Compliance & Governance
HIPAA BAA + SOC 2 AI built for independent practices
HIPAA Business Associate Agreement
A signed BAA is a precondition for every deployment. We never process PHI without one. The agreement covers all 7 services and applies to every model and integration we operate on your behalf.
SOC 2 controls
SMBlify Health operates under SOC 2 controls covering security, availability, confidentiality, and processing integrity. Customer data is encrypted in transit and at rest, access is least-privilege and logged, and changes are reviewed and recorded.
AI governance model
- Model whitelist: only models covered under our BAA may process PHI
- No customer PHI is used to train foundation models
- Prompt and tool calls are versioned and reviewed before deployment
- Every PHI interaction generates an immutable audit log entry
- Practice-specific overrides allow clinical staff to set escalation rules
Audit logs & incident response
Every AI interaction with PHI — voice calls, SMS, chat, intake, recall — is logged with timestamp, actor, model version, and outcome. Logs are available to the practice for compliance review. Incidents are reported per the BAA, with a documented response runbook.
Accountability
SMBlify Health is the single accountable partner. We do not subcontract PHI handling. The named operator on your account owns compliance posture in the same way they own outcomes. Implementation is a 12-week product with compliance reviewed at every gate.
Frequently asked questions
Do you sign a HIPAA BAA?
Yes — required for every customer. We do not deploy without one.
Are you SOC 2 compliant?
Yes. We operate under SOC 2 controls with continuous monitoring and documented policies.
How is PHI used in AI prompts?
Only models covered by our BAA may process PHI. Customer PHI is never used to train foundation models.
Do you provide audit logs to the practice?
Yes. Every PHI interaction is logged and available for compliance review.