
HIPAA at AskVault, when and how

Last updated: · 5 min read

When you need HIPAA support

If you operate in US healthcare and any of these apply, you need HIPAA-compliant AskVault:

  • You're a Covered Entity (a healthcare provider, health plan, or healthcare clearinghouse) processing Protected Health Information (PHI).
  • You're a Business Associate to a Covered Entity, processing PHI on their behalf.
  • Your customer-support chatbot might receive PHI in conversations (e.g., a patient describing symptoms, an insurance member asking about claims).

HIPAA-compliant AskVault is on the Enterprise plan only.

What "HIPAA-compliant" means here

Three components:

  1. Business Associate Agreement (BAA). AskVault signs a BAA naming AskVault as a Business Associate to your Covered Entity. The BAA covers permitted uses, disclosure limits, security obligations, and breach notification.
  2. Infrastructure compliance. AskVault runs on storage providers that hold SOC 2 Type II reports and offer BAA-eligible storage. Data is encrypted at rest with AES-256 and in transit with TLS 1.3, with access logging at the storage layer.
  3. Operational compliance. Audit logs retained for 6 years (the HIPAA documentation-retention minimum, 45 CFR 164.316(b)(2)), dedicated workspaces isolated from non-PHI use, restricted access for AskVault personnel, and a documented incident-response runbook.

Setup process

Enterprise contracts include the HIPAA-BAA addendum. The setup flow:

  1. Contract signing. AskVault and your legal team execute the Enterprise contract with HIPAA-BAA addendum. Typically 2 to 4 weeks.
  2. Workspace provisioning. AskVault provisions a dedicated workspace, isolated from any non-PHI workspaces in our infrastructure. Identifier flagged as phi: true.
  3. Audit retention upgrade. Audit logs for this workspace extend from 365 days to 6 years.
  4. Personnel training. Your authorized users complete a one-time PHI training (what can and cannot be stored, how to escalate suspected breaches).
  5. Go-live. First production traffic allowed only after the above steps complete.

End-to-end implementation: typically 6 to 10 weeks from contract signing to first production traffic.

What you can and cannot do

In a HIPAA-eligible AskVault workspace:

Allowed:

  • Store PHI in indexed documents (patient handbooks, care guides, medication info).
  • Process PHI in chat conversations (patient symptoms, claim numbers, prescription details).
  • Connect HIPAA-designated channels (the web widget over HTTPS with identity verification, Slack on Enterprise Grid under Slack's BAA with appropriately scoped permissions).

Not allowed:

  • Use the Free, Starter, Growth, or Business plans for PHI. The BAA doesn't cover them.
  • Mix PHI and non-PHI in the same workspace.
  • Use channels we haven't designated HIPAA-compliant (e.g., SMS today; some carriers' compliance status varies).
  • Use upstream LLM providers we haven't contracted under our BAA.

Important. Do not upload PHI to a non-Enterprise workspace, ever. The BAA does not cover it and you'd be in violation of HIPAA.

Channels supported under HIPAA

Designations as of 2026:

Channel         | HIPAA-supported? | Notes
----------------|------------------|------------------------------------------------------
Web widget      | Yes              | Over HTTPS, identity-verified
Hosted page     | Yes              | Over HTTPS with custom domain
REST API        | Yes              | Direct integration with your HIPAA-compliant systems
Email Assistant | Yes              | With BAA-eligible email provider
Slack           | Yes              | Enterprise Grid with BAA only
WhatsApp        | No               | Meta does not offer BAA-eligible WhatsApp
Telegram        | No               | Telegram does not offer BAA
Discord         | No               | Discord does not offer BAA
SMS             | Variable         | Twilio offers BAA on specific configurations only
Voice           | Variable         | Twilio Voice BAA available on specific configurations

Configure your HIPAA workspace to use only the designated channels. We disable the others at provisioning time.

Skills under HIPAA

Most skills work under HIPAA. Specific notes:

  • knowledge_search. Allowed. Default RAG retrieval.
  • escalate_to_human. Allowed. Critical for cases the bot can't handle.
  • collect_lead. Allowed, but be careful with PHI capture: storing diagnosis information as a "lead" requires appropriate consent.
  • ticketing_router. Allowed if the downstream ticketing system also has a BAA (most healthcare-focused Zendesk and Freshdesk plans do).
  • custom_webhook. Allowed, but your endpoint must be HIPAA-compliant: HTTPS, authenticated, and covered by a BAA if a third party hosts it.
  • subscription_manager, discount_negotiator. Generally not relevant for healthcare workloads.

Disable skills you don't need to minimize PHI surface area.

Audit logging

Every PHI-touching operation is logged with:

  • Workspace ID
  • User ID (or API key for programmatic calls)
  • Action verb (read, create, update, delete)
  • Affected resource ID
  • Source IP (truncated to its /24 network to reduce identifiability)
  • User agent
  • UTC timestamp

Logs are append-only. No application code path has UPDATE or DELETE permission on the audit table. Retained 6 years per HIPAA minimum.
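
As an added example (not AskVault's own code), here is how the field set and the append-only rule above can be realised on a local SQLite database: records carry the listed fields, the source IP is truncated before it is written, and triggers refuse UPDATE and DELETE. The SQLite triggers stand in for the database-role grants a production deployment would use (an application role holding INSERT and SELECT only); the /48 prefix applied to IPv6 addresses is an assumption, since the page specifies only /24, an IPv4 prefix. All records are constructed.

```python
"""Append-only audit log with the field set described above.

Added example, not AskVault's code. Assumptions: SQLite triggers stand in
for database-role grants; the IPv6 /48 truncation is a hypothetical choice
(the page only specifies /24, an IPv4 prefix); all records are constructed.
"""
import ipaddress
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE audit_log (
    id           INTEGER PRIMARY KEY AUTOINCREMENT,
    workspace_id TEXT NOT NULL,
    actor        TEXT NOT NULL,  -- user ID, or API key ID for programmatic calls
    action       TEXT NOT NULL CHECK (action IN ('read', 'create', 'update', 'delete')),
    resource_id  TEXT NOT NULL,
    source_net   TEXT NOT NULL,  -- truncated network; the full client IP is never stored
    user_agent   TEXT NOT NULL,
    ts_utc       TEXT NOT NULL   -- ISO 8601, always UTC
);
-- Defence in depth behind the role grants: even a connection that somehow
-- holds UPDATE/DELETE rights cannot rewrite history. RAISE(ABORT) aborts the
-- offending statement and leaves the table untouched.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""


def truncate_ip(ip: str) -> str:
    """Return the client's network, not the client: /24 for IPv4 (the page's
    rule) and, as an assumption, /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def open_audit_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record(conn, workspace_id, actor, action, resource_id, source_ip, user_agent, when=None):
    """Append one record. Callers pass the raw client IP; only its truncated
    network and a UTC timestamp reach the table."""
    ts = (when or datetime.now(timezone.utc)).astimezone(timezone.utc)
    conn.execute(
        "INSERT INTO audit_log (workspace_id, actor, action, resource_id,"
        " source_net, user_agent, ts_utc) VALUES (?, ?, ?, ?, ?, ?, ?)",
        (workspace_id, actor, action, resource_id, truncate_ip(source_ip),
         user_agent, ts.strftime("%Y-%m-%dT%H:%M:%SZ")),
    )
    conn.commit()


def try_tamper(conn, sql: str) -> bool:
    """Run an UPDATE or DELETE against the log; True means the trigger refused
    it and the row count is unchanged."""
    before = conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]
    try:
        conn.execute(sql)
        conn.commit()
        return False  # the statement went through: the control has failed
    except sqlite3.DatabaseError:  # RAISE(ABORT) surfaces here (IntegrityError)
        conn.rollback()
    after = conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]
    return before == after


def demo() -> dict:
    """Write two constructed records, then attempt to tamper with them."""
    conn = open_audit_db()
    when = datetime(2026, 1, 15, 9, 30, 0, tzinfo=timezone.utc)  # constructed
    record(conn, "ws_phi_01", "usr_42", "read", "doc_handbook_7",
           "203.0.113.77", "Mozilla/5.0", when)
    record(conn, "ws_phi_01", "key_a1b2", "create", "conv_9001",
           "2001:db8:1234:5678::9", "askvault-sdk/2.3", when)
    query = "SELECT actor, action, source_net, ts_utc FROM audit_log ORDER BY id"
    rows = conn.execute(query).fetchall()
    blocked_update = try_tamper(conn, "UPDATE audit_log SET action = 'delete' WHERE id = 1")
    blocked_delete = try_tamper(conn, "DELETE FROM audit_log WHERE id = 1")
    return {
        "rows": rows,
        "blocked_update": blocked_update,
        "blocked_delete": blocked_delete,
        "unchanged": rows == conn.execute(query).fetchall(),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() appends two constructed records, attempts an UPDATE and a DELETE, and reports that both were refused with the rows unchanged. The same check is worth scripting against the real database as a recurring control: connect as the application role and confirm that UPDATE and DELETE are rejected at the permission layer, not only by triggers.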

Export via Dashboard > Settings > Audit Log > Export. Filterable by date range and action type.

Breach notification

If AskVault detects a security incident affecting PHI:

  1. Notification to your designated security contact within 24 hours of a confirmed breach.
  2. Joint root-cause analysis within 7 days.
  3. Postmortem report within 14 days.
  4. Coordination on regulatory notification under HHS rules within your 60-day window.

Specific notification channels and contacts are documented in your BAA addendum.

Cost and contract

HIPAA-eligible Enterprise contracts are quote-based, typically starting at $24,000 USD per year. Pricing depends on:

  • Expected query volume.
  • Number of HIPAA workspaces.
  • Channels enabled.
  • Audit log retention beyond 6 years if required.
  • Sub-processor restrictions (e.g., LLM provider exclusions).

Contact sales@askvault.co for a HIPAA-specific quote.

Common questions before you commit

Can a Covered Entity use AskVault standalone?

Yes, on Enterprise with HIPAA-BAA. The Free through Business plans are not HIPAA-eligible.

Can a Business Associate use AskVault to process the Covered Entity's PHI?

Yes, with a downstream BAA between AskVault and the Business Associate. The Business Associate then maintains their own BAA with the Covered Entity. This is the standard pattern for HIPAA-compliant SaaS chains.

What about ePHI in email?

Email is HIPAA-eligible only when both ends use BAA-eligible providers. AskVault's Email Assistant channel works with BAA-eligible providers; check that your customer-facing email provider has its own BAA in place.

Can I get a HIPAA-compliant audit report?

Yes. AskVault's internal HIPAA-compliance attestation is available under NDA on Enterprise contracts. We don't publish it publicly.

What if my workload involves PHI but I don't have a BAA with my Covered Entity yet?

Don't upload PHI to AskVault until your full BAA chain is in place. Use the Free or Starter plan with synthetic test data while you work out the legal layer.

How is data deleted from a HIPAA workspace?

Same flow as standard workspaces (one-click delete, 10-second cascade), but backups are retained for 6 years rather than 30 days, in line with the workspace's 6-year retention. Note that HIPAA's 6-year rule (45 CFR 164.316(b)(2)) covers required documentation such as audit records, while retention of the PHI itself is governed by state law and your own policies; confirm that 6-year backup retention fits your data-retention obligations before go-live.
