🔒 Trust & security

HIPAA Compliance & Data Security

How ImplicitifyAI protects clinical data with a zero-PHI patient link architecture, deterministic peer-reviewed scoring, encrypted transit and storage, and a formal BAA process for licensed clinicians.

Architecture: Zero-PHI Design

ImplicitifyAI is built around the principle that the platform should never need to see, touch, or store identifiable patient information in order to do its job. Assessment delivery, response capture, and scoring are all handled on the basis of opaque tokens — not patient identities.

Opaque Token Links

Each patient assessment is delivered via a randomly generated UUID token. No name, no date of birth, no identifying information is embedded in or associated with the link on our servers.

Alias-Only Profiles

Clinicians may optionally create a client profile using a self-chosen alias (e.g., 'Client A'). The platform never prompts for or stores the patient's real name.

Auto-Purge at 30 Days

Completed assessment response data is automatically scheduled for deletion 30 days after completion. Clinicians should export or review reports before that window closes.

Deterministic Scoring Engine

No AI is used in the measurement chain. Scores are computed by a deterministic, peer-reviewed algorithm — fully reproducible and auditable, with no LLM inference in scoring logic.

Encryption in Transit & at Rest

All data is encrypted in transit via TLS 1.2+ and encrypted at rest using industry-standard key management. Access logs are retained for 90 days.

Role-Based Access Control

Clinician accounts have access only to their own client tokens and reports. No cross-clinician data access is possible by default.

What ImplicitifyAI is — and is not

ImplicitifyAI is an automated assessment software platform used by licensed clinicians as an administration and scoring tool. It is not a covered entity under HIPAA by default — it operates as a business associate when clinicians who are covered entities use it to administer assessments to their patients.

  • The platform does not provide clinical services. Scores and reports are professional outputs used by clinicians in their practice.
  • The administering clinician retains clinical and legal responsibility for patient data under their applicable privacy regulations.
  • Assessment data sent to patients via token links is not visible to ImplicitifyAI staff unless a clinician expressly opens a support ticket referencing a specific token.

✓ Business Associate Agreement (BAA)

A BAA is available to licensed clinicians who are covered entities under HIPAA. Contact us at support to initiate the BAA process. BAA execution is required before using the clinician-access tier for US patients in covered practice contexts.

Scope & limitations

This page is a description of our current technical posture, not a formal legal claim. Final wording of any BAA or data-processing addendum governs. This page was last updated May 1, 2026. If you have specific compliance questions, contact your institutional legal or compliance team.

  • ImplicitifyAI is hosted on US-based cloud infrastructure.
  • Database servers are located in the US.

Page last updated: May 1, 2026