Privacy Policy & HIPAA Notice

Effective date: August 1, 2025

Effective Date: January 31, 2025

Your privacy is paramount to us. Healthnotes AI, Inc. ("Healthnotes AI", "we", "us", or "our") is committed to protecting your personal information and health data in compliance with the Health Insurance Portability and Accountability Act (HIPAA), state privacy laws, and international data protection regulations. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Platform.

HIPAA Notice of Privacy Practices

As a Business Associate under HIPAA, we are required to maintain the privacy and security of Protected Health Information (PHI). This section serves as our Notice of Privacy Practices as required by HIPAA.
We are required by law to:
  • Maintain the privacy and security of your PHI
  • Notify you promptly of any breach that may compromise your PHI
  • Follow the duties and privacy practices described in this notice
  • Not use or disclose your PHI except as described in this notice

Types of Information We Process

  • Protected Health Information (PHI): Medical records, clinical notes, diagnoses, treatment information, voice recordings of patient encounters
  • Personal Information: Name, email, professional credentials, contact information
  • Usage Data: Platform interactions, feature usage, performance metrics
  • Technical Data: IP addresses, browser type, device information

How We Collect Information

Information You Provide

  • Account Information: Name, email, professional credentials, healthcare organization affiliation
  • Clinical Documentation: Voice recordings, transcriptions, clinical notes, patient encounter data
  • Integration Data: EHR credentials, API keys for connected services
  • Communication Data: Support requests, feedback, correspondence

Information Collected Automatically

  • Technical Data: IP address, browser type, device information, operating system
  • Usage Data: Features used, time spent, interaction patterns
  • Performance Data: Error logs, latency metrics, system performance indicators
  • Voice Processing Metadata: Audio quality metrics, speaker identification confidence scores

How We Use Your Information

Permitted Uses Under HIPAA

As a Business Associate, we use and disclose PHI only as permitted by HIPAA and our Business Associate Agreement (BAA) with your healthcare organization:
  1. Treatment Activities: Processing voice recordings to generate clinical documentation
  2. Healthcare Operations: Quality improvement, training AI models on de-identified data
  3. As Required by Law: Compliance with legal obligations, court orders, or government requests
  4. With Authorization: Other uses with your explicit written authorization

Business Purposes

We use personal information for:
  1. Service Delivery
    • Providing voice transcription and documentation services
    • Generating AI-powered clinical notes and suggestions
    • Facilitating EHR integrations and data synchronization
  2. Account Management
    • Creating and managing user accounts
    • Authentication and access control
    • Billing and subscription management
  3. Platform Improvement
    • Analyzing usage patterns to enhance features
    • Training AI models on aggregated, de-identified data
    • Developing new healthcare documentation tools
  4. Communication
    • Sending service updates and notifications
    • Responding to support requests
    • Providing security alerts and breach notifications
  5. Legal Compliance
    • Meeting HIPAA requirements
    • Responding to legal requests
    • Conducting security audits and assessments

Legitimate Reasons for Processing Your Personal Information

We collect and use your personal information only when we have a legitimate reason for doing so. In such cases, we collect only the personal information that is reasonably necessary to provide our services to you.

Collection and Use of Information

We may collect personal information from you when you do any of the following on our website:
  • Register for an account
  • Purchase a subscription
  • Use a mobile device or web browser to access our content
  • Contact us via email, social media, or on any similar technologies
  • When you mention us on social media
We may collect, hold, use, and disclose information for the following purposes, and personal information will not be further processed in a manner that is incompatible with these purposes:
  • to provide you with our platform's core features and services
  • for security and fraud prevention, and to ensure that our sites and apps are safe, secure, and used in line with our terms of use
We may combine voluntarily provided and automatically collected personal information with general information or research data we receive from other trusted sources. For example, if you provide us with your location, we may combine this with general information about currency and language to provide you with an enhanced experience of our site and service.

