HIPAA compliance, explained in English.
Not a legal document. A straight explainer of what HIPAA means for your practice and exactly how Perpetua meets every requirement.
What HIPAA means for your practice.
HIPAA (Health Insurance Portability and Accountability Act) is the federal law that protects patient health information. Your practice is a Covered Entity — anyone who handles Protected Health Information (PHI) on your behalf is a Business Associate.
Perpetua is a Business Associate. That means two things:
- We must sign a Business Associate Agreement (BAA) with you before we touch any PHI. We do this same-day, no negotiation required.
- We must implement the same safeguards HIPAA requires of you — administrative, physical, and technical. Plus we inherit your breach notification obligations.
The practical question is never "is this vendor HIPAA compliant?" — there's no federal certification. The real question is: will they sign the BAA, and will the safeguards in the BAA hold up under audit?
Both answers for Perpetua are yes. Here's what that looks like in practice.
Every safeguard, how we implement it.
Encryption everywhere
AES-256 at rest, TLS 1.3 in transit. Call recordings, transcripts, and database backups all encrypted with separate keys.
Role-based access controls
Every user has a role (owner, manager, biller, front desk, provider). Permissions are enforced at the database row level — not just in the UI.
Complete audit logs
Every PHI access — view, edit, export, API call — is logged with user, timestamp, IP, and reason. Logs retained 7 years.
MFA required
Multi-factor authentication is required for every Perpetua employee and strongly encouraged for your team. We support TOTP and hardware keys.
HIPAA-eligible infrastructure
Data stored on Supabase (Postgres) running in AWS us-east under a signed BAA. Row-Level Security prevents cross-tenant data access at the database level.
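What "cross-tenant isolation at the database level" looks like in Postgres, as an added illustration rather than Perpetua's own schema or policies. It assumes a Supabase-style setup where auth.jwt() returns the caller's JWT and the application places the tenant id in a custom claim named practice_id; the table and column names are invented for the example.

```sql
-- Added example (not Perpetua's schema): tenant isolation with Postgres RLS.
-- Assumptions: Supabase exposes auth.jwt(); the app issues JWTs carrying a
-- custom "practice_id" claim; table/column names are constructed for this demo.
create table appointments (
  id            bigserial   primary key,
  practice_id   uuid        not null,
  patient_name  text        not null,
  starts_at     timestamptz not null,
  reason        text,
  provider      text,
  status        text        not null default 'scheduled'
);

-- Enable RLS and force it even for the table owner, so a bug in application
-- code that connects as the owner still cannot read another practice's rows.
alter table appointments enable row level security;
alter table appointments force row level security;

-- One policy for select/insert/update/delete: a row is readable only when its
-- practice_id equals the caller's claim (USING), and a write is accepted only
-- when the new row carries that same practice_id (WITH CHECK), so a client
-- cannot insert or move a record into another tenant.
create policy practice_isolation on appointments
  for all
  using      (practice_id = (auth.jwt() ->> 'practice_id')::uuid)
  with check (practice_id = (auth.jwt() ->> 'practice_id')::uuid);

-- Deny-by-default check: a session whose JWT lacks the practice_id claim
-- matches no policy and therefore sees zero rows, not every row.
-- Run from a session with practice A's token; the count covers only A even
-- though the query itself names no practice.
select count(*) from appointments;

-- Caveat: roles with BYPASSRLS (e.g. the Supabase service_role key) skip
-- these policies entirely, so that key must never reach a client or the UI.
```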
Breach response plan
We monitor for anomalies 24/7. If a breach affects PHI, you're notified within 24 hours of discovery — far faster than HIPAA's 60-day deadline.
What we store · what we don't.
We only take what's required to run the Service. Everything else stays in your EHR.
Appointment data
Patient name, appointment time, reason for visit, provider, status.
Insurance information
Member ID, payer, plan type, copay, deductible status — for eligibility checks.
Call recordings & transcripts
Stored 12 months by default. Retention is configurable; you can also opt out of storage.
Audit logs
Every PHI access event, retained 7 years per HIPAA minimum.
Credit card numbers
Never. Stripe tokenizes all payment data — we see a last-4 at most.
Full medical records
We access only what the agent needs (appointment + insurance). We don't pull clinical notes or labs unless you explicitly enable an agent that needs it.
Training data for AI models
PHI is never used to train AI. Our language models run under zero-retention contracts with upstream providers.
We sign BAAs same-day.
Our Business Associate Agreement is standard, reasonable, and we don't negotiate the terms — so you don't waste a week in a contract loop. Sign it, return it, and we're live same day.
Supporting documents.
Start a practice with HIPAA-first AI.
14-day free trial. Signed BAA in your inbox within an hour.