Trust & Compliance
Automate Admits is built for admissions and intake teams that handle sensitive health information. This page explains how we handle HIPAA and 42 CFR Part 2, the standing Business Associate Agreement we offer every customer, the subprocessors we rely on, and how we protect your data.
On this page
HIPAA & Business Associate Business Associate Agreement 42 CFR Part 2 Security program Subprocessors Data handling & retention Incident response Compliance roadmap ContactHIPAA & Business Associate status
When you use Automate Admits to communicate with patients and leads, we act as your Business Associate under the HIPAA Rules (45 CFR Parts 160 and 164). You remain the Covered Entity (or, in some arrangements, another business associate) and control the care relationship; we provide the software and process protected health information (PHI) only to deliver the Service on your behalf.
We are software, not a healthcare provider — we do not provide medical, clinical, or treatment advice, and we are not part of your care team. But because your conversations can include PHI, we take on the safeguards, reporting, and contractual obligations that HIPAA requires of a business associate.
Standing Business Associate Agreement (BAA)
We publish a single, standing BAA that applies to every customer — you don't need to negotiate or sign a separate agreement for your organization. By subscribing to and using Automate Admits to handle PHI, your organization accepts the standing BAA by reference; it is incorporated into our Terms of Service and takes effect the moment the Service is used with PHI.
Need a countersigned copy for your records, or want to review the full text before you sign up? Request it at privacy@automateadmits.com. Signed-in customers can also read the full BAA and policy pack under Settings → Policies & procedures.
The standing BAA commits us to, among other things:
- Using and disclosing PHI only to provide the Service, as permitted by the BAA, or as required by law;
- Limiting use and disclosure to the minimum necessary;
- Implementing administrative, physical, and technical safeguards and complying with the HIPAA Security Rule;
- Requiring every subcontractor that handles PHI to agree to protections at least as strict (flow-down);
- Reporting security incidents and breaches, and notifying you of a breach of unsecured PHI within 60 days of discovery;
- Making PHI available for access, amendment, and accounting of disclosures as required;
- Making our practices available to HHS for compliance review;
- Returning or destroying PHI on termination where feasible.
The published BAA governs; this summary is for orientation only.
42 CFR Part 2 — substance use disorder records
Many of our customers are substance use disorder (SUD) treatment programs. Where the Service is used by a Part 2 program, records that identify an individual as having a substance use disorder receive the heightened confidentiality protections of 42 CFR Part 2 in addition to HIPAA:
- Such records are disclosed only as permitted by patient consent or a Part 2 exception;
- Disclosures carry the required notice prohibiting redisclosure;
- We do not use Part 2 records for any purpose other than providing the contracted Service.
As the covered program, you are responsible for obtaining and documenting any patient consent required before information is entered into or sent through the platform.
Security program
PHI is encrypted in transit (TLS) and at rest, access is role-based and least-privilege, passwords are stored only as salted hashes, and two-factor authentication is available. PHI access and account changes are recorded in a per-organization activity log. Full technical detail is on our Security page.
Because the AI agent must read message content to draft replies, the Service is not end-to-end encrypted; data is encrypted in transit and at rest and access-controlled.
Subprocessors
We use a small set of vetted providers to operate the Service, each under contractual confidentiality and security obligations. Providers that store or process PHI on our behalf do so under a business associate agreement; where a provider only transports data (for example, an SMS/voice carrier), PHI is stored and processed by us on AWS under our BAA, and the carrier is engaged under contractual confidentiality and security terms.
| Subprocessor | Purpose | Data | PHI |
|---|---|---|---|
| Amazon Web Services, Inc. | Application hosting, database, object storage, and compute — where PHI is stored and processed | All application and patient data (PHI), encrypted at rest and in transit | Yes — BAA |
| Cloudflare, Inc. | Public website & application static-asset delivery, DNS, and CDN/DDoS protection | Public marketing content and application code only — no PHI | No PHI |
| Twilio Inc. | SMS and voice message transport and delivery, call recording | Phone number and message/call content pass through in transit for delivery; the message content and recordings are stored and processed by us on AWS | Transport only — no BAA |
| Anthropic PBC | AI drafting and conversation summarization | Message content, processed transiently; not used for training | Yes — BAA |
| Meta Platforms, Inc. | Send/receive messages on connected Facebook & Instagram accounts | Conversation content on connected channels | Yes |
| Resend | Transactional & notification email to your team | Team email addresses, notification content | Team data only |
| Square, Inc. | Subscription & top-up payment processing | Billing contact & card data only — no patient PHI | No PHI |
We give notice before adding or replacing a subprocessor that handles PHI. To be notified, email privacy@automateadmits.com.
Data handling & retention
- Each organization's data is logically isolated in our multi-tenant database and scoped to that organization on every request.
- Conversation and contact data is retained for the life of the account and deleted or returned on request within a reasonable period after termination.
- Access and audit logs are retained approximately six months, then purged automatically.
- Individual data-deletion requests are honored across the platform; see our Privacy Policy.
- Payment card data is handled solely by our PCI-compliant payment processor and is never stored on our servers.
Incident & breach response
On discovery of a security incident or breach of unsecured PHI, we contain and investigate, and notify affected customers without unreasonable delay and no later than 60 days after discovery, in accordance with 45 CFR 164.410. Report a suspected incident to privacy@automateadmits.com.
Compliance roadmap
We are an early-stage company and we build our compliance program in the open. Current status:
- HIPAA / 42 CFR Part 2 — standing BAA and safeguards live today.
- Subprocessor BAAs — in place or being executed with each provider that handles PHI.
- SOC 2 Type I — on our roadmap; we are formalizing the controls and documentation needed to pursue a report. This is a stated goal, not a current certification.
We will update this page as our program matures. If your due-diligence process needs specific documentation, contact us.
Contact
Compliance, BAA, or data-handling questions — including requesting a countersigned BAA — go to privacy@automateadmits.com.
Automate Admits is operated by Automate Admits, Inc. This page is provided for general information and is not legal advice. The published Terms of Service, Privacy Policy, DPA, and standing Business Associate Agreement govern the relationship between you and Automate Admits.