HIPAA at PathwAI

PathwAI is built to serve health and wellness teams that collect protected health information during eligibility, intake, and checkout flows. This page explains how we support your HIPAA program—what safeguards are in place, what a BAA covers, and what your compliance team should know before and after signing.

What HIPAA means for intake flows

When patients answer eligibility questions, fill out health history, or enter demographic details before checkout, that data can qualify as protected health information (PHI) under HIPAA. The moment PHI touches your platform—or a vendor's platform on your behalf—both you and that vendor have compliance obligations.

Most form tools were not designed with this in mind. PathwAI is. The builder, routing engine, and data layer are structured to support the administrative, technical, and physical safeguard requirements that health-program operators need to document for their own HIPAA compliance programs.

Administrative safeguards

Documented policies, role-based access controls, workforce access review, and a BAA that establishes PathwAI's obligations as your business associate.

Technical safeguards

Encrypted data in transit (TLS), encryption at rest, audit-trail capabilities for data access, and access controls scoped to the minimum necessary.

Physical safeguards

PathwAI runs on enterprise cloud infrastructure with physical security, redundancy, and environmental controls managed by our hosting providers.

How PHI moves through a PathwAI flow

PathwAI acts as a conduit and processor—intake answers are collected through our builder, evaluated against your eligibility logic, and routed to the appropriate downstream step (checkout, booking, or a care-team queue). The platform is designed so that PHI is handled with the least-necessary footprint: we don't store it for advertising, we don't sell it, and we scope access to your team's authorized users.

Data flow: Patient answer → Encrypted transit → Eligibility routing → Your downstream system

Structured intake data

Intake fields are defined in your builder. Only fields you configure are collected—no unstructured free-text data pools that grow without oversight.

Downstream delivery

Outcomes and intake data are sent to your EHR, CRM, or care-ops queue via secure webhooks or native integrations, not held indefinitely in a reporting dashboard.

Consent capture

Consent and disclosure acknowledgements are built directly into the flow—timestamped and tied to the patient record from the moment of collection.

Access control

Access to collected data is scoped to users in your workspace. Enterprise customers can layer in SSO and role-based permissions to match their access governance policies.

Business Associate Agreements (BAAs)

Under HIPAA, a Business Associate Agreement is required whenever a covered entity or business associate shares PHI with a vendor that processes it on their behalf. PathwAI qualifies as a business associate for programs where intake flows collect PHI.

We offer a BAA to Enterprise plan customers. The BAA covers PathwAI's obligations under the HIPAA Security Rule and Privacy Rule—permitted uses of PHI, breach notification obligations, and return or destruction of PHI upon agreement termination.

What the BAA covers
  • Permitted and required uses of PHI PathwAI receives
  • Safeguards in place to prevent unauthorized use or disclosure
  • Breach and security incident reporting obligations
  • Subcontractor (sub-processor) obligations and flow-down
  • Return or secure destruction of PHI at termination

Subprocessors and HIPAA flow-down

PathwAI uses a small set of vetted third-party vendors to deliver the service—cloud hosting, payment processing, and analytics infrastructure. Where those vendors touch PHI, we have sub-processor agreements that flow down the same HIPAA obligations. A full list of subprocessors, their purpose, and region is available on the subprocessors page.

What to expect in a compliance review

Security and compliance reviews for health-tech vendors can take days to weeks and involve IT, legal, and clinical leadership. We've been through this process with health-program operators and are set up to support it. Here is what we can typically provide:

Security questionnaire responses

We'll complete your security questionnaire with accurate, documented responses. We support standard formats including CAIQ, SIG, and custom vendor templates.

Architecture walkthrough

For sensitive programs, we'll walk through the data flow, hosting topology, and access control model with your security or IT team directly.

Documentation package

HIPAA summary, BAA (Enterprise), subprocessor list, and security overview—everything in one request so your team doesn't chase us for docs.

Procurement support

If your legal or procurement team needs additional representations or custom contract language, our Enterprise process is designed to accommodate that.

HIPAA FAQ

Is PathwAI HIPAA certified?

HIPAA does not have a formal third-party certification. PathwAI is designed to operate in HIPAA-regulated environments and we support the administrative, technical, and physical safeguards the Security Rule requires. We are not SOC 2 certified at this time, but our Enterprise review process is designed to provide your compliance team with the documentation they need.

Does PathwAI sign a BAA with all customers?

A BAA is available on the Enterprise plan. If your intake flows collect PHI and you are a covered entity or business associate, a signed BAA is a HIPAA requirement before going live with PHI-bearing workflows. Contact us to initiate the Enterprise review process.

What counts as PHI in a PathwAI flow?

Any individually identifiable health information collected by your flow can constitute PHI—health history answers, medication lists, symptoms, diagnoses, and related demographic data tied to a patient identity. Whether a given field counts as PHI depends on your specific flow design and your legal counsel's assessment; we can help you think through this in a review call.

Does PathwAI store PHI?

PathwAI processes intake data as patients complete flows and routes it downstream to your designated systems. We retain structured responses for operational purposes (e.g., analytics and audit logs) according to the retention policy in your BAA. We do not use PHI for advertising or sell it.

What happens to data if we cancel?

At termination, PathwAI will provide a data export and securely delete or return PHI according to the terms in your BAA and our data handling policy. Enterprise customers can request a documented destruction confirmation.

Can we use PathwAI for GLP-1, HRT, or mental health intake?

Yes—those are exactly the use cases PathwAI is built for. We have purpose-built templates and flow structures for GLP-1 eligibility, HRT intake, and other sensitive health program workflows, all designed with PHI handling in mind.

Ready to evaluate PathwAI for your HIPAA program?

Book a compliance review call. We'll walk through the architecture, answer your security team's questions, and provide documentation for your vendor review—usually within a business day.