Effective Date: October 1, 2025 Last Updated: October 1, 2025
Introduction
AuriMD ("we," "us," or "our") is committed to protecting the privacy and security of your information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our AI-powered clinical documentation services (the "Services").
IMPORTANT: AuriMD operates as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). We do not directly provide healthcare services to patients. We provide technology services to healthcare providers (Covered Entities) who use our platform to document patient encounters.
1. Information We Collect
1.1 Protected Health Information (PHI)
When healthcare providers use our Services, we process the following types of PHI on behalf of the healthcare provider:
- Audio recordings of doctor-patient conversations (processed in real-time, retention controlled by provider)
- Transcribed conversation text including patient-reported symptoms, medical history, and clinical findings
- Patient identifiers including name, date of birth, medical record number (MRN)
- Clinical data from EHR systems including:
- Current medications and allergies
- Vital signs (blood pressure, temperature, heart rate, etc.)
- Laboratory results
- Diagnoses and problem lists
- Immunization records
- Prior visit summaries
- Generated clinical notes (SOAP notes, consultation notes, etc.)
Data Minimization: We only access and process PHI that is strictly necessary to provide our AI documentation services. We adhere to the HIPAA "minimum necessary" standard.
1.2 Account and Business Information
We collect the following non-PHI information:
- Healthcare provider account information: Name, email address, phone number, medical license number (for verification), practice name and address
- Authentication data: Passwords (encrypted), security questions, multi-factor authentication tokens
- Billing information: Credit card details (processed through PCI-compliant third-party payment processors), billing address
- Usage data: Login timestamps, features accessed, session duration, error logs
- Technical information: IP address, device type, browser type, operating system
1.3 Cookies and Tracking Technologies
Our website uses:
- Essential cookies: Required for authentication and security
- Analytics cookies: To understand how providers use our Services (Google Analytics with IP anonymization)
- Preference cookies: To remember user settings
You can control cookie preferences through your browser settings. Note that disabling essential cookies may impair functionality.
2. How We Use Information
2.1 Use of PHI
We use PHI solely to provide the Services requested by the healthcare provider under our Business Associate Agreement:
- Transcription: Converting audio conversations to text using speech-to-text AI models
- Clinical note generation: Using AI to generate structured SOAP notes from conversation transcripts
- Clinical decision support: Providing real-time medication interaction alerts, dosing guidelines, and differential diagnosis suggestions
- EHR integration: Reading patient context from EHR systems and writing generated notes back to patient charts
- Quality improvement: Analyzing aggregated, de-identified data to improve AI model accuracy (only with explicit consent)
We do NOT use PHI for:
- Marketing or advertising
- Training our AI models (unless data is properly de-identified in compliance with HIPAA Safe Harbor method)
- Selling or renting to third parties
- Any purpose not authorized by the healthcare provider's Business Associate Agreement
2.2 Use of Non-PHI Information
We use non-PHI information for:
- Service delivery: User authentication, account management, billing
- Customer support: Responding to inquiries and technical issues
- Service improvement: Analyzing usage patterns to enhance features
- Security: Detecting and preventing fraud, unauthorized access, and security threats
- Legal compliance: Meeting regulatory requirements and responding to lawful requests
3. Information Sharing and Disclosure
3.1 PHI Disclosure
We disclose PHI only in the following circumstances:
To the Healthcare Provider (Covered Entity):
- We return all generated clinical notes and patient data to the healthcare provider
- Healthcare providers control all patient data and determine how it's used
To Subcontractors (Sub-Business Associates): We may engage third-party vendors who need access to PHI to provide our Services:
- Cloud infrastructure providers (e.g., Google Cloud, AWS) - HIPAA-compliant hosting
- AI model providers (e.g., Anthropic, Google, OpenAI) - for clinical AI processing
- Security and monitoring services - for threat detection and system monitoring
All subcontractors:
- Sign Business Associate Agreements
- Are SOC 2 Type II certified or equivalent
- Comply with HIPAA Security and Privacy Rules
- Use AES-256 encryption for data at rest and TLS 1.3 for data in transit
As Required by Law:
- Court orders or subpoenas
- Government investigations
- Public health reporting (when delegated by the healthcare provider)
We do NOT sell, rent, or trade PHI under any circumstances.
