Security & compliance
Built for patient data, not bolted on later
PracticeKit handles protected health information the way a medical platform should — encrypted, audited, isolated, and under a BAA the call trackers refuse to sign.
PHI encrypted at rest
Phone numbers, emails, dates of birth, and message contents are encrypted at rest with AES-256. Identifiers are stored as hashes for lookup, so matching never happens on plaintext.
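An illustration of the hashed-lookup pattern, added here as an example and not PracticeKit's own code: the lookup column holds an HMAC of the normalized phone number under a key kept outside the database (the plaintext would sit in a separate AES-256-encrypted column, omitted because this uses only the Python standard library). The key, row layout and phone numbers are constructed. The last function shows why the hash must be keyed: a phone number has so few possible values that a plain SHA-256 of one is recovered by enumerating the candidates, while the keyed index survives the same attack.

```python
import hashlib
import hmac
import re
from typing import Optional

# Hypothetical lookup key. In a real deployment it lives in a KMS or secret
# store, never in the database next to the hashed column it protects.
LOOKUP_KEY = b"example-lookup-key-do-not-use-in-production"


def normalize_phone(raw: str) -> str:
    """Canonicalize a US number to E.164 so equal numbers hash equally."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    if len(digits) != 11 or not digits.startswith("1"):
        raise ValueError(f"unsupported phone number: {raw!r}")
    return "+" + digits


def blind_index(key: bytes, value: str) -> str:
    """Keyed hash (HMAC-SHA256) stored as the lookup column for an identifier."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def unkeyed_index(value: str) -> str:
    """Plain SHA-256, present only to contrast with the keyed version."""
    return hashlib.sha256(value.encode()).hexdigest()


# Constructed sample rows: the lookup column holds only the HMAC. The number
# itself would be in a separate encrypted column, not shown here.
PATIENT_ROWS = [
    {"id": 1, "phone_hmac": blind_index(LOOKUP_KEY, "+15550100123")},
    {"id": 2, "phone_hmac": blind_index(LOOKUP_KEY, "+15550100456")},
]


def find_patient(raw_phone: str, key: bytes = LOOKUP_KEY) -> Optional[int]:
    """Look a caller up by phone without comparing plaintext numbers."""
    needle = blind_index(key, normalize_phone(raw_phone))
    for row in PATIENT_ROWS:
        if hmac.compare_digest(row["phone_hmac"], needle):
            return row["id"]
    return None


def recover_by_enumeration(target: str, prefix: str = "+1555010") -> Optional[str]:
    """Attacker model: a leaked index value and no key. Enumerate the last four
    digits under a known prefix and hash each candidate. An unkeyed digest is
    recovered at once; a keyed digest never matches without the key."""
    for n in range(10_000):
        candidate = f"{prefix}{n:04d}"
        if unkeyed_index(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    print(find_patient("(555) 010-0123"))
    print(recover_by_enumeration(unkeyed_index("+15550100123")))
    print(recover_by_enumeration(blind_index(LOOKUP_KEY, "+15550100123")))
```

The enumeration in the last function covers only one prefix for speed; a full North American numbering plan is still only about ten billion values, which is well within reach of commodity hardware for an unkeyed hash.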
Append-only audit log
Every access and change is recorded — who, what, when, and the before/after. The application role has no permission to edit or delete history.
Strict tenant isolation
Row-level security enforces that one practice can never read another's data. Each practice is its own isolated organization.
Minimal data footprint
Calls are transcribed and the transcript encrypted — raw audio isn't warehoused. We store the least PHI needed to do the job.
Guardrailed AI
The AI runs under an Anthropic BAA with deterministic safety rails: it never gives medical advice, never invents prices, and escalates emergencies to a human.
Consent & opt-out enforced
A single send chokepoint enforces TCPA consent, STOP/HELP handling, and per-number opt-out on every outbound message.
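An added example, not PracticeKit's implementation, of what a single send chokepoint has to enforce: every outbound message, including the system's own STOP confirmation and HELP reply, passes through one `send` method that checks documented consent, honours a per-number STOP, and still lets those two replies out after an opt-out. The keyword lists, class and method names, decision strings and sample numbers are assumptions; numbers are taken as already normalized E.164 strings.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Common carrier opt-out and help keywords (assumed list; adjust to your carrier).
STOP_KEYWORDS = {"STOP", "STOPALL", "END", "CANCEL", "UNSUBSCRIBE", "QUIT"}
HELP_KEYWORDS = {"HELP", "INFO"}


@dataclass
class ConsentRecord:
    opted_in: bool = False   # documented prior express consent on file
    opted_out: bool = False  # STOP received; sticks until the number re-opts in


@dataclass
class Outbound:
    to: str
    body: str
    kind: str  # "marketing", "transactional", "stop_confirmation", "help_reply"


class SendGate:
    """The one path every outbound SMS takes; nothing else talks to the carrier."""

    def __init__(self) -> None:
        self.consent: Dict[str, ConsentRecord] = {}
        self.sent: List[Outbound] = []
        self.blocked: List[str] = []

    def record_consent(self, number: str) -> None:
        rec = self.consent.setdefault(number, ConsentRecord())
        rec.opted_in = True
        rec.opted_out = False  # a fresh opt-in clears an earlier STOP

    def handle_inbound(self, number: str, text: str) -> Optional[str]:
        """Apply STOP/HELP handling to an inbound message; returns the gate's
        decision for any reply it triggers, or None if no reply is due."""
        words = text.strip().upper().split()
        first = words[0] if words else ""
        rec = self.consent.setdefault(number, ConsentRecord())
        if first in STOP_KEYWORDS:
            rec.opted_out = True  # recorded before the confirmation is sent
            return self.send(Outbound(number, "You are unsubscribed. No more messages will be sent.", "stop_confirmation"))
        if first in HELP_KEYWORDS:
            return self.send(Outbound(number, "Reply STOP to unsubscribe. Call the office for help.", "help_reply"))
        return None

    def send(self, msg: Outbound) -> str:
        rec = self.consent.get(msg.to, ConsentRecord())
        decision = self._decide(rec, msg.kind)
        if decision == "sent":
            self.sent.append(msg)  # hand-off to the carrier would happen here
        else:
            self.blocked.append(f"{msg.to} {msg.kind}: {decision}")
        return decision

    @staticmethod
    def _decide(rec: ConsentRecord, kind: str) -> str:
        if kind == "help_reply":
            return "sent"  # a HELP request is always answered
        if rec.opted_out:
            # Only the opt-out confirmation itself may follow a STOP.
            return "sent" if kind == "stop_confirmation" else "blocked:opted_out"
        if kind == "stop_confirmation":
            return "sent"
        if not rec.opted_in:
            return "blocked:no_consent"
        return "sent"


if __name__ == "__main__":
    gate = SendGate()
    print(gate.send(Outbound("+15550100123", "Appointment reminder", "transactional")))
    gate.record_consent("+15550100123")
    print(gate.send(Outbound("+15550100123", "Appointment reminder", "transactional")))
    print(gate.handle_inbound("+15550100123", "stop please"))
    print(gate.send(Outbound("+15550100123", "Spring special", "marketing")))
    print(gate.blocked)
```

The point of routing the system's own replies through `send` is that the opt-out state is checked in exactly one place; a second code path that writes to the carrier directly is where a TCPA violation would slip out.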
The BAA difference
A Business Associate Agreement is what legally allows a vendor to handle PHI on your behalf. Phone numbers and names tied to people seeking treatment are PHI. Most mainstream call-tracking and lead tools are built for general business and simply won't sign a BAA — which quietly disqualifies them for any practice that takes compliance seriously.
PracticeKit will. We sign a BAA and stand behind it with real controls, not just a signature.
PracticeKit implements administrative, physical, and technical safeguards aligned with HIPAA. This page summarizes our approach and is not a substitute for your own compliance review. Request our BAA and security documentation via contact.
Free 30-day loss audit
Run the numbers on patient data, safely.
Start a free 30-day loss audit on a platform that signs a BAA and encrypts PHI from day one.