PRIVACY POLICY
Scribe4Me AI
Effective Date: May 08, 2026
- 1. INTRODUCTION AND SCOPE
-
This Privacy Policy describes the collection, use, disclosure, and protection of
information by Scribe4Me AI, an AI-powered medical scribing platform and brand of
Physicians Angels, Inc. (“Company,” “we,” “us,” or “our”).
-
This Privacy Policy applies to:
- Healthcare providers, clinics, and healthcare organizations acting as Covered Entities under
HIPAA
- Authorized workforce members, contractors, and users of the Service
- Individuals whose information, including Protected Health Information (“PHI”), is processed
through the Service on behalf of Covered Entities
- Scribe4Me AI platform, including its applications, websites, and associated subdomains
(collectively, the “Service”).
-
Scribe4Me AI operates solely as a technology platform and Business Associate, providing
AI-assisted clinical documentation and related support services. The Company does not provide
medical advice, diagnosis, or treatment, and does not function as a healthcare provider, medical
device, or clinical decision support system.
-
By accessing or using the Service, you acknowledge that you have read and understood this
Privacy Policy and agree to the collection, use, storage, and disclosure of information as
described herein and in the applicable Terms of Service. All services are provided strictly in
accordance with applicable agreements, including the Terms of Use and any executed Business
Associate Agreement (“BAA”), and in compliance with applicable laws and regulations.
- 2. DEFINITIONS
-
For purposes of this Privacy Policy, all capitalized terms not otherwise defined herein shall
have the meanings assigned to them in the governing Terms of Use and applicable Business
Associate Agreement (“BAA”).
-
The following definitions are provided for clarity and shall be interpreted in accordance with
HIPAA and its implementing regulations:
-
Protected Health Information (PHI):
means individually identifiable health information, as defined under HIPAA, that is created,
received, maintained, or transmitted by the Company on behalf of a Covered Entity, including any
information that relates to the past, present, or future physical or mental health or condition
of an individual, the provision of healthcare to an individual, or payment for the provision of
healthcare, and that identifies or could reasonably be used to identify the individual.
-
Covered Entity:
means a healthcare provider, health plan, or healthcare clearinghouse that is subject to HIPAA
and that engages the Company to perform services involving PHI.
-
Business Associate:
means Physicians Angels, Inc., in its capacity as a service provider that creates, receives,
maintains, or transmits PHI on behalf of a Covered Entity in accordance with HIPAA and the
applicable BAA.
-
Minimum Necessary Standard:
means the HIPAA requirement that access to, use of, or disclosure of PHI shall be limited to the
minimum amount of information reasonably necessary to accomplish the intended purpose of such
use, disclosure, or request.
-
Customer Data:
means all data, content, and information submitted, uploaded, transmitted, or otherwise made
available by or on behalf of the Customer or its End Users through the Service, including PHI,
as more fully defined in the governing Terms.
-
Subprocessor:
means any third-party vendor, service provider, affiliate, or authorized internal resource
engaged by the Company to support the provision, maintenance, or improvement of the Service, and
that may create, receive, maintain, or transmit PHI, and is contractually bound to comply with
HIPAA and obligations no less stringent than those imposed on the Company.
- 3. INFORMATION WE COLLECT
-
We collect and process information only to the extent necessary to provide, maintain, secure,
and improve the Service, and in accordance with applicable agreements.
- 3.1 Customer and Personal Information
-
We may collect and process personal and account-related information necessary for the
administration and operation of the Service, including:
- Account registration details (such as name, organization, email address, and contact
information)
- Billing, payment, and invoicing information
- User credentials, authentication data, and access control identifiers
- Administrative and support communications
-
Such information is used solely for account management, service delivery, security, and
contractual compliance purposes.
- 3.2 Protected Health Information (PHI)
-
In its capacity as a Business Associate, Physicians Angels, Inc. may create, receive, maintain,
or transmit Protected Health Information (“PHI”) on behalf of Covered Entities, strictly as
permitted under applicable agreements and in compliance with HIPAA.
