Nextvisit is HIPAA-compliant, SOC 2 Type II certified, and ISO/IEC 42001 certified. A Business Associate Agreement (BAA) is signed by default with every customer. This article covers what those certifications and attestations actually mean for how your patient data is handled.
What gets stored, and where
Patient data lives in three places:
- The encrypted patient record (demographics, encounters, notes, codes, billing data, screener scores). Stored in a HIPAA-compliant data center in the United States with encryption at rest using AES-256 and in transit using TLS 1.2 or higher.
- Audio recordings of encounters. Stored in the same encrypted environment, with retention configurable per workspace. Default retention is 90 days; many practices set it shorter.
- Generated artifacts (transcripts, drafted notes, peer reviews, AI Timeline entries, Treatment Pulse outputs). Stored alongside the encounter record with the same encryption posture.
No patient data leaves the United States. No patient data is shared with model providers in a way that could be used for training a global model.
What the AI sees, and what it does not
When AriaMD processes a recording, the audio is sent to the speech-to-text and language model components inside the Nextvisit infrastructure. The processing happens under the BAA. The model providers we work with are themselves under BAA with us, and the prompts and responses for clinical processing are not used to train any global model. This is documented in our ISO/IEC 42001 management system and audited annually.
The personalization layer that adapts AriaMD to your charting style operates on style features only. It does not store raw patient text in a way that could be reverse-engineered to a specific encounter.
What the BAA covers
The standard BAA we sign covers the provisions HIPAA requires of a business associate agreement:
- Permitted uses and disclosures of PHI.
- Safeguards required to prevent unauthorized use or disclosure.
- Reporting of security incidents.
- Access for the patient under the right of access provision.
- Subcontractor agreements for any downstream processors.
- Breach notification timelines.
The BAA is signed at workspace creation. Enterprise customers can sign a custom BAA with negotiated terms; the standard agreement is appropriate for most practices.
ISO/IEC 42001
ISO/IEC 42001 is the international standard for AI management systems, focused on AI governance: risk assessment, data lineage, model lifecycle, human oversight, and incident response. Nextvisit is certified, which means our AI subsystems are under documented governance, change management, and audit. The certification is renewed annually.
This matters specifically because behavioral-health AI documentation is the highest-stakes ambient AI use case in healthcare. The chart contains direct quotes about suicidal ideation, substance use, and trauma history. The 42001 management system is what makes the AI behavior auditable, not just compliant.
SOC 2 Type II
SOC 2 Type II is an attestation that the security, availability, processing integrity, confidentiality, and privacy controls described in our system description, assessed against the AICPA Trust Services Criteria, are operating effectively over a defined period (typically twelve months). The audit is performed by a third-party CPA firm and renewed annually.
The current SOC 2 report is available under NDA from the trust center (https://trust.nextvisit.ai). Procurement teams typically request it during contracting; we can provide it within a few business days.
Data deletion and retention
When you delete a patient record in Nextvisit, the record is soft-deleted for 30 days, then permanently removed. Audio recordings follow the configured retention policy.
When you cancel a Nextvisit subscription, the workspace data is retained for 90 days to allow export, then permanently removed. We can extend the retention window on request.
A patient’s right of access request (under HIPAA or state law) is supported through the patient profile export. Workspaces can produce the export themselves, or request that the support team produce it.
Where to ask security questions
For specific security or compliance questions, email security@nextvisit.ai. The trust team responds within one business day. Complex procurement questionnaires (commercial payer security reviews, hospital system vendor onboarding) typically take three to five business days for a complete response.