Back to Home

HIPAA Compliance

Notice of Privacy Practices

Last Updated: November 29, 2025

Your Health Information is Protected

Vocanta is fully committed to protecting the privacy and security of your Protected Health Information (PHI). We comply with all requirements of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the HITECH Act of 2009. This notice describes how medical information about you may be used and disclosed and how you can get access to this information.

Our Commitment to HIPAA

As a Business Associate to healthcare providers, Vocanta takes our HIPAA obligations seriously. We have implemented comprehensive policies, procedures, and technical safeguards to ensure the confidentiality, integrity, and availability of all Protected Health Information (PHI) we handle.

Privacy Rule Compliance

We limit PHI use and disclosure to the minimum necessary for treatment, payment, and healthcare operations.

Security Rule Compliance

We implement administrative, physical, and technical safeguards to protect electronic PHI.

Breach Notification

We have procedures to detect, contain, and report any breach of unsecured PHI within required timeframes.

Patient Rights

We support patient rights to access, amend, and receive accounting of disclosures of their PHI.

Designated Privacy Officer: Vocanta has appointed a Privacy Officer responsible for overseeing HIPAA compliance, handling privacy complaints, and ensuring our workforce is trained on HIPAA requirements.

Technical Safeguards

We implement robust technical measures to protect electronic Protected Health Information (ePHI) as required by the HIPAA Security Rule.

Access Controls

  • Unique user identification for all system users
  • Automatic logoff after period of inactivity
  • Emergency access procedures for PHI retrieval
  • Role-based access controls (RBAC)

Audit Controls

  • Comprehensive logging of all PHI access
  • Real-time monitoring of system activities
  • Automated alerts for suspicious behavior
  • Audit trail retention for 6+ years

Transmission Security

  • TLS 1.3 encryption for data in transit
  • End-to-end encryption for voice calls
  • Secure API communications with mTLS
  • VPN access for administrative functions

Encryption

  • AES-256 encryption for data at rest
  • Hardware Security Modules (HSM) for key management
  • Encrypted database connections
  • Secure key rotation policies

Administrative Safeguards

Our administrative policies and procedures ensure that our workforce understands and follows HIPAA requirements.

Security Management

  • Comprehensive risk analysis and management
  • Security policies and procedures documentation
  • Regular policy review and updates
  • Sanction policy for workforce violations

Workforce Security

  • Background checks for all employees
  • Security awareness training (annual)
  • HIPAA-specific training for relevant staff
  • Confidentiality agreements for all personnel

Information Access Management

  • Minimum necessary access principle
  • Access authorization procedures
  • Access modification and termination protocols
  • Regular access reviews and audits

Contingency Planning

  • Data backup procedures (continuous)
  • Disaster recovery plan
  • Business continuity planning
  • Emergency mode operation procedures

Physical Safeguards

We maintain physical security measures to protect our systems and the data they contain.

Facility Access Controls

  • SOC 2 Type II certified data centers
  • 24/7 security personnel and surveillance
  • Biometric access controls
  • Visitor management and escort policies

Workstation Security

  • Remote work security policies
  • Encrypted workstations and devices
  • Screen lock enforcement
  • Clean desk policy

Device Controls

  • Mobile device management (MDM)
  • Hardware inventory tracking
  • Secure media disposal procedures
  • Equipment reuse and disposal protocols

Data Center Security

Vocanta uses enterprise-grade cloud infrastructure providers that maintain SOC 2 Type II certification and HIPAA compliance. Our data centers feature:

24/7 Security
Biometric Access
Fire Suppression
Redundant Power

Business Associate Agreements

Vocanta executes Business Associate Agreements (BAAs) with all covered entities we work with, as well as with our own subcontractors who may have access to PHI. Our BAAs ensure:

Appropriate use and disclosure limitations
Required safeguards implementation
Breach notification obligations
Subcontractor compliance requirements
Return or destruction of PHI upon termination
Audit and access rights for covered entities

Request a BAA

If you are a covered entity and need to execute a Business Associate Agreement with Vocanta, please contact our compliance team:

Certifications and Audits

We regularly undergo third-party assessments and maintain industry certifications to demonstrate our commitment to security and compliance.

SOC 2 Type II

Certified

Annual third-party audit of security, availability, and confidentiality controls

HIPAA Compliance

Compliant

Comprehensive compliance with HIPAA Privacy and Security Rules

HITRUST CSF

In Progress

Healthcare-specific security framework certification

Penetration Testing

Current

Quarterly penetration testing by independent security firms

Audit Reports

Current or prospective customers under NDA can request copies of our audit reports and security documentation:

  • SOC 2 Type II Report
  • Penetration Test Summary
  • HIPAA Risk Assessment Summary

Compliance Contact

For questions about our HIPAA compliance practices, to report a privacy concern, or to exercise your rights under HIPAA, please contact our Privacy Officer:

Privacy Officer

Mail

Vocanta Privacy Officer
123 Healthcare Blvd, Suite 100
San Francisco, CA 94102

Security Officer

HIPAA/BAA Requests

hipaa@vocanta.io

Security Incidents

incident@vocanta.io

Report a Privacy Concern

If you believe your privacy rights have been violated or you suspect a breach of PHI, please contact our Privacy Officer immediately. You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights. We will not retaliate against you for filing a complaint.