-
PHI processed through the Service may include, but is not limited to:
- Clinical documentation, physician notes, and encounter summaries
- Audio recordings of patient encounters and corresponding transcripts
- Patient medical records and related healthcare information
- Data associated with clinical workflows, documentation processes, and care delivery
-
All PHI is processed solely for the purpose of providing AI-assisted medical documentation and
related services, and in accordance with the Minimum Necessary Standard.
- 3.3 Technical and Usage Data
-
We automatically collect certain technical and usage-related information to ensure the
performance, security, and reliability of the Service, including:
- Device identifiers, IP addresses, browser type, and system configuration data
- Access logs, authentication records, and audit trails
- System activity logs, error reports, and performance metrics
-
This information is used exclusively for:
- Security monitoring and threat detection
- System maintenance and troubleshooting
- Performance optimization and service improvement
-
To the extent such data includes or is associated with PHI, it is treated as PHI and protected
accordingly under applicable laws and agreements.
-
Where technical or usage data constitutes or is associated with Protected Health Information
(“PHI”), such data shall be treated as PHI and governed exclusively under HIPAA and applicable
agreements, and shall not be subject to CCPA or GDPR to the extent such laws exempt PHI.
- 4. PERMITTED USES AND DISCLOSURES OF PHI
-
We use and disclose Protected Health Information (“PHI”) solely in our capacity as a Business
Associate and strictly in accordance with applicable agreements, including the Terms of Use and
any executed Business Associate Agreement (“BAA”), and in compliance with HIPAA.
-
Protected Health Information (“PHI”) may be de-identified or anonymized in accordance with HIPAA
and applicable law. The Business Associate may use such de-identified or anonymized health data
for lawful business purposes, including analytics, service enhancement, product development, and
artificial intelligence model training and improvement.
-
Any use of such de-identified or anonymized health data by the Business Associate for marketing,
advertising, or promotional activities shall require the Covered Entity’s explicit prior
authorization.
- 4.1 Permitted Uses of PHI
-
The Company may use PHI only as necessary to:
- Provide AI-assisted medical documentation, transcription, and related healthcare support
services
- Perform functions or activities on behalf of Covered Entities related to treatment, payment,
and healthcare operations, as applicable
- Maintain, secure, troubleshoot, and improve the performance and functionality of the Service
- Conduct internal administrative functions, including system management, risk mitigation, and
compliance activities, provided that such use complies with HIPAA and applicable contractual
obligations
-
All uses of PHI are subject to the Minimum Necessary Standard, and access is restricted based on
role, function, and legitimate business need.
- 4.2 Permitted Disclosures of PHI
-
The Company may disclose PHI only:
- To the applicable Covered Entity or its authorized representatives
- To subcontractors, agents, or subprocessors engaged in providing services, provided that
such parties are bound by written agreements imposing obligations no less stringent than
those set forth under HIPAA and the BAA.
- As required by applicable law, regulation, legal process, or governmental authority, subject
to applicable safeguards and notice requirements
- For proper management and administration of the Company, provided that the disclosure is
required by law, or the recipient agrees to maintain the confidentiality of the PHI and use
it only for the purpose for which it was disclosed
- 4.3 Prohibited Uses and Disclosures
-
The Company shall not:
- Use or disclose PHI in any manner that would violate HIPAA if performed by the Covered
Entity
- Use PHI for marketing, advertising, or promotional purposes.
- Sell, rent, or otherwise monetize PHI.
- Use PHI for artificial intelligence model training, machine learning model improvement, or
product development without explicit, prior written authorization from the Covered Entity.
