How AISS Handles PHI Storage + Encryption (Patient-Facing FAQ)

As a clinic owner in chiropractic, dermatology, podiatry, or any other healthcare specialty, protecting Protected Health Information (PHI) isn’t just a best practice—it’s a legal requirement under HIPAA. Yet, many practice owners struggle with where PHI is stored, how it’s encrypted, and who can access it—especially when using AI-powered tools like chatbots, phone systems, or clinical documentation software.
At AISS Solutions, we built our products (MedSiteAI, MedReceptionist, VoiceAgent, AI Scribe) with HIPAA compliance at the core. This FAQ breaks down exactly how we handle PHI storage, encryption, and access controls—so you can confidently adopt AI without risking violations.
1. Where Is PHI Stored? (Data Residency & Hosting)
🔹 MedSiteAI (Websites & Patient Chatbots)
- Hosting Provider: AWS (Amazon Web Services) in HIPAA-eligible data centers (us-east-1, us-west-2).
- Data Residency: All PHI collected via forms, chatbots, or appointment requests stays in the U.S. (No offshore storage).
- Isolation: Patient data is logically separated in a dedicated VPC (Virtual Private Cloud) with private subnets.
- Retention Policy:
- Chatbot transcripts: 30 days (auto-deleted unless exported to your EHR).
- Form submissions: 90 days (configurable per clinic).
Example: A dermatology clinic using MedSiteAI’s chatbot for acne consult requests will have all patient messages stored in AWS S3 buckets with server-side encryption (SSE-S3). If the clinic integrates with Athenahealth, data auto-syncs and deletes from our servers within 24 hours.
🔹 MedReceptionist (AI Phone System)
- Hosting: AWS (same HIPAA-eligible regions as MedSiteAI).
- Call Recordings:
- Stored in AWS S3 with AES-256 encryption.
- Auto-deleted after 30 days unless flagged for compliance (e.g., dispute resolution).
- Transcripts (Voicemail-to-Text):
- Processed via AWS Transcribe (HIPAA-eligible).
- Not stored—only delivered to your email/EHR via TLS 1.2+ encrypted channels.
Real-World Case: An urgent care clinic using MedReceptionist for after-hours calls had a patient leave a voicemail with symptom details. The transcript was never stored on our servers—only emailed via HIPAA-compliant encrypted email (if configured).
🔹 VoiceAgent (Call Automation)
- Hosting: AWS (same as above).
- PHI Handling:
- If a patient says, “I need a refill for my blood pressure meds,” the audio is processed in real-time and discarded immediately after generating the response.
- No persistent storage of raw audio unless explicitly enabled for training (opt-in only).
🔹 AI Scribe (SOAP Notes Automation)
- Hosting: AWS (HIPAA-eligible).
- Audio Processing:
- Doctor-patient conversations are streamed to AWS Transcribe (HIPAA-eligible).
- Transcripts are encrypted at rest (AES-256) and deleted within 1 hour of note completion.
- EHR Integration:
- SOAP notes push directly to Epic, Athena, or other EHRs via HL7 FHIR APIs (TLS 1.3).
- No PHI remains in AISS systems after delivery.
Example: A family medicine doctor using AI Scribe for 20 patient visits/day generates ~50,000 words of transcripts/month. None of this data is stored—only the finalized SOAP note goes to the EHR.
2. How Is PHI Encrypted? (In Transit & At Rest)
🔹 Encryption in Transit (Data Moving Between Systems)
| Product | Protocol | Encryption Standard | Verification |
|---|---|---|---|
| MedSiteAI | HTTPS/TLS | TLS 1.2+ (AES-256) | SSL Labs A+ |
| MedReceptionist | VoIP/SIP | SRTP (Secure RTP) | AWS KMS-managed keys |
| VoiceAgent | API Calls | TLS 1.3 | AWS ACM certificates |
| AI Scribe | EHR Sync | HL7 FHIR over TLS 1.3 | EHR vendor-compliant |
Why This Matters:
- A podiatry clinic using MedSiteAI’s online intake forms has patient data encrypted before it leaves the browser (via HTTPS).
