HIPAA & Business Associate Agreement (BAA) Position Statement – iGlowly Assistant

Last updated: 30 March 2026

1. Purpose of This Document

This document explains how the iGlowly Assistant is designed in relation to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and whether iGlowly acts as a Business Associate when providing the iGlowly Assistant.

This document is intended for clinics, compliance officers, and IT/security reviewers.

2. Overview of the iGlowly Assistant

The iGlowly Assistant is an informational software tool that provides general information about treatments, services, and clinic-related topics such as opening hours, pricing information, and general treatment information.

The iGlowly Assistant is:

• Not an Electronic Health Record (EHR) system;
• Not a patient portal;
• Not a telemedicine platform;
• Not a medical device;
• Not a diagnostic tool;
• Not a system for storing or transmitting medical records;
• Not intended for patient-specific communication;
• Not intended for emergency communication.

The Assistant is designed for general informational use only.

3. Definition of Protected Health Information (PHI)

Under HIPAA, Protected Health Information (PHI) generally means individually identifiable health information that relates to:

• A person’s past, present, or future physical or mental health;
• The provision of healthcare to an individual;
• Payment for healthcare;

and that identifies the individual or can reasonably be used to identify the individual.

Examples include:

• Name + medical condition;
• Email + treatment information;
• Phone number + appointment or treatment;
• Photos of a patient;
• Medical records;
• Patient intake forms;
• Any health information linked to an identifiable person.

4. Zero-PHI Architecture

The iGlowly Assistant is designed according to a Zero-PHI architecture, meaning the system is specifically designed not to store Protected Health Information.

Key architectural principles:

• Chat messages are processed ephemerally in memory (RAM);
• Chat messages are not stored in databases;
• Chat messages are not written to logs;
• Chat messages are not included in backups;
• Chat messages are not visible to clinics;
• Chat messages are not accessible to iGlowly staff;
• Personal identifiers are automatically detected and redacted where possible;
• Only anonymous, non-identifying usage analytics are stored;
• The system does not create user profiles;
• The system does not store patient records;
• The system does not store conversation history;
• The system does not store IP addresses;
• The system does not use cookies or tracking identifiers.

Messages are processed temporarily only to generate a response and are then discarded.

This architecture is designed to prevent the system from storing or maintaining PHI.

5. No Storage of PHI

The iGlowly Assistant does not:

• Store patient names;
• Store contact details;
• Store medical information;
• Store medical records;
• Store chat transcripts;
• Store conversation history;
• Store uploaded files;
• Store photos;
• Store IP addresses linked to medical topics;
• Store any data that identifies a patient together with health information.

The only data stored by the system is anonymous, aggregated topic analytics, such as:

• Treatment topic requested (e.g., Botox);
• Concern topic requested (e.g., wrinkles);
• Question type (e.g., pricing, recovery);
• Language;
• Date and time;
• Clinic identifier;
• Anonymous session identifier.

This data does not identify individuals.

6. Personal Data Sanitisation

If a user enters personal information into the chat, the system applies automated detection and redaction before any AI processing.

This includes detection and masking of:

• Names;
• Email addresses;
• Phone numbers;
• Addresses;
• Identification numbers.

Personal identifiers are replaced with anonymised placeholders (e.g., “[name removed]”) before the message is processed.

Sanitised messages are processed temporarily and are not stored.

7. Business Associate Determination

Under HIPAA, a Business Associate is generally an entity that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a Covered Entity.

The iGlowly Assistant is designed so that it does not create, receive, maintain, or store PHI in persistent form.

• Messages are processed ephemerally;
• Messages are sanitised;
• Messages are not stored;
• The system is not used to manage patient records;
• The system is not used for patient communication;
• The system does not maintain PHI databases.

Because of this architecture, and when the Assistant is used as intended, iGlowly is generally not considered to be acting as a Business Associate under HIPAA with respect to the iGlowly Assistant.

However, each clinic is responsible for its own HIPAA compliance obligations and should consult its legal or compliance advisors to confirm whether a Business Associate Agreement (BAA) is required for its specific use case.

8. Intended Use and Customer Responsibilities

The iGlowly Assistant is intended for general informational use only.

Clinics must not use the Assistant to:

• Collect patient information;
• Collect medical history;
• Collect intake forms;
• Communicate with patients about their personal medical condition;
• Send prescriptions or treatment plans;
• Store or transmit medical records;
• Handle post-procedure complications;
• Handle urgent or emergency communication.

Use of the Assistant for these purposes would be outside the intended use of the system and may change the regulatory assessment.

Clinics are responsible for how they configure and use the Assistant on their website.

9. Business Associate Agreements (BAA)

Because the iGlowly Assistant is designed under a Zero-PHI architecture and is not intended to store or maintain PHI, a Business Associate Agreement (BAA) is generally not required for the use of the iGlowly Assistant as an informational tool.

If a clinic intends to use iGlowly services in a way that involves the storage or processing of Protected Health Information outside the Assistant’s intended use, this must be discussed with iGlowly separately to determine whether a BAA is required and whether such use is permitted.

10. Summary

In summary:

• The iGlowly Assistant is an informational tool;
• The system is designed to avoid storing PHI;
• Chat messages are processed ephemerally and not stored;
• Personal identifiers are sanitised where possible;
• Only anonymous analytics are stored;
• The system is designed to operate under a Zero-PHI architecture;
• When used as intended, iGlowly is generally not acting as a Business Associate for the iGlowly Assistant.

11. Contact

For HIPAA, security, or compliance questions:

trust@iglowly.com