As a clinic owner in chiropractic, dermatology, podiatry, or any other healthcare specialty, protecting Protected Health Information (PHI) isn’t just a best practice—it’s a legal requirement under HIPAA. Yet, many practice owners struggle with where PHI is stored, how it’s encrypted, and who can access it—especially when using AI-powered tools like chatbots, phone systems, or clinical documentation software.
At AISS Solutions, we built our products (MedSiteAI, MedReceptionist, VoiceAgent, AI Scribe) with HIPAA compliance at the core. This FAQ breaks down exactly how we handle PHI storage, encryption, and access controls—so you can confidently adopt AI without risking violations.
1. Where Is PHI Stored? (Data Residency & Hosting)
🔹 MedSiteAI (Websites & Patient Chatbots)
- Hosting Provider: AWS (Amazon Web Services) in HIPAA-eligible data centers (us-east-1, us-west-2).
- Data Residency: All PHI collected via forms, chatbots, or appointment requests stays in the U.S. (No offshore storage).
- Isolation: Patient data is logically separated in a dedicated VPC (Virtual Private Cloud) with private subnets.
- Retention Policy:
  - Form submissions: 90 days (configurable per clinic).
Example: A dermatology clinic using MedSiteAI’s chatbot for acne consult requests will have all patient messages stored in AWS S3 buckets with server-side encryption (SSE-S3). If the clinic integrates with Athenahealth, data auto-syncs and deletes from our servers within 24 hours.
🔹 MedReceptionist (AI Phone System)
- Hosting: AWS (same HIPAA-eligible regions as MedSiteAI).
- Call Recordings:
  - Auto-deleted after 30 days unless flagged for compliance (e.g., dispute resolution).
- Transcripts (Voicemail-to-Text):
  - Not stored—only delivered to your email/EHR via TLS 1.2+ encrypted channels.
Real-World Case: An urgent care clinic using MedReceptionist for after-hours calls had a patient leave a voicemail with symptom details. The transcript was never stored on our servers—only emailed via HIPAA-compliant encrypted email (if configured).
🔹 VoiceAgent (Call Automation)
- Hosting: AWS (same as above).
- PHI Handling:
  - No persistent storage of raw audio unless explicitly enabled for training (opt-in only).
🔹 AI Scribe (SOAP Notes Automation)
- Hosting: AWS (HIPAA-eligible).
- Audio Processing:
  - Transcripts are encrypted at rest (AES-256) and deleted within 1 hour of note completion.
- EHR Integration:
  - No PHI remains in AISS systems after delivery.
Example: A family medicine doctor using AI Scribe for 20 patient visits/day generates ~50,000 words of transcripts/month. None of this data is stored—only the finalized SOAP note goes to the EHR.
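The retention rules listed above (90-day form submissions, 30-day call recordings and chatbot data, a compliance flag that blocks deletion) as a small retention job. This is an added example, not AISS code; the record layout, the `compliance_hold` field and the sample inventory are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Retention windows (days) taken from the FAQ above; any clinic-specific value
# passed in clinic_overrides wins, matching "configurable per clinic".
RETENTION_DAYS = {
    "form_submission": 90,     # MedSiteAI form submissions
    "call_recording": 30,      # MedReceptionist call recordings
    "chatbot_transcript": 30,  # chatbot data, unless exported to the EHR
}

def is_expired(record, now, clinic_overrides=None):
    """True when a stored PHI record has aged past its retention window.

    A record flagged for compliance (dispute resolution, forensic hold after an
    incident) is never a deletion candidate, whatever its age.
    """
    if record.get("compliance_hold"):
        return False
    days = (clinic_overrides or {}).get(record["type"], RETENTION_DAYS[record["type"]])
    return record["created"] + timedelta(days=days) <= now

def deletion_candidates(records, now, clinic_overrides=None):
    """Object keys the retention job may delete, in input order."""
    return [r["key"] for r in records if is_expired(r, now, clinic_overrides)]

# Constructed sample inventory (not real data); ages are relative to NOW.
NOW = datetime(2024, 5, 20, 14, 32, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"key": "forms/intake-001.json", "type": "form_submission",
     "created": NOW - timedelta(days=91), "compliance_hold": False},
    {"key": "forms/intake-002.json", "type": "form_submission",
     "created": NOW - timedelta(days=10), "compliance_hold": False},
    {"key": "calls/rec-777.wav", "type": "call_recording",
     "created": NOW - timedelta(days=45), "compliance_hold": True},   # held for a dispute
    {"key": "calls/rec-778.wav", "type": "call_recording",
     "created": NOW - timedelta(days=31), "compliance_hold": False},
    {"key": "chat/sess-42.json", "type": "chatbot_transcript",
     "created": NOW - timedelta(days=30), "compliance_hold": False},  # exactly 30 days old
]

def run_sample():
    return deletion_candidates(SAMPLE_RECORDS, NOW)

if __name__ == "__main__":
    for key in run_sample():
        print("delete:", key)
```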
2. How Is PHI Encrypted? (In Transit & At Rest)
🔹 Encryption in Transit (Data Moving Between Systems)
| Product | Protocol | Encryption Standard | Verification |
|---|---|---|---|
| MedSiteAI | HTTPS/TLS | TLS 1.2+ (AES-256) | SSL Labs A+ |
| MedReceptionist | VoIP/SIP | SRTP (Secure RTP) | AWS KMS-managed keys |
| VoiceAgent | API Calls | TLS 1.3 | AWS ACM certificates |
| AI Scribe | EHR Sync | HL7 FHIR over TLS 1.3 | EHR vendor-compliant |
Why This Matters:
- A podiatry clinic using MedSiteAI’s online intake forms has patient data encrypted before it leaves the browser (via HTTPS).
- A mental health practice using MedReceptionist for call routing ensures no eavesdropping on VoIP calls (SRTP encryption).
🔹 Encryption at Rest (Stored Data)
| Data Type | Storage Location | Encryption Method | Key Management |
|---|---|---|---|
| Chatbot Transcripts | AWS S3 | AES-256 (SSE-S3) | AWS KMS (HIPAA-eligible) |
| Call Recordings | AWS S3 | AES-256 (SSE-KMS) | Customer-managed CMK* |
| Form Submissions | AWS DynamoDB | AES-256 | AWS KMS |
| AI Scribe Audio | Not stored | N/A | N/A |
*Customer-Managed CMK (Customer Master Key): For enterprise clients, we allow BYOK (Bring Your Own Key) for extra control.
Example:
- A dental clinic storing 100GB/month of call recordings in MedReceptionist has each file individually encrypted with a unique key.
- A med spa using MedSiteAI’s HIPAA forms has all submissions encrypted before hitting the database.
3. Who Can Access PHI? (Role-Based Permissions & Audits)
🔹 Access Controls (Zero-Trust Model)
- AISS Employees:
  - Support access is time-limited (max 1 hour, auto-revoked).
- Clinic Staff:
  - Multi-Factor Authentication (MFA) enforced for all admin logins.
Screenshot Description (Hypothetical Admin Dashboard):
- Audit Log Example:
  > [2024-05-20 14:32] User: jane.doe@clinic.com (Role: Admin)
  > IP: 192.168.1.100 | Device: Chrome (MacOS)
  > Action: Exported 5 patient chatbot transcripts to EHR
- Permission Settings:
  - ✅ Front Desk: View/Edit Appointments
  - ❌ Front Desk: Access Billing Data
  - ✅ Doctor: View/Edit SOAP Notes
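A compliance reviewer can replay the audit log against the permission settings listed above to catch any action a role should not have been able to take. This is an added example, not AISS code: the permission matrix follows the three rows shown (the Admin row and the "export transcripts" action are assumptions, since the page shows an Admin exporting), the action-text patterns are assumptions, and the two Front Desk entries in the sample log are constructed.

```python
import re

# Permission matrix from the FAQ's permission settings; Admin row is assumed.
PERMISSIONS = {
    "Front Desk": {"edit_appointments"},
    "Doctor": {"edit_soap_notes"},
    "Admin": {"edit_appointments", "access_billing", "edit_soap_notes", "export_transcripts"},
}
# Map free-text audit actions to permission keys (patterns are assumptions).
ACTION_PATTERNS = [
    (re.compile(r"^Exported .*transcripts", re.I), "export_transcripts"),
    (re.compile(r"^Accessed billing", re.I), "access_billing"),
    (re.compile(r"^(Viewed|Edited) appointment", re.I), "edit_appointments"),
    (re.compile(r"^(Viewed|Edited) SOAP note", re.I), "edit_soap_notes"),
]
# One entry = the three-line format shown in the dashboard audit log above.
ENTRY_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] User: (?P<user>\S+) \(Role: (?P<role>[^)]+)\)\n"
    r"IP: (?P<ip>\S+) \| Device: (?P<device>.+)\n"
    r"Action: (?P<action>.+)"
)

def parse_audit_log(text):
    """Parse every three-line entry into a dict of its fields."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]

def action_key(action_text):
    for pattern, key in ACTION_PATTERNS:
        if pattern.search(action_text):
            return key
    return None  # unknown action: surface it for triage rather than assume allowed

def flag_violations(text):
    """Entries whose role lacks the permission for the recorded action."""
    flagged = []
    for e in parse_audit_log(text):
        key = action_key(e["action"])
        if key is None or key not in PERMISSIONS.get(e["role"], set()):
            flagged.append((e["ts"], e["user"], e["role"], e["action"]))
    return flagged

# Constructed sample log: first entry is the page's example, the rest are made up.
SAMPLE_LOG = """[2024-05-20 14:32] User: jane.doe@clinic.com (Role: Admin)
IP: 192.168.1.100 | Device: Chrome (MacOS)
Action: Exported 5 patient chatbot transcripts to EHR
[2024-05-20 14:40] User: front.desk@clinic.com (Role: Front Desk)
IP: 192.168.1.101 | Device: Chrome (Windows)
Action: Accessed billing data for patient 1042
[2024-05-20 14:45] User: front.desk@clinic.com (Role: Front Desk)
IP: 192.168.1.101 | Device: Chrome (Windows)
Action: Edited appointment 5531
"""
```

Running `flag_violations(SAMPLE_LOG)` reports only the Front Desk billing access, which the permission settings above deny.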
🔹 Business Associate Agreements (BAAs)
- All AISS products come with a pre-signed BAA (no extra cost).
- Subprocessors:
  - Twilio (for SMS/voice, HIPAA BAA in place)
  - Google (only for non-PHI analytics, excluded from BAA)
Why This Matters for Compliance:
- A chiropractic clinic using MedReceptionist + Twilio SMS is covered because both AISS and Twilio have BAAs.
- If a breach occurs, the BAA ensures liability is shared per HIPAA rules.
4. What Happens If There’s a Breach?
🔹 Incident Response Plan (Tested Quarterly)
- Detection:
- Containment:
  - Isolation of affected data (no deletion until forensic analysis).
- Notification:
  - HHS + affected patients notified within 60 days (if >500 records exposed).
- Remediation:
  - Free credit monitoring for affected patients (if required).
Real-World Test Case:
- In Q1 2024, we simulated a breach where a hacked admin account tried to export PHI.
- Result: System blocked the export, revoked access, and alerted the clinic owner in 42 seconds.
5. How Do We Prove HIPAA Compliance?
🔹 Third-Party Audits & Certifications
| Compliance Standard | Status | Auditor | Last Audit Date |
|---|---|---|---|
| HIPAA Security Rule | ✅ Compliant | HIPAA Vault | March 2024 |
| HIPAA Privacy Rule | ✅ Compliant | HIPAA Vault | March 2024 |
| SOC 2 Type II | ✅ Certified | AICPA | January 2024 |
| AWS HIPAA Eligibility | ✅ Verified | AWS | Ongoing |
What This Means for You:
- No need for your clinic to audit us—we’ve already passed HIPAA and SOC 2 audits.
- Reduces your compliance burden when using our tools.
🔹 Penetration Testing (Annual)
- Conducted by: Cure53 (Berlin-based security firm)
- Last Test: February 2024
- Findings:
  - 1 medium-risk issue (fixed within 7 days).
Example Fix:
- A potential SQL injection risk in MedSiteAI’s form handler was patched before any data was exposed.
6. What Should Clinic Owners Do to Stay Compliant?
🔹 Your Responsibilities (Even with AISS)
- Sign the BAA (we provide it—just e-sign in 2 minutes).
- Train Staff:
  - Phishing tests (we offer free templates for clinics).
- Configure Integrations Securely:
  - Disable SMS if not HIPAA-compliant (Twilio is fine; regular texting is not).
- Monitor Access:
Checklist for Clinic Admins:
- [ ] BAA signed (provided in onboarding).
- [ ] MFA enabled for all staff.
- [ ] EHR integration tested (no PHI leakage).
- [ ] Staff trained on HIPAA + AISS tools.
7. Common Questions from Clinic Owners
❓ “Can I use MedSiteAI’s chatbot for intake forms with PHI?”
✅ Yes. All chatbot data is encrypted (AES-256) and auto-deleted in 30 days unless exported to your EHR.
❓ “Is MedReceptionist’s voicemail transcription HIPAA-compliant?”
✅ Yes. Audio is processed in a HIPAA-eligible AWS region, and transcripts are delivered encrypted (no storage).
❓ “Does AI Scribe store patient audio?”
❌ No. Audio is streamed, transcribed, and discarded—only the SOAP note is saved (in your EHR).
❓ “What if a patient asks for their data to be deleted?”
✅ We comply with HIPAA’s Right to Erasure.
- Process:
  2. We verify identity (clinic admin + patient confirmation).
  3. Data deleted within 24 hours (with confirmation).
❓ “Can I use AISS tools without a BAA?”
❌ No. We require a BAA for all healthcare clients (provided free in onboarding).
8. Pricing & Which Product Fits Your PHI Needs
| Product | Use Case | PHI Handling | Starting Price | Best For |
|---|---|---|---|---|
| MedSiteAI | HIPAA websites, chatbots, forms | Encrypted storage, auto-delete | $149/mo | Derm, Med Spa, Podiatry |
| MedReceptionist | AI phone, voicemail, call routing | No PHI storage (transcripts only) | $29/mo | Urgent Care, Family Medicine |
| VoiceAgent | Call automation (refills, appointments) | Real-time processing, no storage | Custom | High-volume clinics |
| AI Scribe | SOAP notes automation | No audio storage, EHR sync | Bundled | All specialties |
Example Cost Breakdown:
- A 5-doctor family practice using:
  - MedSiteAI ($299/mo) for website + chatbot
  - MedReceptionist ($99/mo) for phone system
  - AI Scribe (included) for notes
  - Total: ~$400/mo (vs. $1,200+/mo for traditional EHR + phone systems)
🚀 Next Steps: Secure Your Clinic’s PHI with AISS
If you’re a clinic owner looking for HIPAA-compliant AI tools that actually work (without the compliance headaches), here’s how to get started:
- For HIPAA Websites & Chatbots → Try MedSiteAI (14-day free trial)
- For AI Phone & Voicemail → Try MedReceptionist ($29/mo plan available)
- For Call Automation & SOAP Notes → Book a Demo
Ready to stop losing patients to voicemail?
See how MedReceptionist handles your call types in a 15-minute demo.
Book Your Demo