HIPAA Compliance
Protecting Patient Privacy | Last updated: January 1, 2026
Our Commitment
ALVEA maintains HIPAA compliance and implements administrative, physical, and technical safeguards to protect patient health information (PHI) in accordance with the Health Insurance Portability and Accountability Act.
Business Associate Agreement
ALVEA acts as a Business Associate when processing PHI on your behalf. We provide a Business Associate Agreement (BAA) to any customer upon request. The BAA outlines our obligations for protecting PHI and our permitted uses and disclosures.
Technical Safeguards
- Encryption: AES-256 encryption at rest, TLS 1.3 in transit
- Access Controls: Role-based permissions, multi-factor authentication available
- Audit Logging: Comprehensive logging of all PHI access and modifications
- Session Management: Automatic session timeout and secure token handling
- Data Integrity: Checksums and verification for all stored data
Administrative Safeguards
- Security Officer: Designated security personnel responsible for compliance
- Risk Assessment: Regular risk analysis and management
- Training: All personnel receive HIPAA training
- Incident Response: Documented breach notification procedures
- Vendor Management: All subcontractors are vetted and bound by data protection agreements
Physical Safeguards
- Data Centers: US-based, SOC 2 Type II certified facilities
- Access Controls: Biometric and keycard access to facilities
- Monitoring: 24/7 surveillance and security monitoring
- Disaster Recovery: Geographically distributed backups
PHI Handling by Service
Voice Services
Call recordings containing PHI are encrypted immediately upon capture. Transcriptions are processed securely and stored in your designated database. You control retention periods.
CBCT Imaging Services
DICOM files are transmitted over encrypted connections and stored with AES-256 encryption. Processing occurs on isolated, secure infrastructure. You maintain ownership and control of all imaging data.
Your Responsibilities
As a Covered Entity, you are responsible for:
- Obtaining appropriate patient authorizations
- Maintaining your own HIPAA compliance program
- Managing user access within your organization
- Reporting suspected breaches promptly
Breach Notification
In the unlikely event of a breach involving PHI, we will notify you within 24 hours of discovery and cooperate fully with your breach response procedures as required by HIPAA.
Request a BAA
Ready to get started? Request your Business Associate Agreement: