HIPAA-aware AI · ADA / WCAG-compliant builds · trusted by practices nationwide HIPAA-aware · ADA-compliant
[HIPAA-PRM.001]
ONLINE · 214MS
// ENCRYPTION AES-256
UPTIME 99.99% //
HIPAA-compliant PRM

The patient system, built HIPAA-first

Automated intake, AI-drafted conversations, follow-up, and reactivation — with real BAAs, real encryption, and AI that never sees raw patient identifiers. The relationship engine your practice already needed.

BAA on file AES-256 at rest SOC 2 in progress
CCAPRM
JM
Patient #7842 · Post-op D3
HIPAA
Session timeline LIVE
10:42Consent granted (SMS + Email)
11:03Post-op check-in sent
11:15Reply routed to Dr. Chen
11:32Follow-up scheduled
nowAI drafting reply···
P
Is the swelling still normal after day 3?
AI
DRAFT · PENDING REVIEW Some swelling for 3–5 days is normal after your procedure. Continue icing and monitor for [REDACTED] — call us if it worsens.
AES-256 TLS 1.3 Audit: 214 events / 90d
BAA on filesigned · every client
SOC 2 in progressType II · 2026
Secure channelTLS 1.3 · established

Marketing tech was built for e-commerce. Patient data needs a different shape — and a different threshold for trust

What it does

One system, the whole patient relationship

From first form to five-year recall — automated where it should be, human where it must be.

01 · INTAKE

Consent & onboarding

New patient enters — consent captured, forms auto-populated, records requested.

Automated
02 · ACTIVATE

Welcome sequence

Personalized onboarding messages, appointment prep, and first-visit expectations.

Automated
03 · CONVERSE

AI-drafted replies

Two-way messaging with AI drafts — every reply reviewed by a human before send.

Automated
04 · FOLLOW UP

Post-visit care

Automated recovery instructions, symptom check-ins, and satisfaction feedback.

Automated
05 · REACTIVATE

Recall & retention

Recall for overdue visits, birthday touches, and lapsed-patient sequences.

Automated
Architecture

How data actually flows

Every arrow encrypted. AI works from redacted content only. Every access logged — permanently.

TLS 1.3 FHIR/HL7 PHI STRIPPED IMMUTABLE LOG CCA PRM HUB PatientMOBILE · SMS EHR / PMSEPIC · ATHENA AI ModelREDACTED ONLY Audit LogTAMPER-EVIDENT
Encrypted channel (TLS 1.3 / FHIR) Redacted-only path to AI (PHI stripped)
HIPAA Security Rule

The controls, mapped and audited

Every card below maps to a real HIPAA Security Rule requirement. Not marketing language — the actual code sections.

§164.312(a)(1)

Access control

Unique user IDs, RBAC, automatic logoff, encryption & decryption enforced.

§164.312(b)

Audit controls

Immutable, tamper-evident audit trails for every PHI access and modification.

§164.312(c)(1)

Integrity

PHI is protected against improper alteration or destruction with hash verification.

§164.312(d)

Authentication

Multi-factor authentication for every staff account, no shared credentials.

§164.312(e)(1)

Transmission security

TLS 1.3 for every packet in transit — internal and external.

§164.308(a)(1)

Security management

Documented risk analysis, sanction policy, and information system activity review.

§164.310(a)(1)

Facility access

Physical safeguards at HIPAA-eligible cloud data centers — SOC 2 audited.

§164.410

Breach notification

Defined incident response, notification timelines, and disclosure workflow.

Integrations

Talks to your existing systems

Every major EHR and PMS — plus dozens more via documented APIs.

EpicMyChart, App Orchard
AthenahealthathenaOne API
CernerOracle Health
NextGenAPI v2
DentrixAscend, Enterprise
Open DentalREST API
EaglesoftPatterson integration
KareoTebra API

Don't see yours? If it has an API, we can integrate. Ask us on your intro call.

Governance

The paperwork you actually need

Compliance isn't a badge on a homepage. Here's the documentation we bring on day one.

Trust artifacts

Signed. Dated. Auditable

Everything below is on the table before we start work — not after you ask, not after you sign. If any item can't be produced, we'll tell you before you spend a dollar.

Business Associate AgreementSigned BAA on file for every engagement, reviewable by your counsel.
Signed
Annual penetration testIndependent third-party pen test, report available under NDA.
Annual
SOC 2 Type II attestationCurrently mid-engagement with independent auditor, targeting 2026.
In progress
Incident response planDocumented, tested quarterly, with 24-hour breach-notification workflow.
Live
The numbers

What we hold ourselves accountable to

These aren't marketing numbers. They're the operational commitments we sign into every BAA.

0%
BAA-ready engagements
Every client, day one
0
PHI breaches, ever
Zero, and we intend to keep it there
0m
Audit trail search
Any patient, any date, any event
24/7
SOC monitoring
Real humans watching, always
FAQ

The PRM, answered

The questions practice owners and IT leads ask us most.

01

What exactly is a PRM and how is it different from a CRM?

Definition

A CRM (customer relationship manager) is built for e-commerce and B2B sales. A PRM (patient relationship manager) is built for regulated healthcare communication — it treats every message as potentially containing protected health information, applies HIPAA safeguards by default, and integrates with EHR and PMS systems that CRMs never touch.

02

Do you sign a Business Associate Agreement (BAA)?

Legal

Yes. A signed BAA is a prerequisite for any engagement — not an add-on. We sign yours before we touch a single record, and we can review edits from your counsel. Anyone offering a “HIPAA-compliant” system without a BAA is not actually offering one.

03

Where is patient data stored and how is it encrypted?

Security

Data is stored in U.S.-based, HIPAA-eligible cloud infrastructure with AES-256 encryption at rest and TLS 1.3 in transit. Access is role-based, audit-logged, and time-bounded. No PHI ever leaves the encrypted boundary except through explicit, logged patient-facing channels.

04

Does the AI ever see raw patient identifiers?

AI Safety

No. Before any message reaches an AI model for drafting, our redaction layer strips names, dates of birth, MRNs, and other identifiers, replacing them with tokens. The AI works from the redacted content only; the final message is reconstructed inside the encrypted boundary. Your practice sees the full text; the model never does.

05

What EHR and PMS systems do you integrate with?

Integrations

We integrate with any system that offers a documented API or standards-based interface — including Epic, Athena, Cerner, Dentrix, Open Dental, Practice Fusion, Eaglesoft, Kareo, and dozens more. Integration is a scoped part of onboarding; we won't promise it if we can't deliver it.

06

What happens to our data if we cancel?

Governance

You own your data. On cancellation, we export it in an open, structured format within 30 days, then permanently delete it from our systems with a signed certificate of destruction. No lock-in, no ransom clauses, no exceptions.

Want to see the PRM with your data?

Book a scoped demo — we'll walk your practice manager and your IT lead through the same interface your team would use, and answer every compliance question on the call.

[DEMO.SCHEDULE]
OPERATIONAL · 99.99%
// SECURE_CHANNEL ESTABLISHED
NODE NY-01 //
Ready when you are

See it with your workflow.

Book a 30-minute scoped demo. Bring your practice manager and your IT lead — we'll answer every compliance question live, and hand off a spec you can review with your counsel.

BAA signed AES-256 TLS 1.3 SOC 2 HIPAA 24/7 SOC