Frontis is built with HIPAA compliance as a foundation, not an afterthought. Here is exactly what we do to protect your patients' data.
When an AI answers patient calls, it may receive Protected Health Information — patient names, dates of birth, symptoms, insurance details, appointment history. Under HIPAA, any vendor handling this information must:
Frontis satisfies all of these requirements on every plan at no extra cost.

| Requirement | How Frontis handles it |
|---|---|
| Access control | Unique credentials per practice, role-based access, automatic session expiry |
| Audit controls | All access to PHI logged with timestamp, user, and action type |
| Integrity controls | Recordings and transcripts checksummed; modifications detectable |
| Transmission security | TLS 1.3 on all data in transit; no PHI over unencrypted channels |
| Encryption at rest | AES-256 on all PHI stored in AWS S3 |
| Backup and recovery | Daily encrypted backups, 30-day retention |
| Breach notification | Automated alerting; practice notified within 60 days of confirmed breach |

| Vendor | Role | BAA status |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and encrypted storage | Signed |
| Vapi.ai | Voice AI orchestration | Signed (Business plan) |
| Twilio | Phone number provisioning and call routing | Signed |
| Resend | Transactional email delivery of call summaries | Signed |
| ElevenLabs | Voice synthesis (text only — no PHI processed) | N/A |

We are happy to answer specific questions, provide documentation for your own compliance review, or discuss custom requirements for larger practices or DSOs. Contact us at hello@frontis.ai.