HIPAA-Aware Design

HIPAA Compliance

Clinivore is designed for use in HIPAA-covered healthcare environments.

1. Business Associate Agreement

Clinivore enters into Business Associate Agreements with covered entities prior to handling any Protected Health Information. The BAA outlines our obligations as a Business Associate under HIPAA, including safeguards, breach notification, and permissible uses of PHI.

BAAs are available upon request before any PHI is entered into the platform. Use of Clinivore with PHI prior to BAA execution is not permitted under our Terms of Service.

2. Technical Safeguards

  • Encryption in Transit: TLS 1.2+ for all data transmitted between clients and servers
  • Encryption at Rest: AES-256 encryption for all stored data
  • Role-Based Access Control: Admin, Provider, and Staff roles with differentiated access levels
  • Session Management: Automatic session timeout after inactivity
  • Audit Logging: Append-only audit trail for all PHI access, modification, and AI usage events

3. Administrative Safeguards

  • Staff access limited by role (Admin / Provider / Staff)
  • Audit trail retention per HIPAA requirements (minimum 6 years)
  • Data breach notification procedures per HIPAA Breach Notification Rule
  • Practice administrators control staff provisioning and access

4. 42 CFR Part 2

Clinivore supports practices that treat substance use disorders. Our workflows are designed with 42 CFR Part 2 protections in mind. Substance use disorder treatment records — including records related to Vivitrol and Sublocade administration — require patient consent before disclosure and carry stricter protections than standard HIPAA PHI.

Clinivore does not automate any disclosure of SUD treatment records. All outreach tasks and documentation are staff-reviewed and staff-initiated. Practices with SUD patients are responsible for ensuring that disclosures comply with applicable 42 CFR Part 2 requirements.

5. AI Features

PHI is never transmitted to AI services without explicit BAA-covered configuration. The default AI mode uses only non-identifying references to the patient (e.g., internal patient IDs and protocol names) when generating documentation drafts. Full name, date of birth, and other PHI fields are excluded from AI requests unless the practice has explicitly opted into PHI-enabled AI under a BAA with Clinivore.

All AI draft generation events are logged in the audit trail, including the PHI context level used.
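The gating and logging described in this section (and the append-only audit trail listed under Technical Safeguards) can be illustrated with the following example. It is added here for illustration and is not Clinivore's own code; the field names, the two PHI context levels, the `AuditLog` class and the sample patient record are assumptions made for the demo. It uses an allowlist rather than a denylist for the default mode, so any field added to a patient record later is excluded from AI requests until it is deliberately allowed.

```python
"""Example: PHI-context gating for AI draft requests plus an append-only audit trail.
Illustrative code only, not the product's implementation; names are assumed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Any


class PHIContext(str, Enum):
    """PHI context level recorded with every AI draft event (assumed level names)."""
    MINIMAL = "minimal"          # default: internal patient ID and protocol name only
    PHI_ENABLED = "phi_enabled"  # only when the practice has opted in under a BAA


# Allowlist of fields that may leave the system in the default mode (assumed).
# Allowlisting fails closed: a new field in the record is excluded until it is added here.
MINIMAL_FIELDS = frozenset({"patient_id"})


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    actor: str
    action: str
    patient_id: str
    phi_context: str


class AuditLog:
    """Append-only trail: events can be added and read, never edited or removed."""

    def __init__(self) -> None:
        self._events: list[AuditEvent] = []

    def append(self, event: AuditEvent) -> None:
        self._events.append(event)

    def events(self) -> tuple[AuditEvent, ...]:
        # Immutable snapshot so callers cannot alter the trail through the return value.
        return tuple(self._events)


def build_ai_request(patient: dict[str, Any], protocol: str,
                     *, phi_enabled_under_baa: bool) -> tuple[dict[str, Any], PHIContext]:
    """Build the payload for the AI draft service and report the PHI context used.

    Default mode sends only allowlisted fields plus the protocol name; the full
    record is sent only when the practice opted into PHI-enabled AI under a BAA.
    """
    if phi_enabled_under_baa:
        payload = dict(patient)  # copy so the caller's record is never mutated
        context = PHIContext.PHI_ENABLED
    else:
        payload = {k: v for k, v in patient.items() if k in MINIMAL_FIELDS}
        context = PHIContext.MINIMAL
    payload["protocol"] = protocol
    return payload, context


def generate_draft_request(patient: dict[str, Any], protocol: str, actor: str,
                           log: AuditLog, *, phi_enabled_under_baa: bool = False) -> dict[str, Any]:
    """Gate the request and record the event (with its PHI context) before it is sent."""
    payload, context = build_ai_request(patient, protocol, phi_enabled_under_baa=phi_enabled_under_baa)
    log.append(AuditEvent(
        timestamp=datetime.now(timezone.utc).isoformat(),
        actor=actor,
        action="ai_draft_generated",
        patient_id=patient["patient_id"],
        phi_context=context.value,
    ))
    return payload


if __name__ == "__main__":
    # Constructed sample record; not real patient data.
    sample_patient = {"patient_id": "pt-0001", "full_name": "Sample Person",
                      "date_of_birth": "1980-01-01", "last_visit": "2024-05-01"}
    trail = AuditLog()
    print(generate_draft_request(sample_patient, "Vivitrol monthly", "staff-1", trail))
    print(generate_draft_request(sample_patient, "Vivitrol monthly", "staff-1", trail,
                                 phi_enabled_under_baa=True))
    for event in trail.events():
        print(event)
```

The audit entry is written before the payload is returned, so a request that is attempted but fails downstream still leaves a record of the PHI context that was assembled.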

Request a BAA

Contact us to request a Business Associate Agreement before entering PHI into the platform.