Limited: Founding Clinics — 3 spots reserved (Apply)

Built for healthcare from day one — not bolted on later.

Solafya handles protected health information (PHI) under HIPAA. Every decision we make about how to store, transmit, and process your patients' information is made with audit, encryption, and access control as defaults — not afterthoughts.

HIPAA-aligned, with a BAA for every clinic

We sign a Business Associate Agreement (BAA) with every clinic before any patient data flows. Our cloud infrastructure is HIPAA-eligible, and so are all of our subprocessors — the email and text vendors we use, the AI environment we run summaries inside, everything.

Your patient data is never sent to ChatGPT or other public AI tools

We know this is the question every clinician asks first. The answer is no — Solafya's AI summaries and trend insights run inside our HIPAA-aligned environment, under our Business Associate Agreement. Your patients' information never leaves that environment to power someone else's model.

Your data is encrypted, always

Patient information is encrypted both while it sits in our systems and while it travels between them — between your EHR, our service, and back to your clinic's devices.

Who can see what, and when

Access to any part of the system is permission-based. Your staff sees what they need for their role — and no more. Our staff sees only what they need to support you. Every clinical action is recorded.

It's your data. Always.

Your clinic owns its patient data, end to end. We don't sell it. We don't share it with anyone outside the BAA chain. We don't use it for anything other than running Solafya for your practice. If you ever leave, we delete it on request.

Where we are, and where we're going

Today: HIPAA-aligned. BAA available with every pilot.
In progress: SOC 2 Type I — targeting Q4 2026.
On our radar: Additional certifications as we grow with our customers.

If something goes wrong

We'll tell you within 72 hours of confirming any security incident affecting your clinic's data. We'd rather you hear it from us first — with the full picture and the action we're taking — than from anyone else.
