
HIPAA & Compliance at SanovaTech

SanovaTech is designed for clinics, health systems, and care teams that handle Protected Health Information (PHI). This page explains how we support HIPAA compliance, protect PHI, and secure your data across the Sanova platform.

Last updated: October 20, 2025

  • HIPAA role: Business Associate to covered entities and their business associates.
  • PHI handling: PHI is used only to deliver the contracted services, per the BAA.
  • Security controls: Encryption, RBAC, SSO/SAML, MFA, audit logs, network isolation.
  • AI & data use: No selling of PHI and no PHI used to train foundation models.

1. Scope & how HIPAA applies

When SanovaTech provides services to clinics, health systems, or other healthcare organizations that are covered entities or business associates under HIPAA, SanovaTech acts as a Business Associate. In this role, we handle Protected Health Information (PHI) only to provide, maintain, secure, and support the contracted services.

This page describes SanovaTech's platform-level controls and practices. It does not replace your organization's own HIPAA compliance program or legal advice. Each Customer is responsible for configuring SanovaTech in a compliant way within their own covered environment.

2. Business Associate Agreements (BAAs)

SanovaTech enters into a Business Associate Agreement with Customers that qualify as covered entities or business associates under HIPAA. The BAA governs how we handle PHI, the purposes for which it may be used, and the safeguards we are required to maintain.

  • SanovaTech uses PHI only to provide the contracted services.
  • We do not sell PHI or use PHI for advertising or cross-context behavioral advertising.
  • We do not use Customer PHI to train third-party foundation models.
  • We support Customer obligations for access, amendment, and accounting of disclosures as set out in the BAA.

To request a copy of our standard BAA or discuss a Customer-specific BAA, contact us at privacy@sanovatech.io.

3. PHI handling, data segregation & residency

SanovaTech is a multi-tenant healthcare platform. Customer data is logically isolated to prevent cross-tenant access. Within each tenant, Customer administrators control which users and systems can access PHI.

  • Data segregation: Each Customer's data is logically separated from other tenants using application- and database-level isolation.
  • Data residency: By default, U.S. healthcare workloads are hosted in U.S.-based data centers. Customers may request regional options where available.
  • Cross-border transfers: PHI is not moved outside the selected region unless explicitly authorized by the Customer and permitted by applicable law and the BAA.

4. Security controls & technical safeguards

SanovaTech maintains administrative, physical, and technical safeguards that are designed to meet or exceed the HIPAA Security Rule and industry best practices for healthcare workloads.

  • Encryption: PHI is encrypted in transit using TLS (v1.2+) and at rest using strong, industry-standard algorithms (such as AES-256).
  • Access control: RBAC, least-privilege access, SSO/SAML, and MFA support. Customer admins manage user roles and permissions.
  • Audit logging: Access to PHI, configuration changes, and key clinical events are logged.
  • Network security: Network isolation, firewalls/WAF, endpoint protection, and monitoring.
  • Secure development: Change management, code review, and vulnerability management processes.
  • Vendor risk management: Key infrastructure and service providers are evaluated and bound by written agreements.

5. AI features & automated assistance

SanovaTech provides AI-assisted features such as transcription, documentation suggestions, coding assistance, clinical insights, and operational predictions. These features are designed to support clinicians and staff—not replace clinical judgment.

  • PHI used in AI workflows remains subject to the BAA, HIPAA, and Customer configuration.
  • We do not use Customer PHI to train third-party foundation models.
  • Where required by applicable law, we enable human review and, where appropriate, appeal of automated outputs with material impact.
  • Customers remain responsible for reviewing outputs before using them in clinical decision-making or patient care.

6. Sub-processors & third-party services

SanovaTech uses carefully selected sub-processors to provide infrastructure, storage, communication tools, and other supporting services. When these vendors may have access to PHI, they act as subcontractors under our BAA with Customers.

  • All sub-processors are bound by written agreements.
  • We require appropriate security controls and confidentiality protections.
  • We maintain a list of material sub-processors, available upon request at privacy@sanovatech.io.

7. Breach notification & incident response

SanovaTech maintains incident response policies and procedures for detecting, investigating, and responding to potential security events involving PHI.

  • Suspected incidents are triaged, investigated, and documented by our security team.
  • If we determine that a breach of unsecured PHI has occurred, SanovaTech will notify affected Customers without unreasonable delay and within the timelines required by HIPAA and applicable law.
  • We cooperate with Customers to support any required notifications to individuals, regulators, or other parties.

8. Customer responsibilities

HIPAA compliance is a shared responsibility between SanovaTech and each Customer. While we provide secure infrastructure and controls, Customers are responsible for how the platform is configured and used in their environment.

  • Granting and revoking user access and managing roles.
  • Maintaining accurate contact information for security and breach notifications.
  • Configuring retention, export, and integration settings to align with their own policies.
  • Ensuring that content uploaded to SanovaTech is handled in accordance with their internal HIPAA and compliance requirements.

9. Relationship to our Privacy Policy

This HIPAA & Compliance page focuses on how we support healthcare-specific regulatory obligations and PHI. For information about how we handle Personal Data more broadly—including website visitors, product analytics, and marketing data—please see our Privacy Policy.

10. Contact & additional information

If you have questions about HIPAA, PHI handling, or compliance on the Sanova platform, please contact:

SanovaTech, Inc.

HIPAA & Privacy Inquiries

Email: privacy@sanovatech.io

Support: support@sanovatech.io

This page is provided for transparency and informational purposes only and does not constitute legal advice. Customers should consult with their own legal counsel to determine how HIPAA and other laws apply to their use of SanovaTech.