MediChat is a communication workflow and automation tool built for licensed healthcare professionals. We are a technology provider — not a healthcare provider, medical practice, telemedicine service, or regulatory body. This page explains our role, what we do and do not provide, and how we approach healthcare-related compliance obligations.
1. What MediChat Is (and Is Not)
MediChat provides tools that help licensed healthcare professionals manage patient communication workflows via WhatsApp Business. Our platform generates AI-assisted draft messages for professional review, supports voice cloning with explicit consent, and helps organize communication history.
MediChat does not provide medical advice, diagnosis, clinical assessments, treatment recommendations, or prescriptions. MediChat is not a telemedicine provider, Electronic Health Record (EHR) system, or clinical decision support tool. Nothing in the platform constitutes the practice of medicine. All AI-generated content is a draft only — the licensed professional is solely responsible for reviewing, editing, and approving every message before it is sent to a patient.
2. Our Relationship to HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) imposes obligations on Covered Entities (healthcare providers, health plans, and healthcare clearinghouses) and their Business Associates — vendors and service providers that handle Protected Health Information (PHI) on their behalf.
Rentesy Softwares Private Limited (operating MediChat) is not itself a Covered Entity. Where our platform is used by a Covered Entity or Business Associate in a manner that involves the processing of PHI, MediChat may serve in the capacity of a Business Associate under HIPAA. In such cases, we are prepared to enter into a Business Associate Agreement (BAA) with the customer.
Important limitations to understand
- We have not completed a formal HIPAA audit. We have not been assessed, certified, or verified by any government body or accredited third-party HIPAA auditor.
- HIPAA is not a certification. There is no official "HIPAA certified" designation issued by the U.S. Department of Health and Human Services (HHS) or any government agency. We do not claim to hold any such certification.
- We do not warrant regulatory compliance. Use of MediChat does not, by itself, make your practice or organization HIPAA compliant. Compliance is the responsibility of each Covered Entity and Business Associate.
- WhatsApp is not a HIPAA-covered channel. Meta Platforms does not enter into Business Associate Agreements for WhatsApp Business API usage, so Meta is not a Business Associate of your organization, and PHI sent through WhatsApp passes through a vendor with whom no BAA exists. Depending on your use case, transmitting PHI over this channel may therefore not satisfy HIPAA requirements. Consult your compliance officer before sending PHI through WhatsApp.
3. How We Are Designed to Support Compliance
While we make no warranty of regulatory compliance, MediChat is designed and operated with measures aligned with recognized security and privacy frameworks, including the HIPAA Security Rule. These are voluntary organizational commitments, not legally verified certifications.
Technical Safeguards (aligned with HIPAA Security Rule)
- Encryption of data at rest using AES-256
- Encryption of data in transit using TLS 1.2 / 1.3
- Application-level encryption of access tokens and sensitive credentials before database storage
- Unique user authentication with session management and automatic timeout
- Row-level security (RLS) policies in the database, so that each user can read and write only their own records
- Audit logging of access to sensitive records
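As an illustration of the row-level security pattern listed above, here is an example written for this page; it is not MediChat's own schema or code. The `messages` table, its columns, and the use of Supabase's `auth.uid()` helper and `authenticated` role are assumptions.

```sql
-- Illustrative only: table and column names are assumptions, not MediChat's schema.
create table if not exists messages (
  id          bigint generated always as identity primary key,
  owner_id    uuid not null default auth.uid(),   -- the professional who owns this record
  patient_ref text not null,
  body        text not null,
  created_at  timestamptz not null default now()
);

-- Without RLS, any role with SELECT on the table can read every row.
alter table messages enable row level security;
alter table messages force row level security;  -- also applies to the table owner

-- One policy per operation, each scoped to rows whose owner_id matches the caller's JWT subject.
create policy "messages_select_own" on messages
  for select to authenticated
  using (owner_id = auth.uid());

create policy "messages_insert_own" on messages
  for insert to authenticated
  with check (owner_id = auth.uid());

create policy "messages_update_own" on messages
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "messages_delete_own" on messages
  for delete to authenticated
  using (owner_id = auth.uid());

-- Check from a SQL session: impersonate a user for one transaction and confirm the
-- visible row count is limited to that user. The JWT claim setting name is Supabase's
-- convention (assumed here); auth.uid() reads the "sub" claim from it.
begin;
  set local role authenticated;
  set local request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
  select count(*) from messages;  -- only rows with owner_id = that sub
rollback;
```

Two points worth checking in any deployment of this pattern: a `select` policy alone does not stop writes, so each of insert, update and delete needs its own `with check` / `using` clause; and Supabase's `service_role` key bypasses RLS entirely, so it must stay on the server and never reach a browser or mobile client.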
Administrative Safeguards
- Access to production data limited to personnel with a documented need to know
- Confidentiality obligations on all personnel with data access
- Internal security policies and incident response procedures
- Sub-processor due diligence and data processing agreements with vendors
Physical Safeguards
- Application and database infrastructure hosted on providers that hold SOC 2 Type II attestation reports (Vercel; Supabase, on AWS). These reports cover the providers' own controls, not MediChat's application, so they are inherited controls rather than evidence about our code.
- No on-premises storage of any user or patient data by MediChat
A formal independent compliance assessment has not yet been completed. We intend to conduct a third-party security review as the business matures. This page will be updated to reflect any material changes in our compliance posture.
4. Business Associate Agreements (BAA)
We offer Business Associate Agreements to subscribers who are HIPAA Covered Entities or Business Associates and use MediChat in a capacity that involves PHI. A BAA defines each party's obligations with respect to PHI and is a requirement under HIPAA before a Covered Entity may share PHI with a Business Associate.
To request a BAA:
Email hello@rentesy.com with the subject line "BAA Request". Include your organization name, contact information, and current subscription plan. We will review and respond within 5 business days.
BAAs are available on Professional and Enterprise plans. Customers on free or starter plans must upgrade before a BAA can be executed.
Execution of a BAA does not guarantee that your organization's use of MediChat is HIPAA compliant. Covered Entities remain responsible for their own compliance policies, staff training, risk assessments, and all other HIPAA obligations under the Privacy Rule, Security Rule, and Breach Notification Rule.
5. Responsibilities of Healthcare Professional Users
As a licensed healthcare professional using MediChat, you are responsible for:
- Determining whether your use of MediChat involves PHI under HIPAA
- Obtaining and executing a BAA with us before transmitting PHI through the platform if you are a Covered Entity
- Obtaining appropriate patient authorization and consent before communicating via WhatsApp
- Reviewing all AI-generated draft content before sending to patients
- Maintaining compliance with all applicable laws in your jurisdiction, including HIPAA, state privacy laws, and India's Digital Personal Data Protection Act (DPDPA) where applicable
- Conducting your own risk assessments as required under the HIPAA Security Rule
6. Sub-Processors Relevant to PHI
| Sub-Processor | Role | BAA Available |
|---|---|---|
| Supabase, Inc. | Database hosting, authentication | Yes (via Supabase) |
| Vercel, Inc. | Application hosting | Yes (via Vercel) |
| Meta Platforms (WhatsApp Cloud API) | Message delivery | No — Meta does not sign BAAs for WhatsApp API |
| AI text generation provider(s) | Draft message generation | Varies by provider; subject to our data processing agreements |
| ElevenLabs, Inc. | Voice synthesis | Subject to data processing agreement |
7. Breach Notification
In the event of a security incident that may constitute a breach of PHI as defined under HIPAA, we will notify affected Covered Entity customers without unreasonable delay, and in any event no later than the 60 calendar days after discovery permitted by 45 CFR § 164.410, or any shorter period agreed in the executed BAA. We will provide sufficient information to enable the Covered Entity to fulfill its own breach notification obligations under 45 CFR §§ 164.400–414.
8. No Warranty of Regulatory Compliance
MEDICHAT MAKES NO WARRANTY, EXPRESS OR IMPLIED, THAT USE OF THE PLATFORM WILL RESULT IN COMPLIANCE WITH HIPAA, STATE PRIVACY LAWS, THE DIGITAL PERSONAL DATA PROTECTION ACT, OR ANY OTHER APPLICABLE REGULATION. COMPLIANCE IS THE SOLE RESPONSIBILITY OF THE CUSTOMER. MEDICHAT'S LIABILITY IN CONNECTION WITH REGULATORY MATTERS IS GOVERNED EXCLUSIVELY BY THE TERMS OF SERVICE AND, WHERE APPLICABLE, THE EXECUTED BAA.
9. India Regulatory Context
For users in India, MediChat is subject to India's Digital Personal Data Protection Act (DPDPA) 2023 and applicable rules issued thereunder. Indian healthcare professionals using MediChat are also subject to the Information Technology Act 2000, the IT (Amendment) Act 2008, and applicable rules including the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011.
Healthcare professionals in India are responsible for compliance with the regulations of the Medical Council of India (now the National Medical Commission) and any applicable state telemedicine guidelines, including the Telemedicine Practice Guidelines 2020.
10. Contact
For compliance inquiries, BAA requests, or to report a potential security incident:
Rentesy Softwares Private Limited
5-101/5/1/19 Ganga Avenue, Macha Bollaram, Alwal, Tirumalagiri
Hyderabad – 500010, Telangana, India
Email: hello@rentesy.com (Subject: "HIPAA / Compliance Inquiry")
Phone: (412) 844-4641