Healthcare data security
🔒 Built for healthcare from day one

Compliance & security from architecture to output

Every agent, integration, and patient-facing communication is built against healthcare regulatory requirements from day one — not retrofitted after the fact.

🔒 HIPAA + BAA ✓ TCPA Compliant ⚕️ HL7 FHIR 🏥 No Surprise Billing Act 🛡 SOC 2 Ready 🔐 AES-256 Encrypted
Core compliance framework

Every regulation. Every plan. No exceptions.

mosAIQ was designed for healthcare from the ground up. Every agent adheres to the same compliance framework — there is no lighter version.

HIPAA compliance security
HIPAA + BAA
Full Business Associate Agreement signed on all plans before any system access is granted. PHI is never stored in agent logs. All patient communications are end-to-end encrypted. Full audit trails maintained for all PHI access events.
  • BAA signed before we connect to your EHR or any patient system
  • PHI never persisted in AI model context or logs
  • All communications end-to-end encrypted in transit and at rest
  • Complete audit trail for every PHI access event
  • Role-based access control — staff see only what they need
✓ Signed before day 1
TCPA SMS compliance
TCPA Compliant
Every automated SMS and voice communication follows TCPA requirements. Written consent is captured and archived before any automated patient outreach begins. Opt-out is honored immediately and documented.
  • Written consent captured and archived before any automated outreach
  • Opt-out honored within one message — fully documented
  • Time-of-day restrictions enforced automatically per state rules
  • Prior express written consent maintained for each patient
  • Do-not-call registry checked before voice outreach
✓ Consent archived per patient
No Surprise Billing Act compliance
No Surprise Billing Act
Good Faith Estimate requirements are satisfied through pre-appointment coverage verification before every scheduled appointment. Patients receive cost estimates before services when required.
  • Coverage verification triggered automatically at booking
  • Good Faith Estimate generated and delivered before appointment
  • Out-of-network disclosure workflow built into scheduling
  • Patient acknowledgment captured and logged
✓ GFE auto-generated at booking
HL7 FHIR EHR integration
HL7 FHIR Integration
Standard HL7 FHIR and API integrations with all major EHR platforms. No screen-scraping. No credentials shared. Your EHR vendor relationship stays intact. We connect through the same integration layer your other tools use.
  • HL7 FHIR R4 standard API connections — no proprietary connectors
  • No screen-scraping, no credential sharing with our systems
  • EHR vendor relationship preserved — we work alongside, not around
  • Supported: NextGen, Athenahealth, eClinicalWorks, Epic, DrChrono, Kareo, Healthie
  • New integrations added on request — typical lead time 2–3 weeks
✓ No screen-scraping ever
Security architecture

Zero PHI in the AI layer

mosAIQ's architecture isolates PHI from AI model processing. Patient data is de-identified before any AI inference occurs. The AI never sees a patient name, DOB, or insurance ID — only structured clinical data tokens.

AES-256 encryption at rest + in transit
All patient data encrypted with AES-256. TLS 1.3 for all API connections. Keys managed in HSMs, rotated quarterly.
De-identification before AI inference
PHI stripped and tokenized before entering AI processing pipeline. Original data never touches model weights or logs.
Full audit logging — every PHI access event
Every access, read, and write on PHI is logged with timestamp, user, and reason. Logs tamper-proof and retained 7 years.
SOC 2 Type II ready
Architecture designed to SOC 2 Type II controls. Report available to enterprise clients under NDA.
Data flow architecture

Your EHR (NextGen · Athena · eCW · Epic · DrChrono)
  ↓ HL7 FHIR R4 API (TLS 1.3)
PHI Layer: AES-256 encrypted · BAA covered · Audit logged
  ↓ De-identification + tokenization
AI Layer: Tokens only · No PHI · No names · No DOB
  ↓ Response + re-identification
Output: HIPAA-safe SMS · TCPA-compliant voice · Encrypted portal

PHI never enters the AI model layer — guaranteed by architecture, not policy.
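The flow above (PHI layer, de-identification and tokenization, a model that sees tokens only, then re-identification of the response) as an added worked example. This is illustrative code written for this page, not mosAIQ's implementation; the record fields, the token format, the set of identifier fields and the stub model are all assumptions. It goes slightly beyond the diagram in one respect: every string in the payload is scrubbed, not just the known patient fields, and a boundary guard fails closed if any identifier value survives in the data handed to the model.

```python
"""De-identify PHI before AI inference and re-identify afterwards.

Illustrative example of the PHI layer -> AI layer -> output flow; not mosAIQ's
code. Record fields, the token format and the stub model are assumptions.
"""
import json
import re
import secrets
from typing import Any, Callable

# Direct identifiers that must never cross into the AI layer. This list is an
# assumption for the example; the HIPAA identifier list is longer.
PHI_FIELDS = ("name", "dob", "insurance_id", "phone")


class PHILeakError(RuntimeError):
    """Raised when an identifier value is found in data bound for the AI layer."""


def _scrub(obj: Any, pattern: re.Pattern, value_to_token: dict[str, str]) -> Any:
    """Recursively replace identifier values inside every string in the payload."""
    if isinstance(obj, str):
        return pattern.sub(lambda m: value_to_token[m.group(0)], obj)
    if isinstance(obj, dict):
        return {k: _scrub(v, pattern, value_to_token) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_scrub(v, pattern, value_to_token) for v in obj]
    return obj


def deidentify(record: dict[str, Any]) -> tuple[dict[str, Any], dict[str, str]]:
    """Return (AI-safe payload, token -> original value map).

    The map stays in the PHI layer; only the payload is handed to the model.
    Tokens are random per request, so they carry nothing about the patient and
    cannot be correlated across requests.
    """
    payload = json.loads(json.dumps(record))  # deep copy; caller's record untouched
    patient = payload.get("patient", {})
    value_to_token: dict[str, str] = {}
    for field in PHI_FIELDS:
        value = patient.get(field)
        if value not in (None, ""):
            patient[field] = str(value)
            value_to_token[str(value)] = f"[PHI_{field.upper()}_{secrets.token_hex(6)}]"
    if not value_to_token:
        return payload, {}
    # Longest values first, so a value that contains another is matched whole.
    alternatives = sorted(value_to_token, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(v) for v in alternatives))
    payload = _scrub(payload, pattern, value_to_token)
    return payload, {token: value for value, token in value_to_token.items()}


def assert_no_phi(payload: dict[str, Any], token_map: dict[str, str]) -> None:
    """Boundary guard: fail closed if any original identifier survives in the
    serialized payload, e.g. because it was repeated in an unexpected field."""
    serialized = json.dumps(payload)
    for token, value in token_map.items():
        if value in serialized:
            raise PHILeakError(f"identifier behind {token} found in AI-bound payload")


def reidentify(text: str, token_map: dict[str, str]) -> str:
    """Swap tokens in the model response back to real values. PHI layer only."""
    if not token_map:
        return text
    pattern = re.compile("|".join(re.escape(t) for t in token_map))
    return pattern.sub(lambda m: token_map[m.group(0)], text)


def run_pipeline(record: dict[str, Any], model: Callable[[dict[str, Any]], str]) -> str:
    """PHI layer -> guard -> AI layer (tokens only) -> re-identification."""
    payload, token_map = deidentify(record)
    assert_no_phi(payload, token_map)
    response = model(payload)  # the model never receives token_map
    return reidentify(response, token_map)


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "patient": {"name": "Maria Lopez", "dob": "1984-07-22",
                "insurance_id": "XYZ123456789", "phone": "555-0142"},
    "appointment": {"date": "2025-03-14", "time": "09:30", "provider": "Dr. Chen"},
    "notes": "Maria Lopez asked for a text reminder; DOB 1984-07-22 verified at booking.",
}


def stub_model(payload: dict[str, Any]) -> str:
    """Stand-in for the AI layer: drafts a reminder from whatever it is given."""
    p, a = payload["patient"], payload["appointment"]
    return (f"Hi {p['name']}, this is a reminder of your appointment on "
            f"{a['date']} at {a['time']} with {a['provider']}.")


if __name__ == "__main__":
    ai_payload, _ = deidentify(SAMPLE_RECORD)
    print("AI layer receives:", json.dumps(ai_payload, indent=2))
    print("Patient receives:", run_pipeline(SAMPLE_RECORD, stub_model))
```

The token map is the only bridge between the two layers, and it never leaves the PHI layer, so anything the model emits or logs holds tokens only. The guard compares exact identifier values, which is why the scrub runs over every string field rather than a fixed list: a name repeated in a free-text note is caught, while a misspelled or partial repetition still needs the usual clinical-text de-identification review.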
EHR integrations

Native connections — no screen-scraping

All integrations use official vendor APIs or HL7 FHIR endpoints. Your EHR vendor relationship stays intact.

NextGen
Ambulatory EHR · Multi-specialty
Connection: NextGen API + HL7 FHIR R4
✓ Certified
Athenahealth
Cloud EHR · Ambulatory + RCM
Connection: athenaClinicals API + FHIR
✓ Certified
eClinicalWorks
Integrated EHR/PM · All specialties
Connection: eCW FHIR R4 + REST API
✓ Certified
Epic
Enterprise EHR · Health systems
Connection: Epic FHIR R4 + MyChart API
✓ Certified
DrChrono
Cloud EHR · Small-mid practice
Connection: DrChrono REST API + FHIR
✓ Supported
Kareo / Tebra
Cloud EHR/PM · Independent practices
Connection: Kareo API + webhook
✓ Supported

Additional integrations available on request — typical lead time 2–3 weeks.

Common questions

Compliance FAQ

Does mosAIQ sign a Business Associate Agreement (BAA)?
Yes — the BAA is signed before we access any patient system, EHR, or PHI. The BAA covers all agents, integrations, and data flows. No access is granted until the BAA is fully executed. You receive a countersigned copy on day 1.
Does the AI see patient names, DOBs, or insurance IDs?
No. PHI is de-identified and tokenized before any data enters the AI processing layer. The AI model sees only structured clinical tokens — never a patient name, date of birth, Social Security number, or insurance identifier. This is enforced at the architecture level, not by policy alone.
How does mosAIQ handle TCPA for SMS and voice outreach?
Every automated SMS and voice communication follows TCPA requirements. Written consent is captured from each patient and archived in your records before any automated outreach begins. Opt-out is honored within one message. Time-of-day restrictions are enforced automatically based on the patient's state of residence. The do-not-call registry is checked before any voice outreach.
What happens if a patient opts out of automated messages?
Opt-out is honored immediately — within the same message thread — and documented with a timestamp. The patient is flagged in your EHR as opted out. No further automated outreach is sent to that patient until explicit re-consent is captured. Opt-out records are maintained indefinitely.
Does mosAIQ screen-scrape my EHR?
Never. All EHR connections use official vendor APIs or HL7 FHIR R4 endpoints — the same integration layer your other tools use. We do not store your EHR credentials on our systems. Your EHR vendor relationship and data agreement remain entirely intact.
How does the No Surprise Billing Act compliance work?
Coverage verification is triggered automatically at the time of booking. A Good Faith Estimate is generated for applicable appointments and delivered to the patient before the visit. Out-of-network disclosure workflows are built into the scheduling sequence. Patient acknowledgment is captured and logged as required by the Act.
Is mosAIQ SOC 2 certified?
mosAIQ is SOC 2 Type II ready — our architecture is designed to SOC 2 Type II controls across Security, Availability, and Confidentiality. A controls report is available to enterprise clients under NDA. Full Type II certification is in progress for 2026.
Ready to deploy

HIPAA-compliant AI.
Live in 14 days. Guaranteed.

Every plan starts with a signed BAA and a HIPAA architecture review. No patient data is touched until compliance is verified.