HIPAA Readiness Policy
HookPilot's current HIPAA posture, BAA scope and the Healthcare-department readiness path.
1. Status Today
HookPilot Caption Studio LLC operates the platform under controls that align to the HIPAA Security Rule (45 CFR Part 164, Subpart C) — encryption, access control, audit logging, workforce training, incident response, and contingency planning. BAAs are available on Enterprise plans through the Healthcare department. We do not claim certification we have not completed.
2. Where PHI Can Flow
PHI may only be processed inside HIPAA-enabled workspaces. These workspaces enforce: BAA on file; HIPAA-aware AI provider routing only; PHI-detection in the input layer; redacted logging; restricted sub-processor list; longer audit retention; and an additional layer of veto authority from the Healthcare-department Statute and Shield agents. PHI sent to a non-HIPAA-enabled workspace is treated as a customer breach of the Acceptable Use Policy and we will not knowingly process it.
3. Security Rule Mapping
- Administrative: Risk analysis, workforce training, sanction policy, access management, contingency plan.
- Physical: Sub-processor data centers under SOC 2 / ISO 27001 attestation; no on-prem PHI at HookPilot.
- Technical: Access control, audit controls, integrity, person/entity authentication, transmission security.
- Organizational: BAAs with sub-processors that touch PHI; documented policies and procedures.
4. Privacy Rule
HookPilot is a Business Associate; the Privacy Rule applies to our Covered Entity customers, but we support their compliance by limiting use and disclosure of PHI to what the BAA permits, honoring minimum necessary, and assisting with patient rights requests forwarded by the customer.
5. Breach Notification
For breaches of unsecured PHI under 45 CFR 164.410, HookPilot will notify the Covered Entity without unreasonable delay and within sixty (60) days from discovery, providing the information required by the rule. Where encryption rendered the PHI unusable (a safe harbor), we still document the event for the Covered Entity. See the Incident Response Policy for the broader runbook.
6. BAA Scope
HookPilot's standard BAA covers: workspace data, audit logs, support communications, and AI provider routing for HIPAA-cleared models. It excludes: PHI sent to non-HIPAA-enabled workspaces; data subject to the HIPAA "Conduit" exception; and any de-identified data the customer chooses to use outside HIPAA scope.
7. AI Provider Routing for PHI
HIPAA-enabled workspaces route to AI providers that (a) sign a BAA with HookPilot or are covered under HookPilot's BAA chain; (b) offer short-retention or zero-retention prompt handling; and (c) accept HookPilot's PHI-detection pre-filter. Other providers in HookPilot's routing pool are excluded from HIPAA-enabled traffic at the router.
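The enforcement points in sections 2 and 7 (PHI is refused outside HIPAA-enabled workspaces, a BAA must be on file, only providers meeting criteria (a), (b) and (c) receive HIPAA traffic, and audit logging is redacted) can be expressed as a single policy-as-code router. The example below is added here for illustration and is not HookPilot's own code; the provider attribute names, the workspace flags, the provider pool and the two regex PHI heuristics are all constructed assumptions, and a production input layer would use a far broader PHI detector.

```python
"""Added example (not HookPilot's code): a policy-as-code router that applies the
HIPAA-enabled workspace rules described in sections 2 and 7 of the policy."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Provider:
    """AI provider in the routing pool. Attribute names are constructed assumptions."""
    name: str
    baa_with_hookpilot: bool       # (a) signed BAA or covered under the BAA chain
    short_or_zero_retention: bool  # (b) short- or zero-retention prompt handling
    accepts_phi_prefilter: bool    # (c) accepts the PHI-detection pre-filter

    def hipaa_eligible(self) -> bool:
        """A provider carries HIPAA traffic only if all three criteria hold."""
        return (self.baa_with_hookpilot
                and self.short_or_zero_retention
                and self.accepts_phi_prefilter)


@dataclass(frozen=True)
class Workspace:
    name: str
    hipaa_enabled: bool
    baa_on_file: bool


# Constructed PHI heuristics: SSN-shaped and MRN-shaped tokens only.
PHI_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),        # SSN-like
    re.compile(r"\bMRN[:# ]?\d{6,}\b", re.IGNORECASE),  # medical-record-number-like
]

# Constructed sample pool: only vendor-a satisfies (a), (b) and (c).
POOL = [
    Provider("vendor-a", True, True, True),
    Provider("vendor-b", False, True, True),   # no BAA
    Provider("vendor-c", True, False, True),   # long prompt retention
]


def detect_phi(text: str) -> bool:
    """Input-layer PHI pre-filter (heuristic, constructed for the example)."""
    return any(p.search(text) for p in PHI_PATTERNS)


def redact(text: str) -> str:
    """Redacted logging: replace detected PHI tokens before anything is written to audit."""
    for p in PHI_PATTERNS:
        text = p.sub("[REDACTED]", text)
    return text


def route_request(workspace: Workspace, text: str, pool=POOL) -> dict:
    """Decide where a prompt may go. Returns a dict with action, provider, reason, audit_text."""
    phi_present = detect_phi(text)

    # Section 2: PHI outside a HIPAA-enabled workspace is not knowingly processed.
    if phi_present and not workspace.hipaa_enabled:
        return {"action": "reject", "provider": None,
                "reason": "PHI detected in non-HIPAA-enabled workspace",
                "audit_text": redact(text)}

    if workspace.hipaa_enabled:
        # Section 2: HIPAA-enabled workspaces require a BAA on file.
        if not workspace.baa_on_file:
            return {"action": "reject", "provider": None,
                    "reason": "no BAA on file for HIPAA-enabled workspace",
                    "audit_text": redact(text)}
        # Section 7: only providers meeting (a), (b) and (c) are eligible at the router.
        candidates = [p for p in pool if p.hipaa_eligible()]
        if not candidates:
            return {"action": "reject", "provider": None,
                    "reason": "no HIPAA-eligible provider in routing pool",
                    "audit_text": redact(text)}
        audit_text = redact(text)       # redacted logging in HIPAA-enabled workspaces
    else:
        candidates = list(pool)         # any pool provider for non-PHI, non-HIPAA traffic
        audit_text = text

    # Constructed selection rule: first eligible provider in pool order.
    chosen = candidates[0]
    return {"action": "route", "provider": chosen.name,
            "reason": "policy checks passed", "audit_text": audit_text}


if __name__ == "__main__":
    clinic = Workspace("clinic", hipaa_enabled=True, baa_on_file=True)
    marketing = Workspace("marketing", hipaa_enabled=False, baa_on_file=False)
    sample = "Patient SSN 123-45-6789 follow-up note"  # constructed input
    print(route_request(clinic, sample))
    print(route_request(marketing, sample))
```

The router fails closed: every rejection path still returns a redacted audit string, so the decision can be logged without the refused PHI being written anywhere, and the provider filter is evaluated per request rather than trusting that the pool was configured correctly.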
8. Customer Responsibilities
- Execute the BAA before sending any PHI.
- Use HIPAA-enabled workspaces only; do not paste PHI into other workspaces or into hookpilot.co support chat.
- Enforce minimum necessary at the source.
- Manage authorisations, accountings of disclosures and patient rights at the Covered Entity level.
- Notify HookPilot of any incident you suspect HookPilot caused.
9. Roadmap
The HookPilot Healthcare department's published readiness path moves from "HIPAA-ready with BAA" today, toward independent third-party HIPAA security assessment in line with SOC 2 Type II completion (see SOC 2 Readiness Framework).
10. Contact
BAAs and HIPAA questions: legal@hookpilot.co
Security incident reports (24/7): security@hookpilot.co