Privacy & Security

Data Processing

PhysOpsAI processes clinical data inside hardware-attested secure environments with cryptographic proof of integrity. Patient health information is separated from clinical content before any AI processing occurs. External AI services process only de-identified clinical content. They never receive PHI.

Infrastructure

All processing runs on HIPAA-eligible cloud infrastructure with signed Business Associate Agreements at the infrastructure level. Cryptographic attestation verifies the integrity of every data processing environment. PHI is not stored persistently outside secure boundaries.

Compliance

  • SOC 2 Type II (infrastructure provider)
  • HITRUST (infrastructure provider)
  • HIPAA BAA (signed at infrastructure level)

A Business Associate Agreement is available on request for pilot and enterprise customers.

AI Provider Isolation

No Business Associate Agreement is required with any AI model provider used by PhysOpsAI. This is by design: AI providers process only de-identified clinical content that contains zero Protected Health Information. This architectural decision eliminates an entire category of compliance risk.