Orthia Trust Center
Real-time system status, security certifications, and compliance documentation for Orthia AI.
Core Services
AI Voice Receptionist
Inbound call answering and routing
Appointment Scheduling Engine
Real-time PMS booking and rescheduling
Insurance Verification
Real-time eligibility checks via carrier data
Website Chat & DMs
Patient messaging across web and social channels
Infrastructure
PMS Integration Layer
Connections to Dentrix, Dolphin, Cloud 9, Ortho2, and more
API Gateway
Authentication, rate limiting, and request routing
Orthia Dashboard
Practice analytics and Ask Orthia interface
orthia.io
Marketing website and documentation
Overall Uptime
Last 7 days: 100%
Last 30 days: 99.99%
Last 90 days: 99.98%
SECURITY & COMPLIANCE
Enterprise-Grade Security
Orthia is built to meet the security and compliance requirements of healthcare organizations.
SOC 2 Type II
Orthia has completed a SOC 2 Type II audit covering security, availability, and confidentiality trust service criteria.
HIPAA Compliant
Orthia is designed with HIPAA-compliant workflows for handling protected health information. Business Associate Agreements are available for all customers.
Data Encryption
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Patient data is processed and stored only within these encrypted environments.
HIPAA COMPLIANCE
Built for Healthcare Data
Orthia handles protected health information in every patient interaction. HIPAA compliance is not an add-on; it is foundational to how we build.
Administrative Safeguards
Risk Assessments
Comprehensive risk analyses conducted annually to identify and mitigate threats to ePHI. Findings are documented and remediation is tracked to completion.
Workforce Training
All employees complete HIPAA privacy and security training at onboarding and annually thereafter. Role-specific training for engineers handling PHI.
Business Associate Agreements
A BAA is executed with every customer and every sub-processor before any PHI is transmitted. BAAs are available on all pricing tiers.
Policies & Procedures
Documented policies covering PHI access, use, disclosure, breach notification, and disposal. Reviewed and updated annually.
Technical Safeguards
Encryption Standards
All ePHI is encrypted in transit using TLS 1.2+ and at rest using AES-256. Encryption keys are managed through dedicated key management services with automatic rotation.
Access Controls & Authentication
Role-based access control with least-privilege enforcement. Multi-factor authentication required for all systems that process PHI. Session timeouts enforced.
Audit Logging
All access to PHI is logged with user identity, timestamp, and action performed. Audit logs are immutable, retained for a minimum of 6 years, and reviewed regularly.
Automatic Session Management
Inactive sessions are automatically terminated. Unique user identification ensures every action on PHI is attributable to a specific individual.
Physical Safeguards
Cloud Infrastructure
All infrastructure is hosted with cloud providers that hold SOC 2 Type II reports and sign HIPAA Business Associate Agreements, with physical access controls, 24/7 monitoring, and environmental protections.
Workstation & Device Controls
Company devices are encrypted, remotely managed, and subject to automatic lock policies. No PHI is stored on local devices.
Breach Notification & Incident Response
Breach Notification
In the event of a breach involving unsecured PHI, Orthia, as a business associate, notifies the affected practice (the covered entity) without unreasonable delay and no later than 60 calendar days after discovery, as required by 45 CFR § 164.410, so that affected individuals and HHS can be notified within the timeframes required by the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D).
Incident Response Plan
Documented incident response procedures with defined roles, severity classification, containment steps, root cause analysis, and post-incident review. Tabletop exercises conducted annually.
Security Practices
Access Controls
Role-based access control with multi-factor authentication enforced for all team members.
Vulnerability Management
Continuous vulnerability scanning with automated patching. Penetration testing performed annually by third-party firms.
Incident Response
Documented incident response plan with defined escalation procedures and SLA-backed response times.
Data Retention
Configurable data retention policies. Patient data can be purged on request in compliance with practice requirements.
Vendor Security
All sub-processors undergo security review before onboarding. Infrastructure is hosted with cloud providers that hold SOC 2 Type II reports.
Employee Security
Background checks for all employees. Annual security awareness training and phishing simulations.
Incident History
No incidents reported in the last 90 days
All systems have been operating normally.
Have questions about our security practices or need compliance documentation?