Effective Date: May 08, 2026
  1. 1. INTRODUCTION AND SCOPE
  1. This Privacy Policy describes the collection, use, disclosure, and protection of information by Scribe4Me AI, an AI-powered medical scribing platform and brand of Physicians Angels, Inc. (“Company,” “we,” “us,” or “our”).
  2. This Privacy Policy applies to:
    • Healthcare providers, clinics, and healthcare organizations acting as Covered Entities under HIPAA
    • Authorized workforce members, contractors, and users of the Service
    • Individuals whose information, including Protected Health Information (“PHI”), is processed through the Service on behalf of Covered Entities
    • Scribe4Me AI platform, including its applications, websites, and associated subdomains (collectively, the “Service”).
  3. Scribe4Me AI operates solely as a technology platform and Business Associate, providing AI-assisted clinical documentation and related support services. The Company does not provide medical advice, diagnosis, or treatment, and does not function as a healthcare provider, medical device, or clinical decision support system.
  4. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, storage, and disclosure of information as described herein and in the applicable Terms of Service. All services are provided strictly in accordance with applicable agreements, including the Terms of Use and any executed Business Associate Agreement (“BAA”), and in compliance with applicable laws and regulations.
  1. 2. DEFINITIONS
  1. For purposes of this Privacy Policy, all capitalized terms not otherwise defined herein shall have the meanings assigned to them in the governing Terms of Use and applicable Business Associate Agreement (“BAA”).
  2. The following definitions are provided for clarity and shall be interpreted in accordance with HIPAA and its implementing regulations:
  3. Protected Health Information (PHI): means individually identifiable health information, as defined under HIPAA, that is created, received, maintained, or transmitted by the Company on behalf of a Covered Entity, including any information that relates to the past, present, or future physical or mental health or condition of an individual, the provision of healthcare to an individual, or payment for the provision of healthcare, and that identifies or could reasonably be used to identify the individual.
  4. Covered Entity: means a healthcare provider, health plan, or healthcare clearinghouse that is subject to HIPAA and that engages the Company to perform services involving PHI.
  5. Business Associate: means Physicians Angels, Inc., in its capacity as a service provider that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity in accordance with HIPAA and the applicable BAA.
  6. Minimum Necessary Standard: means the HIPAA requirement that access to, use of, or disclosure of PHI shall be limited to the minimum amount of information reasonably necessary to accomplish the intended purpose of such use, disclosure, or request.
  7. Customer Data: means all data, content, and information submitted, uploaded, transmitted, or otherwise made available by or on behalf of the Customer or its End Users through the Service, including PHI, as more fully defined in the governing Terms.
  8. Subprocessor: means any third-party vendor, service provider, affiliate, or authorized internal resource engaged by the Company to support the provision, maintenance, or improvement of the Service, and that may create, receive, maintain, or transmit PHI, and is contractually bound to comply with HIPAA and obligations no less stringent than those imposed on the Company.
  1. 3. INFORMATION WE COLLECT
  1. We collect and process information only to the extent necessary to provide, maintain, secure, and improve the Service, and in accordance with applicable agreements.
  1. 3.1 Customer and Personal Information
  1. We may collect and process personal and account-related information necessary for the administration and operation of the Service, including:
    • Account registration details (such as name, organization, email address, and contact information)
    • Billing, payment, and invoicing information
    • User credentials, authentication data, and access control identifiers
    • Administrative and support communications
  2. Such information is used solely for account management, service delivery, security, and contractual compliance purposes.
  1. 3.2 Protected Health Information (PHI)
  1. In its capacity as a Business Associate, Physicians Angels, Inc. may create, receive, maintain, or transmit Protected Health Information (“PHI”) on behalf of Covered Entities, strictly as permitted under applicable agreements and in compliance with HIPAA.
