​

Healthcare Readiness

​

Our Approach

1. Technical controls (provided by Crew and configured by you)
2. Administrative safeguards (your policies and procedures)
3. Physical safeguards (your facilities and device management)
4. Organizational requirements (your contracts and training)

​

Technical Safeguards

​

Encryption

​

Access Controls

​

Audit Logging

​

Data Integrity

​

PHI Handling Considerations

​

Minimizing PHI Exposure

{
  "data_handling": {
    "store_transcripts": true,
    "redact_phi_from_transcripts": true,
    "store_recordings": false,
    "anonymize_after_days": 30
  }
}

​

PHI Redaction

{
  "phi_redaction": {
    "enabled": true,
    "patterns": [
      "ssn",
      "date_of_birth",
      "medical_record_number",
      "insurance_id"
    ],
    "replacement": "[REDACTED]"
  }
}

​

What Constitutes PHI

• Names
• Dates (birth, admission, discharge, death)
• Phone numbers, fax numbers
• Email addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Device identifiers and serial numbers
• URLs, IP addresses
• Biometric identifiers
• Photographs

​

Business Associate Agreement

• Availability: Enterprise plan
• Request: Contact sales@usecrew.ai
• Scope: Covers Crew platform services
• Subcontractors: Includes BAAs with our service providers

​

Architecture Considerations

​

Recommended Healthcare Architecture

Patient Call → Crew Agent → Minimal Data Capture
                    ↓
              EMR Integration (via API)
                    ↓
              PHI Stays in EMR

​

Data Residency

​

Network Isolation

• Private endpoints
• VPN connectivity
• IP allowlisting
• Dedicated resources

​

Customer Responsibilities

​

Administrative Safeguards

• Designating a security officer
• Conducting risk assessments
• Developing policies and procedures
• Training workforce members
• Managing business associate relationships

​

Technical Configuration

• Enabling appropriate security settings
• Configuring data retention policies
• Setting up access controls
• Monitoring audit logs
• Managing user accounts

​

Organizational Requirements

• Executing BAA with Crew
• Maintaining documentation
• Conducting periodic reviews
• Reporting and investigating incidents

​

What Crew Provides vs. What You Provide

​

Risk Considerations

​

Third-Party Processors

​

Voice AI Limitations

• Speech recognition accuracy varies
• Critical information should be confirmed
• Agents should not provide medical advice
• Emergency situations require human routing

​

Recommended Guardrails

{
  "guardrails": {
    "healthcare": {
      "no_diagnosis": true,
      "no_treatment_advice": true,
      "emergency_detection": {
        "enabled": true,
        "keywords": ["emergency", "chest pain", "can't breathe"],
        "action": "immediate_escalation"
      },
      "defer_clinical": {
        "triggers": ["should I take", "is it safe"],
        "response": "For medical advice, please speak with your healthcare provider."
      }
    }
  }
}

​

Compliance Roadmap

​

Getting Started

​

Resources

• Security documentation: Available on request
• BAA template: Contact sales@usecrew.ai
• Security questionnaire: Pre-filled responses available
• Architecture review: Available for Enterprise

​

Questions

• Email: security@usecrew.ai
• Sales: sales@usecrew.ai

​

Next Steps

• Security Overview — Full security architecture
• Data Handling — Data processing details
• Customer Responsibilities — Your role