- Access, use, or disclose PHI beyond what is required to perform the contracted services or
beyond the Minimum Necessary Standard
- 4.4 Safeguards and Access Controls
-
All uses and disclosures of PHI are subject to:
- Role-based access controls (RBAC)
- Least privilege principles
- Audit logging and monitoring
- Workforce confidentiality obligations
- Administrative, physical, and technical safeguards as required under HIPAA
- 4.5 Customer Direction and Responsibility
-
All uses and disclosures of PHI are performed on behalf of and under the direction of the
Covered Entity. The Covered Entity remains responsible for:
- Determining the permissibility of PHI disclosures
- Obtaining all required patient consents and authorizations
- Ensuring compliance with applicable laws governing PHI
- 5. HIPAA COMPLIANCE STATEMENT
-
Scribe4Me AI operates in its capacity as a Business Associate under HIPAA and complies with all
applicable provisions of 45 CFR Part 160 (General Administrative Requirements) and 45 CFR Part
164, including the Privacy Rule, the Security Rule, and the Breach Notification Rule.
-
The Company enters into Business Associate Agreements (“BAAs”) with Covered Entities, which
govern the permitted uses and disclosures of Protected Health Information (“PHI”) and establish
binding obligations with respect to privacy, security, and breach notification. In accordance
with HIPAA and applicable BAAs, the Company:
- Implements appropriate administrative, physical, and technical safeguards to protect the
confidentiality, integrity, and availability of PHI
- Limits the use and disclosure of PHI to those activities necessary to perform services on
behalf of Covered Entities and as otherwise permitted or required by law
- Applies the Minimum Necessary Standard to all uses, disclosures, and access to PHI
- Ensures that any subcontractors or agents that create, receive, maintain, or transmit PHI on
its behalf are contractually bound to comply with HIPAA and obligations no less stringent
than those applicable to the Company
- Complies with applicable breach notification obligations, including timely reporting of any
unauthorized use or disclosure of PHI
- The Company maintains ongoing compliance through documented policies, risk management processes,
workforce training, and continuous monitoring of its security and privacy controls.
- 6. DATA SECURITY SAFEGUARDS
- Scribe4Me AI implements and maintains comprehensive administrative, physical, and technical
safeguards designed to ensure the confidentiality, integrity, and availability of Protected
Health Information (“PHI”), in accordance with HIPAA, industry best practices, and applicable
contractual obligations. All safeguards are designed to protect against reasonably anticipated
threats, unauthorized access, impermissible use or disclosure, and other security risks.
- 6.1 Administrative, Technical, and Physical Safeguards
- The Company maintains commercially reasonable administrative, technical, and physical safeguards
designed to protect Protected Health Information (“PHI”) against unauthorized access, use,
disclosure, alteration, destruction, loss, or misuse, and to support the confidentiality,
integrity, and availability of systems and data.
- Such safeguards include governance and risk management processes, workforce training and access
controls, incident detection and response procedures, oversight of relevant third parties and
service providers, secure system and user authentication measures, protection of data during
storage and transmission, monitoring and management of system activity, resilience and recovery
capabilities, secure and access-controlled infrastructure environments, environmental
protections, device and media management controls, and restricted physical access to systems and
facilities handling PHI, in accordance with applicable legal, regulatory, and contractual
obligations.
- 6.2 Cloud Infrastructure and Architecture
- PHI is stored within secure cloud infrastructure located in the United States, consistent with
contractual commitments
- The platform operates on a hybrid architecture, combining advanced AI models with proprietary
systems for medical context and workflow orchestration
- All infrastructure providers are required to meet strict security and compliance standards,
including execution of Business Associate Agreements (BAAs) where applicable
- Security controls are consistently enforced across all environments
- 6.3 Workforce and Subprocessor Security
- All personnel (including offshore workforce, where applicable) are bound by confidentiality
agreements, subject to background checks (where applicable), and trained on HIPAA and data
protection obligations.
- Subprocessors and subcontractors are contractually bound to implement safeguards no less
stringent than those of the Company, are restricted to accessing PHI only as necessary to
perform services, and are subject to ongoing monitoring and compliance enforcement.