  2. PHI processed through the Service may include, but is not limited to:
    • Clinical documentation, physician notes, and encounter summaries
    • Audio recordings of patient encounters and corresponding transcripts
    • Patient medical records and related healthcare information
    • Data associated with clinical workflows, documentation processes, and care delivery
  3. All PHI is processed solely for the purpose of providing AI-assisted medical documentation and related services, and in accordance with the Minimum Necessary Standard.
  1. 3.3 Technical and Usage Data
  1. We automatically collect certain technical and usage-related information to ensure the performance, security, and reliability of the Service, including:
    • Device identifiers, IP addresses, browser type, and system configuration data
    • Access logs, authentication records, and audit trails
    • System activity logs, error reports, and performance metrics
  2. This information is used exclusively for:
    • Security monitoring and threat detection
    • System maintenance and troubleshooting
    • Performance optimization and service improvement
  3. To the extent such data includes or is associated with PHI, it is treated as PHI and protected accordingly under applicable laws and agreements.
  4. Where technical or usage data constitutes or is associated with Protected Health Information (“PHI”), such data shall be treated as PHI and governed exclusively under HIPAA and applicable agreements, and shall not be subject to CCPA or GDPR to the extent such laws exempt PHI.
  1. 4. PERMITTED USES AND DISCLOSURES OF PHI
  1. We use and disclose Protected Health Information (“PHI”) solely in our capacity as a Business Associate and strictly in accordance with applicable agreements, including the Terms of Use and any executed Business Associate Agreement (“BAA”), and in compliance with HIPAA.
  2. Protected Health Information (“PHI”) may be de-identified or anonymized in accordance with HIPAA and applicable law. The Business Associate may use such de-identified or anonymized health data for lawful business purposes, including analytics, service enhancement, product development, and artificial intelligence model training and improvement.
  3. Any use of such de-identified or anonymized health data by the Business Associate for marketing, advertising, or promotional activities shall require the Covered Entity’s explicit prior authorization.
  1. 4.1 Permitted Uses of PHI
  1. The Company may use PHI only as necessary to:
    • Provide AI-assisted medical documentation, transcription, and related healthcare support services
    • Perform functions or activities on behalf of Covered Entities related to treatment, payment, and healthcare operations, as applicable
    • Maintain, secure, troubleshoot, and improve the performance and functionality of the Service
    • Conduct internal administrative functions, including system management, risk mitigation, and compliance activities, provided that such use complies with HIPAA and applicable contractual obligations
  2. All uses of PHI are subject to the Minimum Necessary Standard, and access is restricted based on role, function, and legitimate business need.
  1. 4.2 Permitted Disclosures of PHI
  1. The Company may disclose PHI only:
    • To the applicable Covered Entity or its authorized representatives
    • To subcontractors, agents, or subprocessors engaged in providing services, provided that such parties are bound by written agreements imposing obligations no less stringent than those set forth under HIPAA and the BAA.
    • As required by applicable law, regulation, legal process, or governmental authority, subject to applicable safeguards and notice requirements
    • For proper management and administration of the Company, provided that the disclosure is required by law, or the recipient agrees to maintain the confidentiality of the PHI and use it only for the purpose for which it was disclosed
  1. 4.3 Prohibited Uses and Disclosures
  1. The Company shall not:
    • Use or disclose PHI in any manner that would violate HIPAA if performed by the Covered Entity
    • Use PHI for marketing, advertising, or promotional purposes.
    • Sell, rent, or otherwise monetize PHI.
    • Use PHI for artificial intelligence model training, machine learning model improvement, or product development without explicit, prior written authorization from the Covered Entity.
