Trust & Compliance

Last updated: July 9, 2026

Automate Admits is built for admissions and intake teams that handle sensitive health information. This page explains how we handle HIPAA and 42 CFR Part 2, the standing Business Associate Agreement we offer every customer, the subprocessors we rely on, and how we protect your data.

On this page

HIPAA & Business Associate Business Associate Agreement 42 CFR Part 2 Security program Subprocessors Data handling & retention Incident response Compliance roadmap Contact

HIPAA & Business Associate status

When you use Automate Admits to communicate with patients and leads, we act as your Business Associate under the HIPAA Rules (45 CFR Parts 160 and 164). You remain the Covered Entity (or, in some arrangements, another business associate) and control the care relationship; we provide the software and process protected health information (PHI) only to deliver the Service on your behalf.

We are software, not a healthcare provider — we do not provide medical, clinical, or treatment advice, and we are not part of your care team. But because your conversations can include PHI, we take on the safeguards, reporting, and contractual obligations that HIPAA requires of a business associate.

Standing Business Associate Agreement (BAA)

We publish a single, standing BAA that applies to every customer — you don't need to negotiate or sign a separate agreement for your organization. By subscribing to and using Automate Admits to handle PHI, your organization accepts the standing BAA by reference; it is incorporated into our Terms of Service and takes effect the moment the Service is used with PHI.

Need a countersigned copy for your records, or want to review the full text before you sign up? Request it at privacy@automateadmits.com. Signed-in customers can also read the full BAA and policy pack under Settings → Policies & procedures.

The standing BAA commits us to, among other things:

The published BAA governs; this summary is for orientation only.

42 CFR Part 2 — substance use disorder records

Many of our customers are substance use disorder (SUD) treatment programs. Where the Service is used by a Part 2 program, records that identify an individual as having a substance use disorder receive the heightened confidentiality protections of 42 CFR Part 2 in addition to HIPAA:

As the covered program, you are responsible for obtaining and documenting any patient consent required before information is entered into or sent through the platform.

Security program

PHI is encrypted in transit (TLS) and at rest, access is role-based and least-privilege, passwords are stored only as salted hashes, and two-factor authentication is available. PHI access and account changes are recorded in a per-organization activity log. Full technical detail is on our Security page.

Because the AI agent must read message content to draft replies, the Service is not end-to-end encrypted; data is encrypted in transit and at rest and access-controlled.

Subprocessors

We use a small set of vetted providers to operate the Service, each under contractual confidentiality and security obligations. Providers that store or process PHI on our behalf do so under a business associate agreement; where a provider only transports data (for example, an SMS/voice carrier), PHI is stored and processed by us on AWS under our BAA, and the carrier is engaged under contractual confidentiality and security terms.

SubprocessorPurposeDataPHI
Amazon Web Services, Inc.Application hosting, database, object storage, and compute — where PHI is stored and processedAll application and patient data (PHI), encrypted at rest and in transitYes — BAA
Cloudflare, Inc.Public website & application static-asset delivery, DNS, and CDN/DDoS protectionPublic marketing content and application code only — no PHINo PHI
Twilio Inc.SMS and voice message transport and delivery, call recordingPhone number and message/call content pass through in transit for delivery; the message content and recordings are stored and processed by us on AWSTransport only — no BAA
Anthropic PBCAI drafting and conversation summarizationMessage content, processed transiently; not used for trainingYes — BAA
Meta Platforms, Inc.Send/receive messages on connected Facebook & Instagram accountsConversation content on connected channelsYes
ResendTransactional & notification email to your teamTeam email addresses, notification contentTeam data only
Square, Inc.Subscription & top-up payment processingBilling contact & card data only — no patient PHINo PHI

We give notice before adding or replacing a subprocessor that handles PHI. To be notified, email privacy@automateadmits.com.

Data handling & retention

Incident & breach response

On discovery of a security incident or breach of unsecured PHI, we contain and investigate, and notify affected customers without unreasonable delay and no later than 60 days after discovery, in accordance with 45 CFR 164.410. Report a suspected incident to privacy@automateadmits.com.

Compliance roadmap

We are an early-stage company and we build our compliance program in the open. Current status:

We will update this page as our program matures. If your due-diligence process needs specific documentation, contact us.

Contact

Compliance, BAA, or data-handling questions — including requesting a countersigned BAA — go to privacy@automateadmits.com.

Request a BAA

Automate Admits is operated by Automate Admits, Inc. This page is provided for general information and is not legal advice. The published Terms of Service, Privacy Policy, DPA, and standing Business Associate Agreement govern the relationship between you and Automate Admits.