Security

Security Is the Product

Clinical documentation is only useful if it is unimpeachably private. The moment a patient begins to speak, every word of that conversation becomes Protected Health Information under HIPAA, and the obligation to protect it transfers, instantly, to the platform listening on the other end of the microphone.

VoiceboxMD was built around that obligation. Speech recognition is what the product does; security is what makes the product trustworthy enough to use. Every utterance processed by our engine is encrypted before it leaves the device, decrypted only inside isolated processing memory, and re-secured before persistent storage. Audio recordings are not retained beyond the active session. Transcripts and account data are accessible only through the credentials of the clinician who authored them. There is no shared inbox, no bulk export, no data lake of patient voice. Confidential information stays confidential by default, by configuration, and by cryptography.

HIPAA Compliance and Your Business Associate Agreement

Under HIPAA, any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a Business Associate, and a signed BAA is required by 45 CFR 164.504(e). VoiceboxMD signs a Business Associate Agreement with every customer who handles PHI, on every paid plan, at no extra cost.

The VoiceboxMD BAA establishes our binding obligations to:

• Use and disclose PHI only as permitted by the agreement and the HIPAA Privacy and Security Rules.
• Implement administrative, physical, and technical safeguards consistent with 45 CFR 164.308, 164.310, and 164.312.
• Report any security incident or breach of unsecured PHI without unreasonable delay.
• Pass equivalent obligations to subcontractors that touch PHI.
• Return or destroy PHI at the end of the relationship.

Our compliance program is mapped to the standards published by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights and to NIST Special Publication 800-66 Revision 2 (Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide, finalized February 14, 2024), the current authoritative federal guidance for HIPAA-regulated entities. Where the proposed January 2025 HIPAA Security Rule modifications anticipate new mandatory controls, including universal encryption of ePHI, enforced multi-factor authentication, biannual vulnerability scans, and annual penetration testing, VoiceboxMD already operates at or above that bar.

To request a copy of the current BAA, email support@voiceboxmd.com

Zero-Knowledge, Least-Privilege Architecture

VoiceboxMD is built on a zero-knowledge, least-privilege model: the platform does the cryptographic work required to recognize speech and store transcripts, but no human at VoiceboxMD has standing access to the contents of any customer’s clinical notes.

In practical terms:

• No standing employee access. Engineers cannot read clinical transcripts as part of normal operations. Production data is segregated from development and staging environments.
• Break-glass procedure only. Any access to a customer’s data, for example to investigate a support ticket the customer has explicitly filed, requires customer authorization, time-bounded credentials, dual-control approval, and an immutable audit log entry.
• Account-level isolation. Each customer’s transcripts are bound to that customer’s encryption context. There is no cross-tenant query path.
• Device-bound access. Every utterance is, by design, accessible only to the authenticated user and the device they used to capture it. Login credentials are the gatekeeper, and credentials are protected by MFA and rate-limiting.

The architecture borrows the rigor of zero-trust networking, never trust, always verify, and applies it inside the application layer, not just at the perimeter.

Penetration Testing, Vulnerability Management, and Independent Audits

Security claims are only credible when they are tested by people whose job is to break them. VoiceboxMD’s external assurance program includes:

• Annual third-party penetration testing of the web application, API, mobile clients, and supporting infrastructure, conducted by an independent credentialed firm. Critical findings are remediated on a documented SLA; reports are available under NDA to qualified prospects.
• Continuous automated vulnerability scanning of production hosts, container images, and dependencies, exceeding the biannual cadence anticipated by the proposed 2025 HIPAA Security Rule update.
• Static and dynamic application security testing (SAST/DAST) integrated into our CI/CD pipeline, so security regressions are blocked before they reach production.
• Responsible disclosure channel for independent researchers (see Vulnerability Reporting below).
• SOC 2 Type II-aligned controls across security, availability, and confidentiality criteria.

Infrastructure Hardening and Incident Response

VoiceboxMD runs on a cloud-native, segmented, defense-in-depth infrastructure inside US-region cloud environments. Network segmentation isolates the public web tier, the application tier, and the data tier. A Web Application Firewall and DDoS mitigation sit in front of every public endpoint. Container images and host operating systems are hardened and automatically patched. Production data stores have no direct internet access. Production hosts are immutable, rebuilt from known-good images rather than patched in place. Encrypted backups are stored in a separate availability zone and key context, and their recoverability is tested on a documented schedule.

VoiceboxMD maintains a documented Incident Response Plan tested at least annually. Our targeted timeline aligns with the 72-hour restoration objective contemplated by the proposed HIPAA Security Rule update. In the unlikely event of a confirmed breach of unsecured PHI, VoiceboxMD will (1) contain and eradicate the threat while preserving forensic evidence, (2) notify affected covered-entity customers without unreasonable delay and within the timelines required by 45 CFR 164.410, (3) provide affected customers with the information they need to satisfy their own breach-notification obligations to patients and HHS, and (4) conduct a documented post-incident review and remediation.

Operational Practices: Workforce, Subprocessors, and Business Continuity

Workforce security. Background checks (criminal, employment, education) on all employees and long-term contractors prior to access provisioning. Mandatory HIPAA Privacy and Security Rule training at onboarding and annually thereafter. Phishing simulation and security-awareness exercises throughout the year. Confidentiality and acceptable-use agreements signed before any access to systems. Documented offboarding that includes same-day credential revocation.

Subprocessor management. VoiceboxMD operates a documented Vendor Risk Management program. Every subprocessor that may touch PHI is reviewed for SOC 2, ISO 27001, or HITRUST posture, signs a HIPAA-compliant BAA, and is reassessed at least annually. A current list of subprocessors is maintained and provided to BAA-covered customers on request.

Business continuity and disaster recovery. Redundant compute and storage span multiple availability zones inside the US region. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets are documented in our Business Continuity Plan, which is tested at least annually. Encrypted backups are isolated from production credentials and are recoverable into a clean environment.

Frequently Asked Questions