    • Access, use, or disclose PHI beyond what is required to perform the contracted services or beyond the Minimum Necessary Standard
  1. 4.4 Safeguards and Access Controls
  1. All uses and disclosures of PHI are subject to:
    • Role-based access controls (RBAC)
    • Least privilege principles
    • Audit logging and monitoring
    • Workforce confidentiality obligations
    • Administrative, physical, and technical safeguards as required under HIPAA
  1. 4.5 Customer Direction and Responsibility
  1. All uses and disclosures of PHI are performed on behalf of and under the direction of the Covered Entity. The Covered Entity remains responsible for:
    • Determining the permissibility of PHI disclosures
    • Obtaining all required patient consents and authorizations
    • Ensuring compliance with applicable laws governing PHI
  1. 5. HIPAA COMPLIANCE STATEMENT
  1. Scribe4Me AI operates in its capacity as a Business Associate under HIPAA and complies with all applicable provisions of 45 CFR Part 160 (General Administrative Requirements) and 45 CFR Part 164, including the Privacy Rule, the Security Rule, and the Breach Notification Rule.
  2. The Company enters into Business Associate Agreements (“BAAs”) with Covered Entities, which govern the permitted uses and disclosures of Protected Health Information (“PHI”) and establish binding obligations with respect to privacy, security, and breach notification. In accordance with HIPAA and applicable BAAs, the Company:
    • Implements appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI
    • Limits the use and disclosure of PHI to those activities necessary to perform services on behalf of Covered Entities and as otherwise permitted or required by law
    • Applies the Minimum Necessary Standard to all uses, disclosures, and access to PHI
    • Ensures that any subcontractors or agents that create, receive, maintain, or transmit PHI on its behalf are contractually bound to comply with HIPAA and obligations no less stringent than those applicable to the Company
    • Complies with applicable breach notification obligations, including timely reporting of any unauthorized use or disclosure of PHI
  3. The Company maintains ongoing compliance through documented policies, risk management processes, workforce training, and continuous monitoring of its security and privacy controls.
  1. 6. DATA SECURITY SAFEGUARDS
  1. Scribe4Me AI implements and maintains comprehensive administrative, physical, and technical safeguards designed to ensure the confidentiality, integrity, and availability of Protected Health Information (“PHI”), in accordance with HIPAA, industry best practices, and applicable contractual obligations. All safeguards are designed to protect against reasonably anticipated threats, unauthorized access, impermissible use or disclosure, and other security risks.
  1. 6.1 Administrative, Technical, and Physical Safeguards
  • The Company maintains commercially reasonable administrative, technical, and physical safeguards designed to protect Protected Health Information (“PHI”) against unauthorized access, use, disclosure, alteration, destruction, loss, or misuse, and to support the confidentiality, integrity, and availability of systems and data.
  • Such safeguards include governance and risk management processes, workforce training and access controls, incident detection and response procedures, oversight of relevant third parties and service providers, secure system and user authentication measures, protection of data during storage and transmission, monitoring and management of system activity, resilience and recovery capabilities, secure and access-controlled infrastructure environments, environmental protections, device and media management controls, and restricted physical access to systems and facilities handling PHI, in accordance with applicable legal, regulatory, and contractual obligations.
  1. 6.2 Cloud Infrastructure and Architecture
  • PHI is stored within secure cloud infrastructure located in the United States, consistent with contractual commitments
  • The platform operates on a hybrid architecture, combining advanced AI models with proprietary systems for medical context and workflow orchestration
  • All infrastructure providers are required to meet strict security and compliance standards, including execution of Business Associate Agreements (BAAs) where applicable
  • Security controls are consistently enforced across all environments
  1. 6.3 Workforce and Subprocessor Security
  • All personnel (including offshore workforce, where applicable) are bound by confidentiality agreements, subject to background checks (where applicable), and trained on HIPAA and data protection obligations.
  • Subprocessors and subcontractors are contractually bound to implement safeguards no less stringent than those of the Company, are restricted to accessing PHI only as necessary to perform services, and are subject to ongoing monitoring and compliance enforcement.
  1. 6.4 Offshore Access Controls
  • Where limited access to PHI is provided from outside the United States (e.g., India), such access is restricted based on role and business necessity; secured via encrypted connections and MFA; logged, monitored, and audited regularly; and subject to the same HIPAA-aligned safeguards and contractual obligations.
