
HIPAA at Wilma.

Wilma is a Business Associate to every practice it serves. PHI never leaves the lane it's supposed to.

Every Wilma customer signs a Business Associate Agreement before going live — included in every plan, no upgrade required.

The short version

  • BAA on every plan, executed before any PHI is processed.
  • PHI encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Strict access controls, audit logs, breach-notification commitments.
  • U.S.-only processing. No training on patient data — ever.

The Business Associate Agreement

Where Wilma processes PHI on behalf of a Covered Entity, the BAA we sign with that customer governs the processing. The BAA conforms to 45 CFR § 164.504(e) and covers:

  • Permitted and required uses and disclosures of PHI
  • Safeguards Wilma must implement
  • Reporting of unauthorized uses, disclosures, or security incidents
  • Sub-Business Associate requirements
  • Access, amendment, and accounting-of-disclosures support
  • Return or destruction of PHI at termination

Administrative safeguards

  • Privacy & Security Officer. Wilma appoints a Privacy Officer and a Security Officer. Reach them by email.
  • Risk assessments. Annual Security Risk Assessment under the HIPAA Security Rule, plus a follow-up after any material architectural change.
  • Workforce training. All personnel complete HIPAA training within 30 days of hire and annually thereafter.
  • Sanctions policy. Documented disciplinary process for any workforce member who fails to comply.
  • Business associate management. BAAs in place with every downstream sub-processor that may handle PHI.

Technical safeguards

  • Access control. Unique user IDs, automatic logoff, emergency access procedure, MFA required for production access.
  • Audit controls. Every read, write, and admin action on PHI is captured with actor, source IP, and timestamp.
  • Integrity. Append-only storage for call records and transcripts. Tampering detection on PMS writes.
  • Transmission security. All PHI in motion uses TLS 1.3 with modern cipher suites. Telephony traffic to Twilio is encrypted to the telephony edge.

Physical safeguards

Wilma runs on AWS infrastructure in U.S. regions that maintain SOC 2 Type II, ISO 27001, and HITRUST attestations covering physical access, environmental controls, and media handling. Wilma workstations and laptops are managed by MDM with full-disk encryption and remote-wipe.

Breach notification

In the event of a breach affecting unsecured PHI, Wilma will notify the affected customer without unreasonable delay and in any event within 72 hours of discovery, in accordance with 45 CFR § 164.410 and our signed BAA.

What Wilma does not do

  • We do not sell PHI. Ever.
  • We do not use PHI to train models for any other customer.
  • We do not process PHI outside the U.S. or share PHI with non-BAA-bound third parties.
  • Wilma does not provide medical or dental advice. Clinical questions are routed to your designated provider.

Need our BAA, SRA summary, or audit responses?

Email our HIPAA team. We'll send the executable BAA, the latest Security Risk Assessment summary, and our standard security-questionnaire response within one business day.