Security of Your Personal Information and PHI

We implement comprehensive security measures that meet or exceed HIPAA requirements to protect your PHI and personal information:

Technical Safeguards

  • Encryption: All PHI is encrypted using AES-256 at rest and TLS 1.3 in transit
  • Access Controls: Role-based access with multi-factor authentication required
  • Audit Controls: Complete logging of all PHI access and modifications
  • Integrity Controls: Mechanisms to ensure PHI is not improperly altered or destroyed
  • Transmission Security: Secure channels for all electronic PHI transmission

Administrative Safeguards

  • Security Officer: Designated HIPAA Security Officer responsible for security policies
  • Workforce Training: All personnel receive HIPAA training before accessing PHI
  • Access Management: Access granted on minimum necessary basis
  • Incident Response: Documented procedures for security incident response
  • Risk Assessments: Regular security risk assessments and mitigation

Physical Safeguards

  • Facility Access: Controlled access to data centers and offices
  • Workstation Security: Automatic logoff and encryption on all devices
  • Device Controls: Inventory and monitoring of all devices accessing PHI
  • Media Disposal: Secure destruction of electronic and physical media
While we implement industry-leading security measures, no method of electronic transmission or storage is 100% secure. We continuously monitor and improve our security posture to protect against evolving threats.

How Long We Keep Your Personal Information and PHI

We retain information in accordance with HIPAA requirements and healthcare industry standards:

PHI Retention Periods

  • Medical Documentation: Minimum 7 years from last patient interaction or as required by state law (whichever is longer)
  • Voice Recordings: 90 days unless incorporated into medical records
  • Transcription Data: 3 years from creation date
  • Audit Logs: 6 years as required by HIPAA
  • Billing Records: 7 years from date of service

Personal Information Retention

  • Account Information: Duration of account plus 7 years after closure
  • Usage Analytics: 2 years (anonymized after 90 days)
  • Support Communications: 3 years from last interaction
  • Marketing Preferences: Until withdrawn or account closure
Upon expiration of retention periods or upon request (where legally permissible), we will securely delete or de-identify your information. Some information may be retained longer if required for legal, regulatory, or legitimate business purposes.

Children’s Privacy

We do not aim any of our products or services directly at children under the age of 13, and we do not knowingly collect personal information about children under 13.

Disclosure of Personal Information and PHI to Third Parties

Business Associates

We may share PHI with Business Associates who perform services on our behalf. All Business Associates must sign a Business Associate Agreement (BAA) that requires them to:
  • Protect the confidentiality and security of PHI
  • Use PHI only for the purposes specified in the BAA
  • Report any breaches or security incidents
  • Ensure their subcontractors also sign BAAs
Our Business Associates include:
  • Cloud Infrastructure: Convex (primary database and backend)
  • AI Services: OpenAI, Anthropic (for clinical documentation generation)
  • Voice Processing: AWS/GCP (for transcription services)
  • EHR Integration Partners: Epic, Cerner, Medplum
  • Communication Services: For secure messaging and notifications
  • Analytics Providers: For aggregated, de-identified usage analytics

Disclosures Required or Permitted by HIPAA

We may disclose PHI without your authorization when required or permitted by law:
  1. To Healthcare Providers: For treatment purposes with your healthcare team
  2. For Payment: To process claims and obtain payment for services
  3. For Healthcare Operations: Quality improvement, training, accreditation
  4. Required by Law: Court orders, subpoenas, law enforcement (with proper authorization)
  5. Public Health Activities: Disease reporting as required by law
  6. Health Oversight: Audits, investigations, inspections, licensure
  7. Abuse or Neglect: Reporting suspected abuse, neglect, or domestic violence
  8. Serious Threat to Health or Safety: To prevent imminent harm
  9. Workers' Compensation: As required by workers' compensation laws
  10. Coroners and Medical Examiners: For identification and cause of death

Other Disclosures of Personal Information

For non-PHI personal information, we may disclose to:
  • Service providers who assist with non-healthcare services
  • Professional advisors (attorneys, accountants, auditors)
  • Payment processors (Stripe) for billing purposes
  • Analytics providers (Vercel Analytics) for service improvement
  • Potential acquirers in the event of a merger or acquisition

Marketing and Fundraising

We will not use or disclose your PHI for marketing purposes without your written authorization. We do not sell, rent, or trade PHI for any purpose.

De-identified and Aggregated Data

We may create de-identified data by removing all identifiable information. De-identified data may be used for research, analytics, and service improvement without restriction, as it is no longer considered PHI.

International Transfers of Personal Information

The personal information we collect is stored and/or processed in the United States, or wherever we or our partners, affiliates, and third-party providers maintain facilities.
The countries in which we store or process your personal information, or to which we transfer it, may not have the same data protection laws as the country in which you initially provided the information. If we transfer your personal information to third parties in other countries: (i) we will perform those transfers in accordance with the requirements of applicable law; and (ii) we will protect the transferred personal information in accordance with this privacy policy.