  1. 6.5 Security Testing and Continuous Monitoring
  • The Company maintains ongoing security assurance processes, including regular vulnerability assessments and system testing, continuous monitoring of systems and infrastructure, periodic review of access controls and security configurations, and incident simulation and response readiness testing.
  1. 6.6 Security Incident Management
  • In the event of a Security Incident involving PHI, incidents are promptly identified, contained, investigated, and remediated; impacted systems and data are secured to prevent further exposure; detailed internal documentation and root cause analysis are conducted; and notifications are handled in accordance with applicable breach notification obligations.
  1. 7. DATA RETENTION AND DELETION
  1. Scribe4Me AI retains and disposes of Protected Health Information (“PHI”) in accordance with applicable contractual obligations, including the Terms of Use and Business Associate Agreement (“BAA”), and in compliance with HIPAA.
  1. 8. BREACH NOTIFICATION
  1. We shall report any use or disclosure of Protected Health Information (“PHI”) not permitted under applicable agreements, including any Security Incident or Breach of Unsecured PHI, as per the BAA in accordance with HIPAA.
  1. 9. SUBCONTRACTORS AND SUBPROCESSORS
  1. Scribe4Me AI may engage subcontractors, agents, and subprocessors to support the provision, maintenance, and improvement of the Service. Such parties may create, receive, maintain, or transmit Protected Health Information (“PHI”) on behalf of the Company as described in the Terms of Use and BAA.
  1. 10. INDIVIDUAL RIGHTS
  1. Scribe4Me AI supports Covered Entities in fulfilling their obligations under HIPAA with respect to individuals’ rights concerning Protected Health Information (“PHI”).
  1. 10.1 Support for Individual Rights Requests
  1. In its capacity as a Business Associate, the Company shall, to the extent required by applicable agreements:
    • Assist Covered Entities in responding to requests for access to PHI
    • Assist in facilitating amendments or corrections to PHI
    • Provide information necessary to support an accounting of disclosures of PHI
  2. Such assistance shall be provided within a reasonable timeframe and in accordance with the requirements specified in the applicable Business Associate Agreement (“BAA”).
  1. 10.2 Role of the Covered Entity
  1. The Company acknowledges that:
    • The Covered Entity retains primary responsibility for responding to and fulfilling individual rights requests under HIPAA
    • The Company does not independently determine the validity or scope of such requests
    • All actions taken by the Company with respect to PHI are performed on behalf of and under the direction of the Covered Entity
  1. 10.3 Restrictions on Direct Interaction
    • The Company does not interact directly with patients or individuals regarding their PHI.
    • The Company shall not respond directly to individual requests unless required to do so by applicable law or explicitly authorized in writing by the Covered Entity.
    • Where the Company receives a request directly from an individual, it may redirect the request to the appropriate Covered Entity and/or notify the Covered Entity of such request for appropriate action.
  1. 10.4 Safeguards and Compliance
  1. All assistance provided in connection with individual rights requests shall be:
    • Subject to appropriate verification and authorization controls
    • Limited to the Minimum Necessary Standard
    • Conducted in a manner that preserves the confidentiality, integrity, and security of PHI
  1. 11. DATA USE RESTRICTIONS (AI & COMPLIANCE)
  1. Scribe4Me AI processes Protected Health Information (“PHI”) strictly for the purpose of providing contracted services.
  1. 11.1 Restrictions on Use of PHI
  1. The Company enforces strict limitations on the use of PHI, including:
    • No AI Training: PHI shall not be used to train, fine-tune, or improve artificial intelligence or machine learning models without explicit, prior written authorization from the Covered Entity.
    • No Commercialization of PHI: PHI shall not be sold, licensed, monetized, or otherwise used for commercial purposes beyond the provision of contracted services.
    • No Use Outside Service Scope: PHI shall not be accessed, used, or disclosed for any purpose other than:
      • Performing services on behalf of the Covered Entity
      • Complying with applicable legal or regulatory obligations
    • Minimum Necessary Enforcement: All access to PHI is limited to the minimum necessary to perform authorized functions.