- 6.4 Offshore Access Controls
- Where limited access to PHI is provided from outside the United States (e.g., India), such
access is restricted based on role and business necessity; secured via encrypted connections
and MFA; logged, monitored, and audited regularly; and subject to the same HIPAA-aligned
safeguards and contractual obligations.
- 6.5 Security Testing and Continuous Monitoring
- The Company maintains ongoing security assurance processes, including regular vulnerability
assessments and system testing, continuous monitoring of systems and infrastructure, periodic
review of access controls and security configurations, and incident simulation and response
readiness testing.
- 6.6 Security Incident Management
- In the event of a Security Incident involving PHI, incidents are promptly identified, contained,
investigated, and remediated; impacted systems and data are secured to prevent further exposure;
detailed internal documentation and root cause analysis are conducted; and notifications are
handled in accordance with applicable breach notification obligations.
- 7. DATA RETENTION AND DELETION
-
Scribe4Me AI retains and disposes of Protected Health Information (“PHI”) in accordance with
applicable contractual obligations, including the Terms of Use and Business Associate Agreement
(“BAA”), and in compliance with HIPAA.
- 8. BREACH NOTIFICATION
-
We shall report any use or disclosure of Protected Health Information (“PHI”) not permitted
under applicable agreements, including any Security Incident or Breach of Unsecured PHI, as per
the BAA and in accordance with HIPAA.
- 9. SUBCONTRACTORS AND SUBPROCESSORS
-
Scribe4Me AI may engage subcontractors, agents, and subprocessors to support the provision,
maintenance, and improvement of the Service. Such parties may create, receive, maintain, or
transmit Protected Health Information (“PHI”) on behalf of the Company as described in the Terms
of Use and BAA.
- 10. INDIVIDUAL RIGHTS
-
Scribe4Me AI supports Covered Entities in fulfilling their obligations under HIPAA with respect
to individuals’ rights concerning Protected Health Information (“PHI”).
- 10.1 Support for Individual Rights Requests
-
In its capacity as a Business Associate, the Company shall, to the extent required by applicable
agreements:
- Assist Covered Entities in responding to requests for access to PHI
- Assist in facilitating amendments or corrections to PHI
- Provide information necessary to support an accounting of disclosures of PHI
-
Such assistance shall be provided within a reasonable timeframe and in accordance with the
requirements specified in the applicable Business Associate Agreement (“BAA”).
- 10.2 Role of the Covered Entity
-
The Company acknowledges that:
- The Covered Entity retains primary responsibility for responding to and fulfilling
individual rights requests under HIPAA
- The Company does not independently determine the validity or scope of such requests
- All actions taken by the Company with respect to PHI are performed on behalf of and under
the direction of the Covered Entity
- 10.3 Restrictions on Direct Interaction
- The Company does not interact directly with patients or individuals regarding their PHI.
- The Company shall not respond directly to individual requests unless required to do so by
applicable law or explicitly authorized in writing by the Covered Entity.
- Where the Company receives a request directly from an individual, it may redirect the
request to the appropriate Covered Entity and/or notify the Covered Entity of such request
for appropriate action.
- 10.4 Safeguards and Compliance
-
All assistance provided in connection with individual rights requests shall be:
- Subject to appropriate verification and authorization controls
- Limited to the Minimum Necessary Standard
- Conducted in a manner that preserves the confidentiality, integrity, and security of PHI
- 11. DATA USE RESTRICTIONS (AI & COMPLIANCE)
-
Scribe4Me AI processes Protected Health Information (“PHI”) strictly for the purpose of
providing contracted services.
- 11.1 Restrictions on Use of PHI
-
The Company enforces strict limitations on the use of PHI, including:
- No AI Training: PHI shall not be used to train, fine-tune, or improve artificial
intelligence or machine learning models without explicit, prior written authorization from
the Covered Entity.
- No Commercialization of PHI: PHI shall not be sold, licensed, monetized, or otherwise used
for commercial purposes beyond the provision of contracted services.
