Last Updated: January 15, 2026
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a United States federal law that establishes standards to protect the privacy and security of protected health information. This includes requirements to maintain reasonable and appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI).
Our Shared HIPAA Commitment
Maintaining HIPAA compliance, and ensuring the security of ePHI, is a joint commitment between customers and Ava. Customers subject to HIPAA requirements can use Ava in support of compliant workflows; however, customers acting as covered entities or business associates have an obligation under HIPAA, independent of Ava, to implement the appropriate administrative, physical, and technical safeguards to ensure the security of ePHI.
Ava provides a solution that empowers customers to benefit from communication access in their conversations in a secure and compliant manner. Below, we have provided additional information to help customers ensure their use of Ava supports their efforts to maintain HIPAA compliance.
Business Associate Agreements
Ava Enterprise Customers may be interested in executing Ava’s Business Associate Agreement (BAA) if they are subject to HIPAA and intend to store or process ePHI in their Ava environment. Ava’s BAA is a contract between Ava and a customer acting as a covered entity or business associate under HIPAA, which governs how a customer’s ePHI in the Ava platform is protected in compliance with HIPAA. It is the customer’s responsibility to determine whether a BAA is required for their use case. To begin this process or request additional information, please contact a member of your account team. Enabling HIPAA compliance for your organization’s usage of Ava and the execution of a BAA is only available to customers on the Enterprise plan. For more information and to adjust your organization’s plan, please reach out to your sales representative. Please note that if you decide to later downgrade your plan, you will no longer be covered by the executed BAA.
Requirements for HIPAA Customers
For a customer’s use of Ava to be covered by the Ava BAA, the customer and customer’s permitted users must comply with the following requirements:
- AI Captions | Ava's AI speech-to-text service processes audio to generate text transcripts. When using this service:
  - Ensure that any audio that may contain ePHI is uploaded or recorded only through our secure, encrypted mobile and web application functions.
  - Do not include patient names or other direct identifiers in file names or metadata.
  - Set Conversation Mode to Private mode to screen users joining the conversation who may not be authorized to see ePHI.
  - Be aware that our AI system may occasionally misinterpret medical terminology. Review AI-generated transcripts for accuracy before use in medical records.
- Scribe Captioning | For human-generated captions and transcripts:
  - Use our secure messaging system when communicating with human captioners about ePHI-containing content.
  - Scribe Captioners are instructed to write “Patient A” instead of real names in transcripts when possible.
- File Storage | ePHI must only be stored in transcripts within the Ava platform, which are encrypted. Do not store ePHI in user profiles or transcript titles.
- Sharing Transcripts | Ava allows sharing of completed transcripts. When sharing:
  - Use access controls to limit transcript visibility to authorized personnel only.
  - Do not use the public sharing link feature for any transcripts containing ePHI.
- Customer Support | When contacting Ava support:
  - Do not include ePHI in screenshots or support tickets.
  - Refrain from sharing ePHI with Ava representatives on calls, in emails, or through chat support.
- Integrations | Customers may integrate Ava with other integrations and systems, such as video conference calling platforms, which are vetted to be HIPAA compliant. Customers are nonetheless responsible for ensuring such integrations comply with HIPAA requirements and that they have correctly activated the HIPAA agreements with these integrations. Be aware that Ava cannot ensure the security of data, including ePHI, outside of our platform.
- Mobile App | When using the Ava mobile app:
  - Enable device-level encryption and strong authentication.
  - Do not download ePHI-containing transcripts to local storage on mobile devices.
- Automations | Ava Automations allow users to automate workflows (for example, onboarding a new member of your team on Ava), including outgoing email. When delivering automated emails, Ava sends email over a transport layer security (TLS) encrypted channel whenever possible; however, if the receiving email server does not support TLS, automated emails will be sent in cleartext.
  - Refrain from including ePHI directly in the body or subject line of the email. Ava cannot guarantee that the email content will be encrypted if the receiving email server does not support TLS.
  - Be mindful of recipients when configuring automated messages.
- Customer Support | When contacting Ava, such as when using Customer Support, do not include ePHI in screenshots or support tickets. Refrain from sharing ePHI with Ava representatives on a call, by email, or through other digital communication.
- Integrations | Customers may choose to integrate their Ava instance with other systems and are responsible for ensuring such integrations are implemented in compliance with any applicable HIPAA requirements. When configuring integrations, be aware that Ava cannot ensure and is not responsible for the security or privacy of data, including ePHI, once it leaves the boundaries of the Ava environment.