VAVUS
HIPAA-Ready · BAA-Backed Onboarding · AES-256 Encrypted

AI platform for HIPAA-ready healthcare onboarding

Eliminate language barriers in clinical settings without compromising patient privacy. Real-time translation, SOAP note generation, medical STT, and encrypted messaging — with the controls needed for approved healthcare workflows under an executed BAA.

Executed BAA · 6-Year Audit Trail · Scoped Healthcare Accounts · Access Controls · Audit Logging
Healthcare Readiness

Security controls for HIPAA-ready deployment

The healthcare posture depends on approved workflow scope, organization onboarding, executed BAAs, and ongoing operational controls.

8-Hour JWT Token Expiry

Session tokens for healthcare accounts expire after 8 hours, compared to 30 days for personal accounts. A token left behind on a shared clinical workstation stops working the same day instead of remaining valid for a month.

15-Minute Idle Timeout

Automatic session lock after 15 minutes of inactivity. No unattended screens exposing patient data in exam rooms or nurse stations.

Zero PHI in Logs

Transcripts, translations, and personal health data never appear in application logs. Architecturally enforced at the code level, not policy-dependent.
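
One way to make "no PHI in logs" a property of the code rather than a policy, as an added example written for this page (not Vavus's logger): PHI values travel inside a wrapper type whose every serialization redacts, and the log scrubber rejects raw values in fields known to carry PHI. The Phi class, the PHI_FIELDS list, the logEvent() API and the sample session record are assumptions.

```javascript
// Added example: "no PHI in logs" enforced by the type system rather than by policy.
// Illustrative code written for this page, not Vavus's logger; the Phi wrapper,
// the PHI_FIELDS list, logEvent() and the sample record below are assumptions.
const PHI_FIELDS = new Set(['transcript', 'translation', 'patientName', 'dob', 'mrn']);

// Every PHI value travels inside Phi. Stringifying, JSON-encoding or inspecting
// it yields a fixed marker, so it cannot leak via console.log, JSON.stringify,
// template literals or an error message that interpolates the object.
class Phi {
  #value;
  constructor(value) { this.#value = value; }
  reveal() { return this.#value; }                 // the only way to read the PHI
  toJSON() { return '[PHI redacted]'; }
  toString() { return '[PHI redacted]'; }
  [Symbol.for('nodejs.util.inspect.custom')]() { return '[PHI redacted]'; }
}

// Recursively scrub a log payload. Phi instances become the marker. A bare string
// in a known PHI field is a programming error and is rejected, so the mistake
// fails loudly in tests instead of quietly landing in Cloud Logging.
function scrub(payload, path = '') {
  if (payload instanceof Phi) return payload.toJSON();
  if (Array.isArray(payload)) return payload.map((v, i) => scrub(v, `${path}[${i}]`));
  if (payload !== null && typeof payload === 'object') {
    const out = {};
    for (const [key, val] of Object.entries(payload)) {
      const childPath = path ? `${path}.${key}` : key;
      if (PHI_FIELDS.has(key) && !(val instanceof Phi)) {
        throw new Error(`refusing to log raw PHI field "${childPath}"`);
      }
      out[key] = scrub(val, childPath);
    }
    return out;
  }
  return payload;
}

// Minimal structured logger. Returns the emitted line so callers and tests can
// check it; `sink` receives the line (defaults to stdout).
function logEvent(event, payload, sink = (line) => process.stdout.write(line + '\n')) {
  const line = JSON.stringify({ ts: new Date().toISOString(), event, ...scrub(payload) });
  sink(line);
  return line;
}

// Constructed sample record, shaped like a finished translation session.
const sampleSession = {
  sessionId: 's-1234',
  userId: 'u-42',
  transcript: new Phi('Patient reports chest pain since Tuesday'),
  translation: new Phi('El paciente reporta dolor de pecho desde el martes'),
  durationMs: 8123,
};

logEvent('session.end', sampleSession);
```

The point of the wrapper is that the redaction does not depend on every call site remembering to strip fields: the only path to the plaintext is an explicit reveal() call, which is easy to grep for and to review.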

AES-256-GCM Encryption at Rest

PHI encrypted at rest with AES-256-GCM; new data is additionally client-encrypted with XSalsa20-Poly1305 (TweetNaCl secretbox) before upload. Encryption keys are managed and rotated independently of the data store.

Secure File Deletion

Temporary files overwritten with random data before filesystem unlinking via secureDelete(). No residual PHI on disk after processing.

6-Year Audit Retention

Complete audit trail retained for 6 years via GCS lifecycle management and Cloud Logging, matching the six-year documentation retention period HIPAA requires (§ 164.316(b)(2)).

PHI Field Encryption in Streams

PHI fields encrypted within WebSocket streaming sessions. Data is protected in transit and at the application layer, not just the transport layer.

Root/Jailbreak Detection

Mobile apps detect rooted or jailbroken devices and block healthcare features on them. Detection is a best-effort client-side check that a determined user can bypass, so it is one layer alongside certificate pinning and secure storage rather than the only control.

HIPAA Requirement | How Vavus Meets It
Access Controls (§ 164.312(a)) | Role-based access, 8-hour token expiry, 15-minute idle lock, healthcare account type
Audit Controls (§ 164.312(b)) | 6-year audit log retention, tamper-evident logging, user action tracking, GCS lifecycle
Integrity Controls (§ 164.312(c)) | AES-256-GCM encryption at rest, client-side XSalsa20-Poly1305 for new data, secure file deletion, data integrity verification, key rotation
Person or Entity Authentication (§ 164.312(d)) | JWT-based authentication, TOTP two-factor, SSO integration, root/jailbreak detection
Transmission Security (§ 164.312(e)) | TLS 1.2+ for all data in transit, encrypted WebSocket connections, PHI field encryption
Data Backup Plan (§ 164.308(a)(7)) | Encrypted hourly backups, cross-region replication, tested recovery procedures
Uses and Disclosures of PHI (§ 164.502) | Zero PHI in logs, architectural enforcement, no third-party data sharing, secure deletion
Business Associate Agreements | Executed BAA before approved PHI workflows, organization status tracking, onboarding record, audit trail

Clinical Workflows

Purpose-built tools for clinical environments

From patient intake to discharge instructions — every clinical touchpoint gets AI-powered language support with healthcare-ready controls and documented onboarding.

Patient Intake Forms

Drag-and-drop form builder with auto-translated labels. Create custom fields, validation rules, and multi-language patient intake forms. Collect responses directly in the platform.

  • Drag-and-drop creation
  • Custom fields & validation
  • Multi-language labels
  • Patient response collection

SOAP Note Summarization

Auto-generate Subjective, Objective, Assessment, and Plan notes from patient conversations. AI extracts structured clinical data from free-form dialogue.

  • Auto-structured output
  • Clinical vocabulary recognition
  • Editable before saving
  • EHR-ready format

Medical Speech Recognition

Deepgram Medical STT engine specialized for clinical vocabulary. Accurate transcription of drug names, procedures, anatomy terms, and medical abbreviations.

  • Clinical vocabulary model
  • Drug name accuracy
  • Medical abbreviations
  • Speaker diarization

Voice Profiles

Custom TTS voices for clinical consistency. Patients hear the same synthesized voice across all interactions, building familiarity and trust in translated communications.

  • Consistent voice identity
  • Multiple language support
  • Clinical tone calibration
  • Per-provider profiles

Offline Language Packs

Download language packs for areas with poor connectivity. Rural clinics and mobile health units maintain full translation capability without internet access.

  • Downloadable language packs
  • No internet required
  • Full STT/TTS offline
  • Auto-sync when connected

Document Translation

Translate medical documents including consent forms, discharge instructions, medication guides, and patient education materials while preserving formatting.

  • Consent forms
  • Discharge instructions
  • Medication guides
  • Format preservation

Healthcare Features

Everything a healthcare team needs

Conference rooms, diarized transcripts, encrypted messaging, and real-time call translation — all with healthcare audit logging and scoped account controls.

Conference Rooms

Multi-provider consultation rooms with real-time translation. Multiple clinicians join a single session with a patient, each receiving translation in their preferred language.

Speaker Diarization

Conversation history identifies and labels speakers — doctor vs. patient vs. interpreter. Clear attribution in transcripts for accurate medical records.

Encrypted Provider Messaging

End-to-end encrypted messaging for provider-to-provider communication, so message content is readable only by the participating providers. Discuss patient cases with colleagues without exposing PHI to the messaging service or to anyone intercepting traffic.

Real-Time Call Translation

Live voice translation during patient consultations. Both parties speak naturally in their language while hearing translations in real time.

Comprehensive Audit Logging

Every action logged with user ID, timestamp, IP address, and action type. Tamper-evident records for compliance audits and incident investigation.

Healthcare Account Controls

Dedicated healthcare account type with specialized security controls, access restrictions, and compliance settings enabled by default.

Summary Templates for Healthcare

AI-generated summaries in clinically relevant formats from any conversation.

SOAP Notes

Subjective, Objective, Assessment, Plan structured clinical notes

Clinical Summary

Concise overview of patient encounter for chart documentation

Patient Education

Simplified explanations of diagnosis and treatment for patients

Meeting Minutes

Structured notes from care team meetings and case conferences

Key Points

Bullet-point extraction of critical information from conversations

Action Items

Follow-up tasks, referrals, and orders extracted from discussions

Security Architecture

Defense-in-depth, not security theater

Multiple independent security layers ensure that a single point of failure cannot expose patient data. Encryption, isolation, and audit at every level.

01. Encrypted Audio Pipeline

Audio streams encrypted in transit with TLS 1.2+ and at rest with AES-256-GCM; client-encrypted audio uses NaCl secretbox (XSalsa20-Poly1305) before upload. Encryption keys rotated independently of data storage. No unencrypted audio touches disk.

TLS 1.2+ in transit, AES-256-GCM at rest

02. Secure Deletion Protocol

All temporary files — audio recordings, transcripts, translations — overwritten with random data via secureDelete() before filesystem unlinking. Verified deletion, not just unlink.

secureDelete() overwrites before unlink

03. Tamper-Evident Audit Trail

Every access, modification, and deletion logged with user ID, timestamp, IP, and action type. Tamper-evident, retained 6 years via GCS lifecycle and Cloud Logging.

6-year retention, tamper-evident

04. Regional Data Residency

US-primary infrastructure with configurable data residency. PHI never leaves designated regions. Three-region deployment ensures availability without data sovereignty violations.

3-region GCP deployment

05. Session Security

8-hour JWT expiry for healthcare accounts with 15-minute idle timeout. Token revocation on logout, password change, and suspicious activity. No long-lived sessions.

8h expiry, 15min idle, revocation

06. Mobile Device Security

Root and jailbreak detection prevents PHI access on compromised devices. Certificate pinning, secure storage, and biometric authentication support on mobile platforms.

Root/jailbreak detection, cert pinning

Healthcare Onboarding

BAA-backed onboarding, tracked and auditable

Healthcare use is enabled through onboarding, not generic self-serve signup. We confirm workflow scope, execute a BAA, configure the organization for healthcare use, and verify the first approved PHI path before go-live.

  • Review the intended healthcare workflow and approved vendor scope
  • Execute a BAA before PHI workflows are enabled
  • Configure the organization for healthcare-specific controls
  • Provision and verify the organization PHI encryption path
  • Validate the first approved PHI write/read path before go-live
  • Maintain audit logging and operational controls after launch

Healthcare onboarding checklist

Required before approved PHI workflows go live

Organization: Approved healthcare org
Workflow Scope: Reviewed during onboarding
BAA Status: Executed before PHI use
Org Encryption Path: Provisioned before first PHI write
Breach Notification: Per executed BAA and applicable law
Audit Log Retention: 6 years minimum
Status Tracking: Onboarding record + organization status

Onboarding status is tracked so admins can verify whether an organization is approved for PHI-bearing workflows and request supporting documentation.

HIPAA-Ready

Bring healthcare teams through a documented onboarding path

Start with workflow review, BAA execution, healthcare account controls, and PHI-path verification. Then launch medical STT, SOAP notes, intake forms, and encrypted messaging on an approved footing.

Healthcare onboarding is completed before PHI workflows are enabled.