Section 01 · Refused categories
Three verticals we refuse outright.
We're a small firm with concentrated regulatory exposure. These three categories carry federal enforcement risk we're not equipped to underwrite — and so we don't take them, regardless of fee, scope, or relationship.
This list is non-negotiable. Every retainer contract includes it explicitly. If your work touches any of these categories, even adjacent, please don't book the call — we'd have to decline.
- Addiction-treatment, substance-use disorder, recovery. Including SUD treatment centers, methadone clinics, sober homes, and any patient-marketing or referral arrangement involving these services. (EKRA · 42 CFR Part 2 · federal patient-brokering exposure)
- Compounded weight-loss medications. Including compounded GLP-1s (semaglutide, tirzepatide), compounded HRT marketing, and any active marketing of compounded medications outside FDA shortage authorization. (FDA enforcement · 503A pharmacy law · evolving regulation)
- Personal-injury law and PI-adjacent practices. Including PI law firms, chiropractic practices that primarily bill PI cases, and medical practices whose primary marketing channel is PI law referral. (Different category · different ethics framework · out of scope)
Section 02 · HIPAA posture
There is no such thing as "HIPAA certified."
We need to start here because so many vendors lie about it. HHS does not issue HIPAA certifications. No third party has authority to "certify HIPAA compliance." Anyone selling you a HIPAA-certification logo is selling you marketing collateral, not regulatory protection.
What actually exists is a posture: a set of administrative, physical, and technical safeguards a covered entity (your practice) and its business associates (us, our subprocessors) implement and document. The posture either holds up under an OCR audit or it doesn't. The certification logo doesn't help you in either case.
What we operate, by way of posture:
- BAA signed before any patient data flows. We sign one with you. We sign one with every subprocessor that touches PHI on our side. No data flows until paperwork is in place.
- HIPAA-aware tracking and analytics. No PHI in URL parameters, GA4, or marketing pixel events. Server-side conversion APIs configured against an explicit allow-list of fields.
- US healthcare attorney on retainer. For state-by-state escalation when the question is "is this allowed in [state]" — different states have different rules, especially for telehealth and corporate practice of medicine.
- Annual compliance review across our stack and our procedures. Re-reviewed every 12 months at minimum. Document version updated each cycle.
- Read-only access to client systems by default. Most of our work doesn't require write access to your booking system or EHR. We minimize access to what's needed.
If you're shopping vendors and want to compare postures: ask them to send you their BAA template, their subprocessor list, and the name of their healthcare counsel. Anyone who can't produce all three within 24 hours probably shouldn't have your patient data.
Section 03 · The subprocessor stack
Every vendor that touches patient data, with BAA status.
Reviewed quarterly. We add, remove, and renegotiate based on enforcement signals and posture changes. If you're booked into a retainer or AI receptionist, you receive an updated copy any time this list changes.
| Vendor | Role | BAA status |
|---|---|---|
| Twilio | Telephony, SMS, programmable voice for AI receptionist routing | Signed |
| ElevenLabs | Voice synthesis (output only) for AI receptionist call audio | Signed (Enterprise) |
| Azure OpenAI | Reasoning layer for AI receptionist; training opt-out enabled | Signed (Healthcare tier) |
| Postmark | Transactional email for booking confirmations and reminders | Signed |
| Calendly / Cal.com | Calendar/booking layer (write-only on our side) | Signed where applicable |
| Google Workspace (operator inbox only) | Internal operator email; never patient-facing | Signed |
| GA4 / Google Tag Manager | Marketing analytics; PHI-stripped events only | N/A · No PHI |
| Meta Conversions API | Server-side ad attribution; PHI-stripped events only | N/A · No PHI |
| Internal logging (our infra) | Encrypted at rest, 30-day rolling retention, hard-delete on request | First-party |
Section 04 · What our system never does
Things our system doesn't do, regardless of client ask.
These aren't things we politely decline when asked — they're things our system structurally won't do. We've designed the architecture so that even if a junior team member tried, the action would fail. Defense-in-depth, not policy-on-paper.
- Send PHI in URL parameters. Server-side conversion APIs are configured against an explicit allow-list. PHI in a URL gets stripped before any pixel fires.
- Use AI training data containing patient interactions. Every model vendor has training-opt-out enabled at contract level. We don't fine-tune on PHI, ever.
- Retain call recordings beyond 30 days. AI receptionist calls roll on a 30-day window with hard-delete. Specific retention extension available only by client written request.
- Auto-share PHI across clients. Each client tenancy is isolated at infrastructure level. Cross-client visibility is structurally impossible.
- Pay or accept referral kickbacks. No "patient finder fees," no "lead acquisition payments," no Stark/AKS-adjacent arrangements. Direct contract-only relationships.
- Tell a caller in crisis to "leave a message." Crisis language detection patches through to a live human or schedules urgent callback within 2 hours. No crisis routing to voicemail.
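The allow-list approach described in the HIPAA-posture bullets and in the first item above, shown as an added example (not the agency's own code): only named event fields are forwarded, and only named query-string keys survive in the page URL; the field names, parameter names and sample event are assumptions for illustration.

```javascript
// Added example: allow-list filtering for a server-side conversion event.
// Field and parameter names below are assumed for illustration.

// Event fields that may be forwarded to the conversion API. Anything else
// (form fields, contact details, free text) is dropped by construction.
const ALLOWED_EVENT_FIELDS = new Set([
  "event_name", "event_time", "event_id", "action_source", "page_url",
]);

// Query-string keys that may survive in page_url. Campaign/click identifiers
// only; form values echoed into the URL never make it through.
const ALLOWED_URL_PARAMS = new Set([
  "utm_source", "utm_medium", "utm_campaign", "utm_content", "gclid", "fbclid",
]);

// Reduce a URL to origin + path + allow-listed params. The fragment is
// dropped as well, since multi-step forms often put state there.
function sanitizeUrl(raw) {
  const u = new URL(raw);
  const kept = new URLSearchParams();
  for (const [k, v] of u.searchParams) {
    if (ALLOWED_URL_PARAMS.has(k.toLowerCase())) kept.append(k, v);
  }
  const qs = kept.toString();
  return u.origin + u.pathname + (qs ? "?" + qs : "");
}

// Build the outbound payload from a raw event. Returns the key names that
// were dropped so they can be logged; values are never logged.
function buildConversionEvent(rawEvent) {
  const payload = {};
  const dropped = [];
  for (const [k, v] of Object.entries(rawEvent)) {
    if (!ALLOWED_EVENT_FIELDS.has(k)) { dropped.push(k); continue; }
    payload[k] = k === "page_url" ? sanitizeUrl(String(v)) : v;
  }
  return { payload, dropped };
}

// Constructed sample event: a booking page that leaked form fields into the URL.
const SAMPLE_EVENT = {
  event_name: "Schedule",
  event_time: 1700000000,
  event_id: "evt-123",
  action_source: "website",
  page_url: "https://clinic.example/book?utm_source=google&gclid=abc123" +
            "&patient_name=Jane+Doe&condition=anxiety#step2",
  patient_email: "jane@example.com",
  phone: "555-0100",
};
```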
Section 05 · State-by-state escalation
When state law gets weird, who we call.
HIPAA is federal. State law often goes further — especially around telehealth scope, corporate practice of medicine, and consent for marketing communication. The right answer in Texas isn't always the right answer in California or New York.
For state-specific questions, we work with US-licensed healthcare counsel on retainer. The cost of that retainer is built into our fees — clients don't pay separately for legal review of marketing approach in a new state.
Common state-level questions we send to counsel:
- Telehealth scope and reciprocity. Which states allow practitioners to see clients across state lines, and on what terms.
- Corporate practice of medicine (CPOM). Which states require physician ownership, and how that interacts with marketing entities and management service organizations.
- State-specific advertising rules for healthcare practices, especially around testimonials, before/after imagery, and treatment outcome claims.
- Consent for SMS and call recording. One-party vs two-party consent states. Recording-disclosure requirements.
- State data breach notification timelines. Triggering events, reporting obligations, patient notification requirements.
Section 06 · Found something that doesn't add up?
If something here looks off, tell us.
We're a working operator. Documents drift. Posture changes. Vendors get acquired and BAAs need renegotiation. If you read this and something looks wrong, missing, or out of date — we'd genuinely like to know about it.
For compliance questions, vendor diligence requests, or counsel-to-counsel inquiries, the fastest path is to book a 15-minute call below — we'll route to the right person internally and respond on the call.