HIPAA Compliance
Our commitment to protecting patient health information
Our HIPAA Commitment
Verora AI is committed to maintaining the highest standards of data protection and privacy in compliance with the Health Insurance Portability and Accountability Act (HIPAA). We understand the critical importance of safeguarding Protected Health Information (PHI) and have built our platform from the ground up with security and compliance as foundational principles.
Zero PHI at Rest Architecture
Verora AI employs a unique stateless architecture designed to minimize PHI exposure:
- No patient data is stored in our database. Patient information is processed in real-time and held only in encrypted, short-lived memory caches that expire daily.
- Verification results are transient. Insurance verification data exists only for the duration of your active session and is never written to persistent storage.
- Practice Management System (PMS) remains the source of truth. All patient data originates from and returns to your PMS — Verora AI acts as a secure processing layer.
Administrative Safeguards
- Security Officer: We maintain a designated Security Officer responsible for HIPAA compliance oversight
- Workforce Training: All team members undergo comprehensive HIPAA training before accessing any systems
- Access Controls: Role-based access controls ensure that only authorized personnel can access PHI
- Incident Response: We maintain a documented incident response plan with defined procedures for identifying, containing, and reporting any potential breaches
- Risk Assessments: We conduct regular risk assessments to identify and mitigate potential vulnerabilities
Technical Safeguards
- Encryption in Transit: All data transmitted between your practice and Verora AI is encrypted using TLS 1.2 or higher
- Encryption at Rest: Any temporarily cached data is encrypted using AES-256 encryption standards
- Authentication: Multi-factor authentication is available and recommended for all accounts
- Audit Logging: Comprehensive audit logs track all system access and data processing activities
- Automatic Session Expiry: User sessions automatically expire after periods of inactivity
- Network Security: Our infrastructure is hosted on SOC 2 Type II certified platforms with enterprise-grade firewalls and intrusion detection
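The "Zero PHI at Rest" and "Encryption at Rest" bullets describe a pattern rather than an implementation: verification data lives only in process memory, encrypted, bound to a session, and discarded on a short timer and at a daily boundary. The following Go program is an added illustration of that pattern written for this page; it is not Verora AI's code and makes no claim about how their platform is built. Assumptions are labelled in comments: a 30-minute per-session TTL, a key that is regenerated whenever the calendar day (UTC) changes, AES-256-GCM from Go's standard library, and the session ID used as authenticated data. Rotating the key discards every earlier entry at once, which is the property that makes "expires daily" enforceable rather than just a cleanup policy.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"sync"
	"time"
)

// entry is one encrypted, session-bound record held only in memory.
type entry struct {
	nonce      []byte
	ciphertext []byte
	expiresAt  time.Time
}

// EphemeralCache keeps AES-256-GCM ciphertext in process memory only.
// The key is valid for one UTC calendar day; when the day rolls over a new
// key is generated and every existing entry is dropped (assumed policy).
type EphemeralCache struct {
	mu      sync.Mutex
	aead    cipher.AEAD
	keyDay  time.Time
	entries map[string]entry
	now     func() time.Time // injectable clock so expiry is testable
	ttl     time.Duration    // per-session lifetime (assumed: 30 minutes)
}

// ErrNotFound is returned for unknown, expired, or rotated-away sessions.
var ErrNotFound = errors.New("no live entry for session")

func NewEphemeralCache(ttl time.Duration, now func() time.Time) (*EphemeralCache, error) {
	c := &EphemeralCache{entries: map[string]entry{}, now: now, ttl: ttl}
	if err := c.rotateKey(); err != nil {
		return nil, err
	}
	return c, nil
}

// rotateKey generates a fresh random 256-bit key and discards all entries.
// The old AEAD is simply released to the garbage collector; this example
// does not scrub the old key bytes from memory.
func (c *EphemeralCache) rotateKey() error {
	key := make([]byte, 32) // 32 bytes selects AES-256
	if _, err := rand.Read(key); err != nil {
		return err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	c.aead = aead
	c.keyDay = c.now().Truncate(24 * time.Hour) // midnight UTC of the current day
	c.entries = map[string]entry{}              // old ciphertexts are useless without the old key
	return nil
}

// maybeRotate enforces the daily key boundary; callers must hold c.mu.
func (c *EphemeralCache) maybeRotate() error {
	if c.now().Truncate(24*time.Hour) != c.keyDay {
		return c.rotateKey()
	}
	return nil
}

// Put encrypts plaintext under the current day key with a random nonce and
// binds it to sessionID via the GCM additional-authenticated-data field.
func (c *EphemeralCache) Put(sessionID string, plaintext []byte) error {
	c.mu.Lock()
	defer c.mu.Unlock()
	if err := c.maybeRotate(); err != nil {
		return err
	}
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := c.aead.Seal(nil, nonce, plaintext, []byte(sessionID))
	c.entries[sessionID] = entry{nonce: nonce, ciphertext: ct, expiresAt: c.now().Add(c.ttl)}
	return nil
}

// Get returns the decrypted record for a live session, purging expired ones on read.
func (c *EphemeralCache) Get(sessionID string) ([]byte, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if err := c.maybeRotate(); err != nil {
		return nil, err
	}
	e, ok := c.entries[sessionID]
	if !ok {
		return nil, ErrNotFound
	}
	if !c.now().Before(e.expiresAt) {
		delete(c.entries, sessionID) // a background sweep would do the same
		return nil, ErrNotFound
	}
	return c.aead.Open(nil, e.nonce, e.ciphertext, []byte(sessionID))
}

func main() {
	c, err := NewEphemeralCache(30*time.Minute, time.Now)
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	_ = c.Put("sess-1", []byte("member:12345 plan:PPO eligible:true"))
	v, err := c.Get("sess-1")
	fmt.Println(string(v), err)
}
```

The session ID as additional authenticated data means a ciphertext copied from one session's slot cannot be decrypted under another session's name, and the injectable clock lets the expiry and rotation paths be exercised in a unit test without waiting a day.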
Physical Safeguards
- Cloud Infrastructure: Our services run on enterprise cloud infrastructure with physical security controls including 24/7 monitoring, biometric access, and environmental controls
- No Local Storage: Verora AI does not store PHI on local workstations or portable devices
- Data Center Security: Our hosting providers maintain SOC 2 Type II and ISO 27001 certifications
Business Associate Agreement (BAA)
Verora AI will execute a Business Associate Agreement (BAA) with all covered entities prior to processing any PHI. Our BAA outlines:
- The permitted and required uses and disclosures of PHI
- Our obligation to safeguard PHI from unauthorized use or disclosure
- Our commitment to report any security incidents or breaches
- Requirements for return or destruction of PHI upon contract termination
- Our obligations to ensure any subcontractors also comply with HIPAA requirements
To request a BAA, please contact us at thomas@veroraai.com.
Breach Notification
In the unlikely event of a data breach involving PHI, Verora AI will:
- Notify affected covered entities within 24 hours of discovery
- Provide a detailed incident report including the nature and extent of the breach
- Cooperate fully with any investigation and remediation efforts
- Assist in meeting notification obligations to affected individuals and regulatory authorities as required by the HIPAA Breach Notification Rule
Patient Rights
Verora AI supports covered entities in fulfilling patient rights under HIPAA, including:
- The right to access their health information
- The right to request amendments to their records
- The right to receive an accounting of disclosures
- The right to request restrictions on certain uses and disclosures
- The right to receive confidential communications
Continuous Improvement
We continuously review and improve our security practices. Our compliance program includes:
- Annual HIPAA risk assessments and gap analyses
- Regular penetration testing and vulnerability scanning
- Ongoing employee training and awareness programs
- Policy reviews and updates to reflect regulatory changes
- Third-party audits and assessments
Questions?
If you have questions about our HIPAA compliance practices or would like to request a BAA, please don't hesitate to reach out:
- Email: thomas@veroraai.com
- Phone: (512) 395-5633
- Support: support@veroraai.com