HIPAA Compliance

Last updated: May 13, 2026

Fiftyfoursix Medical AI is committed to safeguarding protected health information (PHI) for every clinic and every patient interaction we touch. We operate as a HIPAA Business Associate to the healthcare providers (Covered Entities) that use the Services, and we align our administrative, physical, and technical safeguards with the HIPAA Privacy, Security, and Breach Notification Rules (45 CFR Parts 160 and 164).

Our Commitment

  • We treat PHI with the highest level of care and process it strictly to perform the services requested by the clinic.
  • All PHI is protected with end-to-end encryption in transit (TLS 1.2+) and at rest (AES-256).
  • We do not store PHI longer than necessary to route a message, schedule an appointment, or complete the clinical workflow it was provided for.
  • We sign a Business Associate Agreement (BAA) with every clinic and with every sub-processor that may handle PHI on our behalf.
  • We never sell PHI and never use PHI to train third-party AI models.

Administrative Safeguards

  • Designated Security and Privacy Officers responsible for our HIPAA program.
  • Workforce HIPAA training on hire and annually thereafter.
  • Documented policies covering access management, incident response, sanctions, and contingency planning.
  • Annual risk assessments and ongoing risk-management activities.
  • Vendor risk reviews and executed BAAs with all PHI sub-processors.

Physical Safeguards

  • PHI is hosted in SOC 2 Type II–audited, U.S.-based cloud data centers with 24/7 physical access controls.
  • No PHI is stored on employee endpoints; workforce access is brokered through hardened, logged systems.
  • Secure media handling and disposal procedures for any device that has touched PHI.

Technical Safeguards

  • Encryption in transit: TLS 1.2 or higher for all network communication, including telephony bridges.
  • Encryption at rest: AES-256 across databases, object storage, and backups.
  • End-to-end encryption across the call-handling and message-routing pipeline.
  • Access controls: unique user IDs, SSO/MFA enforcement, role-based access, and least-privilege defaults.
  • Audit logging: immutable logs of access to PHI, retained per regulatory requirement.
  • Automatic logoff and session protections on all administrative interfaces.

Minimum Necessary & Data Minimization

We apply the HIPAA minimum necessary standard to every workflow. The Services capture only the information required to route a call or schedule an appointment, and PHI is purged from active systems as soon as the routing or scheduling task is complete. Operational metadata that is not PHI (call counts, latency, error rates) may be retained in de-identified form for performance and billing.

Breach Notification

In the event of a discovered breach of unsecured PHI, Fiftyfoursix will notify the affected clinic without unreasonable delay and no later than the timeframes required under 45 CFR § 164.410, providing the information needed for the Covered Entity to fulfill its notification obligations.

Patient Rights

Patients exercising rights under HIPAA — access, amendment, accounting of disclosures, or restriction requests — should contact the treating clinic, which is the Covered Entity. We support clinics in fulfilling those requests.

Business Associate Agreements

A signed BAA is required before PHI is exchanged through the Services. To request a BAA, contact info@fiftyfoursix.com.

Contact Our Privacy Office

Privacy & Security Office · Fiftyfoursix Medical AI · Houston, TX · info@fiftyfoursix.com

Questions about this policy? Email info@fiftyfoursix.com.