HoopAI offers a HIPAA-compliant configuration for healthcare providers, health coaches, and other covered entities or business associates who handle Protected Health Information (PHI). When HIPAA mode is enabled, the platform activates additional security controls and data handling practices designed to support HIPAA compliance.
Enabling HIPAA mode in HoopAI is one component of a compliant workflow — it is not sufficient on its own. You must also execute a Business Associate Agreement (BAA) with HoopAI, train your staff, review your own internal policies, and ensure all other systems you use that touch PHI are also HIPAA-compliant. Consult qualified legal and compliance counsel to evaluate your full compliance posture.

Who needs HIPAA mode

HIPAA applies to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates (vendors and partners who handle PHI on their behalf). If your use of HoopAI involves any of the following, you should consider HIPAA mode:
  • Storing patient names, contact details, appointment types, or health-related notes in contacts or conversations
  • Sending appointment reminders that reference a healthcare service
  • Collecting intake forms that include health information
  • Managing leads or clients in a health, wellness, or medical context where communications could reveal PHI
If you are unsure whether HIPAA applies to your business, consult a HIPAA compliance specialist or healthcare attorney.

Step 1 — Execute a Business Associate Agreement (BAA)

Before enabling HIPAA mode, you must sign a Business Associate Agreement with HoopAI. A BAA is a legally required contract that establishes how HoopAI will protect PHI on your behalf.
  1. Contact HoopAI support: Reach out to HoopAI support at support@hoopai.com and request a BAA. Include your account name and the sub-accounts (locations) that will handle PHI.
  2. Review and sign: HoopAI will provide the BAA document. Review it with your legal counsel, sign it, and return a copy. HoopAI countersigns and retains the agreement.
  3. Keep a copy: Store the signed BAA securely. HIPAA requires you to retain BAAs for at least 6 years.
HIPAA mode can only be enabled on accounts with a signed BAA. If you enable HIPAA mode without a signed BAA in place, you remain legally exposed.

Step 2 — Enable HIPAA mode

Once your BAA is signed, enable HIPAA mode in the platform:
  1. Open Trust Center: Go to Settings > Trust Center or Settings > Compliance.
  2. Find HIPAA settings: Look for the HIPAA section. If your plan supports HIPAA, you will see an enable toggle.
  3. Enable HIPAA mode: Click Enable HIPAA Mode and confirm. You may be prompted to confirm that a BAA is in place.
  4. Verify activation: After enabling, the Trust Center should show HIPAA mode as Active. Some plan tiers require a plan upgrade before HIPAA mode becomes available — contact support if the option is greyed out.

What HIPAA mode changes

When HIPAA mode is active, the following security controls are enforced:
Access and authentication:
  • Two-factor authentication (2FA) is required for all users — you cannot disable 2FA while HIPAA mode is on
  • Session timeouts are shortened — users are automatically logged out after a period of inactivity
  • Login activity is logged for audit purposes
Data handling:
  • Email and SMS message content is treated with additional access controls
  • Email notifications sent by the platform are modified to avoid including PHI in the notification body — instead, users receive a link to log in and view the message inside the platform
  • Data access logs are maintained for audit trails
Conversation restrictions:
  • Automated emails and SMS sent from workflows will not include PHI in the message preview or notification body — links to the platform are used instead
  • Some third-party email and SMS integrations may be restricted under HIPAA mode
Integrations:
  • Not all integrations are HIPAA-eligible. Before connecting a third-party tool to an account in HIPAA mode, verify that tool has its own BAA available and is HIPAA-compliant

Step 3 — Review and restrict integrations

HIPAA requires that every system or vendor that may access PHI has a signed BAA with you. Review all integrations connected to your HoopAI account:
Integration and the check needed:
  • Stripe: Stripe is PCI-DSS compliant; it does not typically handle PHI
  • Google Calendar: Verify your Google Workspace BAA; Google offers a BAA for Workspace customers
  • Facebook / Meta: Meta does not sign BAAs; avoid syncing PHI to Facebook integrations
  • Zapier / Make: Both offer BAAs on enterprise plans
  • Email providers: Verify that your email sending provider offers a BAA
Disconnect any integration that cannot provide a BAA if PHI may flow through it.

Step 4 — Configure user access controls

  1. Enable 2FA for all users: Go to Settings > My Staff and enforce 2FA. Under HIPAA mode this is required automatically, but confirm all users have completed their 2FA setup.
  2. Apply minimum necessary access: HIPAA’s Minimum Necessary standard requires that users only access PHI they need for their job. Enable the Restrict to Assigned Data Only setting for any user who does not need to see all contacts. See User roles and permissions.
  3. Remove inactive users: Deactivate accounts for staff who have left or no longer need access. Do not leave dormant accounts active.

Step 5 — Train your staff

Technical settings alone do not make an organisation HIPAA compliant. You must also:
  • Provide HIPAA training to all staff who access PHI through the platform
  • Document your training program and keep records of completion
  • Establish policies for how PHI is handled, who can access it, and what to do in the event of a breach
  • Designate a HIPAA Privacy Officer and a Security Officer for your organisation

Breach notification

If you discover that PHI stored in HoopAI has been improperly accessed or disclosed, you have obligations under HIPAA’s Breach Notification Rule:
  • Notify affected individuals within 60 days of discovering the breach
  • Notify HoopAI immediately — as your Business Associate, HoopAI is required to assist with breach investigation and notification
  • Notify the Department of Health and Human Services (HHS) according to HIPAA timelines
  • Notify local media if the breach affects more than 500 residents of a state
Contact HoopAI support immediately if you suspect a security incident involving PHI.

Frequently asked questions

HIPAA does not have an official certification program — there is no HIPAA certification body. HoopAI supports HIPAA compliance through technical safeguards and BAA availability, but ultimate compliance responsibility rests with your organisation. Consult your legal and compliance team.
Yes, enabling HIPAA mode changes how some features behave — particularly email notifications and integrations — to reduce the risk of PHI exposure. Some convenience features (such as full message previews in email notifications) are intentionally restricted.
You can technically disable HIPAA mode, but doing so removes the security controls protecting PHI. If you have PHI in the system, disabling HIPAA mode without first removing or de-identifying that data would likely create a HIPAA violation. Consult your compliance officer before disabling.
HIPAA mode is available on qualifying plans. Contact HoopAI support to confirm whether your current plan includes HIPAA mode or whether an upgrade is required.
The mobile app can be used with HIPAA mode enabled, but apply the same precautions: ensure devices are protected with screen locks, avoid leaving the app open on unattended devices, and enforce 2FA for all users. The app enforces the same session timeout and access restrictions as the desktop version.
Last modified on March 5, 2026