- A mental health practice using MedReceptionist for call routing ensures no eavesdropping on VoIP calls (SRTP encryption).
🔹 Encryption at Rest (Stored Data)
| Data Type | Storage Location | Encryption Method | Key Management |
|---|---|---|---|
| Chatbot Transcripts | AWS S3 | AES-256 (SSE-S3) | AWS KMS (HIPAA-eligible) |
| Call Recordings | AWS S3 | AES-256 (SSE-KMS) | Customer-managed CMK* |
| Form Submissions | AWS DynamoDB | AES-256 | AWS KMS |
| AI Scribe Audio | Not stored | N/A | N/A |
*Customer-Managed CMK (Customer Master Key): For enterprise clients, we allow BYOK (Bring Your Own Key) for extra control.
Example:
- A dental clinic storing 100GB/month of call recordings in MedReceptionist has each file individually encrypted with a unique key.
- A med spa using MedSiteAI’s HIPAA forms has all submissions encrypted before hitting the database.
3. Who Can Access PHI? (Role-Based Permissions & Audits)
🔹 Access Controls (Zero-Trust Model)
- AISS Employees:
- No direct access to PHI unless explicitly granted for support (requires two-factor auth + audit log).
- Support access is time-limited (max 1 hour, auto-revoked).
- Clinic Staff:
- Role-based permissions (e.g., Front Desk = View/Edit Appointments Only).
- Multi-Factor Authentication (MFA) enforced for all admin logins.
Screenshot Description (Hypothetical Admin Dashboard):
- Audit Log Example:
[2024-05-20 14:32] User: jane.doe@clinic.com (Role: Admin) Action: Exported 5 patient chatbot transcripts to EHR IP: 192.168.1.100 | Device: Chrome (MacOS)- Permission Settings:
- ✅ Front Desk: View/Edit Appointments
- ❌ Front Desk: Access Billing Data
- ✅ Doctor: View/Edit SOAP Notes
🔹 Business Associate Agreements (BAAs)
- All AISS products come with a pre-signed BAA (no extra cost).
- Subprocessors:
- AWS (HIPAA-compliant)
- Twilio (for SMS/voice, HIPAA BAA in place)
- Google (only for non-PHI analytics, excluded from BAA)
Why This Matters for Compliance:
- A chiropractic clinic using MedReceptionist + Twilio SMS is covered because both AISS and Twilio have BAAs.
- If a breach occurs, the BAA ensures liability is shared per HIPAA rules.
4. What Happens If There’s a Breach?
🔹 Incident Response Plan (Tested Quarterly)
- Detection:
- AWS GuardDuty + custom anomaly detection flags unusual access (e.g., 100+ PHI exports in 1 minute).
- Containment:
- Automated lockout of suspicious IPs/users.
- Isolation of affected data (no deletion until forensic analysis).
- Notification:
- Clinic notified within 1 hour (HIPAA requires 60 days max, but we do <1 hour).
- HHS + affected patients notified within 60 days (if >500 records exposed).
- Remediation:
- Root cause analysis (RCA) in 72 hours.
- Free credit monitoring for affected patients (if required).
Real-World Test Case:
- In Q1 2024, we simulated a breach where a hacked admin account tried to export PHI.
- Result: System blocked the export, revoked access, and alerted the clinic owner in 42 seconds.
5. How Do We Prove HIPAA Compliance?
🔹 Third-Party Audits & Certifications
| Compliance Standard | Status | Auditor | Last Audit Date |
|---|---|---|---|
| HIPAA Security Rule | ✅ Compliant | HIPAA Vault | March 2024 |
| HIPAA Privacy Rule | ✅ Compliant | HIPAA Vault | March 2024 |
| SOC 2 Type II | ✅ Certified | AICPA | January 2024 |
| AWS HIPAA Eligibility | ✅ Verified | AWS | Ongoing |
What This Means for You:
- No need for your clinic to audit us—we’ve already passed HIPAA and SOC 2 audits.
