HIPAA Compliance Notice
Last updated: April 16, 2026
ClarioScope AI is designed from the ground up with healthcare privacy in mind. This notice explains what data we handle, when your practice needs a Business Associate Agreement (BAA), and how our compliance infrastructure protects you.
Our Compliance Infrastructure
Data Encryption
AES-256 encryption for all data at rest. TLS 1.3 for all data in transit. No unencrypted storage of any client or patient data anywhere in our infrastructure. Encryption applied in a manner consistent with HHS guidance also renders PHI "secured," so that an incident involving only encrypted data does not trigger breach notification.
BAA Execution
A Business Associate Agreement is executed with every client using services that handle PHI. We countersign BAAs within two business days and maintain executed copies for the required 6-year retention period.
Access Controls
Role-based access control (RBAC) ensures only authorized personnel access PHI. Multi-factor authentication (MFA) is required for all privileged accounts. Automatic session timeouts implement the HIPAA Security Rule's automatic logoff safeguard for workstations and portal sessions.
Breach Notification
Documented incident response procedures. In the event of a confirmed breach of unsecured PHI, affected covered entities are notified without unreasonable delay, and in no case later than 60 calendar days after discovery, as required by the HIPAA Breach Notification Rule (45 C.F.R. § 164.410, enacted under HITECH), with full incident reports.
Workforce Training
All ClarioScope AI employees complete mandatory HIPAA Privacy and Security training upon hire and annually thereafter. Completion records are maintained and available for audit upon request.
Security Audits
Annual formal HIPAA risk analyses per 45 C.F.R. § 164.308(a)(1). Annual third-party penetration testing. Our infrastructure is hosted on AWS services covered by SOC 2 Type II attestation reports.
1. What ClarioScope AI Does and Does Not Do With Health Information
ClarioScope AI provides two categories of services with very different data handling profiles. Understanding which category applies to your practice determines whether you need to execute a BAA.
Standard Services
No PHI involved — BAA not required
- Diagnostic scan of your public-facing web presence
- SEO keyword research and content strategy
- Google Business Profile optimization
- Social media content creation and scheduling
- Anonymous website analytics and performance reporting
- Paid advertising (Google Ads, Meta) without patient identifiers
Enhanced Services
PHI may be involved — BAA REQUIRED
- AI Receptionist — processes inbound call audio and may capture patient identifiers
- Appointment scheduling integrations where patient names or dates of service flow through our platform
- Direct patient communication workflows linking appointment data to identifiable individuals
- Any custom integration where PHI from your EHR or PMS passes through ClarioScope AI systems
2. AI Receptionist and HIPAA
The ClarioScope AI Receptionist is a VAPI-powered voice AI that handles inbound calls on behalf of your practice — scheduling appointments, answering FAQs, and routing urgent calls to your staff. Because this service may capture and process information about identifiable patients, it constitutes a HIPAA Business Associate function.
- Call recording encryption: All call recordings are encrypted in transit using TLS 1.3 and stored at rest with AES-256 encryption on HIPAA-eligible AWS services operated under our BAA with AWS. Recordings are retained only for the period specified in your service agreement (default: 90 days) and are accessible only to authorized personnel.
- AI session data handling: Transcriptions generated by the AI Receptionist are treated as ePHI where they contain identifiable patient information. They are stored in your practice's portal (accessible only to authorized staff) and are not used to train general AI models. Session logs are subject to the same 90-day or BAA-specified retention schedule.
- BAA requirement: A signed BAA between your practice and ClarioScope AI is required before the AI Receptionist can be activated. ClarioScope AI also maintains a BAA with VAPI as a HIPAA subcontractor. The AI Receptionist will not be enabled on any account that has not completed BAA execution.
- Script and call flow compliance: All AI Receptionist scripts are reviewed by your authorized representative before deployment. Scripts are designed to avoid unlicensed medical advice and to comply with applicable state telehealth and call recording consent laws, including all-party (often called two-party) consent states, where the caller must be told the call is recorded before recording begins.
3. Review and Reputation Management
ClarioScope AI's reputation management module monitors and helps you respond to patient reviews on Google, Healthgrades, Yelp, and other public platforms. This service is designed to operate without requiring access to PHI in most standard configurations.
- Public review handling: A review a patient posts on a public platform is the patient's own disclosure and is not PHI held by your practice. Your response, however, is a disclosure by the practice: confirming that the reviewer is a patient, or mentioning any detail of their visit or treatment, is a disclosure of PHI without authorization. Our response drafting protocol therefore instructs you never to confirm or deny that the reviewer is a patient of your practice, consistent with OCR enforcement on HIPAA and public review responses.
- No PHI in review requests: Review generation campaigns (automated requests to patients asking them to leave reviews) are conducted using only names and contact information provided through HIPAA-compliant channels. Where review requests are sent using patient appointment data, this requires a BAA and falls under Enhanced Services.
- Response drafting compliance: AI-drafted responses to negative or sensitive reviews are reviewed by you before posting. Draft responses are designed to: avoid confirming the patient relationship, avoid disclosing any clinical information, acknowledge the feedback professionally, and invite the reviewer to contact the practice directly to resolve concerns.
4. Marketing Content Compliance
Healthcare marketing is subject to FTC regulations, state medical board rules, and HIPAA's marketing provisions. ClarioScope AI builds compliance checkpoints into every campaign workflow.
- FTC endorsement rules: All patient testimonials and endorsements must represent the genuine experience of the patient. Material connections between the practice and the reviewer (e.g., compensation, free services) must be disclosed. ClarioScope AI will not publish or distribute testimonials that violate 16 C.F.R. Part 255 (FTC Endorsement Guides).
- Testimonial substantiation requirements: A testimonial is read by consumers as representing what they can generally expect, so testimonials may only describe outcomes that are typical for patients receiving the relevant treatment or service, with substantiation on file. Where a testimonial describes atypical results, the FTC Endorsement Guides (16 C.F.R. § 255.2(b)) require a clear and conspicuous disclosure of the results patients can generally expect; a bare "results not typical" or "individual results may vary" statement is not sufficient on its own. Our standard disclaimer ("Individual results may vary. Consult with a qualified provider to determine if this treatment is right for you.") is used in addition to, not instead of, that disclosure.
- Outcome claim requirements: Specific outcome claims (e.g., success rates, patient satisfaction scores) must be documented with verifiable evidence. We will request the supporting data before publishing any quantitative outcome claims in your marketing materials.
- Before/after photo consent: Before-and-after photographs used in any marketing context require documented patient consent specifying the approved uses (digital advertising, website, social media, print, etc.). You are responsible for maintaining consent records. ClarioScope AI will not publish before-and-after photography without written confirmation from your authorized representative that consent has been obtained for the specific intended use.
HIPAA Contacts
HIPAA Privacy Officer
For privacy questions, individual rights requests, HIPAA compliance inquiries, and reporting a potential privacy or security incident:
privacy@clarioscope.ai
We respond to all HIPAA inquiries within 2 business days.
BAA Requests
To request a Business Associate Agreement for AI Receptionist or Enhanced Services activation:
legal@clarioscope.ai
BAA countersignature SLA: 2 business days from receipt of your executed copy.
ClarioScope AI, Inc. · 1 SE 3rd Avenue, Suite 2000, Miami, FL 33131
