HIPAA Compliance at DoctorConnect
DoctorConnect has operated as a HIPAA Business Associate since the rule's inception. A full Business Associate Agreement is available to every healthcare customer; we sign one with all HIPAA Covered Entities before Protected Health Information is exchanged. PHI is stored exclusively in US data centers on Microsoft Azure infrastructure with SOC 2 Type II attestation.
Key Compliance Facts
What you need to know in 30 seconds.
Signed BAA
A custom Business Associate Agreement is available to every healthcare customer. We sign one with all customers who are HIPAA Covered Entities, before any Protected Health Information is exchanged.
US-Only PHI
All Protected Health Information is stored in US-based data centers. No off-shoring of data or processing.
Azure SOC 2 Type II
Hosted on Microsoft Azure, whose infrastructure holds SOC 2 Type II attestation, independently audited annually.
17 Years Healthcare-Focused
DoctorConnect has served exclusively healthcare practices since 2009 (17 years). The parent company, Adtel International, has been in business since 1992. We do not serve consumer or advertising markets.
Technical Safeguards
How we protect PHI at the infrastructure and application layers — aligned with the HIPAA Security Rule.
- Encryption in transit using TLS 1.2 or higher across all customer-facing endpoints
- Encryption at rest for PHI stored in databases and object storage
- Role-based access controls — staff and clinical users see only the data their role requires
- Audit logging on all PHI access and administrative actions
- Multi-factor authentication available for clinical and administrative accounts
- Automatic session timeout and re-authentication for inactive sessions
- Network-level isolation between customer environments
- Regular security patching and vulnerability management on the Azure infrastructure
Administrative Safeguards
The organizational practices behind the technical controls.
Workforce Training
Every team member with PHI access completes HIPAA training and signs confidentiality agreements.
Written Policies
Documented Privacy Rule, Security Rule, and Breach Notification policies — available on request to procurement and compliance teams.
Breach Notification
Defined incident-response runbook with notification commitments per HIPAA §164.404 — within 60 days of discovery.
Products Covered Under the BAA
Every customer-facing product can be covered under a Business Associate Agreement when one is in place.
ARIA
AI Medical Receptionist — voice answering and SMS triage.
MIRA
AI Autonomous Scheduling — books, reschedules, and reminds patients.
KIRA
AI Autonomous Intake — patient registration and demographics capture.
2-Way Messaging
HIPAA-compliant real-time SMS between practice and patient.
Telehealth
Portal-less video visits, encrypted end-to-end.
RCM
Revenue cycle management — claims, eligibility, payments.
Appointment Reminders
Automated text, voice, and email reminders.
Digital Patient Forms
Mobile intake and e-signature forms.
Frequently Asked Questions
Do you sign a Business Associate Agreement?
A custom Business Associate Agreement is available to every healthcare customer. We sign one with all customers who are HIPAA Covered Entities, before any Protected Health Information is exchanged. Customers outside HIPAA's scope (e.g., veterinary practices, whose records are not Protected Health Information under HIPAA) may operate without one. BAAs are reviewed and countersigned by our compliance team.
Where is PHI stored?
PHI is stored exclusively in US-based Microsoft Azure data centers. We do not off-shore data or processing.
Does DoctorConnect hold SOC 2 Type II directly?
Our hosting platform (Microsoft Azure) holds SOC 2 Type II attestation, independently audited annually. DoctorConnect operates as a HIPAA Business Associate; HIPAA itself does not have a formal certification body — compliance is demonstrated through executed BAAs, documented policies, and operational controls.
What encryption do you use?
TLS 1.2 or higher for data in transit on all customer-facing endpoints. Encryption at rest for PHI stored in databases and object storage.
How do we get a BAA?
Contact our team via the form on /contact or by emailing sales@doctorconnect.net. We'll send the BAA, route it to compliance, and have it ready for signature alongside your service agreement.
What happens in a breach?
DoctorConnect maintains a documented incident-response runbook. Any unauthorized PHI disclosure triggers internal investigation, customer notification, and reporting to affected individuals and HHS as required by HIPAA §164.404 — within 60 days of discovery.
Are your AI agents (ARIA, MIRA, KIRA) HIPAA-compliant?
Yes. All AI agents operate inside the same HIPAA-compliant infrastructure as the rest of DoctorConnect, under the same BAA. PHI processed by AI agents is not used to train external foundation models or shared with any third party outside the BAA.
Need a BAA or compliance details?
Contact our team — we'll send the BAA template and any documentation your procurement or compliance team needs.