- No Use Outside Service Scope: PHI shall not be accessed, used, or disclosed for any purpose
other than:
- Performing services on behalf of the Covered Entity
- Complying with applicable legal or regulatory obligations
- Minimum Necessary Enforcement: All access to PHI is limited to the minimum necessary to
perform authorized functions.
- 11.2 AI System Limitations and Intended Use
- The Service is designed solely as an AI-assisted documentation and workflow support tool
- The Service does not provide medical advice, diagnosis, or treatment recommendations
- The Service is not intended to function as a medical device or clinical decision support system
- 11.3 Clinical Responsibility and Output Validation
- All outputs generated by the Service are assistive and informational in nature only
- Outputs must be reviewed, verified, and approved by a qualified healthcare professional prior to
inclusion in patient records or use in patient care.
- The Covered Entity and its workforce retain sole responsibility for clinical decision-making,
patient care, and compliance with applicable medical and regulatory standards.
- 11.4 Data Segregation and Control
- PHI is logically segregated and access-controlled to prevent unauthorized use
- Any use of de-identified or aggregated data is performed in a manner that does not identify
individuals and does not constitute PHI under HIPAA.
- Re-identification of de-identified data is strictly prohibited.
- 12. CUSTOMER RESPONSIBILITIES
-
Customers of Scribe4Me AI (each, a “Covered Entity” or authorized user acting on its behalf) are
solely responsible for ensuring that their use of the Service complies with applicable laws,
regulations, and contractual obligations, including HIPAA.
- 12.1 Patient Consent and Authorization
-
Customers shall:
- Obtain all necessary patient consents, authorizations, and notices required for the
collection, use, and disclosure of Protected Health Information (“PHI”) in connection with
the Service
- Ensure that such consents and authorizations are valid, documented, and compliant with
applicable legal and regulatory requirements
- 12.2 Lawful Collection and Use of PHI
-
Customers are responsible for:
- Ensuring that all PHI provided to the Service is lawfully collected, used, and disclosed
- Complying with all applicable privacy and data protection laws, including HIPAA
- Determining the appropriateness of disclosing PHI to the Company for processing
- 12.3 Validation of AI-Generated Outputs
-
Consistent with the intended use of the Service:
- Customers shall review, verify, and approve all AI-generated outputs prior to use in
clinical documentation or patient care
- Customers acknowledge that outputs are assistive in nature and may contain inaccuracies or
omissions
- Customers retain sole responsibility for all clinical decisions, patient records, and
compliance with applicable medical standards
- 12.4 Credential Security and Access Control
-
Customers shall:
- Maintain the confidentiality and security of all user credentials and access mechanisms
- Restrict access to the Service to authorized personnel only
- Implement appropriate internal safeguards, including access controls and user management
practices
- Promptly notify the Company of any unauthorized access, misuse, or security incident
involving the Service
- 12.5 Compliance with Applicable Law and Agreements
-
Customers agree to:
- Use the Service in accordance with all applicable laws, regulations, and professional
obligations
- Comply with the terms of the governing agreements, including the Terms of Use and BAA
- Ensure that their workforce members are adequately trained and authorized to use the Service
- 13. CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA)
- 13.1 Scope and Applicability
-
This section applies to residents of the State of California and is provided in accordance with
the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CPRA”)
(collectively, “CCPA”). This section applies only to Personal Information that is not Protected
Health Information (“PHI”) regulated under HIPAA. PHI processed by the Company on behalf of
Covered Entities is expressly excluded from CCPA to the extent such data is governed by HIPAA.