  1. 11.2 AI System Limitations and Intended Use
  • The Service is designed solely as an AI-assisted documentation and workflow support tool
  • The Service does not provide medical advice, diagnosis, or treatment recommendations
  • The Service is not intended to function as a medical device or clinical decision support system
  1. 11.3 Clinical Responsibility and Output Validation
  • All outputs generated by the Service are assistive and informational in nature only
  • Outputs must be reviewed, verified, and approved by a qualified healthcare professional prior to inclusion in patient records or use in patient care.
  • The Covered Entity and its workforce retain sole responsibility for clinical decision-making, patient care, and compliance with applicable medical and regulatory standards.
  1. 11.4 Data Segregation and Control
  • PHI is logically segregated and access-controlled to prevent unauthorized use
  • Any use of de-identified or aggregated data is performed in a manner that does not identify individuals and does not constitute PHI under HIPAA.
  • Re-identification of de-identified data is strictly prohibited.
  1. 12. CUSTOMER RESPONSIBILITIES
  1. Customers of Scribe4Me AI (each, a “Covered Entity” or authorized user acting on its behalf) are solely responsible for ensuring that their use of the Service complies with applicable laws, regulations, and contractual obligations, including HIPAA.
  1. 12.1 Patient Consent and Authorization
  1. Customers shall:
    • Obtain all necessary patient consents, authorizations, and notices required for the collection, use, and disclosure of Protected Health Information (“PHI”) in connection with the Service
    • Ensure that such consents and authorizations are valid, documented, and compliant with applicable legal and regulatory requirements
  1. 12.2 Lawful Collection and Use of PHI
  1. Customers are responsible for:
    • Ensuring that all PHI provided to the Service is lawfully collected, used, and disclosed
    • Complying with all applicable privacy and data protection laws, including HIPAA
    • Determining the appropriateness of disclosing PHI to the Company for processing
  1. 12.3 Validation of AI-Generated Outputs
  1. Consistent with the intended use of the Service:
    • Customers shall review, verify, and approve all AI-generated outputs prior to use in clinical documentation or patient care
    • Customers acknowledge that outputs are assistive in nature and may contain inaccuracies or omissions
    • Customers retain sole responsibility for all clinical decisions, patient records, and compliance with applicable medical standards
  1. 12.4 Credential Security and Access Control
  1. Customers shall:
    • Maintain the confidentiality and security of all user credentials and access mechanisms
    • Restrict access to the Service to authorized personnel only
    • Implement appropriate internal safeguards, including access controls and user management practices
    • Promptly notify the Company of any unauthorized access, misuse, or security incident involving the Service
  1. 12.5 Compliance with Applicable Law and Agreements
  1. Customers agree to:
    • Use the Service in accordance with all applicable laws, regulations, and professional obligations
    • Comply with the terms of the governing agreements, including the Terms of Use and BAA
    • Ensure that their workforce members are adequately trained and authorized to use the Service
  1. 13. CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA)
  1. 13.1 Scope and Applicability
  1. This section applies to residents of the State of California and is provided in accordance with the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CPRA”) (collectively, “CCPA”). This section applies only to Personal Information that is not Protected Health Information (“PHI”) regulated under HIPAA. PHI processed by the Company on behalf of Covered Entities is expressly excluded from CCPA to the extent such data is governed by HIPAA.