3.2 Non-PHI Disclosure
We may share non-PHI information:
- With service providers: Payment processors, email services, analytics providers (with data processing agreements)
- For business transfers: In connection with merger, acquisition, or sale of assets (with continued privacy protections)
- With your consent: When you explicitly authorize sharing
4. Data Security
4.1 Technical Safeguards
We implement industry-leading security measures:
Encryption:
- At rest: AES-256 encryption for all stored data
- In transit: TLS 1.3 for all network communications
- Database: Encrypted PostgreSQL with column-level encryption for sensitive fields
Access Controls:
- Role-based access control (RBAC) with least privilege principle
- Multi-factor authentication (MFA) required for all user accounts
- Single Sign-On (SSO) integration available for enterprise customers
- Automatic session timeout after 15 minutes of inactivity
Network Security:
- Firewall protection and intrusion detection systems
- DDoS mitigation
- Regular vulnerability scanning and penetration testing
- Network segmentation and isolation
Application Security:
- Secure coding practices and code reviews
- Input validation and sanitization
- SQL injection and XSS protection
- Regular security patching and updates
4.2 Administrative Safeguards
Workforce Training:
- All employees complete annual HIPAA training
- Security awareness training on phishing, social engineering, and data handling
- Background checks for employees with PHI access
Policies and Procedures:
- Written information security policies
- Incident response plan
- Business continuity and disaster recovery plan
- Regular risk assessments
Access Management:
- Unique user IDs for all personnel
- Access revocation within 24 hours of termination
- Quarterly access reviews
4.3 Physical Safeguards
For On-Premise Deployments:
- Healthcare providers control physical security of their own servers
- We provide guidance on secure hardware configuration
For Cloud Deployments:
- SOC 2 Type II certified data centers
- 24/7 security monitoring and surveillance
- Biometric access controls
- Environmental controls (fire suppression, climate control)
4.4 Audit Controls
- Comprehensive audit logging of all PHI access
- Log retention for 7 years (HIPAA requirement)
- Automated log analysis for suspicious activity
- Quarterly audit log reviews
5. Data Retention and Deletion
5.1 PHI Retention
Audio Recordings:
- Cloud deployment: Deleted immediately after transcription (default)
- Custom retention: Healthcare providers can configure retention (up to 7 years)
- On-premise deployment: Retention controlled entirely by healthcare provider
Transcripts and Clinical Notes:
- Retained for the duration of the service agreement
- Minimum 6-year retention to comply with HIPAA
- Healthcare providers can request immediate deletion upon contract termination
EHR Data:
- We do not permanently store EHR data
- Patient context is fetched in real-time and cached temporarily (max 24 hours)
5.2 Account Data Retention
- Active accounts: Retained indefinitely while subscription is active
- Inactive accounts: Deleted after 3 years of inactivity (with 90-day notice)
- Canceled accounts: PHI deleted within 30 days, account data retained for 7 years for legal/audit purposes
5.3 Right to Deletion
Healthcare providers can request deletion of all data by contacting privacy@aurimd.com. We will:
- Confirm identity and authorization
- Delete all PHI within 30 days
- Provide written confirmation of deletion
- Delete data from all backups within 90 days
6. Individual Rights (For Patients)
Note: As a Business Associate, AuriMD does not directly interact with patients. All individual rights requests must be directed to your healthcare provider (the Covered Entity).
