Compliance

HIPAA Statement

Clinvoyant operates as a HIPAA Business Associate and builds its platforms around the protection of patient health information.

Business Associate, not Covered Entity

Clinvoyant Incorporated is a HIPAA Business Associate. We process protected health information (PHI) only on behalf of, and under written agreement with, the healthcare organizations (Covered Entities) that use our platforms. This page is a public summary of our Business Associate commitments; it is not a Notice of Privacy Practices, which is issued by each provider organization.

Business Associate Agreements

Before any PHI is processed, Clinvoyant executes a Business Associate Agreement (BAA) with the customer that defines permitted uses and disclosures, the minimum-necessary standard, safeguard obligations, breach-notification duties, and the handling of PHI on termination. To request a BAA, contact compliance@clinvoyant.com.

Safeguards

Our HIPAA program implements administrative, physical, and technical safeguards, including:

  • Encryption of PHI in transit (TLS 1.2+) and at rest.
  • Minimum necessary & PHI minimization — access is limited to the minimum data required for a role, and direct identifiers (names, addresses, phone numbers, medical record numbers, dates of birth, and similar) are removed before data reaches our AI models.
  • Access controls — role-based access enforced on the server, with facility- and department-level scoping and single sign-on.
  • Audit logging — immutable, exportable audit records of system and user activity.
  • Workforce controls — background screening, security training, and least-privilege access.

Architectural privacy by design

Our platforms use a structurally separated, two-pass AI pipeline: the model that generates clinician-facing narrative never receives raw patient data — only validated, minimized structured output. This is an architectural guarantee, not only a policy.

Individual rights

Because Clinvoyant acts as a Business Associate and does not have a direct relationship with patients, requests by individuals to exercise their HIPAA rights are directed to and fulfilled by the Covered Entity. Clinvoyant supports each Covered Entity in honoring those rights — access, amendment, accounting of disclosures, and agreed restrictions — as required by the applicable BAA.

Breach notification

Where a reportable breach of unsecured PHI occurs, Clinvoyant notifies the affected Covered Entity without unreasonable delay and within the timeframe specified in the applicable BAA, consistent with the HIPAA Breach Notification Rule.

Compliance documentation

PHI is hosted in the United States on Microsoft Azure, and AI inference is performed within Microsoft Azure under Microsoft’s Business Associate Agreement. Our full HIPAA program documentation, SOC 2 materials, subprocessor list, and security questionnaire responses are available to qualified parties through our Trust Center.

Contact

Clinvoyant Incorporated is headquartered in Lewisville, Texas, United States. HIPAA, BAA, and security inquiries: compliance@clinvoyant.com