AWS HIPAA-eligible infrastructure, executed BAAs, TLS 1.3/AES-256 encryption, zero-retention AI policies, and audit-ready logging. Your compliance team can sign off without hesitation.
ClaireMed is designed to support HIPAA compliance with infrastructure, vendor governance, and operational controls that meet OCR requirements. HIPAA compliance depends on both technology (what we provide) and operational controls (how you deploy it). ClaireMed provides HIPAA-compliant architecture; your compliance team verifies operational controls before pilot.
ClaireMed infrastructure uses only AWS HIPAA-eligible services, covered under an executed AWS Business Associate Agreement (BAA):
S3: Call recordings, transcripts, audit logs (encrypted at rest)
RDS: Customer data, configuration (encrypted at rest)
Lambda/ECS in VPC: Isolated, encrypted network
KMS: Key management for all encryption
CloudTrail: AWS API activity, access logs
CloudWatch: Metrics, logs, alerts
ClaireMed has executed BAAs with all subprocessors that handle PHI:
| Subprocessor | Service | BAA Status |
|---|---|---|
| AWS | Infrastructure | ✓ Executed |
| Twilio Security Edition | Telephony | ✓ Executed |
| ElevenLabs | Text-to-Speech (TTS) | ✓ Executed |
| Deepgram | Speech-to-Text (STT) | ✓ Executed |
| OpenAI/Anthropic | LLM (Conversational AI) | ✓ Executed |
BAA copies are available for your compliance review before pilot begins.
TLS 1.3 for all network traffic:
AES-256 for all stored data:
AWS KMS Key Management: Customer-managed keys optional, key rotation policies, access controls via IAM roles.
All AI vendors operate under zero-retention agreements—no training on your patient data, no data retention beyond active call processing.
Zero-Retention mode required for PHI; no voice data retained after synthesis
Enterprise ZDR contracts, US-only processing, no training on customer data
Zero-retention transcription processing
Why This Matters: Without zero-retention policies, AI vendors could use your patient data to train future AI models, creating privacy and compliance risks. ClaireMed's vendor agreements contractually prohibit this.
ClaireMed maintains immutable audit logs with S3 Object Lock (write-once-read-many), ensuring traceability and tamper-proof logging for OCR audits.
AWS API activity, access logs, configuration changes
Caller ID, timestamp, intent detected, routing path, agents involved, duration
Full conversation transcripts (Deepgram STT)
Emergency keyword detection events (for audit)
| Data Type | Default Retention | Configurable? |
|---|---|---|
| Call recordings | ≤30 days | Yes |
| Transcripts | ≤30 days | Yes |
| Security logs | ≥1 year hot, ≥6 years archived | No (compliance requirement) |
| Backups | ≤90 days | No |
Hard delete of all client data within 7 days of termination request. Security logs retained per regulatory requirements. Confirmation provided to client.
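The audit-log and retention controls above (S3 Object Lock in write-once-read-many mode, KMS-backed encryption at rest, recordings and transcripts expiring within 30 days, security logs kept at least six years) are the kind of settings a compliance reviewer would want to verify on the actual buckets before pilot. The following is an added example, not ClaireMed's code: an offline checker that takes bucket configuration in the shape returned by boto3's `get_bucket_versioning`, `get_object_lock_configuration`, `get_bucket_encryption` and `get_bucket_lifecycle_configuration` and reports deviations from the stated controls. The sample configurations, including the `alias/placeholder-key` KMS alias, are constructed; no AWS API calls are made.

```python
"""Offline check of S3 bucket settings against the page's audit-log and
retention controls. Added example, not ClaireMed's code; the config dicts
are constructed to mirror boto3 response shapes and nothing talks to AWS."""

SECURITY_LOG_MIN_DAYS = 6 * 365   # ">= 6 years archived" from the retention table
RECORDING_MAX_DAYS = 30           # "<= 30 days" default for recordings/transcripts


def _kms_default_encryption(cfg):
    """True if the bucket's default encryption rule uses SSE-KMS."""
    rules = (cfg.get("encryption", {})
                .get("ServerSideEncryptionConfiguration", {})
                .get("Rules", []))
    return any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") == "aws:kms"
               for r in rules)


def check_audit_log_bucket(cfg):
    """Return a list of findings; an empty list means the bucket matches the stated controls."""
    findings = []
    # Object Lock only works on versioned buckets, so versioning must stay enabled.
    if cfg.get("versioning", {}).get("Status") != "Enabled":
        findings.append("versioning not enabled (Object Lock requires it)")
    lock = cfg.get("object_lock", {}).get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock not enabled: logs are not write-once-read-many")
    else:
        retention = lock.get("Rule", {}).get("DefaultRetention", {})
        mode = retention.get("Mode")
        # GOVERNANCE mode can be bypassed by principals holding s3:BypassGovernanceRetention;
        # COMPLIANCE mode blocks deletion by any principal until the retention period ends.
        if mode != "COMPLIANCE":
            findings.append(f"Object Lock mode is {mode!r}; COMPLIANCE is required for tamper-proof logs")
        days = retention["Days"] if "Days" in retention else retention.get("Years", 0) * 365
        if days < SECURITY_LOG_MIN_DAYS:
            findings.append(f"default retention {days} days is below the 6-year security-log minimum")
    if not _kms_default_encryption(cfg):
        findings.append("default encryption is not SSE-KMS")
    return findings


def check_recordings_bucket(cfg):
    """Recordings/transcripts must be KMS-encrypted and expire within RECORDING_MAX_DAYS."""
    findings = []
    if not _kms_default_encryption(cfg):
        findings.append("default encryption is not SSE-KMS")
    rules = cfg.get("lifecycle", {}).get("Rules", [])
    expiries = [r["Expiration"]["Days"] for r in rules
                if r.get("Status") == "Enabled" and "Days" in r.get("Expiration", {})]
    if not expiries:
        findings.append("no enabled lifecycle expiration rule: recordings never expire")
    elif min(expiries) > RECORDING_MAX_DAYS:
        findings.append(f"shortest expiration is {min(expiries)} days; must be <= {RECORDING_MAX_DAYS}")
    return findings


# Constructed sample configurations (not output from any real bucket).
KMS = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                            "KMSMasterKeyID": "alias/placeholder-key"}}]}}
SSE_S3 = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

WEAK_AUDIT_BUCKET = {
    "versioning": {"Status": "Suspended"},
    "object_lock": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}},
    "encryption": SSE_S3,
}
HARDENED_AUDIT_BUCKET = {
    "versioning": {"Status": "Enabled"},
    "object_lock": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 6}}}},
    "encryption": KMS,
}
WEAK_RECORDINGS_BUCKET = {"encryption": KMS, "lifecycle": {"Rules": [
    {"ID": "expire-30d", "Status": "Disabled", "Filter": {"Prefix": ""}, "Expiration": {"Days": 30}}]}}
HARDENED_RECORDINGS_BUCKET = {"encryption": KMS, "lifecycle": {"Rules": [
    {"ID": "expire-30d", "Status": "Enabled", "Filter": {"Prefix": ""}, "Expiration": {"Days": 30}}]}}

if __name__ == "__main__":
    for name, check, cfg in [("weak audit bucket", check_audit_log_bucket, WEAK_AUDIT_BUCKET),
                             ("hardened audit bucket", check_audit_log_bucket, HARDENED_AUDIT_BUCKET),
                             ("weak recordings bucket", check_recordings_bucket, WEAK_RECORDINGS_BUCKET),
                             ("hardened recordings bucket", check_recordings_bucket, HARDENED_RECORDINGS_BUCKET)]:
        print(f"{name}: {check(cfg) or 'OK'}")
```

The weak audit bucket fails on four points: suspended versioning, GOVERNANCE rather than COMPLIANCE mode, a 30-day default retention, and SSE-S3 instead of SSE-KMS. The weak recordings bucket has the right expiry rule but with `Status: Disabled`, which is easy to miss in a console review and is why the check looks at enabled rules only.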
Before discussing appointments, medical records, or PHI, ClaireMed agents request identity verification.
Identity verification methods are configurable per your security posture.
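The verification gate described above requires a caller to match at least two identifiers on file before PHI is discussed. As an added example (not ClaireMed's code), the block below implements such a 2-of check: the identifiers on file are stored as keyed HMAC digests of normalized values so the verification service never holds raw PHI, phone numbers and dates are normalized before comparison so formatting differences do not cause false denials, and the audit event records which factor names matched, never their values. The tenant key, patient record and caller answers are constructed.

```python
"""2-of identity verification gate with PHI-free audit events.
Added example, not ClaireMed's code; all data below is constructed."""
import hashlib
import hmac
import re
from datetime import datetime, timezone

REQUIRED_MATCHES = 2
FACTORS = ("dob", "zip", "last_name", "mrn_last4", "phone")


def normalize(factor, value):
    """Canonicalize a caller-supplied or on-file value so equivalent inputs compare equal."""
    v = (value or "").strip().lower()
    if factor == "phone":
        return re.sub(r"\D", "", v)[-10:]        # ignore country code and punctuation
    if factor == "zip":
        return re.sub(r"\D", "", v)[:5]          # ZIP+4 collapses to the 5-digit ZIP
    if factor == "mrn_last4":
        return re.sub(r"\D", "", v)[-4:]
    if factor == "dob":
        for fmt in ("%Y-%m-%d", "%m/%d/%Y", "%m-%d-%Y"):
            try:
                return datetime.strptime(v, fmt).date().isoformat()
            except ValueError:
                pass
        return v                                  # unparseable input simply will not match
    return re.sub(r"[^a-z]", "", v)               # last name: letters only


def digest(key, factor, value):
    """Keyed digest of a normalized factor; the factor name is bound in to prevent cross-factor reuse."""
    return hmac.new(key, f"{factor}:{normalize(factor, value)}".encode(), hashlib.sha256).hexdigest()


def enroll(key, record):
    """Turn a patient record into the digests the verifier stores (no raw PHI retained)."""
    return {f: digest(key, f, record[f]) for f in FACTORS if record.get(f)}


def verify_caller(key, on_file, answers, required=REQUIRED_MATCHES):
    """Return (verified, matched_factor_names). Factors not on file are ignored, not counted."""
    matched = []
    for factor, value in answers.items():
        if factor in on_file and value:
            if hmac.compare_digest(on_file[factor], digest(key, factor, value)):
                matched.append(factor)
    return len(matched) >= required, sorted(matched)


def audit_event(call_id, verified, matched, attempted):
    """Audit record for the verification step: outcome and factor names only, never values."""
    return {
        "event": "identity_verification",
        "call_id": call_id,
        "ts": datetime.now(timezone.utc).isoformat(),
        "result": "verified" if verified else "denied",
        "matched_factors": list(matched),
        "attempted_factors": sorted(attempted),
    }


# Constructed sample data (assumptions, not real patients or keys).
TENANT_KEY = b"constructed-per-tenant-verification-key"
PATIENT_ON_FILE = {"dob": "1985-03-09", "zip": "94103", "last_name": "Rivera",
                   "mrn_last4": "4821", "phone": "+1 (415) 555-0142"}

if __name__ == "__main__":
    on_file = enroll(TENANT_KEY, PATIENT_ON_FILE)
    answers = {"dob": "03/09/1985", "phone": "415-555-0142"}
    ok, matched = verify_caller(TENANT_KEY, on_file, answers)
    print(audit_event("call-constructed-001", ok, matched, answers.keys()))
```

Two design points worth keeping when adapting this: the count is what matters, so a caller who supplies a wrong ZIP and a correct DOB is denied even though one factor matched, and `hmac.compare_digest` is used so a mismatch does not leak timing information about how much of the digest agreed. Last name and ZIP are low-entropy and often public, so a deployment may choose to weight them below DOB, MRN digits or the phone on file, or to require the optional OTP step the page mentions when only low-entropy factors match.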
We believe transparency builds trust. Here are questions your IT/security team should ask any healthcare voice AI vendor (including ClaireMed):
ClaireMed Answer: Yes—AWS HIPAA-eligible services only (S3, RDS, Lambda/ECS in VPC, KMS, CloudTrail)
ClaireMed Answer: Yes—BAA copies available for review before pilot (AWS, Twilio, ElevenLabs, OpenAI/Anthropic, Deepgram)
ClaireMed Answer: No—zero-retention agreements with all AI vendors contractually prohibit training on PHI
ClaireMed Answer: TLS 1.3 in transit, AES-256 at rest, AWS KMS key management
ClaireMed Answer: Yes—S3 Object Lock (write-once-read-many) with cross-account replication
ClaireMed Answer: Any 2 of the identifiers on file (DOB, ZIP, last name, last 4 digits of MRN, phone on file) must match; optional OTP
ClaireMed Answer: AWS US regions only; all AI vendors operate under US-only processing agreements
Download our security architecture documentation, BAA templates, and encryption specifications. Your IT/compliance team can review before pilot begins.