HIPAA Compliance
Last updated: March 7, 2026
Our Approach: De-Identified by Design
Wellistic takes a fundamentally different approach to healthcare data privacy. Rather than collecting Protected Health Information (PHI) and then securing it, we designed the system so that PHI never enters the platform in the first place.
There are no fields in the Wellistic interface for patient names, dates of birth, Social Security numbers, addresses, phone numbers, or any other identifying information. The inputs are clinical descriptions only: chief complaint, treatment performed, clinical findings, and treatment plan.
When data is de-identified in accordance with 45 CFR § 164.514 — meaning it cannot reasonably be used to identify an individual — it is not considered PHI under HIPAA. This is the safest possible architecture for an AI documentation tool.
What This Means in Practice
- No patient names — The input form does not have a patient name field. A prominent disclaimer reminds users not to include identifying information.
- No PII in AI processing — The clinical details sent to the AI model contain no patient-identifying information. A session input like "Client presents with chronic lower back pain, treated with deep tissue massage to lumbar paraspinals" cannot be tied to any individual.
- No PII in storage — Saved notes in your Wellistic account contain de-identified clinical content only. They are associated with your practitioner account, not with any patient identity.
- Practitioner responsibility — You add patient-identifying details to the final note after exporting it from Wellistic, within your own HIPAA-compliant record-keeping system.
Patient Tracking
Wellistic includes an optional patient tracking feature that allows practitioners to organize notes by patient and view visit history. This feature follows the same de-identification principles as the rest of the platform:
- No patient name field — Patients are identified by a practitioner-assigned label (e.g., initials, chart number, or internal identifier). The interface explicitly instructs users to avoid entering full names or identifying information.
- No PII collected — The patient record contains only the label and optional practitioner notes. There are no fields for date of birth, address, phone number, insurance information, or any other patient-identifying data.
- User responsibility — Practitioners are responsible for using non-identifying labels in accordance with our Terms of Service. If a user enters identifiable patient information despite the system design and warnings, they do so at their own risk.
- Data isolation — Patient records are protected by row-level security. Each practitioner can only access their own patient records.
PDF Export
Wellistic's PDF export feature generates downloadable PDF documents entirely within your browser. No clinical data is transmitted to any server during PDF generation. The PDF includes your clinic branding (business name, practitioner name, license number) pulled from your account settings, along with the note content and a disclaimer footer. Because PDF generation is client-side only, no additional data processing or storage occurs.
Voice Dictation
Wellistic offers optional voice dictation for input fields using your browser's built-in Web Speech API. Voice data is processed locally by your browser and is not transmitted to Wellistic's servers. This feature is subject to your browser's privacy policy (e.g., Chrome's speech recognition may send audio to Google for processing). Wellistic does not receive, store, or process any audio data.
Security Measures
- All data encrypted in transit (TLS 1.2+)
- All data encrypted at rest
- Row-level security ensuring users access only their own data
- Secure authentication with password hashing
- API rate limiting to prevent abuse
- No clinical data used for AI model training
- Regular security reviews and monitoring
User Responsibilities and Liability
As a Wellistic user, you are responsible for:
- Not entering patient names or identifying information into the system
- Reviewing all AI-generated notes before including them in patient records
- Maintaining HIPAA compliance in your own record-keeping practices
- Securing your Wellistic account credentials
Important: The de-identified design of Wellistic depends on users not entering Protected Health Information (PHI) into the system. If you enter patient names, dates of birth, or other identifying information into the free-text fields despite the system design and warnings, you do so at your own risk. Wellistic is not liable for any HIPAA violations resulting from a user voluntarily entering PHI into the system in contravention of our terms and usage guidelines.
AI Processing
Wellistic uses Google's Gemini AI models via a secure gateway for note generation. Your de-identified clinical inputs are sent to the AI model, processed, and returned as a formatted note. Your inputs are not used to train AI models and are not retained by the AI provider after processing is complete.
Business Associate Agreements (BAAs)
Because Wellistic is designed so that PHI never enters the platform, a Business Associate Agreement is generally not required for standard use of the Service. The data processed by Wellistic is de-identified clinical content, which falls outside the scope of HIPAA's BAA requirements.
However, if your compliance program requires a BAA as an additional safeguard, we are willing to discuss your specific needs. Contact us at privacy@wellistic.com.
Incident Response
In the unlikely event of a data security incident, Wellistic will:
- Promptly investigate and contain the incident
- Notify affected users within 72 hours of discovery
- Provide a clear description of what occurred, what data was affected, and what steps are being taken
- Cooperate with any applicable regulatory inquiries
Because Wellistic does not process PHI, a security incident involving Wellistic data would not constitute a HIPAA breach requiring notification under the Breach Notification Rule (45 CFR §§ 164.400-414). Nonetheless, we are committed to transparency and will notify users of any incident affecting their data.
Questions
For questions about our privacy practices, HIPAA compliance, or to discuss a Business Associate Agreement, contact us at privacy@wellistic.com.