Is Sully.ai HIPAA Compliant? How Patient Data is Protected


Yes. Sully.ai is HIPAA-compliant, supports HIPAA-compliant deployments, and will sign a Business Associate Agreement (BAA). Sully.ai focuses heavily on security measures like encryption, access controls, and audit logging, and it provides independent security attestations (SOC 2 Type II and ISO 27001) through its trust portal.

What Security Measures Does Sully.ai Provide?

  • HIPAA-compliant deployments: Sully.ai is HIPAA-compliant and supports HIPAA-compliant deployments.

  • Business Associate Agreement (BAA): Sully.ai provides a BAA for covered entities and business associates to execute before using Sully.ai with ePHI.

  • Encryption, Access Controls & Audit Logging: All ePHI is encrypted in transit and at rest. Sully.ai applies role-based access controls and maintains audit logs across integrations.

  • Independent Attestations: Sully.ai’s security program is independently assessed. SOC 2 Type II and ISO 27001 attestations are available upon request through the Sully.ai trust portal.

  • Data Processing Agreement (DPA): Sully.ai’s DPA outlines security measures aligned with the HIPAA Security Rule.

How Does Sully.ai Protect Patient Data?

  • Data Protection: Encryption in transit and at rest, with strong key management practices.

  • Identity & Access Management: Role-based access, provisioning/deprovisioning processes, session controls, and audit logging with retention policies.

  • Agreements & Transparency: A signed BAA, clear Data Processing Agreement, visibility into subprocessors, breach notification commitments, and assurances that your PHI isn’t used for model training unless explicitly permitted.

  • Independent Security Assessments: SOC 2 Type II and ISO 27001 attestations covering the platform and hosting environment, accessible via the trust portal.

Sully.ai is fully HIPAA-compliant and focuses on key safeguards such as encryption, access controls, and audit logging. Independent attestations further validate our security practices.
