Privacy Policy
Last updated: June 11, 2026
1. Who we are
HIPAA Compliant Chatbot ("we", "us") provides a software platform that lets healthcare practices ("Practices") deploy an AI chat widget on their websites. When a Practice uses our platform to collect health information from its website visitors, we act as a Business Associate of that Practice under HIPAA, and our handling of Protected Health Information (PHI) is governed by the Business Associate Agreement (BAA) we sign with each Practice.
2. Information we collect
From Practices (our customers): account details (name, email, practice name), billing information (processed by Stripe — we do not store card numbers), and configuration data.
From website visitors via the chat widget: chat messages, and any contact or appointment details the visitor chooses to submit (name, email, phone, preferred times, reason for visit). This information may include PHI and is collected on behalf of the Practice, which is the data controller / covered entity.
3. How we protect PHI
- PHI is encrypted at rest with AES-256-GCM field-level encryption and in transit with TLS.
- Access to PHI is role-restricted and recorded in tamper-resistant audit logs retained for at least 6 years.
- Chat transcripts are retained for 2 years and inquiries/appointment requests for 7 years by default, then automatically deleted.
- Error-tracking data is scrubbed of PHI before it leaves our systems.
4. How we use information
We use visitor information solely to provide the chat service to the Practice — to generate AI responses, route inquiries and appointment requests to the Practice, and maintain security and audit records. We do not sell personal information, use PHI for advertising, or permit our AI subprocessors to train models on PHI.
5. Subprocessors
We use a limited set of infrastructure providers (hosting, AI inference, email, payments) under written agreements, including BAAs where they handle PHI. A current list is available on request at the contact below.
6. Your rights
Website visitors seeking access to, or deletion of, information submitted through a Practice's chat widget should contact that Practice directly — it is the covered entity responsible for your records. Practices can export or delete their data from the dashboard or by contacting us.
7. Breach notification
If a breach of unsecured PHI occurs, we will notify affected Practices without unreasonable delay and within the timelines required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414) and our BAA, so the Practice can meet its notification obligations to individuals and regulators.
8. Contact
Privacy questions: contact us.