Your Rights Under HIPAA

As a patient whose information is processed through our Platform, you have the following rights under HIPAA:

Right to Access Your PHI

You have the right to inspect and obtain a copy of your PHI that we maintain. We will provide this within 30 days of your request in the format you specify (electronic or paper). We may charge a reasonable fee for copying and mailing costs.

Right to Amend Your PHI

If you believe your PHI is incorrect or incomplete, you may request that we amend it. We will respond within 60 days. If we deny your request, we will provide a written explanation and information about your right to submit a statement of disagreement.

Right to an Accounting of Disclosures

You may request a list of disclosures of your PHI made by us in the past six years, except for disclosures made for:
  • Treatment, payment, or healthcare operations
  • Disclosures you authorized
  • Disclosures for national security or intelligence purposes

Right to Request Restrictions

You may request restrictions on how we use or disclose your PHI for treatment, payment, or healthcare operations. While we will consider all requests, we are not required to agree to them unless:
  • The disclosure is to a health plan for payment or healthcare operations
  • The PHI pertains solely to healthcare items or services you paid for out-of-pocket in full

Right to Request Confidential Communications

You may request that we communicate with you about your PHI in a specific way (e.g., only at a certain phone number) or at a specific location. We will accommodate reasonable requests.

Right to Notice of Breach

We will notify you within 60 days if there is a breach of your unsecured PHI that compromises the security or privacy of your information.

Right to Receive a Copy of This Notice

You have the right to receive a paper copy of this notice upon request, even if you agreed to receive it electronically.

How to Exercise Your Rights

To exercise any of these rights, contact our Privacy Officer using the details provided in the Contact Us section of this privacy policy.

Your Rights and Controlling Your Personal Information

In addition to your HIPAA rights, you have the following rights regarding your personal information:
Your choice: By providing personal information to us, you understand we will collect, hold, use, and disclose your personal information in accordance with this privacy policy. You do not have to provide personal information to us; however, if you do not, it may affect your use of our Platform.
Information from third parties: If we receive personal information about you from a third party, we will protect it as set out in this privacy policy. If you are a third party providing personal information about somebody else, you represent and warrant that you have such person's consent to provide the personal information to us.
Marketing permission: If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by contacting us using the details below.
Access: You may request details of the personal information that we hold about you.
Correction: If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, please contact us using the details provided in this privacy policy. We will take reasonable steps to correct any information found to be inaccurate, incomplete, misleading, or out of date.
Non-discrimination: We will not discriminate against you for exercising any of your rights over your personal information or PHI.
Notification of data breaches: We will comply with HIPAA breach notification requirements and all other applicable laws in respect of any data breach.
Complaints: If you believe that we have breached HIPAA or a relevant data protection law and wish to make a complaint, please contact us using the details below and provide us with full details of the alleged breach. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take to deal with your complaint. You also have the right to file a complaint with the HHS Office for Civil Rights.
Unsubscribe: To unsubscribe from our email database or opt-out of communications (including marketing communications), please contact us using the details provided in this privacy policy, or opt-out using the opt-out facilities provided in the communication.

Breach Notification Procedures

In the event of a breach of unsecured PHI, we will follow HIPAA breach notification requirements:

Individual Notification

  • Timeline: Within 60 days of discovery of the breach
  • Method: Written notice by mail or email (if you have agreed to electronic communication)
  • Content: Description of what happened, types of PHI involved, steps you should take to protect yourself, what we are doing to investigate and mitigate, contact procedures

Healthcare Provider Notification

  • Timeline: Within 5 business days for breaches affecting your patients
  • Method: Secure communication to your designated contact

Media Notification

  • When Required: Breaches affecting 500+ individuals in a state or jurisdiction
  • Timeline: Within 60 days of discovery
  • Method: Prominent media outlets in affected areas

HHS Notification

  • Large Breaches (500+ individuals): Within 60 days
  • Smaller Breaches: Annual summary to HHS

Our Breach Response Includes:

  1. Immediate containment and investigation
  2. Risk assessment to determine notification requirements
  3. Mitigation measures to prevent future occurrences
  4. Documentation of all breach response activities
  5. Review and improvement of security measures

Business Transfers

If we or our assets are acquired, or in the unlikely event that we go out of business or enter bankruptcy, we would include data, including your personal information and PHI, among the assets transferred to any parties who acquire us. Any acquirer would be required to:
  • Continue protecting PHI in accordance with HIPAA
  • Assume all obligations under existing BAAs
  • Honor the terms of this Privacy Policy
  • Notify affected individuals of any material changes

Limits of Our Policy

Our website may link to external sites that are not operated by us. Please be aware that we have no control over the content and policies of those sites, and cannot accept responsibility or liability for their respective privacy practices.

