CliniLoom
Compliance

Designed to support HIPAA-aligned workflows.

CliniLoom is built so clinical staff stay in control of every patient-affecting action. We position ourselves as a workflow layer for administrative work — not as an autonomous clinical decision-maker.

  • SOC 2 Type II · Mar 2025
  • ISO 27001 · Jun 2025
  • HIPAA-designed · BAA v1.2

Posture

HIPAA-designed. SOC 2 Type II and ISO 27001 certified.

CliniLoom is designed to be HIPAA compliant and operates under a Business Associate Agreement (BAA v1.2, available since January 2024) with every customer processing PHI. Our primary data center is SOC 2 Type II certified (March 2025) for security, availability, and confidentiality controls, and ISO 27001 certified (June 2025) for its information security management system. Reports and certificates are available under NDA.

Human-reviewed workflows

Drafts only by default

AI prepares the work — staff approve, edit, or reject before anything reaches a patient or payer.

Required reviewer roles

Clinical-sensitive items route to providers; administrative items route to staff with the right permissions.

Escalation paths

Urgent clinical concerns surface to a clinician within minutes, with clear audit of who was notified.

No silent actions

CliniLoom never auto-sends messages, auto-submits PAs, or auto-signs notes.

No autonomous clinical decision-making

CliniLoom does not diagnose, prescribe, code claims, or finalize clinical documentation on its own. Every output is a draft attached to a reviewable record with sources, a confidence indicator, and required reviewer roles.

  • No diagnostic determinations
  • No automatic prescribing or refill approval
  • No automatic claim submission
  • No autonomous sending of patient communication

Audit logs

Every AI draft, every human action, and every system event is captured with timestamp, actor, entity, and source references. Clinic admins can export audit logs as CSV or JSON for internal compliance review and incident response.

  • Per-entity audit trail (intake packet, message, PA, note, code review)
  • Actor identity and role at the time of action
  • AI source references retained alongside outputs
  • Configurable retention windows on Enterprise

Staff-controlled patient communication

Approval before send

Patient-facing drafts require explicit human approval — no scheduled auto-sends.

Clinical voice preserved

Drafts adopt clinic templates and tone. Edits are tracked side-by-side with the original draft.

Send log retained

Final sent text, sender, and recipient are retained in the patient timeline.

Administrative support boundaries

CliniLoom supports the administrative side of clinic operations: intake, triage, prior authorization preparation, follow-ups, note assembly, and coding documentation review. Clinical judgment, prescribing, and the decision to send always belong to the clinic.

Ready to review the details?

Request our security one-pager, the BAA template, and a walkthrough of the audit log.