Bota is designed to support customers building healthcare applications that handle Protected Health Information (PHI). This page describes our HIPAA compliance program and your responsibilities as a covered entity or business associate.

HIPAA Overview

The Health Insurance Portability and Accountability Act (HIPAA) establishes standards for protecting sensitive patient health information. If you are a covered entity or business associate handling PHI, you must ensure your vendors also comply with HIPAA requirements.

Bota’s HIPAA Compliance

Business Associate Agreement (BAA)

Bota offers a Business Associate Agreement to customers who need to process PHI through our platform. The BAA establishes:
  • Bota’s obligations as your business associate
  • Permitted uses and disclosures of PHI
  • Safeguards we implement to protect PHI
  • Breach notification procedures
  • Audit and compliance requirements

Request a BAA

Contact [email protected] to execute a Business Associate Agreement.

Administrative Safeguards

| Safeguard | Implementation |
| --- | --- |
| Security Officer | Designated security officer responsible for HIPAA compliance |
| Workforce Training | All employees complete HIPAA training annually |
| Access Management | Role-based access controls, principle of least privilege |
| Incident Response | Documented procedures for security incident handling |
| Risk Assessment | Annual risk assessments and remediation planning |

Physical Safeguards

| Safeguard | Implementation |
| --- | --- |
| Data Center Security | AWS data centers with SOC 2 certification |
| Access Controls | Badge access, biometric authentication, 24/7 monitoring |
| Workstation Security | Encrypted devices, remote wipe capability |
| Device Disposal | Secure destruction of media containing PHI |

Technical Safeguards

| Safeguard | Implementation |
| --- | --- |
| Encryption in Transit | TLS 1.2+ for all API communication |
| Encryption at Rest | AES-256 encryption for all stored data |
| Access Controls | Unique user identification, automatic session timeout |
| Audit Logging | Comprehensive logging of all PHI access and modifications |
| Integrity Controls | Checksums and validation for data integrity |
| Transmission Security | Secure API endpoints, webhook signature verification |

Your Responsibilities

As a covered entity or business associate, you are responsible for:

Before Using Bota

  1. Execute a BAA: contact [email protected] to sign a Business Associate Agreement before processing any PHI.
  2. Assess Your Use Case: determine what PHI will be processed and ensure Bota is appropriate for your needs.
  3. Configure Retention: set appropriate data retention policies for your project (we recommend aligning with your organization’s retention requirements).

During Operation

| Responsibility | Description |
| --- | --- |
| Patient Consent | Obtain appropriate consent before recording patient interactions |
| Minimum Necessary | Only include PHI that is necessary for your use case |
| Access Controls | Limit API key access to authorized personnel |
| Audit Your Logs | Regularly review access logs for your Bota project |
| Incident Reporting | Report any suspected breaches immediately |

When using Bota to record patient-provider conversations:
  1. Inform the patient that the conversation will be recorded
  2. Explain the purpose — clinical documentation, quality improvement, etc.
  3. Obtain explicit consent — verbal or written, as required by your policies
  4. Document consent — store consent status with the recording via API metadata
  5. Honor opt-outs — do not record patients who decline

Example: storing consent with a recording

```json
{
  "end_user_id": "eu_patient123",
  "device_id": "dev_clinic456",
  "metadata": {
    "consent_obtained": true,
    "consent_type": "verbal",
    "consent_timestamp": "2025-01-15T10:00:00Z",
    "provider_id": "dr_smith789"
  }
}
```
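The consent steps above and the de-identification advice later on this page, as an added client-side example (not Bota's own code or SDK): the request body is only built once consent is documented, so an opt-out can never produce a recording, and the patient identifier is a keyed pseudonym rather than a name. The `PSEUDONYM_KEY`, the `consent_gate` helper and the `ConsentRequired` exception are assumptions of this example; the metadata field names and sample values come from the page.

```python
import hashlib
import hmac
from datetime import datetime
from typing import Optional

# Constructed secret for deriving pseudonymous IDs; keep the real key in your
# own secret store, never in Bota metadata (the page defines no such key).
PSEUDONYM_KEY = b"replace-with-your-own-secret"
VALID_CONSENT_TYPES = ("verbal", "written")


class ConsentRequired(Exception):
    """Raised when a recording is attempted without documented consent."""


def pseudonymous_external_id(mrn: str) -> str:
    """Stable, non-reversible patient ID to use as external_id instead of a name."""
    # An HMAC keeps the MRN-to-ID mapping in your own system rather than in Bota.
    digest = hmac.new(PSEUDONYM_KEY, mrn.encode(), hashlib.sha256).hexdigest()
    return "pt_" + digest[:16]


def consent_gate(consent_obtained: bool, consent_type: str) -> Optional[str]:
    """Return a refusal reason, or None when recording may proceed."""
    if not consent_obtained:
        return "patient declined or consent not documented"  # honor opt-outs
    if consent_type not in VALID_CONSENT_TYPES:
        return f"unknown consent_type: {consent_type!r}"
    return None


def build_recording_request(end_user_id: str, device_id: str, provider_id: str,
                            consent_obtained: bool, consent_type: str,
                            consent_timestamp: str) -> dict:
    """Build the recording body carrying the page's consent metadata fields."""
    reason = consent_gate(consent_obtained, consent_type)
    if reason is not None:
        # Raise rather than return a body, so an opted-out patient is never
        # recorded by accident.
        raise ConsentRequired(reason)
    datetime.strptime(consent_timestamp, "%Y-%m-%dT%H:%M:%SZ")  # strict UTC form
    return {
        "end_user_id": end_user_id,
        "device_id": device_id,
        "metadata": {"consent_obtained": True, "consent_type": consent_type,
                     "consent_timestamp": consent_timestamp,
                     "provider_id": provider_id},
    }
```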

PHI in Bota

What Constitutes PHI

Protected Health Information includes any individually identifiable health information, such as:
  • Patient names and contact information
  • Medical record numbers
  • Diagnosis and treatment information
  • Dates of service
  • Audio recordings of clinical encounters
  • Transcriptions containing health information

Where PHI May Exist in Bota

| Component | PHI Potential | Notes |
| --- | --- | --- |
| Audio Recordings | High | Primary source of PHI |
| Transcriptions | High | Contains spoken PHI |
| Summaries | High | May contain clinical information |
| EndUser Records | Medium | Depends on external_id usage |
| Metadata | Low-Medium | Depends on what you store |

De-identification

If you want to reduce PHI exposure, consider:
  • Using internal patient IDs as external_id rather than names
  • Storing metadata references rather than PHI directly
  • Implementing automated redaction in your downstream systems

Data Handling

Storage Location

All PHI is stored in AWS data centers in the United States. For customers requiring specific geographic storage, contact us about regional deployment options.

Data Retention

Configure retention policies appropriate for your compliance requirements:

```bash
# Example: Setting 7-year retention for clinical recordings
curl -X PATCH https://api.bota.dev/v1/projects/current \
  -H "Authorization: Bearer sk_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "settings": {
      "retention_days": 2555
    }
  }'
```

HIPAA requires retention of medical records for 6 years from date of creation or last effective date. State laws may require longer retention.

Data Deletion

You can delete PHI at any time via the API:

```bash
# Delete an EndUser and all associated PHI
curl -X DELETE https://api.bota.dev/v1/end-users/eu_patient123 \
  -H "Authorization: Bearer sk_live_..."
```

Deletion is permanent and includes:
  • All recordings for the EndUser
  • All transcriptions and summaries
  • All associated metadata

Breach Notification

Our Obligations

If we discover a breach of unsecured PHI, we will:
  1. Notify you within 24 hours of discovery
  2. Provide details of the breach (what data, how many affected, timeline)
  3. Describe our remediation actions
  4. Cooperate with your investigation and notification requirements

Your Obligations

You are responsible for:
  • Notifying affected patients as required by HIPAA
  • Reporting to HHS Office for Civil Rights
  • Documenting the breach and response
  • Implementing corrective actions

Audit and Compliance

Audit Logs

Bota maintains comprehensive audit logs for all PHI access:
  • API requests (who, what, when)
  • Data modifications
  • Access by Bota personnel (rare, only for support with your permission)
Enterprise customers can request audit log exports.
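Added example of the log review this page asks for under "Audit Your Logs"; it is not Bota's code, and the event shape is an assumption, since the page says exports record who, what and when, data modifications and Bota personnel access but does not define a format. The sample events, the `AUTHORIZED_KEYS` set and the `APPROVED_SUPPORT` approvals are constructed for the example.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Constructed events in an assumed shape: the page says the logs record who,
# what and when, data modifications, and Bota personnel access, but gives no
# export format, so these field names are an assumption for the example.
SAMPLE_EVENTS = [
    {"ts": "2025-01-15T09:58:01Z", "actor": "key_clinicA", "actor_type": "api_key",
     "action": "recording.create", "resource": "eu_patient123"},
    {"ts": "2025-01-15T10:12:44Z", "actor": "key_stale01", "actor_type": "api_key",
     "action": "transcription.read", "resource": "eu_patient123"},
    {"ts": "2025-01-15T11:30:00Z", "actor": "bota-support-1", "actor_type": "bota_personnel",
     "action": "recording.read", "resource": "eu_patient123"},
    {"ts": "2025-01-16T08:00:00Z", "actor": "key_clinicA", "actor_type": "api_key",
     "action": "end_user.delete", "resource": "eu_patient123"},
]

# Keys currently issued to authorized personnel, and the support access you
# explicitly granted, as (personnel actor, UTC date) pairs. Both constructed.
AUTHORIZED_KEYS: Set[str] = {"key_clinicA"}
APPROVED_SUPPORT: Set[Tuple[str, str]] = {("bota-support-1", "2025-01-17")}


def review_audit_log(events: Iterable[Dict[str, str]],
                     authorized_keys: Set[str] = AUTHORIZED_KEYS,
                     approved_support: Set[Tuple[str, str]] = APPROVED_SUPPORT
                     ) -> List[Dict[str, str]]:
    """Flag events in an audit export that need a human review."""
    findings: List[Dict[str, str]] = []

    def flag(rule: str, ev: Dict[str, str]) -> None:
        findings.append({"rule": rule, "ts": ev["ts"], "actor": ev["actor"],
                         "action": ev["action"], "resource": ev["resource"]})

    for ev in events:
        day = ev["ts"][:10]
        # "Limit API key access to authorized personnel": a key you no longer
        # recognise touching PHI is the first thing to chase.
        if ev["actor_type"] == "api_key" and ev["actor"] not in authorized_keys:
            flag("unauthorized_key", ev)
        # Bota personnel access is only permitted with your permission, so any
        # access without a matching approval on record is a finding.
        if ev["actor_type"] == "bota_personnel" and (ev["actor"], day) not in approved_support:
            flag("unapproved_personnel_access", ev)
        # Deletion is permanent and removes all PHI for the EndUser; every
        # delete should trace back to a request you can produce on audit.
        if ev["action"].endswith(".delete"):
            flag("phi_deletion", ev)
    return findings
```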

Compliance Certifications

| Certification | Status |
| --- | --- |
| SOC 2 Type II | Certified |
| HIPAA | Compliant (with BAA) |
| GDPR | Compliant |

Third-Party Audits

We engage independent auditors annually to assess our security controls. Audit reports are available to customers under NDA.

Frequently Asked Questions

You need a BAA only if you will process PHI through Bota. If you’re using Bota for non-healthcare purposes (e.g., sales calls), a BAA is not required.

Bota employees do not access customer PHI in normal operations. Access is only possible with your explicit permission for troubleshooting specific issues, and all access is logged and audited.

Our transcription pipeline is covered under the BAA. Audio is processed in isolated environments and deleted after transcription completes. We do not use PHI to train AI models.

Bota Pin and Bota Note devices store audio locally with encryption. Data is only transmitted when synced via the mobile app over encrypted connections.

Bota is designed for in-person conversation capture. For telehealth recording, consult with your compliance team about applicable regulations beyond HIPAA.

Contact

For HIPAA compliance questions or to request a BAA:
  • Email: [email protected]
  • Subject: HIPAA / BAA Inquiry

Last updated: January 15, 2025