Changes to This Policy

At our discretion, we may change our privacy policy to reflect updates to our business processes, current acceptable practices, or legislative or regulatory changes. If we decide to change this privacy policy, we will post the changes here at the same link by which you are accessing this privacy policy.
If the changes are significant, or if required by applicable law, we will contact you (based on your selected preferences for communications from us) and all our registered users with the new details and links to the updated or changed policy.
If required by law, we will get your permission or give you the opportunity to opt in to or opt out of, as applicable, any new uses of your personal information.

Additional Disclosures for Australian Privacy Act Compliance (AU)

International Transfers of Personal Information

Where the disclosure of your personal information is solely subject to Australian privacy laws, you acknowledge that some third parties may not be regulated by the Privacy Act and the Australian Privacy Principles in the Privacy Act. You acknowledge that if any such third party engages in any act or practice that contravenes the Australian Privacy Principles, it would not be accountable under the Privacy Act, and you will not be able to seek redress under the Privacy Act.

Additional Disclosures for General Data Protection Regulation (GDPR) Compliance (EU)

Data Controller / Data Processor

The GDPR distinguishes between organizations that process personal information for their own purposes (known as “data controllers”) and organizations that process personal information on behalf of other organizations (known as “data processors”). We, /CompanyName/, located at the address provided in our Contact Us section, are a Data Controller with respect to the personal information you provide to us.
We will only collect and use your personal information when we have a legal right to do so. In that case, we will collect and use your personal information lawfully, fairly, and in a transparent manner. If we seek your consent to process your personal information, and you are under 16 years of age, we will seek your parent or legal guardian’s consent to process your personal information for that specific purpose.
Our lawful bases depend on the services you use and how you use them. This means we only collect and use your information on the following grounds:
Where you give us consent to collect and use your personal information for a specific purpose. You may withdraw your consent at any time using the facilities we provide; however, this will not affect any use of your information that has already taken place. When you contact us, you may consent to your name and email address being used so we can respond to your enquiry. While you may request that we delete your contact details at any time, we cannot recall any email we have already sent. If you have any further enquiries about how to withdraw your consent, please feel free to enquire using the details provided in the Contact Us section of this privacy policy.

Performance of a Contract or Transaction

Where you have entered into a contract or transaction with us, or in order to take preparatory steps prior to our entering into a contract or transaction with you. For example, if you purchase a product, service, or subscription from us, we may need to use your personal and payment information in order to process and deliver your order.

Our Legitimate Interests

Where we assess it is necessary for our legitimate interests, such as for us to provide, operate, improve and communicate our services. We consider our legitimate interests to include research and development, understanding our audience, marketing and promoting our services, measures taken to operate our services efficiently, marketing analysis, and measures taken to protect our legal rights and interests.

Compliance with Law

In some cases, we may have a legal obligation to use or keep your personal information. Such cases may include (but are not limited to) court orders, criminal investigations, government requests, and regulatory obligations. If you have any further enquiries about how we retain personal information in order to comply with the law, please feel free to enquire using the details provided in the Contact Us section of this privacy policy.

International Transfers Outside of the European Economic Area (EEA)

We will ensure that any transfer of personal information from countries in the European Economic Area (EEA) to countries outside the EEA will be protected by appropriate safeguards, for example by using standard data protection clauses approved by the European Commission, or the use of binding corporate rules or other legally accepted means.

