
HIPAA Compliance

Effective Date: May 21, 2026 · Last Updated: May 21, 2026 · Entity: In&Out Digital Ltd.

In&Out Digital Ltd. takes HIPAA compliance seriously. As a patient-acquisition agency working with US medical spas, we may operate as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. This page explains how we handle protected health information (PHI), what safeguards we have in place, and what your rights are as a Covered Entity.

1. Our Role Under HIPAA

Medical spas that provide services involving individually identifiable health information — such as treatment notes, patient intake records, or appointment data tied to medical diagnoses — may qualify as HIPAA Covered Entities. Where that applies, In&Out Digital functions as a Business Associate as defined under 45 CFR § 160.103, because we perform services on your behalf that involve creating, receiving, maintaining, or transmitting PHI.

Specifically, our AI receptionist handles inbound calls from your patients. During those calls, callers may disclose health-related information. That information is processed by Synthflow's HIPAA-certified infrastructure on our behalf.

Note: If your practice offers purely cosmetic services with no medical record-keeping and you do not qualify as a Covered Entity, HIPAA-specific provisions do not apply. Standard data protection terms under our Privacy Policy govern instead.

2. Business Associate Agreement (BAA)

Before any patient-facing AI services begin, we execute a signed Business Associate Agreement with every client whose practice involves PHI. The BAA establishes:

  • The permitted uses and disclosures of PHI on your behalf
  • Our obligation to implement appropriate administrative, physical, and technical safeguards
  • Requirements to report breaches or security incidents to you promptly
  • Provisions for subcontractors (specifically Synthflow) who handle PHI under sub-BAA agreements
  • Data return and destruction requirements on termination of our engagement

If you have not yet executed a BAA with us and your practice involves PHI, contact us immediately before AI receptionist services go live.

3. Synthflow: Our HIPAA Infrastructure Partner

All patient call recordings, transcripts, and related data are processed and stored exclusively within Synthflow's infrastructure. Synthflow is certified across the following compliance frameworks:

  • HIPAA: Synthflow operates a HIPAA-compliant environment and enters into BAAs with Business Associates like In&Out Digital
  • SOC 2 Type II: independently audited for security, availability, processing integrity, confidentiality, and privacy
  • PCI DSS Level 1: the highest level of payment card industry data security certification
  • ISO 27001: internationally recognized information security management system standard
  • GDPR: compliant with EU General Data Protection Regulation requirements

We do not store, copy, or independently access PHI on our own servers. PHI remains within Synthflow's HIPAA-certified environment at all times. Your Synthflow account — including all call recordings — is owned by you and transferred to you in full upon termination of our engagement.

4. What PHI We Handle and How

PHI that may be processed

  • Patient name and contact information provided during AI-handled calls
  • Appointment-related information (dates, services, provider names)
  • Health-related disclosures made voluntarily by callers (e.g., condition being treated, prior procedures)

How we handle it

  • Minimum necessary standard: we access PHI only to the extent required to configure, manage, and optimize the AI receptionist on your behalf (45 CFR § 164.502(b))
  • No independent use: we do not use PHI for our own marketing, research, or any purpose beyond the contracted services
  • No onward disclosure: we do not disclose PHI to third parties except as required to provide services (e.g., Synthflow as a sub-Business Associate) or as required by law
  • Retention: call recordings and transcripts are retained per the settings you configure in your Synthflow account, which you control directly

5. Safeguards We Maintain

Administrative safeguards

  • Designated privacy and security responsibility within our team
  • Staff training on HIPAA obligations and the handling of PHI
  • Policies and procedures governing PHI access, use, and disclosure
  • Vendor assessment process before engaging any subcontractor that may access PHI

Physical safeguards

  • We do not operate physical facilities that store PHI. All PHI storage is within Synthflow's certified data centers, which maintain their own physical access controls

Technical safeguards

  • Access to client accounts and configurations is role-based and limited to personnel who need it to perform their duties
  • All data in transit is encrypted using TLS 1.2 or higher
  • Audit logging is maintained for access to client systems and configurations

6. Breach Notification

In the event of a suspected or confirmed breach involving PHI, we will:

  • Notify you in writing within 60 days of our discovery of the breach, consistent with 45 CFR § 164.410
  • Provide, to the extent available: a description of the breach, the types of PHI involved, the number of individuals affected, steps taken to mitigate harm, and steps being taken to prevent future breaches
  • Cooperate fully with your investigation and any required notifications to individuals or the US Department of Health and Human Services (HHS)

To report a suspected security incident involving PHI, contact us immediately using the details in Section 8. Mark your communication "HIPAA Security Incident."

7. Your Responsibilities as a Covered Entity

As the Covered Entity, you are responsible for:

  • Determining whether your practice qualifies as a HIPAA Covered Entity and notifying us before AI services begin
  • Providing patients with your Notice of Privacy Practices as required under 45 CFR § 164.520
  • Obtaining any required patient authorizations before disclosing PHI to us beyond what is permitted under HIPAA's treatment, payment, and healthcare operations provisions
  • Ensuring your staff follows appropriate access controls for systems we integrate with (e.g., your scheduling software)
  • Notifying us promptly if you become aware of any security incident involving our shared systems

8. Contact for HIPAA Matters

For all HIPAA-related requests, questions, BAA execution, or security incident reporting, contact us at:

In&Out Digital Ltd. — Privacy & Compliance

Email: Hello@InAndOutDigital.com

Phone: +1 (210) 618-9158

Please mark all HIPAA-related communications "HIPAA Privacy Request" or "HIPAA Security Incident" as appropriate.

© 2026 In&Out Digital Ltd. All rights reserved.