HIPAA + AI: how Olvaro handles PHI
Published · Reading time: 7 min
Most vendor security pages read like fog. Here is the plain sequence: BAAs, subprocessors, access controls, AI data flow, exports, and what you should still verify with your lawyer.
TL;DR
- Olvaro signs BAAs with covered entities and binds AI subprocessors to HIPAA obligations.
- PHI stays inside role-based access with audit trails on reads, edits, and AI-assisted drafts.
- We do not train foundation models on your patient charts for advertising or resale.
- You can export structured data on demand; deletion follows your written request and retention rules.
- This article describes product design and is not legal advice; confirm details with counsel.
Plain-English posture
Olvaro enters a BAA because we handle PHI on your behalf. Subprocessors that process PHI on our instructions sign BAAs or equivalent protections with us. Your data stays portable: export charts, patients, and financial summaries in standard formats whenever you need them.
Where PHI lives and who sees it
Charts, schedules, billing artifacts, and communications tied to identifiable patients reside in Olvaro’s tenant for your practice. Roles limit views: front desk sees scheduling and payments, clinical roles see chart sections tied to encounters, leadership sees reporting scoped to locations you grant.
How AI features touch PHI
- Scribe: audio or dictation streams to Olvaro’s AI pipeline and returns draft documentation inside the encounter under review.
- Front desk agent: reads scheduling and policy context you enable to answer calls with accurate availability and fees.
- Marketing agent: reads campaign and revenue data you scope so recommendations map to performance, not generic templates.
Each flow logs actor, timestamp, and scope so security reviews have receipts.
Audit trail
Olvaro records authentication events, chart edits, AI draft generations, and exports. Your compliance lead can trace who pulled a chart, who altered a SOAP note after an AI draft, and who exported patient lists.
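The tracing described above, worked through as an added example: this is not Olvaro's code, and the event names, field names, role map and JSON-lines shape are assumptions (the page says only that each flow logs actor, timestamp and scope, and that authentication, chart edits, AI draft generations and exports are recorded). The sample log is constructed. It rejects records missing any of the three required fields, answers the three questions a compliance lead asks (who read a chart, who edited a note after the AI draft, who exported), and flags a note edit by an actor whose role the page describes as scheduling-and-payments only.

```python
"""Audit-trail triage over constructed Olvaro-style events.

Added example, not Olvaro's code. Event and field names, the role map
and the log format are assumptions; the page states only that actor,
timestamp and scope are logged for every flow.
"""
import json
from datetime import datetime

REQUIRED_FIELDS = ("event", "actor", "timestamp", "scope")

# Assumed actor-to-role map; the page names the roles, not the mapping.
ROLE_OF = {"dr.kim": "clinical", "frontdesk.ana": "front_desk",
           "ops.lee": "leadership", "scribe": "ai_scribe"}
# Per the page, clinical roles see chart sections and the scribe drafts
# notes; a note edit by any other role is worth a look.
NOTE_EDIT_ROLES = {"clinical", "ai_scribe"}

# Constructed sample log (JSON lines). IDs and names are made up.
# Line 7 deliberately lacks "scope" so the validator has something to reject.
SAMPLE_LOG = """\
{"event":"auth.login","actor":"dr.kim","timestamp":"2026-03-02T08:55:10Z","scope":{"location":"loc-1"}}
{"event":"chart.read","actor":"dr.kim","timestamp":"2026-03-02T09:01:00Z","scope":{"patient":"pt-104","encounter":"enc-77"}}
{"event":"ai.draft_generated","actor":"scribe","timestamp":"2026-03-02T09:20:00Z","scope":{"patient":"pt-104","encounter":"enc-77","note":"soap-77"}}
{"event":"chart.edit","actor":"dr.kim","timestamp":"2026-03-02T09:25:30Z","scope":{"patient":"pt-104","encounter":"enc-77","note":"soap-77"}}
{"event":"chart.edit","actor":"frontdesk.ana","timestamp":"2026-03-02T09:40:00Z","scope":{"patient":"pt-104","encounter":"enc-77","note":"soap-77"}}
{"event":"export.patient_list","actor":"ops.lee","timestamp":"2026-03-02T17:05:00Z","scope":{"location":"loc-1","rows":412}}
{"event":"chart.read","actor":"ops.lee","timestamp":"2026-03-02T17:06:00Z"}
"""


def parse_log(text: str) -> tuple[list[dict], list[str]]:
    """Parse JSON-lines records; drop any missing event/actor/timestamp/scope."""
    events, rejected = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rejected.append(f"line {n}: not JSON")
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            rejected.append(f"line {n}: missing {','.join(missing)}")
            continue
        # "Z" suffix handled for Python versions before 3.11.
        rec["ts"] = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda e: e["ts"])
    return events, rejected


def who_read_chart(events: list[dict], patient: str) -> list[str]:
    """Distinct actors who pulled the chart of one patient."""
    return sorted({e["actor"] for e in events
                   if e["event"] == "chart.read"
                   and e["scope"].get("patient") == patient})


def edits_after_ai_draft(events: list[dict]) -> list[dict]:
    """Chart edits on a note that follow the AI draft of that same note."""
    drafts = {e["scope"]["note"]: e for e in events
              if e["event"] == "ai.draft_generated" and "note" in e["scope"]}
    out = []
    for e in events:
        if e["event"] != "chart.edit":
            continue
        draft = drafts.get(e["scope"].get("note"))
        if draft and e["ts"] > draft["ts"]:
            minutes = (e["ts"] - draft["ts"]).total_seconds() / 60
            out.append({"note": e["scope"]["note"], "edited_by": e["actor"],
                        "minutes_after_draft": minutes})
    return out


def edits_outside_role(events: list[dict]) -> list[tuple[str, str]]:
    """Note edits by actors whose role is not expected to touch chart notes."""
    return [(e["actor"], e["scope"].get("note")) for e in events
            if e["event"] == "chart.edit"
            and ROLE_OF.get(e["actor"]) not in NOTE_EDIT_ROLES]


def exports(events: list[dict]) -> list[tuple[str, dict]]:
    """Who exported what, with the scope they exported."""
    return [(e["actor"], e["scope"]) for e in events
            if e["event"].startswith("export.")]


if __name__ == "__main__":
    evts, bad = parse_log(SAMPLE_LOG)
    print("rejected:", bad)
    print("read pt-104:", who_read_chart(evts, "pt-104"))
    print("edits after draft:", edits_after_ai_draft(evts))
    print("edits outside role:", edits_outside_role(evts))
    print("exports:", exports(evts))
```

The rejection list matters as much as the findings: a record without actor, timestamp or scope cannot be attributed, so a review should treat its presence as a logging defect rather than silently skipping it.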
Vendor checklist before you sign anything
- Executed BAA covering AI features and hosting.
- Hosting region and failover spelled out for your contracts.
- Training-data clause stating customer PHI is not reused to train public models.
- Breach notification SLA aligned with your policies.
- Deletion and export timelines with named contacts.
- Subprocessor list with notification rules when vendors change.
Breach posture
Olvaro maintains incident response playbooks, logging, and vendor escalation paths. Your practice still trains staff on phishing, workstation locks, and device policies because HIPAA is shared responsibility.
Disclaimer
This page explains how Olvaro intends to operate. It is not legal advice. Have your counsel review BAAs, state privacy laws, and your internal policies before relying on any vendor summary.
FAQ
Is Olvaro HIPAA compliant?
Olvaro builds HIPAA-aligned controls including BAAs, access controls, audit logs, encryption in transit and at rest, and subprocessors bound to appropriate protections. Compliance also depends on how your practice configures workflows and trains staff.
Does Olvaro sign a BAA?
Yes, for covered entities that require one. Execute the BAA during onboarding so responsibilities for PHI are clear before go-live.
Are my patient records used to train AI?
Olvaro does not use your patient charts to train public foundation models or sell derived models. AI inference runs against your tenant data under contract and security controls described in our security materials.
Where is my data stored?
Data resides in Olvaro’s production environment with encryption and regional placement described in our security documentation. Ask sales or security for the current region map during your review.
How do I export or delete my data?
Export patient, chart, and financial datasets from Olvaro in standard formats. Submit deletion requests in writing with scope; we process them per the BAA and retention policies you agree to.
Canonical URL: https://www.olvaro.net/blog/hipaa-and-ai-how-olvaro-handles-phi