On HIPAA.
Two questions matter on the first call — are we HIPAA compliant, and how do we know. We are. Below is what we do.
The short version.
We are HIPAA compliant and we take the work seriously. Patient data is encrypted at rest and in transit. Every login uses two-factor. Every action — ours and your staff's — is recorded. We store only what we need. We sign a BAA written in plain English within twenty-four hours. If you ever leave, you take everything with you in ninety days, no negotiation.
We also held ourselves to the new 2026 HIPAA Security Rule before it was finalized. The rule formalizes what we already built.
What HIPAA actually asks of a vendor like us.
Three categories — administrative (the program), physical (the building), and technical (the software). We carry obligations in all three because patient data flows through Ekavi. Below is each thing the law asks, in plain language, and what we do about it.
How we cover each requirement.
Encryption
Patient data is encrypted on disk and over the wire. AES-256 at rest, TLS 1.3 in transit. No fallback to weaker settings.
Access control
Two-factor authentication on every login. Each person on your team sees only what their job needs. Nothing more.
Audit log
Every action recorded — what was done, when, by whom, with what result. Seven years of retention. Yours to export, in CSV or signed PDF, without a support ticket.
Data we keep to the minimum
We store only the patient data Ekavi needs to do its job. No silent analytics copy of your patients. No data lake. The default retention is ninety days; you can change it.
Managed AI, US providers, no model training
When a model reads chart text, the request goes through enterprise-tier US-based AI providers under signed BAAs and a zero-retention agreement. Patient names are replaced with opaque tokens before processing where possible. Your patient data never trains a model. Ever.
Cloud hosting
Ekavi runs on Google Cloud's HIPAA-eligible infrastructure under a signed BAA. Your practice's data sits behind its own boundary; nothing crosses between practices.
Annual verification
Once a year, every January, a written compliance packet lands in your inbox — already signed and dated, ready for your auditor. No support ticket. No call.
Workforce training
Every person on the Ekavi team completes HIPAA training annually. Records are kept and inspectable.
Incident response
If something fails or is breached, you hear from us within four hours. The note says what we know, what we are doing, and when the next signal will come. No theatre.
Sub-processors, named
Every third party that touches your data is published. Changes get thirty days' written notice. No surprises.
A clean exit, in writing
The MSA includes a ninety-day clean export clause. If you decide to leave, your data exports in standard formats, your account closes on a date you choose, and access continues for ninety days after. Nothing to negotiate.
What the 2026 Security Rule changed.
For the first time since 2013, the federal government rewrote the HIPAA Security Rule. The rule formalizes what most serious vendors were already doing — and closes the loopholes the others were hiding behind. The headline: every safeguard is now required, not "addressable."
- Multi-factor authentication on every interactive login. Required.
- Encryption at rest and in transit. Required.
- Annual compliance audit and written report. Required.
- An asset inventory of every system that touches patient data. Required.
- Vulnerability scanning on a fixed schedule. Required.
- Network segmentation between systems. Required.
- Stricter incident-response and breach-notification timelines. Required.
We were already running to that standard. We re-checked everything against the new rule. We are compliant.
A BAA written for AI.
The Business Associate Agreement is the contract that authorizes Ekavi to handle PHI on your behalf. Most vendor BAAs were written for traditional software; ours is written for AI:
- Patient data does not train any model. Ever. Not for our model. Not for any.
- Default retention is ninety days. Configurable.
- Sub-processors named in the BAA, changeable with thirty days' written notice.
- Plain language. Signed within twenty-four hours.
What we are not claiming.
There is no government-issued "HIPAA certification." HHS does not certify vendors. When we say we are HIPAA compliant, we mean we have the program in place, we test it regularly, and we are willing to put it in writing — in the BAA, in the verification packet, and in the audit log every action leaves behind.
If your auditor or counsel needs more — the full security architecture, the verification packet, audit-log spec, sub-processor list, incident-response posture — we send it on request. The verification packet itself reaches every practice on Ekavi automatically — every January, on a fixed cadence, signed and dated. The trust page is the public summary; for specific questions, the kind that need a signature, write to trust@ekavi.care.