However, we support healthcare providers in fulfilling patients' HIPAA rights:
6.1 Right to Access
Patients have the right to access their PHI. We provide healthcare providers with tools to:
- Export patient transcripts and generated notes
- Provide data in electronic format within 30 days
- Deliver copies via secure patient portal or encrypted email
6.2 Right to Amendment
Patients can request corrections to their PHI. Healthcare providers can:
- Edit generated clinical notes through our interface
- Add amendments to transcripts
- We maintain audit logs of all amendments
6.3 Right to Accounting of Disclosures
We provide healthcare providers with detailed audit logs showing:
- Who accessed patient data
- When access occurred
- What data was accessed
- Purpose of access (system-generated or user-initiated)
6.4 Right to Restriction
Patients can request restrictions on PHI use. Healthcare providers can:
- Disable specific features for individual patients
- Opt patients out of AI documentation entirely
- We honor all provider-configured restrictions
6.5 Right to Confidential Communications
Patients can request alternative communication methods. Our platform supports:
- Secure messaging within the application
- Encrypted email delivery of notes
- Customizable notification preferences
7. Breach Notification
7.1 Our Obligations
If we discover a breach of unsecured PHI, we will:
-
Investigate immediately (within 24 hours of discovery)
-
Notify the healthcare provider within 4 hours of breach discovery
-
Provide detailed breach report including:
- Date and time of breach
- Number of individuals affected
- Types of PHI involved
- Actions taken to mitigate harm
- Recommended actions for the healthcare provider
-
Cooperate fully with healthcare provider's breach response
-
Document all breach response activities
7.2 Healthcare Provider Obligations
The healthcare provider (Covered Entity) is responsible for:
- Notifying affected patients within 60 days
- Reporting to HHS Office for Civil Rights if breach affects 500+ individuals
- Reporting to media if breach affects 500+ individuals in a jurisdiction
- Providing credit monitoring if appropriate
7.3 What Constitutes a Breach
A breach is unauthorized acquisition, access, use, or disclosure of PHI that compromises security or privacy. Not all incidents are breaches:
- Low probability of compromise: Accidental access by authorized workforce member
- Limited access: Brief, inadvertent viewing by someone who couldn't retain information
- Good faith belief: Information cannot be retained or used
We conduct a risk assessment for every incident using the four-factor test.
8. International Data Transfers
8.1 Data Location
Cloud Deployment:
- Primary data centers: United States (AWS/Google Cloud US regions)
- Optional: Canada, EU regions (for international customers)
- Data does NOT leave the selected region without explicit consent
On-Premise Deployment:
- Data remains entirely on healthcare provider's infrastructure
- No data transmitted outside provider's network
8.2 International Compliance
For customers outside the United States:
- EU/UK: We comply with GDPR in addition to HIPAA (stricter standard applies)
- Canada: Compliance with PIPEDA (Personal Information Protection and Electronic Documents Act)
- Standard Contractual Clauses: Available for EU data transfers
9. Children's Privacy
Our Services are not directed to individuals under 18 years of age. However, pediatric patient data may be processed when pediatricians use our Services.
Parental Consent:
- Healthcare providers are responsible for obtaining parental consent
- We do not independently collect information from minors
- Parents have the same HIPAA rights on behalf of their children
10. Changes to This Privacy Policy
We may update this Privacy Policy to reflect:
- Changes in legal requirements
- New features or services
- Feedback from customers and regulators
How we notify you:
- Email notification to all account holders at least 30 days before changes take effect
- Prominent notice on our website and in the application
- For material changes affecting PHI use: explicit consent required
Your rights:
- Review previous versions at https://aurimd.com/privacy-history
- Object to changes (may require terminating service)
- Request data deletion before changes take effect
11. State-Specific Privacy Rights
11.1 California (CCPA/CPRA)
California residents have additional rights:
- Right to know: What personal information we collect and how it's used
- Right to delete: Request deletion of personal information
- Right to opt-out: Opt-out of sale of personal information (we don't sell PHI)
- Right to non-discrimination: Equal service regardless of privacy choices
Note: PHI is exempt from CCPA, but we extend these rights to non-PHI data.
11.2 Audio Recording Laws
Two-Party Consent States (require all parties' consent): California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, Washington
One-Party Consent States: All others
Our approach:
- Healthcare providers must obtain patient consent before using AuriMD
- We provide customizable consent forms for each state
- Audio recording can be disabled on per-patient basis
12. Your Privacy Choices
12.1 For Healthcare Providers
You can:
- Choose cloud or on-premise deployment
- Select which AI provider to use (Anthropic, Google, OpenAI)
- Configure audio retention policies
- Disable specific features for privacy-sensitive patients
- Export all your data at any time
- Request account deletion
How to exercise choices:
- Account settings: https://app.aurimd.com/settings
- Email: privacy@aurimd.com
- Phone: +1 (XXX) XXX-XXXX
12.2 For Patients
Contact your healthcare provider to:
- Opt-out of AI documentation during visits
- Request access to your transcripts and notes
- Request corrections to generated documentation
- File a privacy complaint
13. Contact Us
13.1 Privacy Questions
Privacy Officer: Email: privacy@aurimd.com Phone: +1 (XXX) XXX-XXXX Mail: AuriMD Privacy Office, [Address]
Response time: Within 5 business days
13.2 Security Concerns
Security Team: Email: security@aurimd.com 24/7 Security Hotline: +1 (XXX) XXX-XXXX
For breach reports or security vulnerabilities, contact us immediately.
