HIPAA Controls for Cerbo AI Practices
Privacy posture for Cerbo practices — cash-pay, DPC, and functional medicine.
Section 1
HIPAA applies even when there's no insurance
Cash-pay and DPC practices sometimes assume HIPAA is primarily an insurance billing concern. It isn't. HIPAA's Privacy Rule applies to any covered entity — which includes any practice that transmits health information electronically, regardless of payment model.
AI receptionist deployments require a Business Associate Agreement (BAA) with MedReception AI, and your existing Cerbo BAA with cer.bo (Cerbo's operator) must be reviewed to ensure AI-generated data flows are covered.
Section 2
Key HIPAA controls for AI phone systems
The three controls that matter most for AI phone deployments are the minimum necessary standard (the AI captures only what's needed for the specific call purpose), access controls (who can see AI transcripts and Cerbo logs), and breach notification (what happens if AI-captured data is exposed).
- Minimum necessary: AI scripts capture only the PHI required for the call type
- BAA: Business Associate Agreement in place with MedReception AI
- Access controls: AI transcript access restricted to care team members in Cerbo
- Retention: call recordings and transcripts retained per your HIPAA retention policy
- Breach protocol: documented procedure for AI-related PHI exposure
- SMS controls: no PHI in SMS message body — only in authenticated portal links
Section 3
HIPAA documentation for AI deployments
MedReception AI provides a HIPAA documentation package for Cerbo practices: BAA template, risk assessment addendum for AI phone systems, and a staff training checklist covering AI data handling.
For functional medicine practices subject to additional state privacy laws (California CMIA, New York SHIELD Act), the documentation package includes state-specific addenda.