The honest constraint: ChatRaj is NOT HIPAA-compliant
Before anything else on this page, the disclosure that matters most. ChatRaj is not a HIPAA-compliant product. We do not sign Business Associate Agreements (BAAs) with covered entities. Our infrastructure was not designed against the HIPAA Security Rule's required administrative, physical, and technical safeguards. Our audit logging, access controls, and breach-notification posture are built for general SaaS use, not for protected health information.
That is a deliberate scope decision, not a roadmap gap we are quietly closing. Building a genuinely HIPAA-compliant chatbot infrastructure means a BAA-able cloud tier, end-to-end PHI segregation, a HIPAA-trained support organization, formal risk analyses, OCR-grade incident response, and pricing that reflects all of that. The market already has good vendors doing exactly that work (athenahealth's athenaCommunicator, NextGen Patient Engagement, HealthAtom Conversations, and a long tail of clinical-AI startups). We are not trying to be one of them.
So if you are reading this page because you are a clinic operator wondering whether ChatRaj is the right tool for your patient-engagement stack, here is the direct answer: it is not the right tool for anything involving patient records, symptoms, diagnoses, prescription questions, lab results, appointment details for specific patients, telehealth intake, or any other category of PHI. Use a HIPAA-compliant vendor for those.
What ChatRaj can be useful for, when scoped honestly, is the non-PHI half of your public marketing website. That is the rest of this page.
What that DOES allow (and doesn't)
The HHS Office for Civil Rights distinguishes between information that is PHI (protected health information about an identified or identifiable individual) and information that is general, non-identifying, and publicly published. The first category is what HIPAA protects; the second category is just ordinary marketing content.
Your clinic's hours of operation are not PHI. Your accepted insurance carriers are not PHI. The list of services you offer (general dentistry, orthodontics, pediatric exams, etc.) is not PHI. The driving directions to your front door are not PHI. The bios of your providers are not PHI. The general statement "yes, we accept new patients" is not PHI.
What IS PHI: any information that connects an individual to a clinical encounter. "Has John Smith confirmed his appointment for Tuesday at 2pm" is PHI. "What does my recent lab result mean" is PHI. "I have these symptoms, should I come in" creates PHI as soon as the visitor identifies themselves. "Can you refill my prescription" is PHI. Even the act of a logged-in patient saying "is my appointment still on for tomorrow" is PHI.
A chatbot scoped strictly to non-PHI marketing content is a tool a clinic can deploy without crossing the HIPAA line. A chatbot that lets a visitor talk about their health, look up their own appointments, or refill prescriptions is a HIPAA exposure event waiting to happen.
ChatRaj is in the first category. We make it easy to draw and enforce that line on a clinic marketing site. We do not make it easy (or safe) to handle the second category, and we tell you not to try.
The persona: Dr. Aditya Iyer, small dental practice
Dr. Aditya Iyer runs a two-chair general dentistry practice in suburban Cincinnati. He has a front-desk coordinator who answers the phone roughly 60 times a day, of which maybe 35 are not patients in active treatment. Those 35 calls are split, in his rough tally, into: 12 asking about hours, 9 asking whether the practice takes their insurance, 6 asking whether the practice is accepting new patients, 5 asking about the cost of a cleaning or whitening, and 3 miscellaneous (where do I park, do you have weekend appointments, do you do Invisalign).
None of those 35 daily calls involve PHI. They are pure marketing-funnel questions that exist because his website's FAQ is buried three clicks deep, his Google Business Profile shows the wrong hours during holiday weeks, and visitors who land on the homepage from a Google search just call rather than read.
The front-desk coordinator's day would be substantially less interrupted if those 35 calls went to a chatbot on the website that answered them confidently and routed anything else to either the phone line or the existing patient portal. Aditya does not need (and explicitly does not want) the chatbot to handle patient records, symptoms, or anything clinical. He has Open Dental and an integrated patient portal for that. He just wants the non-clinical, non-PHI public Q&A to stop interrupting the front desk.
That is the use case this page is about. It is not the heroic "AI in medicine" use case. It is a small, honest, deflection-of-non-PHI-phone-calls use case that ChatRaj can serve safely.
Public-facing Q&A use case (hours, location, insurance accepted, services offered)
The core deployment is a chatbot on the marketing site, trained on the marketing site, scoped to answer only what is in the marketing site. The instruction prompt tells the bot in plain language: you are an information assistant for [practice name]. You answer questions about our hours, location, accepted insurance, services offered, provider bios, and general practice policies. You do NOT discuss specific patient appointments, symptoms, treatment recommendations, prescriptions, lab results, or anything that would constitute protected health information. If a visitor asks about any of those, respond with [the routing message] and direct them to call the practice or log in to the patient portal.
The bot's source content is the practice's existing public pages: the homepage, the About page, the Services page (with the list of treatments offered and general descriptions), the Insurance and Payment page, the Providers page, the FAQ, and the directions page. The bot does not have access to Open Dental, to the patient portal, to the appointment system, or to any clinical data. It is reading marketing copy, full stop.
Within that scope, the bot can answer questions like: "Are you open on Saturdays" (yes, monthly first-Saturday clinic until noon), "Do you take Delta Dental PPO" (yes, in-network), "How much does a cleaning cost for a new patient" (the practice's published new-patient special is $179 including exam and X-rays), "Where do I park" (parking lot behind the building, ADA-accessible entry on the south side), "Do you do Invisalign" (yes, both Dr. Iyer and Dr. Park are certified providers), "Are you accepting new patients" (yes, current new-patient wait time is roughly two weeks for a routine cleaning).
Those are all marketing answers. None of them touch PHI. The chatbot deflects them away from the phone line and back to the website where they belong.
Appointment-request handoff (NOT booking inside the chat)
This is the boundary that matters most and that small clinics get wrong most often. The chatbot does NOT book appointments. The chatbot does NOT confirm appointment times. The chatbot does NOT access the practice's scheduling system. What the chatbot does is route the visitor to the existing booking surface, which is the practice's HIPAA-compliant booking system or patient portal.
The flow looks like this. Visitor asks "can I book a cleaning for next week." The bot responds: "Yes, we have new-patient and recall openings most weeks. You can book online at [practice patient portal link] or call us at [phone] during business hours. Want me to text you the portal link?" The bot captures the visitor's preferred contact method (a phone number for SMS, or just sends them to the link) and the visitor completes the actual booking in the practice's existing system.
Why this matters: an appointment for a specific patient is PHI as soon as the patient identifies themselves. A chatbot that handles "yes I want to come in for a cleaning, my name is John Smith, my date of birth is 1985-03-12, I have Delta Dental insurance, member ID 1234" has just collected a chunk of PHI in a non-HIPAA-compliant tool. That is the exact compliance violation OCR enforces against. The bot must refuse to collect that information and must route the visitor to a system that can.
ChatRaj's lead-capture feature, on a healthcare clinic deployment, is configured to capture only what the practice has explicitly said is safe (typically: name and phone number for a callback, no insurance details, no clinical context, no date of birth). The handoff to the actual booking system is a link, not a form fill. The patient identifies and confirms themselves in the practice's HIPAA-compliant portal, not in the chatbot.
Insurance-coverage Q&A (general info, NOT specific patient records)
The dental and medical office's most repeated question is some variant of "do you take my insurance." The answer in marketing terms is a list of in-network carriers. The answer in PHI terms is "let me look up your specific plan, your deductible, and your remaining annual maximum." The chatbot handles the first answer. The chatbot must refuse the second.
The safe pattern: the bot maintains the practice's published list of accepted carriers (Delta Dental PPO, Cigna, Aetna PPO, BCBS, MetLife, Guardian, etc.) and answers general questions about in-network status. When a visitor asks "what will my cleaning cost under Delta Dental," the bot responds with the published in-network rate (which is public information the practice has explicitly chosen to publish), and routes anything specific to: "Your actual coverage depends on your specific plan and benefits. We'd be happy to verify your benefits before your appointment. You can submit your insurance info securely through our patient portal at [link], or call us at [phone]."
The bot does not ask for member IDs, group numbers, dates of birth, or any other identifier that would constitute PHI. The verification step happens in the HIPAA-compliant system, and the chatbot's job ends at the handoff.
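One way to enforce the two boundaries described in the handoff and insurance sections (refuse PHI-shaped input before any retrieval happens, and keep only the allowlisted callback fields) is shown below as an added Python example; it is not ChatRaj's own code, and the patterns, bracketed placeholders and knowledge-base entries are constructed assumptions a practice would tune:

```python
import re

# Added example (not ChatRaj's code): a pre-model guardrail that keeps PHI-shaped
# input out of the bot, plus a lead-capture allowlist. Patterns, bracketed
# placeholders and knowledge-base entries are constructed for illustration.
ROUTING_MSG = ("I can't help with that here. You can reach us at [phone] or log in "
               "to our patient portal at [portal link]. For emergencies, call 911.")

# Hypothetical patterns a practice would tune. Identifiers are checked first,
# then "about my own record" and clinical intents. Bare "appointments" is left
# out on purpose so "do you have weekend appointments" stays a marketing question.
PHI_PATTERNS = [
    ("date_of_birth", re.compile(r"\b(19|20)\d{2}-\d{2}-\d{2}\b|\bdate of birth\b|\bdob\b", re.I)),
    ("member_id", re.compile(r"\b(member|group)\s*(id|number|#)", re.I)),
    ("own_record", re.compile(r"\bmy\b.{0,20}\b(appointment|lab|result|prescription|chart|records?)\b", re.I)),
    ("clinical", re.compile(r"\b(symptom|diagnos|refill|swelling|hurts?|pain)\w*", re.I)),
]

def classify(message):
    """Return ('route', reason) for PHI-shaped text, ('answer', None) otherwise."""
    for reason, pattern in PHI_PATTERNS:
        if pattern.search(message):
            return "route", reason
    return "answer", None

MARKETING_KB = {  # constructed stand-in for the practice's public pages
    "saturday": "Yes, we run a first-Saturday clinic each month until noon.",
    "park": "Parking lot behind the building; ADA-accessible entry on the south side.",
    "delta dental": "Yes, we are in-network with Delta Dental PPO.",
}

def handle(message):
    """Answer from public content or route. Returns (reply, audit_record); a routed
    message is never stored, so the record keeps only the decision and reason."""
    decision, reason = classify(message)
    if decision == "route":
        return ROUTING_MSG, {"decision": "route", "reason": reason}
    text = message.lower()
    reply = next((a for k, a in MARKETING_KB.items() if k in text),
                 "I don't have that on our website; please call us at [phone].")
    return reply, {"decision": "answer", "message": message}

ALLOWED_LEAD_FIELDS = {"name", "phone"}  # the only fields the practice allowed

def sanitize_lead(fields):
    """Drop anything outside the allowlist before the callback lead is saved."""
    return {k: v for k, v in fields.items() if k in ALLOWED_LEAD_FIELDS}
```

The guardrail runs before retrieval so a visitor's free-text PHI never reaches the knowledge base or the conversation log; the lead allowlist does the same for the capture form.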
What ChatRaj does NOT do
To be explicit, ChatRaj is not configured to:
Accept patient identifiers or PHI in any conversation. The Instructions prompt actively refuses to collect names plus health context, dates of birth, member IDs, or any combination that would be identifying.
Book appointments inside the chat. The handoff is always a link to the practice's existing scheduling system or patient portal.
Diagnose, recommend treatment, or interpret symptoms. Any symptom-shaped question gets the same refusal pattern: "I'm not able to give medical advice. Please call us at [phone] for an urgent question or book an appointment through [portal link]. For emergencies call 911."
Access patient records, lab results, prescriptions, or appointment history. The bot has zero connection to the practice's EHR or scheduling system.
Replace your patient portal. athenaCommunicator, NextGen Patient Engagement, HealthAtom Conversations, and the patient-portal feature of your EHR exist precisely to handle PHI conversations. ChatRaj sits in front of those, not in place of them.
Sign a BAA with your practice. We do not offer Business Associate Agreements. If you need a BAA, you need a different vendor.
Compliance posture: ChatRaj for the marketing site only
The deployment we recommend, and the only deployment we support for healthcare clinics, is on the public marketing site, scoped to non-PHI content, with explicit refusal patterns for PHI-shaped questions, and with a clear visible disclaimer that the chatbot is an information assistant, not a medical or appointment-management tool.
The patient portal stays where it is. The EHR stays where it is. The appointment-scheduling system stays where it is. The chatbot lives on chatraj.com-hosted infrastructure (or your marketing site's CDN with the script tag embed), it reads only public marketing pages, it never sees the inside of a HIPAA-protected system, and it routes any PHI-shaped intent to those systems via a link.
In OCR's framework, the chatbot in this scope is operating on information that is not PHI. The clinic is not creating a Business Associate relationship with us because no PHI is being transmitted. Foley & Lardner's 2025 privacy-officer guidance on HIPAA for AI is helpful reading here: the key trigger for HIPAA's applicability is whether the vendor receives, maintains, or transmits PHI on behalf of a covered entity. A chatbot scoped to public marketing content does none of those things.
That said, we are not your compliance counsel. Before launch, your practice's privacy officer or compliance attorney should sign off on the deployment scope, the disclaimer placement, and the routing patterns. We have a sample privacy-officer review checklist linked from the install steps below.
When to use a HIPAA-compliant alternative
If the use case crosses the PHI line at all, pick a different vendor. The serious options in 2026, in rough order of fit for a small clinic:
athenaCommunicator (part of athenaOne). For practices already on athenahealth's EHR, this is the integrated patient-engagement tool. It handles secure messaging, appointment reminders, and the recently launched agentic patient communication tools that provide patients with 24/7 access to front-office AI agents. It is built around a BAA and against the full HIPAA Security Rule.
NextGen Patient Engagement. The patient-engagement layer on top of NextGen's ambulatory EHR. Includes the patient portal, secure messaging, and AI-assisted intake. Same compliance posture: BAA-able, PHI-handling, integrated with the EHR.
HealthAtom Conversations. A standalone HIPAA-compliant chatbot vendor focused on dental and small medical practices. Signs BAAs, integrates with common practice-management systems, and is the cleanest fit for the practice that wants a chatbot AND wants it to handle PHI safely.
The pricing comparison is honest: those tools cost meaningfully more than ChatRaj because they are doing meaningfully more work (BAA program, HIPAA-trained support, PHI segregation, OCR-grade audit logging). A small dental practice deploying athenaCommunicator is typically in the $200 to $500 per month range bundled with the EHR. HealthAtom standalone is in a similar bracket. ChatRaj Pro at $29/mo handles the marketing-site use case described above and explicitly does not handle the PHI use case.
ROI: deflect phone calls about hours and insurance
The honest ROI for a small clinic is the front-desk time saved. If the chatbot deflects 25 of the 35 daily non-PHI calls Dr. Iyer's front desk currently fields, that is roughly 50 to 75 minutes of front-desk time recovered per day. Over a month, that is 20 to 30 hours of staff time the practice gets back for work that actually requires a human (insurance verification calls, treatment plan follow-ups, scheduling around clinical complexity, patient relationship care).
At a fully loaded front-desk cost of roughly $25 per hour, the chatbot pays for itself in front-desk time savings within the first week of operation. Most small clinics also see a modest lift in new-patient conversions, because website visitors who would have bounced rather than call instead get their question answered and then click through to the portal to book.
The ROI is not in patient outcomes, clinical efficiency, or any of the heroic AI-in-medicine framing. It is in administrative deflection of non-clinical questions on the marketing site. That is the use case. That is what we are honest about.
Disclaimer footer placement
The chatbot widget on a clinic's site should always be deployed with a visible disclaimer in the widget's welcome message and a persistent footer line. The recommended copy: "This chat is an information assistant for our practice website. It does not access patient records and cannot give medical advice. For appointments, lab results, or clinical questions, please use our patient portal or call us at [phone]. For medical emergencies, call 911."
The disclaimer is not just a CYA gesture; it sets expectations correctly with the visitor. Most patients understand the distinction between "the website's FAQ bot" and "my doctor's office" if you draw the line clearly. The failure mode is when the bot's framing is ambiguous and the visitor starts treating it like the patient portal. The disclaimer prevents that.
The install steps below walk through the full deployment, with the disclaimer copy and the PHI-refusal Instructions text. The whole thing is one afternoon of work, plus the privacy-officer sign-off.