Healthcare Readiness
Crew is designed with healthcare workflows in mind and uses a security-first architecture that can support regulated environments when deployed with appropriate controls. This page outlines our approach to healthcare security and the shared responsibilities involved.
Our Approach
Crew provides HIPAA-aligned infrastructure and technical controls. However, we recognize that compliance is a shared responsibility that requires:
- Technical controls (provided by Crew and configured by you)
- Administrative safeguards (your policies and procedures)
- Physical safeguards (your facilities and device management)
- Organizational requirements (your contracts and training)
Technical Safeguards
Encryption
| Control | Implementation |
|---|---|
| Data in transit | TLS 1.2+ for all connections |
| Data at rest | AES-256 encryption for all stored data |
| Key management | AWS KMS with customer-managed keys (Enterprise) |
| Recording encryption | Encrypted at rest and in transit |
Access Controls
| Control | Implementation |
|---|---|
| Authentication | MFA support, SSO integration |
| Authorization | Role-based access control (RBAC) |
| Session management | Configurable timeout, secure tokens |
| API security | Scoped API keys, JWT tokens |
Audit Logging
| Control | Implementation |
|---|---|
| Access logs | All data access logged with user, time, resource |
| Authentication logs | Login attempts, MFA events |
| Configuration changes | All settings changes logged |
| API access | All API calls logged |
| Retention | Configurable, minimum 12 months |
Data Integrity
| Control | Implementation |
|---|---|
| Database integrity | PostgreSQL with ACID compliance |
| Backup verification | Regular integrity checks |
| Version control | Configuration versioning |
| Audit trails | Immutable audit logs |
PHI Handling Considerations
Minimizing PHI Exposure
Configure Crew to minimize PHI handling:
PHI Redaction
Automatic redaction of common PHI patterns:
What Constitutes PHI
Protected Health Information includes:
- Names
- Dates (birth, admission, discharge, death)
- Phone numbers, fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Device identifiers and serial numbers
- URLs, IP addresses
- Biometric identifiers
- Photographs
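As an added illustration of redacting several of the identifier classes listed above before text reaches a downstream processor, here is a pattern-based redactor. It is not Crew's own redaction code (whose patterns this page does not show); the regular expressions, labels and the sample message are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Pattern, Tuple

# Illustrative patterns only, not Crew's production rules. Ordered so the
# more specific formats (SSN) run before broader ones (phone, date).
PHI_PATTERNS: List[Tuple[str, Pattern]] = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    # Lookarounds stop the phone rule from matching inside longer digit runs.
    ("PHONE", re.compile(r"(?<!\d)(?:\+1[ -]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
    ("MRN", re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE)),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("URL", re.compile(r"\bhttps?://\S+", re.IGNORECASE)),
]


def redact_phi(text: str) -> Tuple[str, Dict[str, int]]:
    """Replace each match with a [TYPE] token.

    Returns the redacted text plus a per-type count, which is what an audit
    log should record instead of the original values. Names (the first item
    in the PHI list) are not caught by regexes; they need a dictionary or
    NER pass on top of this.
    """
    counts: Dict[str, int] = {}
    for label, pattern in PHI_PATTERNS:
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return text, counts


# Constructed sample transcript line; every value is fictional.
SAMPLE = (
    "Patient Jane Doe, DOB 03/14/1975, MRN 00123456, called from (555) 123-4567; "
    "SSN 123-45-6789; email jane.doe@example.com; "
    "portal https://portal.example.org/visit?id=42 from 10.0.0.5."
)

if __name__ == "__main__":
    redacted, counts = redact_phi(SAMPLE)
    print(redacted)
    print(counts)
```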
Business Associate Agreement
For healthcare deployments, we offer a Business Associate Agreement (BAA):
- Availability: Enterprise plan
- Request: Contact sales@usecrew.ai
- Scope: Covers Crew platform services
- Subcontractors: Includes BAAs with our service providers
A BAA is a contractual agreement, not a certification. It establishes responsibilities and does not guarantee compliance.
Architecture Considerations
Recommended Healthcare Architecture
Data Residency
| Option | Availability |
|---|---|
| US hosting | All plans |
| EU hosting | Professional+ |
| Dedicated infrastructure | Enterprise |
Network Isolation
Enterprise customers can configure:
- Private endpoints
- VPN connectivity
- IP allowlisting
- Dedicated resources
Customer Responsibilities
To deploy Crew in a healthcare environment, you are responsible for:
Administrative Safeguards
- Designating a security officer
- Conducting risk assessments
- Developing policies and procedures
- Training workforce members
- Managing business associate relationships
Technical Configuration
- Enabling appropriate security settings
- Configuring data retention policies
- Setting up access controls
- Monitoring audit logs
- Managing user accounts
Organizational Requirements
- Executing BAA with Crew
- Maintaining documentation
- Conducting periodic reviews
- Reporting and investigating incidents
What Crew Provides vs. What You Provide
| Responsibility | Crew | Customer |
|---|---|---|
| Infrastructure security | ✓ | |
| Encryption (transit/rest) | ✓ | |
| Access control mechanisms | ✓ | |
| Audit logging | ✓ | |
| BAA (Enterprise) | ✓ | |
| Access control configuration | | ✓ |
| User management | | ✓ |
| Retention policy decisions | | ✓ |
| Risk assessment | | ✓ |
| Workforce training | | ✓ |
| Incident response procedures | Shared | Shared |
| Breach notification | Shared | Shared |
Risk Considerations
Third-Party Processors
Crew uses third-party services that process data:
| Provider | Data Processed | BAA Status |
|---|---|---|
| OpenAI | Conversation text | Covered under their terms |
| Twilio | Call audio, metadata | BAA available |
| Supabase | All stored data | BAA available |
| Vercel | Application data | DPA available |
Voice AI Limitations
Consider these factors for healthcare voice AI:
- Speech recognition accuracy varies
- Critical information should be confirmed
- Agents should not provide medical advice
- Emergency situations require human routing
Recommended Guardrails
Compliance Roadmap
We are continuously enhancing our security and compliance posture:
| Initiative | Status | Target |
|---|---|---|
| SOC 2 Type II | In progress | Q2 2024 |
| HITRUST assessment | Planned | Q4 2024 |
| Dedicated hosting | Available | Enterprise |
| Enhanced audit logging | Available | Now |
| Customer-managed keys | Available | Enterprise |
Getting Started
For healthcare deployments:
1. Contact Sales: Reach out to sales@usecrew.ai to discuss your requirements.
2. Security Review: We'll provide documentation and answer security questionnaires.
3. Execute BAA: Sign a Business Associate Agreement (Enterprise).
4. Configure Environment: Set up with appropriate security settings.
5. Train Team: Ensure your team understands proper usage.
Resources
- Security documentation: Available on request
- BAA template: Contact sales@usecrew.ai
- Security questionnaire: Pre-filled responses available
- Architecture review: Available for Enterprise
Questions
For healthcare security questions:
- Email: security@usecrew.ai
- Sales: sales@usecrew.ai
Next Steps
- Security Overview — Full security architecture
- Data Handling — Data processing details
- Customer Responsibilities — Your role