
Last updated: 2025


Security & Compliance at talk.med

talk.med is built from the ground up to support HIPAA-aligned communication for medical, dental, veterinary, and pharmacy practices. Every call, appointment request, and patient message is processed using encrypted, BAA-covered Microsoft infrastructure.

Security is not optional in healthcare — it's the core of our product.

HIPAA-Aligned AI Receptionist Infrastructure

talk.med operates entirely inside environments covered by Microsoft's Business Associate Agreement (BAA). This ensures all AI call handling, transcripts, and appointment requests remain inside a secure, compliant boundary.

Covered by Microsoft's BAA:

  • Azure Compute (Linux VMs)
  • Azure OpenAI (Foundry models)
  • Azure Storage (AES-256 encrypted)
  • Azure Functions / App Services
  • Azure Key Vault
  • Azure Network Security controls
  • Exchange Online (via Email.med inboxes)

No PHI ever leaves Microsoft's secure cloud boundary.

1. Azure-Hosted PHI Processing

All talk.med workflows run exclusively in US East (Virginia) to ensure HIPAA-aligned regional isolation.

PHI-related operations handled in Azure:

  • Voice processing
  • Transcripts
  • Patient messages
  • Appointment scheduling
  • Inbox delivery
  • Widget → backend communication

Benefits:

  • No third-party AI providers receive PHI
  • No PHI routed to OpenAI's consumer APIs
  • No PHI leaves the United States
  • No PHI used for model training

talk.med is engineered for privacy from the first line of code.

2. AI Processing (HIPAA-Safe)

talk.med uses Azure OpenAI "Foundry" models under Microsoft's BAA. This ensures:

  • Your voice data stays within Azure's private environment
  • Output is not logged outside the clinic's workflow
  • Models are not trained or fine-tuned on your PHI
  • No external vendors receive call content
  • All inference happens on HIPAA-supported infrastructure

This is the highest level of safe AI you can deploy for a healthcare business.

3. Voice, Calls & Transcription Security

talk.med's voice interactions use:

  • Encrypted WebRTC
  • TLS 1.2+ for all signaling
  • No raw audio storage unless a clinic enables it
  • Encrypted transcript processing
  • Zero-retention defaults

Calls are processed in real time, and any necessary summaries are delivered securely to the clinic inbox (Email.med).

We never store PHI longer than required to complete the workflow.

4. HIPAA-Compliant Email via Email.med

Every talk.med account includes a secure Microsoft 365 mailbox:

yourname@email.med

This inbox is:

  • Encrypted
  • MFA-protected
  • Covered by Microsoft's BAA
  • Hosted in the U.S.
  • Logged through Microsoft Purview
  • Delivered over TLS

All appointment requests and AI summaries are sent through this compliant channel. Email.med is a key part of keeping talk.med end-to-end safe.

5. Data Storage & Database Security

talk.med uses Microsoft Azure Storage for PHI-related content.

For directory and non-PHI practice data, we use Neon PostgreSQL.

Current status:

  • No PHI stored in Neon until a final BAA is signed
  • All PHI remains inside Azure systems
  • TLS enforced
  • Least-privilege database access

This ensures we never mix sensitive and non-sensitive data.

6. Encryption Standards

In Transit

  • TLS 1.2+
  • Secure WebRTC
  • OAuth-protected API calls
  • Encrypted widget communication

At Rest

  • AES-256 storage encryption (Azure)
  • Encrypted mailboxes
  • Azure Key Vault for secrets

7. Access Controls & Identity Protection

We enforce:

  • Multi-Factor Authentication
  • Role-Based Access Control
  • No shared logins
  • Automatic session timeouts
  • Administrative IP restrictions
  • Azure security hardening
  • Full audit logging

Only authorized staff can access systems containing PHI.

8. Logging, Monitoring & Auditing

We use Azure's built-in compliance stack:

  • Authentication logs
  • Access logs
  • Audit trails
  • Error monitoring
  • Automated intrusion alerts
  • Immutable log records

These controls help us maintain a HIPAA-aligned environment.

9. Data Minimization & Retention

talk.med adheres to HIPAA's "minimum necessary" principle:

  • Audio is not stored unless explicitly requested
  • Transcripts auto-delete after delivery
  • Clinics may request deletion at any time
  • Backups and replicas follow the same policies

We store only what is necessary to complete a booking.

10. Business Associate Agreement (BAA)

talk.med operates as a Business Associate to all medical and dental practices using our system.

We provide:

  • A Business Associate Agreement
  • System security documentation
  • Data flow diagrams
  • Azure service details
  • HIPAA compliance summaries

We believe in full transparency with healthcare partners.

Demo vs. Production Infrastructure

Our interactive demo runs on optimized infrastructure for the best user experience during evaluation. No real patient data should be entered during demos.

Production deployments are hosted exclusively in Microsoft Azure US East (Virginia) with full HIPAA technical safeguards and BAA coverage.

When you sign up, your AI receptionist and all PHI handling move to our secure Azure environment.
