HIPAA Compliance
Last updated: February 28, 2026
Our Approach: De-Identified by Design
Wellistic takes a fundamentally different approach to healthcare data privacy. Rather than collecting Protected Health Information (PHI) and then securing it, we designed the system so that PHI never enters the platform in the first place.
There are no fields in the Wellistic interface for patient names, dates of birth, Social Security numbers, addresses, phone numbers, or any other identifying information. The inputs are clinical descriptions only: chief complaint, treatment performed, clinical findings, and treatment plan.
Health information that has been de-identified under 45 CFR § 164.514, either by removing the eighteen Safe Harbor identifiers with no actual knowledge that what remains could identify the individual (§ 164.514(b)(2)), or by a qualified expert's determination that the risk of re-identification is very small (§ 164.514(b)(1)), is not PHI and falls outside the HIPAA Privacy and Security Rules. Keeping identifiers out of the platform entirely is therefore the simplest architecture to defend for an AI documentation tool.
What This Means in Practice
- No patient names — The input form does not have a patient name field. A prominent disclaimer reminds users not to include identifying information.
- No PII in AI processing — The clinical details sent to the AI model contain no patient-identifying information. A session input like "Client presents with chronic lower back pain, treated with deep tissue massage to lumbar paraspinals" contains nothing that identifies the patient. This holds only as long as the free text stays free of identifiers: dates other than a year (including dates of birth and dates of service), ages over 89, and geographic detail smaller than a state are all Safe Harbor identifiers and belong outside the platform just as names do.
- No PII in storage — Saved notes in your Wellistic account contain de-identified clinical content only. They are associated with your practitioner account, not with any patient identity.
- Practitioner responsibility — You add patient-identifying details to the final note after exporting it from Wellistic, within your own HIPAA-compliant record-keeping system.
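The design above relies on free-text fields staying free of identifiers, so a practitioner integrating a tool like this would want a pre-submission check that catches the obvious Safe Harbor identifier patterns before anything leaves the browser or reaches the model. The following is an added example written for this page, not Wellistic's code; the pattern set, the `Finding` type and the two constructed sample inputs are all assumptions. It screens text for formatted identifiers (SSNs, phones, emails, dates, labelled names, ages over 89, record numbers, labelled ZIP codes) and shows what a redacted version would look like, so the user can edit before sending rather than have the tool silently strip content.

```python
import re
from dataclasses import dataclass

# Added example: a pre-submission screen for Safe Harbor identifier patterns
# (45 CFR 164.514(b)(2)). Pattern matching cannot catch every identifier (a
# bare name with no label, an unusual condition in a small community), so a
# clean result is not a guarantee; a hit is a reason to stop and edit.


@dataclass(frozen=True)
class Finding:
    category: str  # which identifier class the match falls under
    match: str     # the offending text, for display to the practitioner
    start: int     # character offset, so a UI can highlight it


# Each pattern maps to one Safe Harbor identifier class. They are deliberately
# broad: a false positive costs an edit, a miss lets PHI into a system that was
# designed never to hold it.
PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    # Separators are required, so 10-digit record numbers do not trip this.
    ("phone", re.compile(r"(?<!\d)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    # Any date more specific than a year is an identifier, DOB or date of
    # service alike. The spelled-out form requires a year so that phrases like
    # "may 10 minutes" are not flagged.
    ("date", re.compile(
        r"\b(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}|\d{4}-\d{2}-\d{2}"
        r"|(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\.?"
        r"\s+\d{1,2}(?:st|nd|rd|th)?,?\s+\d{4})\b", re.I)),
    # A label announcing a name is a far stronger signal than any list of
    # first names could be; capitalised words must follow the label.
    ("name", re.compile(
        r"\b(?i:patient|client|pt|name)\s*(?i:name)?\s*[:=]\s*[A-Z][a-z]+(?:\s+[A-Z][a-z]+)*")),
    ("age_over_89", re.compile(r"\b(?:9\d|1\d\d)\s*(?:-\s*)?(?:years?[\s-]*old|yo\b|y/o)", re.I)),
    ("record_number", re.compile(
        r"\b(?:MRN|medical record|chart|account)\s*(?:no\.?|number|#)?\s*[:#]?\s*\d{4,}\b", re.I)),
    # Bare five-digit numbers are too ambiguous; only labelled ZIPs are flagged.
    ("zip", re.compile(r"\b(?:zip|zipcode|zip code)\s*[:#]?\s*\d{5}(?:-\d{4})?\b", re.I)),
]


def find_identifiers(text: str) -> list[Finding]:
    """Return every suspected identifier in `text`, ordered by position."""
    findings = [
        Finding(category, m.group(0), m.start())
        for category, pattern in PATTERNS
        for m in pattern.finditer(text)
    ]
    return sorted(findings, key=lambda f: f.start)


def screen(text: str) -> tuple[bool, list[Finding]]:
    """True when the text can be sent on; False plus the findings otherwise."""
    findings = find_identifiers(text)
    return (not findings, findings)


def redact(text: str) -> str:
    """Replace each suspected identifier with a bracketed category tag.

    Meant as a preview shown to the practitioner, not as a silent filter:
    the point of the design is that the user removes identifiers, so they
    need to see exactly what tripped the screen.
    """
    pieces, cursor = [], 0
    for f in find_identifiers(text):
        if f.start < cursor:  # overlapping match already covered
            continue
        pieces.append(text[cursor:f.start])
        pieces.append(f"[{f.category.upper()}]")
        cursor = f.start + len(f.match)
    pieces.append(text[cursor:])
    return "".join(pieces)


# Constructed samples: the first is the page's own example of acceptable input,
# the second is the kind of note a user might paste in despite the warnings.
CLEAN_SAMPLE = ("Client presents with chronic lower back pain, treated with "
                "deep tissue massage to lumbar paraspinals.")
DIRTY_SAMPLE = ("Patient: Jane Doe, DOB 03/14/1981, phone 555-123-4567. "
                "Presents with chronic lower back pain; seen 2025-11-02.")

if __name__ == "__main__":
    for sample in (CLEAN_SAMPLE, DIRTY_SAMPLE):
        ok, findings = screen(sample)
        print("OK to send" if ok else "BLOCKED:", [(f.category, f.match) for f in findings])
        if not ok:
            print("  preview:", redact(sample))
```

Run as a script it passes the page's own example input and blocks the constructed note, listing the name label, two dates and the phone number. In a real deployment the same check would run client-side before the request is built, so flagged text never reaches the server at all.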
Security Measures
- All data encrypted in transit (TLS 1.2+)
- All data encrypted at rest
- Row-level security ensuring users access only their own data
- Secure authentication with password hashing
- API rate limiting to prevent abuse
- No clinical data used for AI model training
- Regular security reviews and monitoring
User Responsibilities and Liability
As a Wellistic user, you are responsible for:
- Not entering patient names, dates of birth or service, or any other identifying information into the free-text fields
- Reviewing all AI-generated notes before including them in patient records
- Maintaining HIPAA compliance in your own record-keeping practices
- Securing your Wellistic account credentials
Important: The de-identified design of Wellistic depends on users not entering Protected Health Information (PHI) into the system. If you enter patient names, dates of birth, or other identifying information into the free-text fields despite the system design and warnings, you do so at your own risk. Wellistic is not liable for any HIPAA violations resulting from a user voluntarily entering PHI into the system in contravention of our terms and usage guidelines.
AI Processing
Wellistic uses Anthropic's Claude AI for note generation. Your de-identified clinical inputs are sent to the Anthropic API, processed, and returned as a formatted note. Under Anthropic's commercial API terms, API inputs and outputs are not used to train Anthropic's models. How long Anthropic retains API inputs is governed by Anthropic's own data-retention terms rather than by Wellistic; if your compliance program requires a specific retention period, confirm it against those terms.
Business Associate Agreements (BAAs)
Because Wellistic is designed so that PHI never enters the platform, a Business Associate Agreement is generally not required for standard use of the Service. The data processed by Wellistic is de-identified clinical content, which falls outside the scope of HIPAA's BAA requirements.
However, if your compliance program requires a BAA as an additional safeguard, we are willing to discuss your specific needs. Contact us at privacy@wellistic.com.
Incident Response
In the unlikely event of a data security incident, Wellistic will:
- Promptly investigate and contain the incident
- Notify affected users within 72 hours of discovery
- Provide a clear description of what occurred, what data was affected, and what steps are being taken
- Cooperate with any applicable regulatory inquiries
Because Wellistic is designed not to process PHI, a security incident involving de-identified Wellistic data would not constitute a HIPAA breach requiring notification under the Breach Notification Rule (45 CFR §§ 164.400-414). That holds only for data that is in fact de-identified: records into which a user has entered identifiers despite the design and warnings would have to be assessed as PHI. Nonetheless, we are committed to transparency and will notify users of any incident affecting their data, so that each user can make that assessment for their own records.
Questions
For questions about our privacy practices, HIPAA compliance, or to discuss a Business Associate Agreement, contact us at privacy@wellistic.com.