Code 7 Consulting

HIPAA statement.

For healthcare clients: how we handle PHI, the BAAs we sign, the subprocessors we use, and the controls in place.

HIPAA-aware engagements available

Business Associate Agreement (BAA)

For healthcare engagements where we may access or process PHI, we execute a Business Associate Agreement under HIPAA before any work begins. Our subprocessors that touch PHI sign downstream BAAs with us. We provide the full subprocessor list and the BAA language on request.

How our agents handle PHI

  • Voice and chat agents are configured to refuse free-text PHI capture. They route to secure forms when PHI is needed.
  • Recordings and transcripts are encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Access to PHI is role-based and audit-logged. Every read is attributable.
  • Retention is configured per your compliance policy. We can destroy data on request.
  • We never train models on PHI, and we never grant model providers training rights to your data.

Subprocessors

For PHI-touching workloads, we use only HIPAA-eligible subprocessors. The full list, including each subprocessor's role, location, and BAA status, is available on request.

What we won't do

  • Deploy an agent that gives clinical advice.
  • Deploy an agent that diagnoses or interprets test results.
  • Train models on patient data — yours or anyone's.
  • Route PHI through subprocessors that haven't signed a BAA.

Incident reporting

In the unlikely event of a security incident involving PHI, we notify affected clients within the timeframes required by our BAA and HIPAA — typically within 60 days, often faster.

Questions

For BAA copies, subprocessor lists, or specific security questions, email bechor@code7talentsolutions.com with “HIPAA” in the subject line.