HIPAA-Compliant Clinical AI: How We Handle Your Data
When you're dealing with protected health information (PHI), security isn't optional — it's foundational. Here's how Quicka Health ensures your patient data is protected at every level.
Our Security Principles
Every decision we make is guided by three core principles:
- Least privilege access — only the minimum data needed is accessed
- Encryption everywhere — data is encrypted in transit and at rest
- Australian data residency — your data stays in Australia
Data Flow Architecture
Here's what happens when you record a consultation:
Recording Phase
- Audio is streamed over TLS 1.3 encrypted connections
- No raw audio is stored permanently
- Transcription happens in real-time with immediate processing
Processing Phase
- AI generates structured clinical notes
- Notes are stored in encrypted databases
- Patient identifiers are handled with strict access controls
Storage Phase
- All data resides in Australian data centres
- Row-level security (RLS) ensures multi-tenant isolation
- Regular security audits and penetration testing
We use Supabase with Row-Level Security (RLS) policies to ensure that clinic data is completely isolated. One clinic can never access another clinic's patient data.
What We Don't Do
Equally important is what we don't do with your data:
- ❌ We never use patient data to train AI models
- ❌ We never share data with third parties
- ❌ We never store raw audio after processing
- ❌ We never allow cross-tenant data access
Compliance Framework
Quicka Health's architecture is designed to comply with:
| Standard | Status |
|---|---|
| HIPAA | ✅ Compliant |
| Australian Privacy Act | ✅ Compliant |
| GDPR (for EU patients) | ✅ Compliant |
| SOC 2 Type II | 🔄 In progress |
For IT Teams and Practice Managers
If you're evaluating Quicka Health for your practice, here are the key technical details:
Authentication
- Multi-factor authentication (MFA) support
- SSO integration available for enterprise plans
- Session management with automatic timeout
Audit Logging
- All data access is logged
- Audit trails for compliance reporting
- Real-time monitoring for anomalous access patterns
Data Portability
- Export your data at any time in standard formats
- No vendor lock-in
- Full data deletion on account closure
If you have specific compliance requirements beyond what's listed here, please contact our security team. We're happy to provide detailed security documentation and complete a security questionnaire.
Learn More
- Security & Privacy page — our full security documentation
- Privacy Policy — how we collect, use, and protect data
- Terms of Service — our service agreement
Questions about security? Reach out to our team — we take data protection seriously.