Security & Privacy
Mari handles protected health information. We take that seriously. This page explains exactly how patient data is handled, stored, and protected — so you can share it with your office manager, your compliance team, or anyone else who needs to know.
Mari is designed and operated in compliance with HIPAA requirements for covered entities and business associates.
We sign Business Associate Agreements with all practices before any patient data is exchanged.
Mari can connect to your existing EHR when you're ready. Integration is optional — Mari works without it on day one.
All patient data is encrypted using industry-standard protocols during transmission and storage.
When Mari processes patient health information on behalf of a covered entity (your practice), Hekavor acts as a Business Associate under HIPAA. We operate in compliance with the Privacy Rule and Security Rule requirements for business associates.
We sign a BAA with every practice before any protected health information (PHI) is transmitted. A BAA is not a separate process — it is part of the standard trial onboarding. Contact us at contact@hekavor.com if you need a BAA for procurement review before starting a trial.
Mari collects only the patient information required to conduct the structured clinical interview. We do not collect payment information, insurance data, or demographic data beyond what is directly relevant to the clinical interview.
| Data type | What is stored | Retention |
|---|---|---|
| Patient interview responses | Symptom descriptions and clinical interview answers provided by the patient through Mari | Used only to generate the pre-visit summary; stored on HIPAA BAA-covered infrastructure. |
| Generated clinical summary | HPI and DDx output generated by Mari for physician review | Delivered to the physician for review; becomes part of your practice's record on delivery. |
| Patient identifiers | Name and appointment reference used to deliver the summary to the correct physician | Used only to route the summary to the correct physician. |
Note: Patient responses are not used to train AI models. Mari's clinical logic is deterministic — it does not learn from individual patient interactions. Interview data is used only to generate the pre-visit summary for the treating physician.
When you choose to connect Mari to your EHR, integration is handled through a secure, standardized integration layer that supports bi-directional data exchange and meets healthcare data exchange standards including HL7 FHIR.
Access is scoped to the fields Mari needs for the interview — nothing extra is stored. Supported EHR systems include Epic, Cerner, Athenahealth, Elation, eClinicalWorks, NextGen, and others.
EHR integration is not required to begin your trial — Mari works without it on day one. We'll scope the details with you during onboarding.
All data transmitted between patients, Mari, and your practice is encrypted using TLS 1.2 or higher.
Patient data stored by Hekavor is encrypted at rest using AES-256.
Access to patient data within Hekavor systems is role-based and limited to personnel who require it for operational or support purposes. Access logs are maintained.
Each practice's patient data is logically separated. Data from one practice is not accessible to users of another practice.
If you have specific questions about Hekavor's security practices, data handling, or compliance posture — including requests for our BAA or documentation for procurement review — contact us directly.