See us at AAFP 2026 HIPAA compliant · BAA available Works with Athena, eClinicalWorks, Epic & more

Security & Privacy

Built for healthcare from the ground up.

Mari handles protected health information. We take that seriously. This page explains exactly how patient data is handled, stored, and protected — so you can share it with your office manager, your compliance team, or anyone else who needs to know.

At a glance

HIPAA compliant

Mari is designed and operated in compliance with HIPAA requirements for covered entities and business associates.

BAA available

We sign Business Associate Agreements with all practices before any patient data is exchanged.

EHR integration available

Mari can connect to your existing EHR when you're ready. Integration is optional — Mari works without it on day one.

Encrypted in transit and at rest

All patient data is encrypted using industry-standard protocols during transmission and storage.

HIPAA compliance

Hekavor is a HIPAA business associate

When Mari processes patient health information on behalf of a covered entity (your practice), Hekavor acts as a Business Associate under HIPAA. We operate in compliance with the Privacy Rule and Security Rule requirements for business associates.

Business Associate Agreement (BAA)

We sign a BAA with every practice before any protected health information (PHI) is transmitted. A BAA is not a separate process — it is part of the standard trial onboarding. Contact us at contact@hekavor.com if you need a BAA for procurement review before starting a trial.

Minimum necessary data

Mari collects only the patient information required to conduct the structured clinical interview. We do not collect payment information, insurance data, or demographic data beyond what is directly relevant to the clinical interview.

How patient data is handled

Data typeWhat is storedRetention
Patient interview responsesSymptom descriptions and clinical interview answers provided by the patient through MariUsed only to generate the pre-visit summary; stored on HIPAA BAA-covered infrastructure.
Generated clinical summaryHPI and DDx output generated by Mari for physician reviewDelivered to the physician for review; becomes part of your practice's record on delivery.
Patient identifiersName and appointment reference used to deliver the summary to the correct physicianUsed only to route the summary to the correct physician.

Note: Patient responses are not used to train AI models. Mari's clinical logic is deterministic — it does not learn from individual patient interactions. Interview data is used only to generate the pre-visit summary for the treating physician.

EHR integration

When you choose to connect Mari to your EHR, integration is handled through a secure, standardized integration layer that supports bi-directional data exchange and meets healthcare data exchange standards including HL7 FHIR.

Access is scoped to the fields Mari needs for the interview — nothing extra is stored. Supported EHR systems include Epic, Cerner, Athenahealth, Elation, eClinicalWorks, NextGen, and others.

EHR integration is not required to begin your trial — Mari works without it on day one. We'll scope the details with you during onboarding.

Access controls and encryption

Encryption in transit

All data transmitted between patients, Mari, and your practice is encrypted using TLS 1.2 or higher.

Encryption at rest

Patient data stored by Hekavor is encrypted at rest using AES-256.

Access controls

Access to patient data within Hekavor systems is role-based and limited to personnel who require it for operational or support purposes. Access logs are maintained.

Patient data is not accessible to other practices

Each practice's patient data is logically separated. Data from one practice is not accessible to users of another practice.

Security questions

If you have specific questions about Hekavor's security practices, data handling, or compliance posture — including requests for our BAA or documentation for procurement review — contact us directly.

contact@hekavor.com