Your Rights and Controlling Your Personal Information

Restrict: You have the right to request that we restrict the processing of your personal information if (i) you are concerned about the accuracy of your personal information; (ii) you believe your personal information has been unlawfully processed; (iii) you need us to maintain the personal information solely for the purpose of a legal claim; or (iv) we are in the process of considering your objection in relation to processing on the basis of legitimate interests.
Objecting to processing: You have the right to object to processing of your personal information that is based on our legitimate interests or public interest. If you do so, we must provide compelling legitimate grounds for the processing that override your interests, rights, and freedoms in order to proceed with the processing of your personal information.
Data portability: You may have the right to request a copy of the personal information we hold about you. Where possible, we will provide this information in CSV format or another easily readable machine format. You may also have the right to request that we transfer this personal information to a third party.
Deletion: You may have a right to request that we delete the personal information we hold about you at any time, and we will take reasonable steps to delete your personal information from our current records. If you ask us to delete your personal information, we will let you know how the deletion affects your use of our website or products and services. There may be exceptions to this right for specific legal reasons which, if applicable, we will set out for you in response to your request. If you terminate or delete your account, we will delete your personal information within 30 days of the deletion of your account. Please be aware that search engines and similar third parties may still retain copies of your personal information that has been made public at least once, like certain profile information and public comments, even after you have deleted the information from our services or deactivated your account.

Additional Disclosures for California Compliance (US)

Under California Civil Code Section 1798.83, if you live in California and your business relationship with us is mainly for personal, family, or household purposes, you may ask us about the information we release to other organizations for their marketing purposes.
To make such a request, please contact us using the details provided in this privacy policy with “Request for California privacy information” in the subject line. You may make this type of request once every calendar year. We will email you a list of the categories of personal information we revealed to other organizations for their marketing purposes in the last calendar year, along with their names and addresses. Not all personal information shared in this way is covered by Section 1798.83 of the California Civil Code.

Do Not Track

Some browsers have a “Do Not Track” feature that lets you tell websites that you do not want to have your online activities tracked. At this time, we do not respond to browser “Do Not Track” signals.
We adhere to the standards outlined in this privacy policy, ensuring we collect and process personal information lawfully, fairly, transparently, and with legitimate, legal reasons for doing so.

CCPA-permitted financial incentives

In accordance with your right to non-discrimination, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels for the goods or services we provide.
Any CCPA-permitted financial incentive we offer will reasonably relate to the value of your personal information, and we will provide written terms that describe clearly the nature of such an offer. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.

California Notice of Collection

In the past 12 months, we have collected the following categories of personal information enumerated in the California Consumer Privacy Act:
  • Identifiers, such as name, email address, phone number, account name, IP address, and an ID or number assigned to your account.
  • Customer records, such as billing and shipping address, and credit or debit card data.
For more information on information we collect, including the sources we receive information from, review the “Information We Collect” section. We collect and use these categories of personal information for the business purposes described in the “Collection and Use of Information” section, including to provide and manage our Service.

Right to Know and Delete

If you are a California resident, you have the right to request deletion of the personal information we have collected about you and to know certain information about our data practices in the preceding 12 months. In particular, you have the right to request the following from us:
  • The categories of personal information we have collected about you;
  • The categories of sources from which the personal information was collected;
  • The categories of personal information about you we disclosed for a business purpose or sold;
  • The categories of third parties to whom the personal information was disclosed for a business purpose or sold;
  • The business or commercial purpose for collecting or selling the personal information; and
  • The specific pieces of personal information we have collected about you.
To exercise any of these rights, please contact us using the details provided in this privacy policy.

Shine the Light

If you are a California resident, in addition to the rights discussed above, you have the right to request information from us regarding the manner in which we share certain personal information, as defined by California’s “Shine the Light” law, with third parties and affiliates for their own direct marketing purposes.
To receive this information, send us a request using the contact details provided in this privacy policy. Requests must include “California Privacy Rights Request” in the first line of the description and include your name, street address, city, state, and ZIP code.

Contact Us

Privacy Officer

For questions about this Privacy Policy, to exercise your rights, or for privacy concerns:
Healthnotes AI Privacy Officer
Email: privacy@healthnotes.ai
Phone: 1-800-XXX-XXXX
Mail: Healthnotes AI, Inc.
Attn: Privacy Officer
[Your Business Address]

HIPAA Complaints

If you believe your privacy rights have been violated, you may file a complaint with:
  1. Healthnotes AI: Contact our Privacy Officer using the information above
  2. U.S. Department of Health and Human Services:
    • Online: www.hhs.gov/ocr/privacy/hipaa/complaints
    • Phone: 1-877-696-6775
    • Mail: Office for Civil Rights, U.S. Department of Health and Human Services
      200 Independence Avenue, S.W.
      Washington, D.C. 20201
We will not retaliate against you for filing a complaint.

Request for Information

To request a copy of this Privacy Policy or our Notice of Privacy Practices, contact our Privacy Officer.
Effective Date: January 31, 2025
Last Updated: January 31, 2025
