HIPAA Compliance
AutoICD API is designed to be HIPAA compliant from the ground up. Patient data is processed in memory only and is never stored, logged, or used for model training.
How We Protect Patient Data
Every layer of the platform is built to minimize data exposure.
In-Memory Processing Only
Clinical text is processed entirely in memory. Nothing is written to disk, database, or any persistent storage. Once the response is sent, the data is gone.
Zero PHI Storage
We never store, log, or cache protected health information. Request payloads are not retained in any form — not in logs, not in analytics, not anywhere.
TLS Encryption in Transit
Every API request is encrypted with TLS 1.2+. Data is protected from the moment it leaves your system until the response arrives back.
API Key Authentication
Every request requires a valid API key. Keys are hashed at rest and can be rotated or revoked instantly from your dashboard.
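The "hashed at rest, revocable, rotatable" property described above can be illustrated with a small key store. This is an added example, not AutoICD API's own implementation; the key format `ak_<key id>_<secret>`, the `ApiKeyStore` class and its methods are assumptions made for illustration. Because the secret part is high-entropy random data rather than a human-chosen password, a plain SHA-256 digest is adequate at rest, and the comparison uses `hmac.compare_digest` so verification time does not depend on how many bytes match.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class ApiKeyStore:
    """Hypothetical key store (assumption, not the vendor's code).

    The plaintext key is returned exactly once, at issue time. Only a
    SHA-256 digest of the secret part is retained, so a copy of the store
    does not yield usable keys.
    """

    def __init__(self) -> None:
        # key_id -> {"hash": hex digest of secret, "revoked": bool}
        self._records: Dict[str, Dict[str, object]] = {}

    def issue(self) -> str:
        key_id = secrets.token_hex(8)            # hex only, so it never contains "_"
        secret = secrets.token_urlsafe(32)       # 256 bits of randomness
        self._records[key_id] = {
            "hash": hashlib.sha256(secret.encode()).hexdigest(),
            "revoked": False,
        }
        return f"ak_{key_id}_{secret}"

    @staticmethod
    def _split(presented: str) -> Optional[tuple]:
        # maxsplit=2 keeps any "_" inside the urlsafe secret intact
        parts = presented.split("_", 2)
        if len(parts) != 3 or parts[0] != "ak":
            return None
        return parts[1], parts[2]

    def verify(self, presented: str) -> bool:
        parsed = self._split(presented)
        if parsed is None:
            return False
        key_id, secret = parsed
        rec = self._records.get(key_id)
        if rec is None or rec["revoked"]:
            return False
        digest = hashlib.sha256(secret.encode()).hexdigest()
        # constant-time comparison of the two hex digests
        return hmac.compare_digest(digest, str(rec["hash"]))

    def revoke(self, key_id: str) -> bool:
        """Mark a key unusable immediately; returns False if the id is unknown."""
        rec = self._records.get(key_id)
        if rec is None:
            return False
        rec["revoked"] = True
        return True

    def rotate(self, presented: str) -> Optional[str]:
        """Revoke a valid key and hand back a fresh one; None if the old key is invalid."""
        if not self.verify(presented):
            return None
        key_id, _ = self._split(presented)
        self.revoke(key_id)
        return self.issue()


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue()
    print("valid:", store.verify(key))
    print("rotated:", store.rotate(key) is not None, "old still valid:", store.verify(key))
```

Rotation here is revoke-then-issue; a production service would usually keep the old key valid for a short overlap window so in-flight clients are not cut off mid-deploy.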
Business Associate Agreements
BAAs are available for Pro and Enterprise plan users. Sign directly from your dashboard — no back-and-forth with legal teams required.
No Model Training on Your Data
Your clinical text is never used to train, fine-tune, or improve our models. The AI models are trained exclusively on public medical datasets.
HIPAA Rule Coverage
How AutoICD API addresses each of the three main HIPAA rules.
Privacy Rule
PHI is never stored or disclosed. Our de-identification endpoint helps you meet Safe Harbor requirements by stripping 18 HIPAA identifier types from clinical text.
Security Rule
Administrative, physical, and technical safeguards are in place: TLS encryption, API key authentication, in-memory-only processing, and access controls on all infrastructure.
Breach Notification Rule
Since we never store PHI, breach risk is structurally eliminated. There is no data at rest to be compromised.
PHI De-identification
In addition to our zero-storage architecture, we offer a dedicated de-identification endpoint that strips protected health information from clinical text before processing. It detects and masks names, dates, SSNs, phone numbers, email addresses, physical addresses, medical record numbers, and ages.
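The categories listed above map onto the HIPAA Safe Harbor identifiers, and a de-identification pass is essentially an ordered set of detectors with a replacement policy per category. The example below is added here for illustration and is not AutoICD API's endpoint: it uses hand-written regular expressions (a real service would add proper named-entity recognition for names and addresses), and the sample note, pattern set and placeholder tokens are all constructed assumptions. It does carry two Safe Harbor details a practitioner wants to see: dates keep only their year, and ages are masked only when they exceed 89, since younger ages are permitted under Safe Harbor.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample note; assumption, not real patient data.
SAMPLE_NOTE = (
    "Pt Mr. John Carter, 92 years old, MRN: 00418273, seen 03/14/2021. "
    "Call 555-123-4567 or john.carter@example.com. SSN 123-45-6789. "
    "Daughter is 45 years old. Follow-up 2021-04-02."
)


def _mask_date(m: re.Match) -> str:
    # Safe Harbor allows the year to remain; month and day are removed.
    s = m.group(0)
    year = s[:4] if "-" in s else s.split("/")[-1]
    if len(year) == 2:
        year = "20" + year  # assumption: two-digit years are 2000s
    return f"[DATE {year}]"


def _mask_age(m: re.Match) -> str:
    # Safe Harbor requires aggregation only for ages over 89.
    return "[AGE>89]" if int(m.group(1)) > 89 else m.group(0)


# Ordered rules: more specific digit patterns (SSN, phone, MRN) run before dates
# so a date rule never consumes part of another identifier.
RULES: List[Tuple[str, re.Pattern, Callable[[re.Match], str]]] = [
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda m: "[SSN]"),
    ("PHONE", re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"), lambda m: "[PHONE]"),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), lambda m: "[EMAIL]"),
    ("MRN",   re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.I), lambda m: "[MRN]"),
    ("DATE",  re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"), _mask_date),
    ("AGE",   re.compile(r"\b(\d{1,3})[ -](?:years?|yrs?)[ -]old\b", re.I), _mask_age),
    # Crude title-based name detector; stands in for real NER.
    ("NAME",  re.compile(r"\b(?:Mr|Mrs|Ms|Dr)\.?\s+[A-Z][a-z]+(?:\s+[A-Z][a-z]+)?"), lambda m: "[NAME]"),
]


def deidentify(text: str) -> Tuple[str, Dict[str, int]]:
    """Apply every rule in order; return masked text and per-category hit counts."""
    counts: Dict[str, int] = {}
    for label, pattern, repl in RULES:
        def _sub(m: re.Match, label=label, repl=repl) -> str:
            out = repl(m)
            if out != m.group(0):           # only count real masking (e.g. age <= 89 is kept)
                counts[label] = counts.get(label, 0) + 1
            return out
        text = pattern.sub(_sub, text)
    return text, counts


if __name__ == "__main__":
    masked, hits = deidentify(SAMPLE_NOTE)
    print(masked)
    print(hits)
```

The per-category counts are what you would log instead of the text itself: they let you monitor the detector without a single identifier ever leaving memory, which matches the zero-PHI-in-logs posture described on this page.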
Business Associate Agreements
A BAA is a legal contract required by HIPAA when a covered entity shares PHI with a business associate. AutoICD API offers BAAs to Pro and Enterprise plan users, available for self-service signing directly from the dashboard.
Frequently Asked Questions
Do you store any patient data?
No. All clinical text is processed in memory and discarded immediately after the response is sent. We do not store, log, or cache any PHI.
Is a BAA included with all plans?
BAAs are available on Pro and Enterprise plans. The free trial and Basic plan do not include BAAs, though the same zero-storage architecture applies to all plans.
Is the de-identification endpoint required?
No. The de-identification endpoint is an optional tool for stripping PHI before processing or sharing text. The coding endpoint itself never stores data regardless.
Can I use AutoICD API with electronic health records?
Yes. The REST API and SDKs can integrate with any EHR system that supports outbound API calls. Data flows directly from your system to our API and back — nothing is stored in between.