Trust & security

We protect the health information your clinic shares with us.

Follow-up texts and visit summaries can include names, replies, and care context. We treat that as PHI from day one: BAA at signup, US-only infrastructure, and published controls, not a certification wish list.

  • HIPAA security program
  • BAA at signup
  • Encrypted in transit & at rest
  • US-only infrastructure
  • HIPAA SRA on file
  • SOC 2 Type I (late 2026)
  • SOC 2 Type II (2027)

Key security features

How we protect PHI.

  • Encryption

    Encrypted in transit and at rest within Helose systems. US-based infrastructure only. Standard patient texts may not be encrypted by the mobile carrier on the last mile to the device.

  • Privacy by design

    Minimum data to run texting and briefs. No selling. No training on your PHI.

  • Access controls

    Least privilege. Clinic data stays in your tenant. Audited access.

  • Your data, your clinic

    Export on cancel. Delete within 30 days. Audit logs per your BAA.

  • Never sell your data

    Not to anyone. Not in aggregate. Not ever.

  • Never train on your PHI

    Not our systems. Not our subprocessors. Prohibited contractually in writing.

  • Never share between customers

    Each clinic's data is isolated from other customers.

  • Never used for advertising

    No profiles of your patients or staff. No third-party ad pixels on PHI surfaces.

PHI surfaces

Where PHI can show up.

One BAA covers check-in texts, portal refill and lab flows, staff queues, and the pre-visit summary. Same tenant isolation, encryption, and audit logging.

  • Patient-facing

    Patient texts

    PHI in scope

    Message bodies and replies live in the patient thread on your practice number. Helose sends on the schedule your team set at the visit. Texts stay short: reminders and simple replies. Richer detail, when needed, can open on a secure HTTPS page. Not for diagnoses or emergency triage.

  • Clinic-facing

    Pre-visit summary

    PHI in scope

    The summary your team opens before the visit combines the last visit plan, check-in replies, and portal activity (refill confirms). Lab status comes from draw reminders and vendor/EHR results in your clinic queue. Refill and lab queues live in QuickBooks at pilot (Shopify, Square, WordPress, Charm, or email). Clinical interpretation stays with your clinicians.

Your responsibilities

Clinic obligations.

Helose is your business associate. You remain the covered entity. You are responsible for obtaining patient consent before sending health-related texts, keeping message content appropriate, and honoring STOP requests promptly. Helose provides the platform; your clinic owns the patient relationship.

  • Obtain patient consent before sending health-related texts (TCPA and clinic policy).
  • Keep message content appropriate: short reminders and care-plan support, not diagnoses or emergency triage over SMS.
  • Use secure web pages for detailed instructions when offered; keep texts as brief as practical.
  • Honor STOP and opt-out requests promptly.
  • Own the patient relationship. Helose provides the platform; your clinic is the covered entity.
  • Maintain accurate patient phone numbers and update records when patients change numbers.

SMS & TCPA

Consent & messaging rules.

Helose is your business associate for messaging technology. TCPA consent and message content remain your responsibility as the covered entity.

  • Document consent before the first health-related text, written or electronic per your counsel's guidance.
  • Include STOP/HELP instructions in your enrollment flow; Helose supports carrier-standard keywords.
  • Do not use SMS for marketing without separate express consent.
  • Share our SMS Terms with patients at opt-in (/sms-terms).

This is operational guidance, not legal advice. Consult your counsel for TCPA and state-specific requirements.

Your data

Lifecycle, step by step.

  • What we receive

    Patient identifiers, SMS content and replies, reminder schedule metadata, and the context your team needs in the pre-visit summary. Only what is required to run texting and summaries for your clinic.

  • What we use it for

    Check-in texts, portal refill confirms, lab draw reminders, and staff queues. Pre-visit brief for your team. Audit trail for your compliance team. Nothing else.

  • Where it lives

    PHI stays in US-based infrastructure. It does not leave the United States. Encrypted in transit and at rest within Helose systems.

  • If you leave

    Cancel anytime. We export your data in a portable format and delete it from our systems within 30 days. Audit logs are retained per your BAA, then destroyed per your agreement.

De-identified data. We may use properly de-identified, aggregated data to improve product accuracy and publish benchmarks. Details are in your BAA and available on request.

Patient-facing detail: Data & privacy · SMS terms

In place today

Controls on every workflow.

  • HIPAA security program

    Administrative, physical, and technical safeguards aligned to the HIPAA Security Rule. BAA required before PHI is in scope.

  • Encryption

    Industry-standard encryption in transit and at rest within Helose systems. Patient SMS uses standard cellular messaging; the carrier path to the phone is not end-to-end encrypted.

  • Tenant isolation

    Clinic data is isolated by tenant. One clinic cannot access another's patients.

  • Audit logging

    Reads and automated actions are logged for compliance review.

  • HIPAA Security Risk Assessment

    Completed and maintained on a regular review cycle. Summary available on procurement request.

Business Associate Agreement

BAA at signup.

Helose is a business associate when your clinic uses follow-up texting or pre-visit summaries. PHI workflows require a current BAA on file.

  • Click-through BAA at clinic signup, before any PHI moves.
  • Counter-signed BAA on Helose letterhead for paid annual contracts.
  • BAA template and security documentation available on procurement request.

Roadmap

Dated, not decorative.

  • Late 2026

    SOC 2 Type I

    Policies mapped to the Trust Services Criteria. We publish the report when it exists, not before.

  • 2027

    SOC 2 Type II

    Follows Type I observation period.

  • Before general availability

    External penetration test

    Third-party assessment scheduled ahead of broader rollout. Results shared with customers under NDA.

  • In progress

    Incident response runbook

    Documented response procedures before broader production rollout.

  • When a contract requires it

    HITRUST

    Not actively pursued today. Available when a customer contract requires it.

FAQ

Questions procurement asks first.

Does Helose sell our data?
No. Not to anyone. Not in aggregate. Not ever.

Does Helose use our PHI to train models?
No. Not our systems. Not our subprocessors. Prohibited contractually in writing with every vendor that touches PHI.

When is the BAA signed?
Click-through BAA at signup, before any PHI moves. You can try 2 weeks for free on your real panel under that BAA. Paid annual contracts can include a counter-signed BAA on Helose letterhead.

Where does our data live?
All PHI stays in US-based infrastructure. It does not leave the United States. Encrypted in transit and at rest within Helose systems.

Are patient texts encrypted end to end?
Within Helose and our messaging vendors under BAAs, PHI is encrypted in transit and at rest. Standard SMS to a patient phone is not encrypted by the mobile carrier on the last mile. We keep texts brief, disclose limits in SMS Terms, and use secure HTTPS pages when richer content is needed.

What happens to our data if we cancel?
Cancel anytime. We export your data in a portable format and delete it from our systems within 30 days. Audit logs are retained per your BAA, then destroyed per your agreement.

Can we get detailed security documentation?
Yes. HIPAA SRA summary, BAA template, subprocessor list, and questionnaire responses are available on procurement request, often under NDA.

Need receipts?

Five business days on security questionnaires. Detailed documentation available on procurement request.

Procurement: contact@helose.ai
Security: security@helose.ai