HIPAA policy
Last updated April 22, 2026
Overview
Axis HQ, Inc. operates as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA) for every healthcare practice that uses our services. This page summarizes how we handle protected health information (PHI) and how we help your practice stay compliant.
The complete legal terms are in the Business Associate Agreement (BAA) you sign before onboarding. This page is a plain-language summary.
What is PHI in our context?
When Axis handles a patient call on behalf of your practice, the following becomes PHI:
- The audio of the call
- Any transcript we generate
- Patient names, phone numbers, addresses, and other identifiers
- Insurance details and eligibility information
- Reason for visit and scheduling preferences
- Any other identifying information the patient shares
All of this is treated as PHI from the moment it enters our systems until it's deleted per your retention policy.
How we protect PHI
Encryption. All PHI is encrypted at rest (AES-256) and in transit (TLS 1.3). Encryption keys are managed in AWS KMS with audited access controls.
Access controls. Only authorized Axis personnel can access PHI, and only when required for service delivery or support. Access is logged, reviewed, and subject to multi-factor authentication.
Network segmentation. Our PHI-handling systems are isolated from our public-facing systems. Patient data never traverses shared infrastructure.
Vendor management. Every vendor in our stack that touches PHI has a written BAA with Axis. This includes our voice infrastructure, our language model providers, our cloud hosting, and our data storage layer.
Training. Every Axis employee with PHI access completes HIPAA training on hire and annually.
Audit logging. We log all access to PHI. Logs are retained for 7 years and available for your audit on request.
What we don't do
We don't train public language models on your patient data. Your patient recordings and transcripts are never used to improve publicly available AI systems.
We don't aggregate and sell your data. We don't compile "industry benchmarks" or "de-identified insights" from your practice's patient information.
We don't share PHI outside the BAA. PHI moves only between you, Axis, and the specific vendors covered in our BAA. No exceptions.
Breach notification
If we discover a breach of unsecured PHI, we will notify you in writing within 24 hours of discovery. Our notice will include:
- What happened and when
- Which categories of PHI were involved
- The number of patient records affected
- The steps we've taken to contain and remediate
- What we're doing to prevent recurrence
We will cooperate fully with your breach notification obligations to patients and to the Department of Health and Human Services under HIPAA.
Your role as the covered entity
Your practice is the HIPAA covered entity. Axis is your business associate. This means:
- You're responsible for obtaining patient authorizations where required
- You're responsible for responding to patient requests for access, amendment, or accounting
- You're responsible for your practice's Notice of Privacy Practices
- We support you by providing audit logs, data exports, and deletion on request
Getting our BAA
We sign a BAA with every practice before service begins — not after a sales conversation, not as a separate transaction. To request our BAA:
Email sebastian@useaxis.app with your practice name, point of contact, and practice management system. We'll respond within one business day with a BAA tailored to your practice.
Contact
- HIPAA questions — sebastian@useaxis.app
- Security reports — sales@useaxis.app
Axis HQ, Inc.
2261 Market Street STE 62976
San Francisco, CA 94114