  1. 13.2 Categories of Personal Information Collected
  1. The Company may collect the following categories of Personal Information:
    • Identifiers (e.g., name, email address, IP address)
    • Commercial information (e.g., billing and transaction data)
    • Internet or network activity (e.g., usage logs, interaction data)
    • Professional or employment-related information (e.g., organization, role)
  1. 13.3 Purpose of Collection and Use
  1. Personal Information is collected and used solely for legitimate business purposes, including:
    • Providing and maintaining the Service
    • Account management and customer support
    • Security monitoring, fraud prevention, and system integrity
    • Billing, invoicing, and contractual compliance
  1. 13.4 Disclosure of Personal Information
  1. The Company may disclose Personal Information to:
    • Subprocessors and service providers supporting the Service
    • Professional advisors (legal, compliance, auditors)
    • Government authorities where required by law
  2. All disclosures are subject to contractual and confidentiality safeguards
  1. 13.5 Sale or Sharing of Personal Information
    • The Company does not sell Personal Information and does not share Personal Information for cross-context behavioral advertising
  1. 13.6 California Consumer Rights
  1. California residents have the following rights:
    • Right to Know (categories and specific data collected)
    • Right to Access Personal Information
    • Right to Delete Personal Information
    • Right to Correct inaccurate information
    • Right to Limit use of Sensitive Personal Information (if applicable)
    • Right to Opt-Out of Sale or Sharing (not applicable)
    • Right to Non-Discrimination
  1. 13.7 Exercising Your Rights
  1. Requests may be submitted via Email: [email protected]
  2. The Company will:
    • Verify the identity of the requester
    • Respond within 45 days (as required by law)
  3. Requests relating to PHI must be directed to the applicable Covered Entity.
  1. 13.8 Authorized Agents
  1. California residents may designate an authorized agent to submit requests, subject to verification.
  1. 14. INTERNATIONAL DATA PROTECTION (GDPR)
    1. 14.1 Scope and Applicability
    1. This section applies to individuals located in the European Economic Area (EEA), United Kingdom, and other jurisdictions with applicable data protection laws, in accordance with the General Data Protection Regulation (“GDPR”).
    2. This section applies only to Personal Data that is not PHI governed by HIPAA.
    1. 14.2 Role of the Company
    • The Company acts as a Data Processor when processing Personal Data on behalf of customers
    • Customers (Covered Entities) act as Data Controllers
    1. 14.3 Legal Basis for Processing
    1. Personal Data is processed based on:
      • Performance of a contract
      • Legitimate business interests
      • Legal and regulatory obligations
    2. Where required, processing is based on user consent.
    1. 14.4 Data Subject Rights
    1. Individuals have the following rights under GDPR:
      • Right of Access
      • Right to Rectification
      • Right to Erasure (“Right to be Forgotten”)
      • Right to Restriction of Processing
      • Right to Data Portability
      • Right to Object to Processing
    2. Requests should be directed to the applicable Covered Entity unless otherwise required by law.
    1. 14.5 International Data Transfers
      • Personal Data may be processed in the United States and other jurisdictions. Appropriate safeguards are implemented, including contractual data protection obligations and security and confidentiality measures.
    1. 14.6 Data Protection Safeguards
    1. The Company implements safeguards consistent with GDPR requirements, including data minimization, purpose limitation, access controls and security measures, and confidentiality obligations.
    1. 14.7 Supervisory Authority
    1. Individuals have the right to lodge a complaint with a relevant data protection authority if they believe their rights have been violated.
    1. 15. CHANGES TO THIS POLICY
      • Scribe4Me AI reserves the right to update or modify this Privacy Policy from time to time to reflect changes in legal, regulatory, operational, or service requirements.
      • Updates to this Privacy Policy may be made periodically at the Company’s discretion. The “Effective Date” at the top of this Policy will indicate the date of the most recent revision. The Company will post an updated version on the Company’s website. Customers and Authorized Users are encouraged to periodically review this Privacy Policy for any updates or modifications posted on the Website or Platform.
      • Continued access to or use of the Service following the effective date of any updated Privacy Policy constitutes acceptance of such changes, to the extent permitted by applicable law. If a Customer does not agree to the updated Policy, the Customer must discontinue use of the Service and may terminate the applicable agreement in accordance with its terms.
    1. 16. CONTACT INFORMATION
    1. For any questions, requests, or concerns regarding this Privacy Policy, or the Company’s handling of Personal Information or Protected Health Information (“PHI”), please contact:
    2. Via Email: [email protected]
    3. Via Phone Number: (419) 392-9679
    4. Via this Link: https://scribe4me.ai