HIPAA Compliance
How InCoko protects health information for dental practices, healthcare providers, and other covered entities.
What is HIPAA and why it matters
The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of individually identifiable health information, known as Protected Health Information (PHI).
If your business is a covered entity—such as a dental practice, medical clinic, therapy office, or other healthcare provider—any technology that handles PHI on your behalf must meet HIPAA requirements. This includes AI phone systems that may hear, record, or transcribe patient-related conversations.
InCoko is built with HIPAA compliance in mind. We implement safeguards across all three categories defined by the HIPAA Security Rule to protect the confidentiality, integrity, and availability of electronic PHI (ePHI).
Administrative Safeguards
Administrative safeguards are the policies, procedures, and organizational actions to manage the selection, development, implementation, and maintenance of security measures to protect ePHI. The HIPAA Security Rule (45 CFR 164.308) requires:
- Security management process — risk analysis and risk management policies to prevent, detect, contain, and correct security violations.
- Workforce security — policies ensuring only authorised personnel have access to ePHI, with procedures for granting and revoking access.
- Information access management — role-based access to ePHI, consistent with the minimum necessary standard.
- Security awareness and training — ongoing training for workforce members on security policies and procedures.
- Contingency plan — data backup, disaster recovery, and emergency mode operation plans.
How InCoko addresses this
Biz Digital IT maintains documented security policies and procedures. All team members with access to ePHI complete security training. Access to production systems is governed by IAM policies with least-privilege principles and is reviewed regularly. We maintain data backup and disaster recovery procedures within our AWS infrastructure.
Physical Safeguards
Physical safeguards are the physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorised intrusion. The HIPAA Security Rule (45 CFR 164.310) requires:
- Facility access controls — procedures to limit physical access to electronic information systems and the facilities in which they are housed.
- Workstation use and security — policies specifying the proper functions and physical attributes of workstations that access ePHI.
- Device and media controls — policies governing the receipt and removal of hardware and electronic media containing ePHI into and out of a facility.
How InCoko addresses this
InCoko runs entirely on AWS infrastructure. AWS data centres maintain rigorous physical security controls including biometric access, 24/7 surveillance, and multi-factor authentication for physical entry. AWS facilities hold SOC 2 Type II and ISO 27001 certifications. No ePHI is stored on local devices or removable media.
Technical Safeguards
Technical safeguards are the technology and related policies and procedures that protect ePHI and control access to it. The HIPAA Security Rule (45 CFR 164.312) requires:
- Access controls — technical policies to allow only authorised persons to access ePHI, including unique user identification, emergency access procedures, automatic logoff, and encryption.
- Audit controls — hardware, software, and procedural mechanisms to record and examine activity in systems containing ePHI.
- Integrity controls — policies and procedures to protect ePHI from improper alteration or destruction, including mechanisms to authenticate ePHI.
- Transmission security — technical measures to guard against unauthorised access to ePHI being transmitted over electronic communications networks.
How InCoko addresses this
- Encryption in transit — all data is transmitted over TLS 1.2 or higher.
- Encryption at rest — AES-256 encryption via AWS Key Management Service (KMS).
- Automated PII/PHI/PCI redaction — call transcripts are automatically scanned and redacted for personally identifiable information, protected health information, and payment card data using a dual-engine approach (regex-based PCI detection plus AI-powered PII/PHI detection via Amazon Bedrock).
- Audit logging — call transcripts serve as audit logs. All system access is logged via AWS CloudTrail.
- IAM-based access controls — fine-grained, role-based permissions with unique user identification.
- Session security — a 15-minute idle timeout and an 8-hour absolute session limit to prevent unauthorised access.
- Infrastructure compliance — AWS infrastructure holds SOC 2 Type II and ISO 27001 certifications.
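As an added illustration (not InCoko's code, whose detector is not published), this is the regex half of the dual-engine redaction described above: a candidate pattern for card numbers, a Luhn check to discard digit runs that are not card numbers, and masking that keeps only the last four digits. The transcript is constructed; the Bedrock-based PHI engine is out of scope here.

```python
import re

# Candidate primary account numbers: 13-19 digits, optionally separated by
# single spaces or dashes, not adjoining other digits. Illustrative pattern.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check: filters out reference numbers and similar digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pan(text: str) -> tuple[str, int]:
    """Replace each Luhn-valid candidate with a masked token; return (text, count)."""
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # leave non-card digit runs untouched
        count += 1
        return f"[PAN REDACTED ****{digits[-4:]}]"

    return _CANDIDATE.sub(_sub, text), count


# Constructed sample transcript: one real test PAN, one 16-digit reference
# number that is not Luhn-valid, and a phone number too short to qualify.
SAMPLE_TRANSCRIPT = (
    "Caller: the card is 4111 1111 1111 1111, expiry 09/27. "
    "Agent: thanks, your reference is 1234 5678 9012 3456. "
    "Caller: call me back on 555-0100-1234."
)

if __name__ == "__main__":
    redacted, n = redact_pan(SAMPLE_TRANSCRIPT)
    print(f"{n} PAN(s) redacted:\n{redacted}")
```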
Breach notification
In the event of a breach of unsecured PHI, Biz Digital IT will notify affected covered entities without unreasonable delay and no later than 60 days after discovery of the breach, as required by the HIPAA Breach Notification Rule (45 CFR 164.400-414). We will provide all information necessary for covered entities to fulfil their own notification obligations.
Business Associate Agreements
When InCoko handles PHI on behalf of a covered entity, Biz Digital IT will enter into a Business Associate Agreement (BAA). The BAA defines our responsibilities for safeguarding PHI, including permitted uses and disclosures, breach notification requirements, and obligations upon termination.
To request a BAA, contact us at privacy@incoko.ai.
Limitations
InCoko is a technology provider. While we implement comprehensive safeguards to protect ePHI within our systems, covered entities remain responsible for their own HIPAA compliance programme. This includes:
- Conducting your own risk assessments.
- Training your workforce on HIPAA policies.
- Ensuring that all business associates, including InCoko, have executed BAAs.
- Maintaining your own policies and procedures for HIPAA compliance.
Contact
For questions about our HIPAA compliance posture or to request a Business Associate Agreement, contact us at privacy@incoko.ai.