ActorDO, the backend system that powers the intelligent AI Assistant, is HIPAA compliant.
Here is all you need to know about Actor's HIPAA compliance.
Our HIPAA Compliance Approach
- Policies and Procedures: Overview of our internal policies designed to meet HIPAA standards.
- Data Protection Measures: Summary of our technical safeguards (encryption, access controls, audit logs).
- Administrative Safeguards: Employee training, risk assessments, and compliance officer roles.
- Physical Safeguards: Data center security and hardware protections.
If you use email or calendar as any of the following covered entities, you can use Actor as your HIPAA-compliant AI Assistant, Email & Calendar solution:
- Health care providers
- Doctors
- Clinics
- Psychologists
- Dentists
- Chiropractors
- Nursing homes
- Pharmacies
- Health Plan
- Health insurance companies
- HMOs
- Company health plans
- Government-provided health care plans
Actor policies for HIPAA Compliance
| Safeguard area | Where it is covered |
| --- | --- |
| Policies & Procedures | See "Internal Policies and Procedures" below |
| Data Protection measures | Everything under Data Security |
| Administrative Safeguards | See "Administrative Safeguards" below |
| Physical Safeguards | Any physical support for the data we manage is covered by our Data Security policy |
Actor protects any of the following data that might be individually identifiable health information (HIPAA identifiers):
- Names and birthdates
- Dates pertaining to a patient’s birth, death, treatment schedule, or relating to their illness and medical care
- Contact information such as telephone numbers, physical addresses, and email addresses
- Social Security Numbers
- Medical record numbers
- Photographs and digital images
- Fingerprints and voice recordings
- Any other form of unique identification or account number
If any of this information appears in email content that Actor reads, the following processes are in place:
- Actor does not store email or calendar content on its servers or databases. We pull the data, process it in memory, and discard it immediately once the request is complete. Not retaining data is the simplest way to keep ePHI out of scope, and it is backed by the safeguards described below rather than relied on alone.
- Actor does not use your data to train AI/ML models, either our own or those of third parties.
- Actor does not give any human access to your email content. Our development and business teams have no path to read it.
Business Associate Agreement (BAA)
As a HIPAA-compliant SaaS provider, we understand the critical role of the Business Associate Agreement (BAA) in maintaining compliance with HIPAA regulations.
If your business requires it, we can sign an agreement that outlines our responsibilities in protecting your Protected Health Information (PHI) and ensures both parties comply with HIPAA requirements.
Our Commitment
- We sign a BAA with all covered entities and business associates who use our SaaS solution and handle PHI.
- Our BAA includes all required HIPAA clauses and aligns with the latest regulatory standards.
- We strictly enforce policies and controls described in the BAA to safeguard your data.
- We ensure all subcontractors and third parties that might have access to PHI also comply with HIPAA through similar agreements.
How to Request a BAA
- Contact our support or compliance team at alex@actordo.com.
- We will provide a BAA template for your review and signature.
- BAAs are available on Actor business plans.
- Once executed, the BAA is incorporated into your customer agreement, providing legal protection for both parties.
HIPAA Compliance Overview
HIPAA compliance audits can be challenging and disruptive to an ordinary workday. Here are some questions you can answer in advance that can help you understand what you might face during a HIPAA compliance audit:
- Who has access to PHI/ePHI?
  - Nobody. No data from your email or calendar is stored on our systems.
- Are you regularly auditing permissions so they are current and up to date?
  - Yes.
- Are you 100% sure there isn't ePHI saved somewhere that you don't know about?
  - Yes. Not storing any data is the first and best method to stay compliant.
- Can you readily identify all file activity that occurs on ePHI?
  - We log all user actions that could constitute access to ePHI.
- Are you following the standard security practices?
Internal Policies and Procedures
We maintain comprehensive policies and procedures that ensure ongoing compliance with HIPAA regulations, including:
- Risk Assessments: Regular evaluations to identify and mitigate potential vulnerabilities affecting Protected Health Information (PHI).
- Access Controls: Strict protocols defining who can access PHI based on job roles and responsibilities.
- Incident Management: Defined processes for detecting, reporting, and responding to security incidents or breaches.
- Employee Training: Mandatory HIPAA compliance training for all staff to reinforce data privacy and security awareness.
- Data Handling Standards: Clear guidelines for collecting, storing, transmitting, and disposing of PHI securely throughout its lifecycle.
Our policies are reviewed and updated periodically to reflect regulatory changes and industry best practices.
Administrative Safeguards
Our administrative safeguards ensure that HIPAA compliance is embedded in everyday operations through:
- Dedicated Compliance Officer: Responsible for overseeing HIPAA adherence and coordinating compliance activities. See "Contact & Support" below.
- Employee Training and Awareness: Regular training programs to educate all personnel on HIPAA requirements and data protection best practices.
- Access Management: Procedures to assign, review, and revoke user access based on roles and job functions.
- Risk Management: Continuous risk assessments and mitigation plans to address vulnerabilities related to PHI.
- Incident Response Plan: There are established protocols for promptly managing and reporting security incidents or breaches.
- Business Associate Management: Processes to evaluate and monitor third-party vendors for HIPAA compliance, including formal agreements like BAAs.
These administrative controls form the backbone of our commitment to protecting your sensitive health data.
User Rights and Data Handling
We take your rights under HIPAA very seriously and have implemented strict policies and procedures to ensure your Protected Health Information (PHI) is handled with the highest level of care and compliance.
Access, Modification, and Portability
- Right to Access: Authorized users can access any PHI stored in our system (the custom prompts and knowledge they have provided) at any time, ensuring transparency and control over their personal health data.
- Right to Amend: Users can request corrections or updates to their PHI if they believe the information is inaccurate or incomplete, helping maintain data integrity.
- Data Portability: Upon request, we provide users with a secure, machine-readable copy of their PHI, enabling easy transfer to other HIPAA-compliant systems or providers.
Data Retention and Disposal
- The only places where Actor stores data that could contain PHI are fields you deliberately save into:
  - custom Actor prompts
  - custom Data Knowledge & Context you provide
- We retain any such PHI only for the duration required by HIPAA and applicable laws, or as specified in our service agreements.
- We show notifications and in-product messages reminding you to check that the data you insert into these fields is not PHI.
- When PHI is no longer needed, we securely delete or anonymize it to prevent unauthorized access or disclosure.
- Our data disposal processes comply with HIPAA standards and industry best practices to ensure complete destruction of sensitive information.
Breach Notification and Incident Response
- In the unlikely event of a data breach involving PHI, we have a comprehensive incident response plan to promptly investigate and contain the breach.
- We will notify affected clients and relevant authorities in accordance with HIPAA breach notification requirements within the mandated timelines.
- Our security team conducts root cause analyses and implements corrective measures to prevent future incidents.
Confidentiality and Security Training
- All employees and contractors with access to PHI receive mandatory HIPAA training focused on confidentiality, security practices, and breach prevention.
- Ongoing education ensures our team remains updated on regulatory changes and emerging threats.
As a reminder, Actor does not store any email content on its servers.
Your Privacy, Our Priority
By choosing the ActorDO platform, you entrust us with sensitive health information, and we are fully committed to safeguarding your privacy rights and complying with all HIPAA mandates.
Contact & Support
Our contact details for HIPAA-related inquiries (email and phone):
- alex@actordo.com
- (+41) 764 65 67 65