HIPAA COMPLIANCE

How we handle patient data under HIPAA.

Built for healthcare from day one. Here's exactly what that means.

1. Our role under HIPAA

Under HIPAA, your clinic is the Covered Entity — you're responsible for patient health information. Sorta is your Business Associate — we handle PHI on your behalf to provide intake automation services.

Before any real patient data enters Sorta, we execute a Business Associate Agreement (BAA) with your clinic. This is a legal requirement under HIPAA and we take it seriously.

2. What PHI we handle

Sorta handles the following PHI on behalf of your clinic:

  • Patient demographics — name, date of birth, address, phone, email
  • Insurance information — provider, policy number, group number
  • Medical history — as collected on your existing intake forms
  • Emergency contact information

We handle this PHI solely to provide the intake automation service. We never use it for any other purpose.

3. Technical safeguards

  • ✓ All data encrypted in transit via TLS 1.2+
  • ✓ All data encrypted at rest on Azure infrastructure
  • ✓ Multi-tenant isolation — each clinic's data is completely separated
  • ✓ JWT authentication with 24-hour expiration on all staff sessions
  • ✓ Patient intake links expire after 7 days and are single-purpose
  • ✓ Role-based access controls — staff only access their clinic's data
  • ✓ Audit logging of all PHI access events

4. AI and PHI — the most important section

AI never touches patient data at Sorta.

Our AI runs exactly once: during initial form setup, to identify and map field locations on your uploaded PDF templates. This runs on blank, empty forms — before any patient has used the system.

After that, AI is not involved. When a patient submits their intake form, their answers go directly to our Azure servers. No patient name, no date of birth, no insurance information, no medical history ever passes through OpenAI, Azure AI, or any external AI system during a patient visit.

This was an intentional architectural decision. We believe patient health information should never be processed by external AI systems without explicit patient consent.

5. Infrastructure

Sorta runs on Microsoft Azure:

  • US clinics: data stored in Azure US regions
  • Canadian clinics: data stored in Azure Canada Central — data never leaves Canada
  • Microsoft's HIPAA BAA covers our Azure infrastructure automatically
  • Azure provides encryption at rest, network isolation, and enterprise-grade physical security

6. Breach notification

In the event of a data breach involving PHI, we will:

  • Notify affected clinics within 60 days of discovery
  • Provide details of what happened, what PHI was involved, and what we're doing about it
  • Assist clinics with their own HIPAA breach notification obligations
  • Document and report as required by HIPAA

7. Business Associate Agreement

Every clinic that processes real patient data through Sorta must sign our Business Associate Agreement before going live. The BAA:

  • Defines our obligations to protect your patients' PHI
  • Establishes breach notification procedures
  • Governs data retention and deletion
  • Complies with HIPAA Privacy and Security Rules

To request a BAA, email compliance@getsorta.io.

8. Questions

Questions about our HIPAA compliance? Email compliance@getsorta.io. We respond within 1 business day.

© 2026 Sorta, Inc. All rights reserved.