Amplify supports HIPAA-aligned workflows on all plans
This article is for general informational purposes only and does not constitute legal advice.
Always review your Business Associate Agreement (BAA) and consult your compliance or legal team to ensure your organization meets all HIPAA requirements.
Organizations that handle patient information need communication tools that prioritize privacy, security, and accountability. Amplify is designed to support HIPAA-aligned workflows by providing secure document delivery, access controls, and audit visibility across fax and secure communication channels. However, HIPAA compliance is a shared responsibility. While Amplify provides technical and administrative safeguards, your organization is responsible for how the platform is configured and used.

Business Associate Agreement (BAA)

To use Amplify in a HIPAA-compliant manner, your organization must have a Business Associate Agreement (BAA) in place. A signed BAA outlines Amplify’s responsibilities as a service provider and clarifies how protected health information (PHI) is handled, safeguarded, and reported.
HIPAA-aligned features are only intended for use once a BAA is executed and your internal policies support compliant usage.

Using Amplify in a HIPAA-compliant way

Once a BAA is active, Amplify can be used to support HIPAA’s Privacy Rule and Security Rule, provided your organization applies appropriate operational controls. Amplify helps by offering:
  • Secure fax delivery
  • Encrypted document access for recipients
  • Role-based user permissions
  • Audit logs and activity tracking
  • Secure portals for document viewing
Your organization remains responsible for user training, access management, and determining what information is shared through each channel.

What counts as PHI?

Understanding what qualifies as Protected Health Information (PHI) helps determine how and where information should be shared.
| Always PHI | Sometimes PHI | Not PHI |
|---|---|---|
| Patient name with identifiers | Appointment reminders tied to a patient | Office hours |
| Medical records or test results | Follow-up requests | General announcements |
| Diagnoses or treatment details | Care coordination messages | Educational content |
| Insurance or billing details | Contextual identifiers | Public contact information |
If information can identify a patient in context, treat it as PHI.

Communication channels and compliance considerations

Amplify offers multiple delivery channels. Each has different compliance considerations depending on the type of information shared.

Fax and Secure Fax

  • Designed for healthcare document exchange
  • Supports secure transmission and audit visibility
  • Suitable for PHI when used according to internal policies
  • Documents are shared via encrypted access links
  • Recipients do not need an account
  • Access controls such as expiration and authentication can be applied

Secure SMS

  • Intended for notifications or limited document sharing
  • Requires patient consent
  • PHI should be minimized
Your organization is responsible for determining what information is appropriate for each channel.

AI-powered features and HIPAA considerations

Amplify includes AI-assisted features such as AI Chat, document summaries, and template generation to help teams work more efficiently. AI features can be used in HIPAA-aligned workflows when:
  1. Patient awareness
    Patients are informed when AI-assisted tools are used in document processing or communication.
  2. Minimum necessary use
    Only the required information is processed to complete a task.
  3. Access controls
    AI-generated outputs are only accessible to authorized users.
  4. Internal documentation
    Your organization documents the decision to use AI features and associated safeguards.
AI tools analyze document content but do not modify original records unless explicitly saved by a user.
Always consult your compliance or legal team before enabling AI features for workflows involving PHI.

Audit logs, visibility, and accountability

Amplify provides audit-friendly visibility to help organizations meet HIPAA accountability requirements, including:
  • Delivery status tracking
  • User activity logs
  • Timestamps for sent and received documents
  • Centralized access to fax and document history
These tools support internal audits, incident reviews, and compliance reporting.

Third-party integrations

Any third-party systems connected to Amplify—such as external storage, analytics tools, or downstream systems—are not automatically covered under your Amplify BAA. Your organization is responsible for ensuring:
  • Appropriate agreements are in place
  • Data shared with third parties is compliant
  • Risks are documented internally

Session management and access security

To help reduce unauthorized access, Amplify enforces session controls and supports secure access practices. Organizations may also apply:
  • Device-level auto-lock policies
  • Strong password requirements
  • Internal access reviews
Combine Amplify’s built-in safeguards with your organization’s device and identity policies for stronger compliance.

FAQs

Amplify provides HIPAA-aligned features, but compliance depends on having a signed BAA and using the platform according to your internal policies.
Yes, if used responsibly. Your organization must ensure patient awareness, limit data to the minimum necessary, and document safeguards internally.
HIPAA compliance is shared. Amplify provides technical safeguards, while your organization controls configuration, access, and usage.