Privacy Policy
Last Updated: August 10, 2025
EmScribe is committed to protecting the privacy and security of patient health information. This Privacy Policy explains how we collect, use, protect, and disclose information in compliance with HIPAA and other applicable privacy laws.
1. Information We Collect
Protected Health Information (PHI)
As a healthcare technology service, EmScribe processes the following types of protected health information:
- Audio recordings of patient-provider consultations and medical visits
- Transcribed medical conversations containing patient health information
- Generated SOAP notes including subjective, objective, assessment, and plan data
- Patient identifiers that may be mentioned in recordings (names, dates, medical record numbers)
- Medical history and symptoms discussed during patient visits
- Treatment plans and medications referenced in transcriptions
User Account Information
- Healthcare provider email addresses and account credentials
- Practice or organization information
- Usage analytics and system logs
- Billing and subscription information
2. How We Use Information
EmScribe uses collected information solely for the following purposes:
- Transcription Services: Converting audio recordings into accurate text transcriptions
- SOAP Note Generation: Creating structured medical documentation from transcribed content
- Service Improvement: Enhancing transcription accuracy and system performance
- Technical Support: Providing customer service and troubleshooting
- Security Monitoring: Detecting and preventing unauthorized access
- Legal Compliance: Meeting regulatory requirements and responding to legal requests
3. HIPAA Compliance
EmScribe operates as a Business Associate under HIPAA and maintains strict compliance with all applicable regulations.
Security Safeguards
- Encryption: All PHI is encrypted both in transit and at rest using industry-standard AES-256 encryption
- Access Controls: Multi-factor authentication and role-based access restrictions
- Audit Logging: Comprehensive logging of all system access and PHI handling
- Staff Training: Regular HIPAA compliance training for all personnel
- Risk Assessments: Ongoing security evaluations and vulnerability testing
Minimum Necessary Standard
We limit access to PHI to the minimum amount necessary to accomplish the intended purpose, ensuring that only authorized personnel can access patient information relevant to their specific job functions.
4. Data Sharing and Disclosure
EmScribe does NOT sell, rent, or share PHI with third parties except in the following limited circumstances:
- Healthcare Providers: Returning processed transcriptions and SOAP notes to the originating healthcare provider
- Business Associates: Sharing with vetted third-party services that assist in our operations (all covered by HIPAA Business Associate Agreements)
- Legal Requirements: When required by law, court order, or regulatory authority
- Emergency Situations: To prevent serious harm to patient safety when legally permitted
Any third-party service providers we work with must sign comprehensive Business Associate Agreements and meet the same security standards we maintain.
5. Data Retention and Deletion
- Audio Recordings: Securely deleted within 30 days after transcription completion unless otherwise specified by the healthcare provider
- Transcriptions and SOAP Notes: Retained according to the healthcare provider's specified retention policy, typically 7-10 years
- System Logs: Maintained for 12 months for security and audit purposes
- Account Information: Deleted within 90 days of account closure
6. Your Rights
As a patient whose information may be processed through EmScribe, you have the following rights:
- Access: Request access to your PHI that we process
- Amendment: Request correction of inaccurate PHI
- Restriction: Request limitations on how your PHI is used
- Accounting: Receive an accounting of PHI disclosures
- Complaint: File complaints about our privacy practices
Note: These rights must typically be exercised through your healthcare provider, as they are the covered entity responsible for your medical records.
7. Secure and Encrypted Patient Data
All PHI, including audio files, transcripts of patient encounters, and SOAP notes, is processed and stored within our SHA-256 compliant database. We follow HIPAA guidelines to ensure the confidentiality and security of information in all parts of the website.
8. Breach Notification
In the unlikely event of a data breach involving PHI, EmScribe will:
- Notify affected healthcare providers within 24 hours of discovery
- Assist healthcare providers in patient notification as required by law
- Report the breach to the Department of Health and Human Services as required
- Take immediate steps to mitigate harm and prevent future breaches
9. Updates to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. All healthcare provider clients will be notified of material changes at least 30 days in advance.
Contact Information
For questions about this Privacy Policy or to exercise your rights, please contact:
- Phone: 213-551-5106
- Email: loohsienrong@gmail.com
You may also file complaints with the U.S. Department of Health and Human Services Office for Civil Rights if you believe your privacy rights have been violated.
Notice: This Privacy Policy applies specifically to EmScribe's processing of health information. Your healthcare provider may have additional privacy policies governing your medical records and care.