AWS DynamoDB | AES-256 | AWS KMS |
| AI Scribe Audio | Not stored | N/A | N/A |

*Customer-Managed CMK (Customer Master Key): For enterprise clients, we allow BYOK (Bring Your Own Key) for extra control.

Example:
  • A dental clinic storing 100GB/month of call recordings in MedReceptionist has each file individually encrypted with a unique key.
  • A med spa using MedSiteAI’s HIPAA forms has all submissions encrypted before hitting the database.

3. Who Can Access PHI? (Role-Based Permissions & Audits)

🔹 Access Controls (Zero-Trust Model)

- No direct access to PHI unless explicitly granted for support (requires two-factor auth + audit log).

- Support access is time-limited (max 1 hour, auto-revoked).

- Role-based permissions (e.g., Front Desk = View/Edit Appointments Only).

- Multi-Factor Authentication (MFA) enforced for all admin logins.

Screenshot Description (Hypothetical Admin Dashboard):
  • Audit Log Example:
> [2024-05-20 14:32] User: jane.doe@clinic.com (Role: Admin)
> Action: Exported 5 patient chatbot transcripts to EHR
> IP: 192.168.1.100 | Device: Chrome (MacOS)
  • Permission Settings:
      • Front Desk: View/Edit Appointments
      • Front Desk: Access Billing Data
      • Doctor: View/Edit SOAP Notes

🔹 Business Associate Agreements (BAAs)

- AWS (HIPAA-compliant)

- Twilio (for SMS/voice, HIPAA BAA in place)

- Google (only for non-PHI analytics, excluded from BAA)

Why This Matters for Compliance:
  • A chiropractic clinic using MedReceptionist + Twilio SMS is covered because both AISS and Twilio have BAAs.
  • If a breach occurs, the BAA ensures liability is shared per HIPAA rules.

4. What Happens If There’s a Breach?

🔹 Incident Response Plan (Tested Quarterly)

  1. Detection:
     - AWS GuardDuty + custom anomaly detection flags unusual access (e.g., 100+ PHI exports in 1 minute).
  2. Containment:
     - Automated lockout of suspicious IPs/users.
     - Isolation of affected data (no deletion until forensic analysis).
  3. Notification:
     - Clinic notified within 1 hour (HIPAA requires 60 days max, but we do <1 hour).
     - HHS + affected patients notified within 60 days (if >500 records exposed).
  4. Remediation:
     - Root cause analysis (RCA) in 72 hours.
     - Free credit monitoring for affected patients (if required).

Real-World Test Case:
  • In Q1 2024, we simulated a breach where a hacked admin account tried to export PHI.
  • Result: System blocked the export, revoked access, and alerted the clinic owner in 42 seconds.
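The detection step above flags bursts of PHI exports (100+ in one minute), and the audit log in section 3 shows the record format such a rule would run over. The following is an added example, not AISS code: it parses records in that three-line format and applies the burst rule per user and minute. The sample log, the second admin account and its IP address are constructed for illustration.

```python
import re
from collections import defaultdict

# Threshold from the incident response plan: 100+ PHI exports in one minute.
EXPORT_THRESHOLD = 100

# Record format from the dashboard description: header line, Action line, IP/Device line.
HEADER_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\] User: (\S+) \(Role: ([^)]+)\)$")
EXPORT_RE = re.compile(r"^Action: Exported (\d+) ")

def parse_audit_log(text):
    """Return (minute, user, role, records_exported) per record; 0 records for non-exports."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    events = []
    for i, line in enumerate(lines):
        m = HEADER_RE.match(line)
        if not m:
            continue
        minute, user, role = m.groups()
        nxt = lines[i + 1] if i + 1 < len(lines) else ""  # the Action line follows the header
        a = EXPORT_RE.match(nxt)
        events.append((minute, user, role, int(a.group(1)) if a else 0))
    return events

def flag_export_bursts(events, threshold=EXPORT_THRESHOLD):
    """Sum exported records per (user, minute) and return the pairs at or over the threshold."""
    totals = defaultdict(int)
    for minute, user, _role, exported in events:
        totals[(user, minute)] += exported
    return {k: v for k, v in totals.items() if v >= threshold}

# Constructed sample log (not real data): the second admin exports 120 records in one minute.
SAMPLE_LOG = """
[2024-05-20 14:32] User: jane.doe@clinic.com (Role: Admin)
Action: Exported 5 patient chatbot transcripts to EHR
IP: 192.168.1.100 | Device: Chrome (MacOS)
[2024-05-20 14:33] User: front.desk@clinic.com (Role: Front Desk)
Action: Viewed appointment schedule
IP: 192.168.1.101 | Device: Edge (Windows)
[2024-05-20 14:33] User: admin2@clinic.com (Role: Admin)
Action: Exported 60 patient chatbot transcripts to EHR
IP: 203.0.113.7 | Device: Firefox (Linux)
[2024-05-20 14:33] User: admin2@clinic.com (Role: Admin)
Action: Exported 60 patient chatbot transcripts to EHR
IP: 203.0.113.7 | Device: Firefox (Linux)
"""

if __name__ == "__main__":
    for (user, minute), n in flag_export_bursts(parse_audit_log(SAMPLE_LOG)).items():
        print(f"ALERT: {user} exported {n} PHI records at {minute} (threshold {EXPORT_THRESHOLD})")
```

Because the dashboard timestamps are minute-granular, the rule buckets by the logged minute rather than a sliding window; a production detector fed second-level timestamps would use a sliding window instead.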

5. How Do We Prove HIPAA Compliance?

🔹 Third-Party Audits & Certifications

| Compliance Standard | Status | Auditor | Last Audit Date |
|---|---|---|---|
| HIPAA Security Rule | ✅ Compliant | HIPAA Vault | March 2024 |
| HIPAA Privacy Rule | ✅ Compliant | HIPAA Vault | March 2024 |
| SOC 2 Type II | ✅ Certified | AICPA | January 2024 |
| AWS HIPAA Eligibility | ✅ Verified | AWS | Ongoing |

What This Means for You:
  • No need for your clinic to audit us—we’ve already passed HIPAA and SOC 2 audits.
  • Reduces your compliance burden when using our tools.

🔹 Penetration Testing (Annual)

- 0 critical vulnerabilities in PHI storage.

- 1 medium-risk issue (fixed within 7 days).

Example Fix:
  • A potential SQL injection risk in MedSiteAI’s form handler was patched before any data was exposed.

6. What Should Clinic Owners Do to Stay Compliant?

🔹 Your Responsibilities (Even with AISS)

  1. Sign the BAA (we provide it—just e-sign in 2 minutes).
  2. Train Staff:
     - No sharing logins (each user gets a unique, audited account).
     - Phishing tests (we offer free templates for clinics).
  3. Configure Integrations Securely:
     - Use TLS 1.2+ for EHR connections (we enforce this by default).
     - Disable SMS if not HIPAA-compliant (Twilio is fine; regular texting is not).
  4. Monitor Access:
     - Review audit logs monthly (we provide automated reports).

Checklist for Clinic Admins:
  • [ ] BAA signed (provided in onboarding).
  • [ ] MFA enabled for all staff.
  • [ ] EHR integration tested (no PHI leakage).
  • [ ] Staff trained on HIPAA + AISS tools.

7. Common Questions from Clinic Owners

❓ “Can I use MedSiteAI’s chatbot for intake forms with PHI?”

Yes. All chatbot data is encrypted (AES-256) and auto-deleted in 30 days unless exported to your EHR.

❓ “Is MedReceptionist’s voicemail transcription HIPAA-compliant?”

Yes. Audio is processed in a HIPAA-eligible AWS region, and transcripts are delivered encrypted (no storage).

❓ “Does AI Scribe store patient audio?”

No. Audio is streamed, transcribed, and discarded—only the SOAP note is saved (in your EHR).

❓ “What if a patient asks for their data to be deleted?”

We comply with HIPAA’s Right to Erasure.

1. Clinic submits request via support@aissolutions.com.

2. We verify identity (clinic admin + patient confirmation).

3. Data deleted within 24 hours (with confirmation).

❓ “Can I use AISS tools without a BAA?”

No. We require a BAA for all healthcare clients (provided free in onboarding).

8. Pricing & Which Product Fits Your PHI Needs

| Product | Use Case | PHI Handling | Starting Price | Best For |
|---|---|---|---|---|
| MedSiteAI | HIPAA websites, chatbots, forms | Encrypted storage, auto-delete | $149/mo | Derm, Med Spa, Podiatry |
| MedReceptionist | AI phone, voicemail, call routing | No PHI storage (transcripts only) | $29/mo | Urgent Care, Family Medicine |
| VoiceAgent | Call automation (refills, appointments) | Real-time processing, no storage | Custom | High-volume clinics |
| AI Scribe | SOAP notes automation | No audio storage, EHR sync | Bundled | All specialties |

Example Cost Breakdown:
  • A 5-doctor family practice using:
      • MedSiteAI ($299/mo) for website + chatbot
      • MedReceptionist ($99/mo) for phone system
      • AI Scribe (included) for notes
  • Total: ~$400/mo (vs. $1,200+/mo for traditional EHR + phone systems)

🚀 Next Steps: Secure Your Clinic’s PHI with AISS

If you’re a clinic owner looking for HIPAA-compliant AI tools that actually work (without the compliance headaches), here’s how to get started:

  1. For HIPAA Websites & Chatbots: Try MedSiteAI (14-day free trial)
  2. For AI Phone & Voicemail: Try MedReceptionist ($29/mo plan available)
  3. For Call Automation & SOAP Notes: Book a Demo

💡 Pro Tip: Schedule a free HIPAA compliance audit with our team—we’ll review your current setup and identify risks in <30 minutes.

Final Note: At AISS, we don’t just say we’re HIPAA-compliant—we prove it with audits, encryption, and zero PHI leakage. Your patients’ data is safe with us.

Have more questions? Email compliance@aissolutions.com—we respond in <2 hours.

Ready to stop losing patients to voicemail?

See how MedReceptionist handles your call types in a 15-minute demo.

Book Your Demo