- 13.2 Categories of Personal Information Collected
-
The Company may collect the following categories of Personal Information:
- Identifiers (e.g., name, email address, IP address)
- Commercial information (e.g., billing and transaction data)
- Internet or network activity (e.g., usage logs, interaction data)
- Professional or employment-related information (e.g., organization, role)
- 13.3 Purpose of Collection and Use
-
Personal Information is collected and used solely for legitimate business purposes, including:
- Providing and maintaining the Service
- Account management and customer support
- Security monitoring, fraud prevention, and system integrity
- Billing, invoicing, and contractual compliance
- 13.4 Disclosure of Personal Information
-
The Company may disclose Personal Information to:
- Subprocessors and service providers supporting the Service
- Professional advisors (legal, compliance, auditors)
- Government authorities where required by law
- All disclosures are subject to contractual and confidentiality safeguards
- 13.5 Sale or Sharing of Personal Information
- The Company does not sell Personal Information and does not share Personal Information for
cross-context behavioral advertising
- 13.6 California Consumer Rights
-
California residents have the following rights:
- Right to Know (categories and specific data collected)
- Right to Access Personal Information
- Right to Delete Personal Information
- Right to Correct inaccurate information
- Right to Limit use of Sensitive Personal Information (if applicable)
- Right to Opt-Out of Sale or Sharing (not applicable)
- Right to Non-Discrimination
- 13.7 Exercising Your Rights
-
Requests may be submitted via Email: [email protected]
-
The Company will:
- Verify the identity of the requester
- Respond within 45 days (as required by law)
- Requests relating to PHI must be directed to the applicable Covered Entity.
- 13.8 Authorized Agents
-
California residents may designate an authorized agent to submit requests, subject to
verification.
- 14. INTERNATIONAL DATA PROTECTION (GDPR)
- 14.1 Scope and Applicability
-
This section applies to individuals located in the European Economic Area (EEA), United Kingdom,
and other jurisdictions with applicable data protection laws, in accordance with the General
Data Protection Regulation (“GDPR”).
-
This section applies only to Personal Data that is not PHI governed by HIPAA.
- 14.2 Role of the Company
- The Company acts as a Data Processor when processing Personal Data on behalf of customers
- Customers (Covered Entities) act as Data Controllers
- 14.3 Legal Basis for Processing
- Personal Data is processed based on:
- Performance of a contract
- Legitimate business interests
- Legal and regulatory obligations
- Where required, processing is based on user consent.
- 14.4 Data Subject Rights
- Individuals have the following rights under GDPR:
- Right of Access
- Right to Rectification
- Right to Erasure (“Right to be Forgotten”)
- Right to Restriction of Processing
- Right to Data Portability
- Right to Object to Processing
- Requests should be directed to the applicable Covered Entity unless otherwise required by law.
- 14.5 International Data Transfers
- Personal Data may be processed in the United States and other jurisdictions. Appropriate
safeguards are implemented, including contractual data protection obligations and security and
confidentiality measures.
- 14.6 Data Protection Safeguards
- The Company implements safeguards consistent with GDPR requirements, including data
minimization, purpose limitation, access controls and security measures, and confidentiality
obligations.
- 14.7 Supervisory Authority
- Individuals have the right to lodge a complaint with a relevant data protection authority if
they believe their rights have been violated.
- 15. CHANGES TO THIS POLICY
-
Scribe4Me AI reserves the right to update or modify this Privacy Policy from time to time
to reflect changes in legal, regulatory, operational, or service requirements.
-
Updates to this Privacy Policy may be made periodically at the Company’s discretion. The
“Effective Date” at the top of this Policy will indicate the date of the most recent
revision. The Company will post an updated version on the Company’s website. Customers
and Authorized Users are encouraged to periodically review this Privacy Policy for any
updates or modifications posted on the Website or Platform.
-
Continued access to or use of the Service following the effective date of any updated
Privacy Policy constitutes acceptance of such changes, to the extent permitted by applicable
law. If a Customer does not agree to the updated Policy, the Customer must discontinue use
of the Service and may terminate the applicable agreement in accordance with its terms.
- 16. CONTACT INFORMATION
-
For any questions, requests, or concerns regarding this Privacy Policy, or the Company’s
handling of Personal Information or Protected Health Information (“PHI”), please contact:
-
Via Email: [email protected]
-
Via Phone Number: (419) 392-9679
-
Via this Link:
https://scribe4me.ai