HIPAA compliance

What HIPAA compliance means for your practice when using Warpflow Signals, including what's covered, your responsibilities, and how Signal Guard protects patient data.

Who this applies to

If your business handles protected health information (PHI), such as patient names, appointment details, medical conditions, or treatment information, you're subject to HIPAA requirements. This typically includes:

  • Medical spas and aesthetics practices
  • Dental offices
  • Healthcare clinics and providers
  • Any business that communicates with patients about health-related services

What Warpflow covers

Warpflow's infrastructure is designed to meet HIPAA requirements for electronic PHI (ePHI):

Data encryption

  • All data is encrypted in transit (TLS 1.2+) and at rest
  • Encryption keys are managed by a dedicated key management service
  • Encryption is always on; it cannot be disabled

Access controls

  • Authenticated access to all patient-related data
  • Role-based permissions for team members
  • Session management with automatic timeout

Audit logging

  • Every access to patient data is logged
  • Signal processing events create a complete audit trail
  • Signal Guard evaluations are recorded for compliance review
  • Logs can be exported as CSV or JSON for your records

Data isolation

  • Your data is stored separately from other tenants
  • No cross-tenant data access is possible
  • Data is stored in US-based data centers

Signal Guard for PHI

  • Signal Guard prevents AI-generated replies from diagnosing conditions, prescribing treatments, or making medical claims
  • Healthcare industry presets (Medical Aesthetics, Dental) include pre-configured prohibited phrases and compliance rules
  • The AI judge evaluates every reply for HIPAA-sensitive content before it can be sent
  • Messages flagged as requiring expert knowledge are automatically escalated to your clinical team

Your responsibilities

HIPAA is a shared responsibility. Warpflow secures the platform, but your practice is responsible for:

Staff training

  • Train team members on HIPAA-compliant communication practices (for example, never text a patient's medical record number, lab results, or detailed medical history)
  • Ensure staff understand which information can and cannot be shared via SMS

Your own policies

  • Maintain written HIPAA policies and procedures for your practice (for example, document your approval process for automated patient replies)
  • Include digital communication in your Notice of Privacy Practices

Access management

  • Only grant dashboard access to authorized team members
  • Review and remove access when staff leave

Patient consent

  • Obtain appropriate consent for automated communications
  • Inform patients that automated systems may process their messages

Template review

  • Review automated message templates to ensure they don't request or reveal PHI inappropriately
  • Use the test runner to verify that AI replies handle sensitive topics correctly

How Signal Guard protects patient data

When AI reply generation is enabled for a healthcare practice, multiple layers of protection are active:

  1. Prohibited phrases: the Medical Aesthetics and Dental presets block words like "diagnose," "prescribe," "cure," and "guaranteed results" from appearing in AI replies
  2. Escalation keywords: terms like "allergic reaction," "infection," or "malpractice" trigger automatic escalation to your team
  3. Compliance rules: the AI judge checks every reply against healthcare-specific principles (for example, "Never provide specific medical advice" and "Always recommend an in-person consultation for clinical questions")
  4. Expert escalation: when the AI detects a question requiring licensed professional knowledge, it routes the conversation to your clinical team instead of generating a reply

These Signal Guard rules are enabled by default when you apply a healthcare industry preset. You can add custom rules on the Signal Guard page.
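The layered checks above, modelled as a small example added here (this is illustrative code, not Warpflow's implementation; the phrase and keyword lists are constructed from the terms quoted on this page and are not the actual preset contents). It shows the ordering the page describes: escalation keywords in the patient's message route to staff before any reply is generated, prohibited phrases in a draft reply block it, and every decision produces an audit entry that records the outcome rather than the message text.

```python
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List

# Constructed lists based on the examples quoted on this page (assumption:
# the real presets are larger and maintained by the vendor).
PROHIBITED_PHRASES = ["diagnose", "prescribe", "cure", "guaranteed results"]
ESCALATION_KEYWORDS = ["allergic reaction", "infection", "malpractice"]


@dataclass
class Evaluation:
    recommendation: str                      # send, escalate or block
    reasons: List[str] = field(default_factory=list)


def find_terms(terms: List[str], text: str) -> List[str]:
    """Whole-word, case-insensitive match so 'cured' or 'Infection?' still hit."""
    low = text.lower()
    return [t for t in terms if re.search(r"\b" + re.escape(t) + r"\b", low)]


def evaluate_reply(inbound: str, draft_reply: str) -> Evaluation:
    # Layer 2 first: a clinical escalation term in the patient's message means
    # a human should answer, regardless of what the draft reply says.
    hits = find_terms(ESCALATION_KEYWORDS, inbound)
    if hits:
        return Evaluation("escalate", [f"escalation keyword in message: {t}" for t in hits])
    # Layer 1: prohibited phrases are checked in the reply only, so a patient
    # asking "can you cure X?" does not by itself block the conversation.
    hits = find_terms(PROHIBITED_PHRASES, draft_reply)
    if hits:
        return Evaluation("block", [f"prohibited phrase in reply: {t}" for t in hits])
    return Evaluation("send")


def audit_record(conversation_id: str, inbound: str, draft_reply: str) -> Dict:
    """Audit entry for compliance review. Deliberately stores the decision and
    matched rule names, not the PHI-bearing message bodies."""
    ev = evaluate_reply(inbound, draft_reply)
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "conversation_id": conversation_id,
        "recommendation": ev.recommendation,
        "reasons": ev.reasons,
        "reply_chars": len(draft_reply),
    }


def export_json(records: List[Dict]) -> str:
    return json.dumps(records, indent=2)
```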

Audit trail access

To access your audit trail:

  1. Go to Signal Guard > Audit Log tab
  2. Review Signal Guard evaluations with color-coded recommendations (send/review/escalate/block)
  3. Click any event to see the full evaluation details
  4. Use Export to download records as CSV or JSON

Keep these records for your compliance documentation. They demonstrate that automated patient communications are monitored and controlled.

Email and HIPAA

When HIPAA mode is enabled for your tenant, the Email section is hidden from the dashboard sidebar and email integration is not available. This is because email requires a separate HIPAA-compliant agreement (Business Associate Agreement) with the email provider. SMS remains fully available for HIPAA tenants with all protections active.

Business Associate Agreement (BAA)

Enterprise plan customers who require a BAA can request one by contacting support@warpflow.ai. The BAA covers Warpflow's handling of ePHI within the Signals platform.

Questions?

For HIPAA-specific questions or to discuss your practice's compliance needs, email support@warpflow.ai.
