Compliance

HIPAA & BAA

Med spas handle sensitive information, so we built Relco to touch as little of it as possible. Here is exactly how Relco fits into your HIPAA obligations.

Last updated: June 17, 2026

The short version

Relco is scoped to scheduling and lead qualification only. It never gives medical, dosing, or treatment-suitability advice, and it does not request or store clinical records. Where Relco processes protected health information (PHI) on your behalf, we act as your Business Associate and will sign a Business Associate Agreement (BAA).

Who is responsible for what

Your clinic is the Covered Entity under HIPAA. You are responsible for your own HIPAA program - notices, patient consents, and the clinical record. Relco is a Business Associate for the limited data it handles to answer and book on your behalf. We are not a Covered Entity and do not deliver healthcare.

The data Relco touches

To answer and book, Relco processes only the minimum necessary: a person's name, contact number or handle, the channel they used, the treatment they asked about, and appointment details. Relco does not ask for or store medical histories, diagnoses, lab results, photos, or payment-card data. When a question turns clinical, Relco hands it to your team rather than answering it.

Our safeguards

  • Encryption - data is encrypted in transit and at rest.
  • Access controls - least-privilege access, with administrative and technical controls limiting who can see conversation data.
  • Minimum necessary - the AI is configured to collect only what a booking needs and nothing more.
  • Scope guardrails - the assistant is instructed never to give clinical advice and to escalate medical questions to your staff.
  • Breach notification - if a reportable breach affecting your PHI occurs, we will notify you without unreasonable delay, as required by the BAA and HIPAA.

Getting a signed BAA

If your clinic requires a BAA before going live, we provide and sign one as part of onboarding. Ask for it on your setup call or email hello@relcoai.com, and we will send our standard BAA for your review.

You can also tell us during onboarding - the intake form asks whether you require a signed BAA, so we have it ready before your front desk goes live.

Text messaging and consent

Appointment and reminder texts are sent under your clinic's consent and our Messaging Terms, which follow TCPA and carrier (A2P/10DLC) requirements. People can opt out at any time by replying STOP. We never sell or share phone numbers or opt-in data - see the Privacy Policy.

A note, not legal advice

This page explains how Relco is designed to support your compliance. It is not legal advice and does not replace your own HIPAA program or counsel. Your obligations as a Covered Entity remain yours.

Contact

Compliance questions, or want the BAA? Email hello@relcoai.com or message +92 323 798 9871.