Compliance Notes

This page is operational guidance, not legal advice.

HIPAA Path

For US healthcare customers, HIPAA may apply when protected health information (PHI) is created, received, maintained, or transmitted on behalf of covered entities. Before production use with PHI, use vendors that support the appropriate agreements and sign any required Business Associate Agreement (BAA).

Messaging Consent

Patient-facing SMS should be consent-based. Clinic scripts should include opt-out language and avoid clinical advice over automated messages.

UK, EU, and Germany Path

For UK and EU customers, production use should define controller/processor roles, use an appropriate data processing agreement, document subprocessors, and keep marketing or patient messaging aligned with consent and electronic communications rules.

Email Outreach

Commercial outbound email should use truthful sender/subject information, include an opt-out method, include a valid postal address, and honor opt-outs.

AI Guardrails

The AI should help with intake, reminders, scheduling, and summaries. It should route diagnosis, urgent symptoms, treatment recommendations, insurance guarantees, and final pricing to staff rather than answering them itself.
