Hello Patient received its SOC 2 Type 2 report in June 2026, confirmed by an independent auditor. Over several months, that auditor tested whether our security controls actually work the way we say they do, and confirmed they do. Hello Patient is a healthcare AI company whose AI agents handle every patient conversation, inbound and outbound, across voice, text, and web chat, so those controls cover the systems where patient data lives. A SOC 2 Type 2 report is one of the things security teams check before approving a healthcare vendor, and this page explains what it covers and how to request a copy.
What a SOC 2 Type 2 report actually is
SOC 2 is an audit standard for how a company protects the data it handles. An independent auditor examines the security controls and reports what they found. There are two kinds of reports. A Type 1 report checks that the controls are designed correctly, at a single point in time. A Type 2 report watches the controls operate over a period of months and confirms they ran as designed. One checks that the locks are on the doors, the other confirms the doors stay locked.
Patient conversations run through our agents every day. So we think the point-in-time report is the wrong one to accept from a healthcare AI vendor. Ask for the Type 2.
How the report changes your security review
Clinics and health systems put vendors through a security review before an agent takes a single patient call, and they should. The review usually means a long questionnaire, weeks of back-and-forth, and a vendor answering questions about itself. The SOC 2 Type 2 report changes where the answers come from. Instead of taking our word for it, your reviewer reads what an independent auditor observed over months. Much of a standard security questionnaire is answered inside the report.
HIPAA and the BAA were already in place
Hello Patient was already HIPAA-compliant, with a BAA on every account. HIPAA is the legal floor for anyone handling patient information. The business associate agreement is the contract that holds us to it for your practice specifically. The SOC 2 Type 2 report is the layer on top. An outside auditor checked that the security controls behind the agents run the way they should. HIPAA-compliant, SOC 2 Type 2 certified, BAA on every account.
If your security review is underway, ask your Hello Patient contact for the SOC 2 Type 2 report. If you're earlier than that, book a call at hellopatient.com/schedule and bring your security questions.
Frequently asked questions
Is Hello Patient SOC 2 Type 2 certified?
Yes. Hello Patient received its SOC 2 Type 2 report in June 2026. An independent auditor observed the company's security controls operating over a period of months and confirmed they work in practice. Hello Patient is a healthcare AI company whose AI agents handle every patient conversation, inbound and outbound, across voice, text, and web chat. The systems the auditor examined are the ones that carry those conversations every day. Clinics and health systems can request the report as part of a vendor security review. It is ready to share.
What does a SOC 2 Type 2 report cover for a healthcare AI vendor?
A SOC 2 Type 2 report documents how a company protects the data it handles, and whether its security controls ran as designed over the audit period. An independent auditor tests areas such as access controls, change management, and incident response, then writes up what they observed. Hello Patient's report covers the platform its AI agents run on, the same systems that handle patient calls, texts, and web chats. For a clinic or health system, the report replaces a stack of self-reported questionnaire answers with an auditor's own findings.
Which SOC 2 report should a clinic ask a vendor for, Type 1 or Type 2?
The Type 2. A Type 1 report shows a vendor's security controls were designed correctly on the day the auditor looked. A Type 2 report shows the controls operated correctly over a period of months, which is the closer match to how patient data flows through a vendor. Patient data sits with a vendor every day, so the audit should cover more than a single day. Hello Patient holds a SOC 2 Type 2 report, received in June 2026, and shares it with clinics and health systems during security reviews. If a vendor offers a Type 1, ask when the Type 2 is coming.
Is Hello Patient HIPAA compliant?
Yes. Hello Patient is HIPAA-compliant, and was before the SOC 2 audit. HIPAA sets the legal rules for handling protected health information, which is what the agents hear on a call or read in a text, like names, appointment details, and balances. The platform is built to those rules, and every client relationship starts with a signed BAA. The SOC 2 Type 2 report sits on top of HIPAA. HIPAA says what a company must protect, and the SOC 2 audit is an outside check that the protections hold up. A clinic evaluating Hello Patient gets both.
Does Hello Patient sign a BAA with practices?
Hello Patient signs a business associate agreement with every client. The BAA is the HIPAA contract that makes a vendor legally responsible for protecting patient information, and it is the first thing to ask of any vendor whose product will hear patient calls or read patient messages. There is no Hello Patient account without one. The BAA, HIPAA compliance, and the SOC 2 Type 2 report together are the paperwork a security review usually asks for, and all three are in place.
How can a clinic or health system get Hello Patient's SOC 2 report?
Ask for it. Clinics and health systems evaluating Hello Patient can request the SOC 2 Type 2 report as part of their security review, and it is ready to share. If a review is already underway, tell your Hello Patient contact and they will send it. If you are earlier in the process, book a call at hellopatient.com/schedule and ask for the report there. The report gives your IT or compliance reviewer the auditor's findings directly, which usually shortens the back-and-forth of a vendor questionnaire.
How do AI agents for healthcare keep patient data secure?
Patient conversations carry protected health information, so the platform under the agent matters as much as the agent itself. Hello Patient's AI agents handle conversations across voice, text, and web chat on a platform that is HIPAA-compliant, SOC 2 Type 2 certified, and covered by a BAA on every account. Every interaction is logged, so your team has a record of what was said and done on each call, text, or chat. The SOC 2 Type 2 report describes the controls behind that, verified by an independent auditor over months of operation.
What happens when an AI agent's conversation with a patient needs a human?
When a conversation needs a human, the agent hands off with full context, never gives medical advice, and logs every interaction. That is how Hello Patient's agents run in a clinical setting. A question about symptoms, a complaint, or anything past the agent's lane goes to your staff with the whole conversation attached, so nobody starts cold. The handoff rule matters in a security review because it draws the boundary plainly. The agent works inside the rules your team sets, and the log shows what it did.

.jpeg)