HIPAA Compliance
KolAI is built from the ground up for healthcare. Every design decision — from how we store data to how our AI responds to patients — is made with HIPAA compliance as a hard requirement, not an afterthought.
How we protect patient data
These are the specific safeguards we have in place — technical, administrative, and physical.
Encryption at Rest & in Transit
All patient data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. No PHI travels unencrypted at any point in our infrastructure.
Business Associate Agreement (BAA)
We execute a BAA with every clinic before any PHI is processed. This is non-negotiable. No clinic goes live on KolAI without a signed BAA in place.
US-Based Infrastructure
All PHI is stored and processed on US-based infrastructure. We do not transfer patient data outside the United States.
Minimum Necessary Access
KolAI staff access PHI only on a strict need-to-know basis. Access is role-based, logged, and audited. No engineer has unrestricted access to production patient data.
No AI Training on Patient Data
Patient data is never used to train our AI models or any third-party AI models. PHI is used solely to deliver the services your clinic contracted us for.
Audit Logging
All access to PHI is logged and retained in accordance with HIPAA's 6-year record retention requirement. Logs are tamper-evident and available for audit.
Breach Notification
In the event of a breach involving PHI, we will notify affected clinics within 60 days of discovery, as required by the HIPAA Breach Notification Rule — and in practice, as fast as possible.
Workforce Training
All KolAI personnel who handle PHI complete HIPAA training before gaining access and on an annual basis. We maintain documented training records.
Ready to get your BAA signed?
Every KolAI clinic gets a BAA as part of onboarding. Book a demo and we'll walk you through our compliance documentation.
HIPAA frequently asked questions
Does KolAI sign a BAA with every clinic?
Yes, always. No clinic begins processing patient data through KolAI without a fully executed Business Associate Agreement. We provide the BAA as part of onboarding — it takes minutes to sign.
Where is patient data stored?
All PHI is stored in US-based data centres. We do not transfer or replicate patient data outside the United States.
Is patient data used to train AI models?
No. Patient data is never used for AI model training — by KolAI or any third-party provider. PHI is used exclusively to deliver the care coordination services your clinic has contracted.
What happens to patient data if we cancel?
Upon termination, you can export all your data within 30 days. After that period, PHI is securely deleted in accordance with HIPAA requirements and our BAA obligations.
Does KolAI support both cosmetic and medical dermatology under HIPAA?
Yes. HIPAA protections apply across all patient communications regardless of whether the visit is cosmetic or medical. KolAI's HIPAA controls cover all patient interactions on the platform.
Has KolAI undergone a third-party security audit?
We conduct regular internal security reviews and are working toward a third-party SOC 2 Type II audit. Contact us for the latest status of our compliance documentation.
For further compliance documentation or to request our BAA template, contact us at garvita@supertubos.ai. See also our Privacy Policy.