from ekavi · on trust last edited may 2026

On trust.

Two questions matter on the first call: what protects the patient's data, and what proves it. Below is the answer to both, and the artefacts your auditor and counsel will ask for.

§01

Built for the 2026 HIPAA Security Rule.

The May 2026 final rule converts every former "addressable" safeguard into a mandatory control: MFA, encryption at rest, encryption in transit, audit logging, network segmentation, penetration testing, and — most operationally — annual written verification that those controls are in place.

Ekavi delivers your verification packet on a fixed cadence: every January 15, signed and dated, sent to the practice manager and the compliance contact you nominate. The packet contains:

  • SOC 2 Type II report (current attestation)
  • Encryption inventory (at rest, in transit, key custody)
  • Access control policy and SSO posture
  • Audit log retention proof and sample export
  • Penetration test summary (current calendar year)
  • Network segmentation diagram
  • Sub-processor list with effective dates
  • Incident response plan and most recent table-top result

Request the sample verification packet →

§02

A BAA written for AI.

Standard BAA templates were drafted before AI vendors existed. Ours is rewritten for the questions your counsel will actually ask:

  • Training. PHI does not train our models. No exceptions.
  • Retention. Ninety days default. Configurable to seven days on request.
  • Sub-processors. Named, listed, and changeable with thirty days' written notice.
  • Breach notification. Twenty-four hours.
  • Termination. Clean offboarding with a 90-day data export window.
  • Cure period. Thirty days for material breach. After that, full export and deletion.

Request the sample BAA →

§03

Audit log on every action.

Every Ekavi action — read, draft, send, retry, decline — is recorded the moment it happens. Each row carries:

  • Action and outcome
  • Operator (Ekavi or a named human) and confidence score
  • Model and prompt fingerprint
  • PHI fields touched
  • Timestamp (UTC, with practice timezone offset)
  • Trace ID linking to the source EHR event

Retention: seven years. Export: CSV or signed PDF. Read access: every user, scoped by RBAC. Note that a row can name the patient, as the sample below shows, so the log is itself PHI and its exports need the same handling as the records they describe.

2026-05-05T14:02:11Z  draft.appeal   conf=0.91  patient=hernandez_m  ehr=athena       trace=evt-9112334
2026-05-05T14:02:14Z  send.appeal    conf=0.91  payer=uhc            result=queued    trace=evt-9112334
2026-05-05T14:48:22Z  recover.payer  conf=1.00  payer=uhc            result=approved  auth=UHC-PA-9912034
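A check your compliance contact can run on an export: parse rows in the format of the three sample rows and compare each against the field list this section promises. This is an added example, not Ekavi's code; the key=value row layout is inferred from the samples, and every key name other than conf, result and trace is an assumption.

```python
"""Added example (not Ekavi's code): parse audit rows in the sample format
and report which promised fields each row is missing. Key names other than
conf, result and trace are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Input: the page's own three sample rows, copied verbatim.
SAMPLE_ROWS = """\
2026-05-05T14:02:11Z  draft.appeal       conf=0.91  patient=hernandez_m  ehr=athena  trace=evt-9112334
2026-05-05T14:02:14Z  send.appeal        conf=0.91  payer=uhc           result=queued trace=evt-9112334
2026-05-05T14:48:22Z  recover.payer      conf=1.00  payer=uhc           result=approved auth=UHC-PA-9912034
"""

# One key per promised field, in the order the section lists them
# (outcome, operator, confidence, model, prompt fingerprint, PHI fields, trace).
REQUIRED_KEYS = ("result", "operator", "conf", "model", "prompt", "phi", "trace")


@dataclass
class AuditRow:
    ts: datetime            # tz-aware, normalised to UTC
    action: str             # e.g. draft.appeal
    attrs: dict[str, str]   # the key=value tail of the row


def parse_row(line: str) -> AuditRow:
    """Split '<ts> <action> k=v k=v ...'; reject naive timestamps and bad tokens."""
    ts_text, action, *tail = line.split()
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError(f"naive timestamp in audit row: {ts_text}")
    attrs: dict[str, str] = {}
    for tok in tail:
        key, sep, val = tok.partition("=")
        if not sep or not key or not val:
            raise ValueError(f"malformed token {tok!r}")
        if key in attrs:
            raise ValueError(f"duplicate key {key!r}")
        attrs[key] = val
    return AuditRow(ts.astimezone(timezone.utc), action, attrs)


def missing_fields(row: AuditRow) -> list[str]:
    """Promised keys absent from this row, plus a range check on conf."""
    missing = [k for k in REQUIRED_KEYS if k not in row.attrs]
    conf = row.attrs.get("conf")
    if conf is not None and not 0.0 <= float(conf) <= 1.0:
        missing.append("conf:out-of-range")
    return missing


def audit_report(text: str) -> list[tuple[str, list[str]]]:
    """(action, missing fields) per row, so gaps in an export are visible."""
    rows = [parse_row(line) for line in text.splitlines() if line.strip()]
    return [(r.action, missing_fields(r)) for r in rows]


def by_trace(text: str) -> dict[str, list[str]]:
    """Group actions by trace id; rows with no trace land under '<untraced>'."""
    chains: dict[str, list[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        r = parse_row(line)
        chains.setdefault(r.attrs.get("trace", "<untraced>"), []).append(r.action)
    return chains


if __name__ == "__main__":
    for action, missing in audit_report(SAMPLE_ROWS):
        print(f"{action:15s} missing: {', '.join(missing) or 'none'}")
    print(by_trace(SAMPLE_ROWS))
```

Run against the sample rows, the report shows that none of them carries an operator, model or prompt fingerprint, or a PHI-fields key, and that the third row (the approved authorisation) has no trace id, so it cannot be linked back to the EHR event that started the chain. Whether that is a gap in the sample or in the export is the question to put to the vendor.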

§04

HTI-1 algorithm transparency.

ONC's enforcement discretion ends March 1, 2026. Any certified health IT touching decisions that affect care must publish how its predictive tools work. Ekavi sits at that line — admin AI that affects care timing.

What we publish:

  • One model card per task (PA drafting, denial appeal, eligibility, follow-up)
  • The confidence threshold per task, with the failure modes we know about
  • A reason citation on every drafted action ("Drafted from UHC denial CO-197 on May 1.")
  • Quarterly performance report — accuracy, drift, escalation rate, denial recovery rate

§05

Section 1557 — administrative-only.

Ekavi does not make clinical decisions. Patient care decisions remain with the physician. Our scope is administrative: prior auths, denials, eligibility, scheduling, follow-up.

Practice-side artefacts are included with onboarding: a written AI-use policy, staff training templates, the audit log every Section 1557 audit asks for, and the patient disclosure copy you can paste into your forms or NPP.

§06

Hosting & sub-processors.

  • Compute & storage. AWS us-east region, dedicated VPC, encrypted at rest with customer-managed keys.
  • Database. Postgres + pgvector, HIPAA-eligible, encryption-at-rest with KMS.
  • Model providers. Anthropic and OpenAI on the zero-retention API tier with BAA signed. PHI is redacted before any prompt leaves the VPC.
  • Email. Resend (transactional only: application form replies). No PHI is sent by email.
  • Sub-processor changes. Thirty days' written notice; the BAA permits termination if you object.
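One way to implement the "PHI is redacted before any prompt leaves the VPC" claim, as an added example rather than Ekavi's code: structured PHI fields are swapped for random placeholders, the placeholder-to-value map stays in process inside the VPC, an outbound gate refuses any prompt that still carries a raw value, and the provider's draft is rehydrated on the way back. The field names, the prompt template, the fictional record and the stand-in provider call are all assumptions.

```python
"""Added example (not Ekavi's code): placeholder redaction of structured PHI
before a prompt leaves the VPC, an outbound gate, and rehydration of the
returned draft. Field names, prompt template and provider stand-in are
assumptions."""
import re
import secrets

# Constructed, fictional record: the fields a denial appeal would draw on.
RECORD = {
    "patient_name": "Maria Hernandez",
    "dob": "1984-03-09",
    "member_id": "UHC123456789",
    "payer": "uhc",            # payer and denial code are not PHI; left in clear
    "denial_code": "CO-197",
}
PHI_FIELDS = ("patient_name", "dob", "member_id")
PLACEHOLDER = re.compile(r"\[[A-Z_]+_[0-9a-f]{8}\]")


class Redactor:
    """Holds the placeholder map for one request. It must never be sent outbound."""

    def __init__(self) -> None:
        self._map: dict[str, str] = {}   # placeholder -> real value

    def redact(self, record: dict[str, str]) -> dict[str, str]:
        """Replace each PHI field with an unguessable, per-request placeholder."""
        out = dict(record)
        for field in PHI_FIELDS:
            if field in out:
                tag = f"[{field.upper()}_{secrets.token_hex(4)}]"
                self._map[tag] = out[field]
                out[field] = tag
        return out

    def leaks(self, text: str) -> list[str]:
        """Real PHI values that still appear verbatim in text."""
        return [v for v in self._map.values() if v in text]

    def rehydrate(self, text: str) -> tuple[str, list[str]]:
        """Put real values back; also report placeholders this request never issued."""
        unknown = [t for t in PLACEHOLDER.findall(text) if t not in self._map]
        for tag, val in self._map.items():
            text = text.replace(tag, val)
        return text, unknown


def build_prompt(rec: dict[str, str]) -> str:
    return (f"Draft an appeal for patient {rec['patient_name']} (DOB {rec['dob']}, "
            f"member {rec['member_id']}) denied by {rec['payer']} with code {rec['denial_code']}.")


def provider_draft(prompt: str) -> str:
    """Stand-in for the model provider call: it only ever sees placeholders."""
    tags = PLACEHOLDER.findall(prompt)
    return f"We appeal the denial for {tags[0]} (member {tags[2]})."


def send_outbound(prompt: str, redactor: Redactor) -> str:
    """The gate at the VPC edge: refuse to send if any raw PHI survived redaction."""
    leaked = redactor.leaks(prompt)
    if leaked:
        raise ValueError(f"refusing to send prompt with raw PHI: {leaked}")
    return provider_draft(prompt)


def draft_appeal(record: dict[str, str]) -> tuple[str, list[str]]:
    """Redact, gate, call out, rehydrate. Returns (draft, unresolved placeholders)."""
    r = Redactor()
    draft = send_outbound(build_prompt(r.redact(record)), r)
    return r.rehydrate(draft)


if __name__ == "__main__":
    text, unknown = draft_appeal(RECORD)
    print(text, unknown)
```

Two caveats worth raising with any vendor making this claim. First, this only covers structured fields: PHI inside free text (a clinical note pasted into a denial) needs a detector in front of the gate, which this example does not include. Second, the gate is what makes the claim testable; ask where theirs sits and what it logs when it refuses.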

§07

Incident response.

  • Twenty-four hour breach notification (HIPAA-aligned).
  • Seventy-two hour cyber-incident reporting (CIRCIA-aligned, expected June 2026).
  • Public status page at status.ekavi.care.
  • Post-incident review shared with affected practices within ten business days.

§08

Data export & offboarding.

You can leave at any time. The 90-day export window is automatic, no charge, and includes:

  • All PHI we processed, in CSV + JSONL
  • The full audit log, in CSV + signed PDF
  • All drafted documents (appeals, PAs, eligibility decisions) as PDF
  • A written deletion certification with the cryptographic-erase timestamp

Counsel can write to trust@ekavi.care. We reply within one business day.

— Ekavi.

Filed.