HIPAA Compliance and BAA
OzyOps is built for healthcare practices and takes HIPAA compliance seriously. This page explains how we protect patient data and what your responsibilities are.
OzyOps as a Business Associate
Under HIPAA, OzyOps is a Business Associate of your practice. This means we handle Protected Health Information (PHI) on your behalf and are legally obligated to protect it.
Business Associate Agreement (BAA)
Every healthcare customer signs a BAA during onboarding. The BAA covers:
- What PHI we receive and how we use it
- Our security obligations
- Breach notification procedures
- Data retention and destruction timelines
- Your rights regarding your patients' data
To view your signed BAA: Go to Settings > Profile in your dashboard.
PHI Categories We Collect
During AI-handled calls, the following patient information may be collected:
| Category | Examples |
|---|---|
| Identifiers | Name, phone number, email address, date of birth |
| Health information | Reason for visit, symptoms described, medications (for refill requests) |
| Scheduling data | Appointment dates, provider assignments, procedure types |
| Insurance | Carrier name, member ID (if provided during the call) |
| Payment | Payment method type (cash, card, insurance -- no card numbers are collected) |
| Communication records | Call recordings, transcripts, SMS messages |
The AI does not ask for or store credit card numbers, Social Security numbers, or bank account details during calls.
Data Encryption
All PHI is protected with multiple layers of encryption:
- In transit: TLS 1.2+ encryption for all data moving between systems.
- At rest: AES-256 encryption for stored data, including call recordings, transcripts, and patient records.
- EMR credentials: AES-256-GCM encryption for stored EMR API keys and OAuth tokens.
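The EMR-credential layer above is the one most practitioners want to see concretely: what "AES-256-GCM for stored API keys and OAuth tokens" means at the byte level, and why the GCM authentication tag matters. The example below is added here for illustration and is not OzyOps's code; it assumes a constructed demo key (a real deployment pulls the key from a KMS or secrets manager) and a hypothetical `CredentialContext` format for the additional authenticated data that binds each blob to its owning practice and column.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// DemoKey is a constructed 32-byte key for this illustration only. In a real
// deployment the key comes from a KMS or secrets manager and is never stored
// in source or beside the ciphertext.
var DemoKey = sha256.Sum256([]byte("constructed demo key material, not a real key"))

// SealCredential encrypts a credential (EMR API key, OAuth token) with
// AES-256-GCM. Output layout: nonce || ciphertext || 16-byte tag, so the
// nonce is stored with the record; it is drawn fresh from crypto/rand on
// every call, which is what keeps GCM safe under one long-lived key.
// aad is additional authenticated data: not encrypted, but covered by the
// tag, so binding it to the owning row (practice ID and column name) means a
// blob copied into another practice's row fails to decrypt.
func SealCredential(key [32]byte, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenCredential reverses SealCredential. Any change to nonce, ciphertext,
// tag or aad makes gcm.Open return an error; callers must treat that error
// as tampering or a key/context mismatch, never as "empty credential".
func OpenCredential(key [32]byte, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// CredentialContext builds the AAD that ties a stored credential to its
// owning practice and field. The format is an assumption of this example.
func CredentialContext(practiceID, field string) []byte {
	return []byte("practice=" + practiceID + ";field=" + field)
}

func main() {
	aad := CredentialContext("practice-demo-001", "emr_oauth_token")
	blob, err := SealCredential(DemoKey, []byte("constructed-oauth-token"), aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %d bytes (12 nonce + %d ciphertext + 16 tag)\n", len(blob), len(blob)-28)

	// Reading it back under the same key and context succeeds.
	pt, err := OpenCredential(DemoKey, blob, aad)
	fmt.Printf("decrypt ok: %v (%s)\n", err == nil, pt)

	// A single flipped ciphertext bit is rejected rather than yielding garbage.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = OpenCredential(DemoKey, tampered, aad)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)

	// The same blob presented under another practice's context is rejected too.
	_, err = OpenCredential(DemoKey, blob, CredentialContext("practice-demo-002", "emr_oauth_token"))
	fmt.Printf("wrong context rejected: %v\n", err != nil)
}
```

The design choice worth noting is the AAD: AES-256 alone only hides the token, while GCM's tag plus a row-bound context turns "someone edited or moved a ciphertext in the database" into a decryption failure that can be logged and alerted on.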
Multi-Factor Authentication (MFA)
MFA is mandatory for all healthcare accounts. Every team member must set up MFA before accessing the dashboard.
This adds a second layer of security beyond your password. Even if your password is compromised, an attacker cannot access your account without the MFA code from your phone.
See the MFA Setup Guide for instructions.
Subprocessors
OzyOps uses the following subprocessors that may handle PHI. Each has a signed BAA in place:
| Subprocessor | Purpose | BAA |
|---|---|---|
| Retell AI | Voice AI platform (handles all calls) | Yes |
| Neon | HIPAA-compliant PostgreSQL database (stores PHI) | Yes |
| Twilio | SMS delivery only (does not store PHI) | BAA available |
All subprocessors are contractually bound to protect PHI in accordance with HIPAA requirements.
Data Retention
OzyOps retains healthcare data according to the following schedule:
| Data Type | Active Retention | After Active Period |
|---|---|---|
| Call recordings | 24 months | Moved to cold storage |
| Call transcripts | 24 months | Moved to cold storage |
| Patient contact info | Duration of account + 30 days | Deleted |
| SMS messages | 24 months | Deleted |
| Audit logs | 6 years | Deleted |
| Cold storage data | Up to 6 years total | Permanently deleted |
The 6-year audit log retention supports the HIPAA requirement to maintain records of policies and procedures for at least 6 years.
When you cancel your account, call data remains accessible for 30 days. After that, data follows the retention schedule above. Request a data export before cancellation if you need long-term access to your records.
Your Responsibilities
As the healthcare practice (the Covered Entity), you are responsible for:
- Signing the BAA -- Completed during onboarding.
- Enforcing MFA -- All team members must set up MFA. OzyOps requires this automatically.
- Managing team access -- Remove team members promptly when they leave your practice.
- Patient consent -- Obtaining any required patient consent for AI-handled calls and SMS communication.
- Breach reporting -- Notifying OzyOps if you suspect unauthorized access to your account.
- Minimum necessary -- Only sharing the minimum necessary PHI in your AI agent's special instructions.
Breach Notification
If OzyOps discovers a security breach involving PHI:
- We notify you within 72 hours of discovery.
- We provide details of what data was affected.
- We assist with investigation and remediation.
- We support your obligation to notify affected patients and HHS (if required).
If you discover or suspect a breach (unauthorized access to your account, lost device with dashboard access, etc.), contact us immediately at security@ozyops.com.
Common Questions
Is OzyOps HIPAA certified? There is no official "HIPAA certification." HIPAA compliance is demonstrated through policies, procedures, technical safeguards, and BAAs. OzyOps implements administrative, physical, and technical safeguards required by the HIPAA Security Rule.
Can I use OzyOps without signing a BAA? For healthcare practices that handle PHI, a BAA is required. Non-healthcare customers (trades, law) do not need a BAA.
What happens if a team member's phone is lost or stolen? The team member should notify the account Owner immediately. The Owner should remove the team member from Settings > Team and contact support@ozyops.com. If MFA was set up on the lost device, see the Account Recovery guide.
Does OzyOps conduct security audits? Yes. We perform regular security assessments and maintain security policies aligned with HIPAA requirements. Contact security@ozyops.com for details.
Can I request a copy of OzyOps security policies? Yes. Contact support@ozyops.com with the subject "Security Documentation Request."