Transmission Security
TLS 1.2+ enforced on all endpoints. HSTS enabled. All data in transit is encrypted.
Audit Logging
Append-only PHI access logs with 6-year retention. Every read, write, and delete recorded.
Access Controls
Role-based access. Customer and admin domains strictly separated. No PHI exposed via public endpoints.
BAA Available
Business Associate Agreements executed digitally with timestamped, IP-verified signatures.
Encryption at Rest and in Transit
DeskPilot implements HIPAA's technical safeguards as required under 45 CFR §164.312.
- TLS 1.2+ in transit: All communication between clients and DeskPilot servers uses HTTPS with TLS 1.2 or higher. HTTP access is automatically upgraded. HSTS (HTTP Strict Transport Security) is enabled with a 2-year max-age and preload flag.
- AES-256 at rest: All data stored in DeskPilot databases is encrypted at rest using AES-256 encryption at the infrastructure level (Neon/PostgreSQL on Render).
- Vapi & Twilio encryption: Call transcripts and recordings transmitted via Vapi and Twilio are encrypted in transit using TLS. Recording URLs are scoped and time-limited. Twilio credentials are stored only as environment variables, never in the database.
- No PHI in unencrypted channels: DeskPilot does not transmit Protected Health Information via plain-text email, SMS, or HTTP. All webhook endpoints (Vapi, Stripe) are HTTPS-only.
- Unique user identification: All admin access requires authenticated sessions with HMAC-signed cookies. Customer portal requires separate authenticated login.
- Automatic logoff: Sessions expire after 24 hours of inactivity.
Complete Audit Trail for All PHI Access
DeskPilot maintains an append-only audit log of all activity involving Protected Health Information. Logs cannot be deleted or modified: HIPAA requires 6-year retention, and we enforce it at the database level.
- PHI access logging: Every recording play, download, and transcript view is logged with timestamp, user identity, IP address, and user agent.
- Modification logging: All deletes and updates to call records are logged before the operation executes.
- Admin audit dashboard: HIPAA compliance officers can filter, search, and export audit logs by action type, resource, date range, and IP address.
- 6-year retention: Audit log records are never deleted. Retention is enforced by the absence of any DELETE API on the audit_logs table.
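One way to make an audit table append-only inside the database itself, so the guarantee does not depend on which APIs exist, and to log a delete before it executes. This is an added example, not DeskPilot's schema: SQLite stands in for the PostgreSQL database named above, and the column names and the calls table are assumptions.

```python
import sqlite3

# Assumed schema: audit_logs columns and the calls table are illustrative.
SCHEMA = """
CREATE TABLE audit_logs (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    ts TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
    actor TEXT NOT NULL, action TEXT NOT NULL, resource TEXT NOT NULL,
    ip TEXT NOT NULL, user_agent TEXT NOT NULL
);
CREATE TABLE calls (id INTEGER PRIMARY KEY, transcript TEXT);
-- Reject any change to rows already written, whatever the caller.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_logs
BEGIN SELECT RAISE(ABORT, 'audit_logs is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_logs
BEGIN SELECT RAISE(ABORT, 'audit_logs is append-only'); END;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def delete_call(db, call_id, actor, ip, user_agent):
    """Write the audit row first, then delete, in one transaction."""
    with db:  # commits on success, rolls back both statements on error
        db.execute(
            "INSERT INTO audit_logs (actor, action, resource, ip, user_agent) "
            "VALUES (?, 'delete', ?, ?, ?)",
            (actor, f"call:{call_id}", ip, user_agent))
        db.execute("DELETE FROM calls WHERE id = ?", (call_id,))

def tamper_blocked(db, sql):
    """Return True if the statement is rejected by the triggers."""
    try:
        with db:
            db.execute(sql)
    except sqlite3.DatabaseError:
        return True
    return False
```

On PostgreSQL the same effect is usually reached by revoking UPDATE and DELETE on the table from the application role, with equivalent triggers as a second layer.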
Least-Privilege Access Architecture
DeskPilot enforces strict domain-based access separation. PHI is only accessible to authenticated users with a legitimate business need.
- Domain separation: Admin APIs are 404'd on the public domain (deskspilot.net). No PHI endpoints are reachable from the public-facing site.
- Customer portal isolation: Customer data is scoped to the authenticated customer account only. Cross-account data access is not possible.
- Rate limiting: Brute-force protection on all authentication endpoints (5 attempts per IP per 15 minutes).
- No PHI in URLs: Patient information is never included in query parameters or URL paths that could appear in server logs or browser history.
Breach Detection and 60-Day Notification
DeskPilot maintains automated breach detection and a documented incident response procedure in compliance with the HIPAA Breach Notification Rule.
- Automated anomaly detection: DeskPilot monitors PHI access patterns and flags unusual activity: bulk record access (>10 records in 1 hour), access from new IP addresses, and after-hours access (midnight to 5 AM). Flagged events are logged to a dedicated security incidents table.
- Security incident log: A dedicated security_incidents table captures all detected and reported incidents with severity, affected record counts, investigation status, and resolution notes.
- 60-day notification: In the event of a confirmed breach, DeskPilot will notify affected individuals within 60 days as required by 45 CFR §164.404. Notification templates are pre-built and admin-accessible.
- HHS notification for 500+ records: For breaches affecting 500 or more individuals, DeskPilot will file notification with HHS via the online breach reporting portal within 60 days and provide media notice as required by §164.408.
- Incident response procedure: A documented incident response procedure is maintained and accessible to authorized administrators from the HIPAA compliance section of the admin dashboard.
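The three anomaly rules listed above, written out as detection logic over a constructed access log. This is an added example, not DeskPilot's code; the event fields, the per-user scope of each rule, and the treatment of a user's first IP as a baseline are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BULK_LIMIT = 10                    # page: more than 10 records in 1 hour
BULK_WINDOW = timedelta(hours=1)
AFTER_HOURS = range(0, 5)          # page: midnight to 5 AM (clinic-local time assumed)

def detect(events):
    """events: dicts with ts, user, ip, record_id, sorted by ts.
    Returns a list of (ts, user, rule) flags."""
    recent = defaultdict(deque)     # user -> (ts, record_id) inside the window
    known_ips = defaultdict(set)    # user -> IPs already seen
    bulk_active = set()             # users currently over the bulk limit
    flags = []
    for e in events:
        user, ts = e["user"], e["ts"]
        win = recent[user]
        win.append((ts, e["record_id"]))
        while win and ts - win[0][0] > BULK_WINDOW:
            win.popleft()
        distinct = {rid for _, rid in win}   # re-reading one record is not bulk
        if len(distinct) > BULK_LIMIT:
            if user not in bulk_active:      # flag once per burst, not per event
                bulk_active.add(user)
                flags.append((ts, user, "bulk_access"))
        else:
            bulk_active.discard(user)
        # A user's first IP is the baseline; later unseen IPs are flagged.
        if known_ips[user] and e["ip"] not in known_ips[user]:
            flags.append((ts, user, "new_ip"))
        known_ips[user].add(e["ip"])
        if ts.hour in AFTER_HOURS:
            flags.append((ts, user, "after_hours"))
    return flags

def sample_events():
    # Constructed log: alice reads 12 records in 12 minutes; bob returns at 02:30.
    base = datetime(2026, 1, 12, 14, 0)
    ev = [{"ts": base + timedelta(minutes=i), "user": "alice",
           "ip": "198.51.100.7", "record_id": i} for i in range(12)]
    ev.append({"ts": datetime(2026, 1, 12, 16, 0), "user": "bob",
               "ip": "198.51.100.9", "record_id": 500})
    ev.append({"ts": datetime(2026, 1, 13, 2, 30), "user": "bob",
               "ip": "203.0.113.44", "record_id": 501})
    return ev

if __name__ == "__main__":
    for ts, user, rule in detect(sample_events()):
        print(ts.isoformat(), user, rule)
```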
BAA Execution for Covered Entities
Under HIPAA, any vendor that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity must execute a Business Associate Agreement. DeskPilot qualifies as a Business Associate when used by healthcare providers.
- Digital execution: BAA is signed digitally with name, email, and company verification. Acceptance is timestamped and IP-recorded per the ESIGN Act.
- Version tracking: BAA version is recorded at signing. When terms are updated, existing customers are notified and required to re-accept before continuing healthcare use.
- Healthcare modules gated: Access to dental, medical, and VA AI scripts requires BAA acceptance. The system verifies BAA status before activating healthcare-specific workflows.
Built for Dental, Medical, and VA Practices
DeskPilot includes purpose-built HIPAA-compliant AI scripts for three healthcare verticals, each with appropriate emergency protocols and PHI-minimum collection workflows.
- Dental offices: Scheduling, emergency triage, insurance handling, and HIPAA-compliant call flows for dental practices of all sizes.
- Medical offices: New patient intake, follow-up scheduling, prescription refill routing, and lab result handling with minimum-necessary PHI collection.
- VA & government facilities: Veteran-specific scheduling with crisis protocols (Veterans Crisis Line integration), mental health-aware call flows, and multi-department routing.
What DeskPilot Covers vs. What You're Responsible For
HIPAA compliance is a shared responsibility between DeskPilot (Business Associate) and your practice (Covered Entity).
- DeskPilot provides: technical safeguards (encryption, access controls), audit logging, breach detection, incident response procedures, and BAA execution.
- Your practice is responsible for: training staff on HIPAA policies, maintaining a Notice of Privacy Practices, obtaining patient authorizations where required, and configuring DeskPilot in compliance with your facility's specific policies.
- Call recording consent: Your practice is solely responsible for obtaining all-party consent for call recording as required in your state. DeskPilot provides a configurable recording disclosure in the AI greeting, but compliance with state recording laws is your responsibility.
Ready to use DeskPilot for your practice?
Sign the BAA digitally in under 2 minutes. No paper, no waiting: just your name, email, and practice information.
This page describes DeskPilot's HIPAA compliance posture as of May 4, 2026. HIPAA compliance information is subject to change as regulations and our technical infrastructure evolve. For questions about our compliance program, contact security@deskspilot.net. Nothing on this page constitutes legal advice; consult your own counsel for compliance determinations specific to your practice.