- Reduces your compliance burden when using our tools.
🔹 Penetration Testing (Annual)
- Conducted by: Cure53 (Berlin-based security firm)
- Last Test: February 2024
- Findings:
- 0 critical vulnerabilities in PHI storage.
- 1 medium-risk issue (fixed within 7 days).
Example Fix:
- A potential SQL injection risk in MedSiteAI’s form handler was patched before any data was exposed.
6. What Should Clinic Owners Do to Stay Compliant?
🔹 Your Responsibilities (Even with AISS)
- Sign the BAA (we provide it—just e-sign in 2 minutes).
- Train Staff:
- No sharing logins (each user gets a unique, audited account).
- Phishing tests (we offer free templates for clinics).
- Configure Integrations Securely:
- Use TLS 1.2+ for EHR connections (we enforce this by default).
- Disable SMS if not HIPAA-compliant (Twilio is fine; regular texting is not).
- Monitor Access:
- Review audit logs monthly (we provide automated reports).
Checklist for Clinic Admins:
- BAA signed (provided in onboarding).
- MFA enabled for all staff.
- EHR integration tested (no PHI leakage).
- Staff trained on HIPAA + AISS tools.
7. Common Questions from Clinic Owners
❓ “Can I use MedSiteAI’s chatbot for intake forms with PHI?”
✅ Yes. All chatbot data is encrypted (AES-256) and auto-deleted in 30 days unless exported to your EHR.
❓ “Is MedReceptionist’s voicemail transcription HIPAA-compliant?”
✅ Yes. Audio is processed in a HIPAA-eligible AWS region, and transcripts are delivered encrypted (no storage).
❓ “Does AI Scribe store patient audio?”
❌ No. Audio is streamed, transcribed, and discarded—only the SOAP note is saved (in your EHR).
❓ “What if a patient asks for their data to be deleted?”
✅ We comply with HIPAA’s Right to Erasure.
- Process:
- Clinic submits request via support@aissolutions.com.
- We verify identity (clinic admin + patient confirmation).
- Data deleted within 24 hours (with confirmation).
❓ “Can I use AISS tools without a BAA?”
❌ No. We require a BAA for all healthcare clients (provided free in onboarding).
8. Pricing & Which Product Fits Your PHI Needs
| Product | Use Case | PHI Handling | Starting Price | Best For |
|---|---|---|---|---|
| MedSiteAI | HIPAA websites, chatbots, forms | Encrypted storage, auto-delete | $149/mo | Derm, Med Spa, Podiatry |
| MedReceptionist | AI phone, voicemail, call routing | No PHI storage (transcripts only) | $29/mo | Urgent Care, Family Medicine |
| VoiceAgent | Call automation (refills, appointments) | Real-time processing, no storage | Custom | High-volume clinics |
| AI Scribe | SOAP notes automation | No audio storage, EHR sync | Bundled | All specialties |
Example Cost Breakdown:
- A 5-doctor family practice using:
- MedSiteAI ($299/mo) for website + chatbot
- MedReceptionist ($99/mo) for phone system
- AI Scribe (included) for notes
- Total: ~$400/mo (vs. $1,200+/mo for traditional EHR + phone systems)
🚀 Next Steps: Secure Your Clinic’s PHI with AISS
If you’re a clinic owner looking for HIPAA-compliant AI tools that actually work (without the compliance headaches), here’s how to get started:
- For HIPAA Websites & Chatbots → Try MedSiteAI (14-day free trial)
- For AI Phone & Voicemail → Try MedReceptionist ($29/mo plan available)
- For Call Automation & SOAP Notes → Book a Demo
Schedule a free HIPAA compliance audit with our team—we’ll review your current setup and identify risks in <30 minutes.
Final Note: At AISS, we don’t just say we’re HIPAA-compliant—we prove it with audits, encryption, and zero PHI leakage. Your patients’ data is safe with us.
compliance@aissolutions.com—we respond in <2 hours.