13.3 Data Protection Officer (EU/UK)
For EU/UK customers: Email: dpo@aurimd.com
14. Complaints
14.1 File a Complaint with AuriMD
If you believe your privacy rights have been violated:
Online Form: https://aurimd.com/privacy-complaint Email: privacy@aurimd.com Mail: AuriMD Privacy Officer, [Address]
We will:
- Acknowledge receipt within 2 business days
- Investigate within 30 days
- Provide written response with findings and actions taken
- No retaliation: Filing a complaint will not affect your service
14.2 File a Complaint with HHS
You have the right to file a complaint with the U.S. Department of Health and Human Services:
HHS Office for Civil Rights (OCR) Online: https://www.hhs.gov/hipaa/filing-a-complaint/index.html Phone: 1-800-368-1019 TTY: 1-800-537-7697
Deadline: Must be filed within 180 days of when you knew or should have known of the violation.
15. Definitions
Business Associate: An entity that performs functions or activities on behalf of a covered entity that involve the use or disclosure of PHI.
Covered Entity: Healthcare providers, health plans, and healthcare clearinghouses that transmit health information electronically.
De-identified Data: Data that cannot reasonably be used to identify an individual (removes 18 HIPAA identifiers).
PHI (Protected Health Information): Individually identifiable health information transmitted or maintained in any form.
Minimum Necessary: The smallest amount of PHI needed to accomplish the intended purpose.
16. Acknowledgment
By using AuriMD's Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.
For Healthcare Providers: You confirm that you have the authority to enter into agreements on behalf of your organization and have executed a Business Associate Agreement with AuriMD.
For Patients: Your healthcare provider has provided you with notice of their privacy practices, which govern how they use AuriMD's Services to document your care.
Appendix A: Data Processing Activities
Summary of Processing Activities
| Activity | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Audio Recording | Real-time transcription | BAA, Provider Authorization | Immediate deletion (default) |
| Transcription | Generate text from audio | BAA, Provider Authorization | 6 years minimum |
| EHR Data Access | Provide patient context to AI | BAA, Provider Authorization | Real-time only (not stored) |
| Clinical Note Generation | Automate documentation | BAA, Provider Authorization | 6 years minimum |
| Audit Logging | HIPAA compliance, security | Legal Requirement | 7 years |
| Account Information | Service delivery, billing | Contract | Duration + 7 years |
Appendix B: Sub-Processors
Current sub-processors with access to PHI:
| Sub-Processor | Service | Location | Certification |
|---|---|---|---|
| Google Cloud Platform | Cloud hosting | United States | SOC 2 Type II, ISO 27001, HIPAA |
| Amazon Web Services | Cloud hosting (optional) | United States | SOC 2 Type II, ISO 27001, HIPAA |
| Anthropic | AI model (Claude) | United States | SOC 2 Type II, HIPAA BAA |
| Google AI | AI model (Gemini) | United States | SOC 2 Type II, HIPAA BAA |
| OpenAI | AI model (GPT) | United States | SOC 2 Type II, HIPAA BAA |
Updates: We will notify healthcare providers 30 days before adding new sub-processors.
Appendix C: International Privacy Frameworks
GDPR Compliance (EU/UK):
- Legal basis: Contract, Legitimate Interest
- Data subject rights: Access, Rectification, Erasure, Portability, Restriction, Objection
- Data Protection Impact Assessment (DPIA) available upon request
- EU Representative: [Contact info]
PIPEDA Compliance (Canada):
- Consent for collection, use, and disclosure
- Right to access and challenge accuracy
- Safeguards appropriate to sensitivity
END OF PRIVACY POLICY
Document Version: 1.0 Approved By: [Legal Counsel Name] Next Review Date: July 1, 2025
DISCLAIMER: This document is provided as a template and should be reviewed by qualified legal counsel before implementation. Privacy laws and regulations change frequently, and specific circumstances may require additional provisions. AuriMD is not responsible for legal compliance of entities using this template.