
HIPAA Compliance

How Coya AI meets and exceeds HIPAA requirements for behavioral health practices.

Last updated: January 2026

01

Overview

Coya AI is designed from the ground up to meet HIPAA requirements for handling protected health information in behavioral health intake. Compliance is not an add-on; it is built into every layer of the platform, from call handling to data storage to team access.

02

PHI handling

All protected health information (PHI) is stored in a dedicated encrypted vault, completely isolated from operational and analytics data. PHI never appears in URLs, browser local storage, cookies, or shareable links. Intake form links use token-based authentication with automatic 7-day expiration.

03

Encryption

All data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Encryption keys are managed through a dedicated key management service with automatic rotation. No unencrypted PHI is ever written to disk, logs, or temporary storage.

04

Access controls

Coya implements role-based access controls across every level of the platform. Every data access event is logged with a timestamp, user identity, and action performed. Practice administrators control which team members can view PHI, manage configurations, or access the action center.

05

Business associate agreement

Coya signs a business associate agreement (BAA) with every practice as part of onboarding. The BAA covers all PHI handling, subprocessor obligations, breach notification requirements, and data return or destruction procedures. All third-party infrastructure providers that touch PHI are bound by their own BAAs with Coya.

06

Call recordings and transcripts

Call recordings and transcripts are stored encrypted, with access restricted to authorized practice staff. Retention periods are configurable per practice. Recordings can be deleted on demand. Transcripts are available for clinical review through the secure dashboard with full audit logging.

07

Crisis protocol

Coya includes real-time detection of suicidal ideation or safety concerns during calls. When a crisis is detected, the system immediately initiates a warm transfer to the 988 Suicide and Crisis Lifeline, sends an instant SMS and dashboard alert to the on-call coordinator, and preserves the full transcript for clinical review. No caller in crisis is ever left unattended.

08

TCPA compliance

All SMS messages sent by Coya are TCPA compliant. Opt-out requests are honored immediately and automatically on every message. Intake form links are sent via SMS only with caller consent given during the call. No marketing messages are ever sent through the platform.

09

High compliance mode

For practices with strict data isolation requirements, Coya offers a high compliance mode. This provides maximum data separation between practice instances, restricted data processing geography, and enhanced audit controls. Contact us for details on enabling this for your practice.

10

Audit trail

Coya maintains a complete, immutable log of all PHI access events. Audit logs include user identity, timestamp, data accessed, and action performed. Logs are exportable for compliance review, internal audits, or regulatory inquiries. Retention of audit logs exceeds the minimum required by HIPAA.

11

Incident response

In the event of a data breach, Coya will notify the affected covered entity within 72 hours of discovery. Our incident response plan includes containment, investigation, notification, and remediation procedures aligned with HIPAA breach notification requirements.

12

Contact

For compliance questions, audit requests, or to report a security concern, contact us at hello@getcoya.ai. Our team will respond within 2 business days for all compliance-related inquiries.