Scribe App Privacy Policy
Effective Date: Jan 16 2025
1. Introduction
Regard (“Company,” “we,” “us,” or “our”) provides a suite of healthcare software solutions, including a product called Regard (“Regard”) and the Scribe App (“Scribe” or “App”). This Privacy Policy (“Policy”) covers how the Scribe App collects, uses, discloses, and protects Protected Health Information (“PHI”) and other personal information. We act as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) for our covered entity clients (health systems, hospitals, and other healthcare providers).
By using the Scribe App, you agree to the practices described in this Policy. If you do not agree, please discontinue your use of the Scribe App.
If you have any questions or concerns about this Policy or our privacy practices, please contact us at:
- Email: helpdesk@regard.com
2. Scope of the Scribe App
The Scribe App is designed to assist healthcare professionals in recording patient encounters, generating transcripts, and optionally merging those transcripts with patient notes in Regard. Specifically, Scribe:
- Captures Audio: Records audio of the healthcare provider’s conversations with patients.
- Transcribes Audio: Sends audio to Amazon Web Services (“AWS”) Transcribe (under a Business Associate Agreement) for transcription.
- Stores and Displays Transcripts: Stores resulting transcripts on secure AWS servers and displays them within Regard.
- Merges Transcripts with Notes (Optional): If a user chooses to “merge with note,” Scribe sends the transcript securely to OpenAI (under a Business Associate Agreement) to generate a merged note, which is then displayed in Regard.
Because these activities involve PHI, we employ stringent safeguards to protect patient privacy and comply with HIPAA and other applicable laws.
3. Collection of Information
3.1 Audio Recordings
- What We Collect: When you record patient encounters using the Scribe App, the audio may contain PHI, including personal details about patients and their health conditions.
- How We Collect It: The App holds the audio securely before storing it in AWS, where it will be processed later.
3.2 Transcripts
- What We Collect: AWS Transcribe provides a text transcript of the audio recording. This transcript may contain PHI.
- How We Collect It: The audio is processed by AWS Transcribe, then we receive the transcript and store it on secure AWS servers. It is displayed within Regard for authorized users to access.
3.3 Merged Notes via OpenAI
- What We Collect: If you choose to merge the transcript with a patient note, the transcript is sent to OpenAI’s GPT model to produce a merged version of the note.
- How We Collect It: The transcript is transferred using secure encryption; the merged text is returned and stored within our secure AWS environment, accessible via Regard.
4. Use and Disclosure of PHI
We limit the use and disclosure of PHI to what is permissible under HIPAA and necessary to perform the Scribe App’s functionalities or to meet our legal obligations:
- Provision of Services:
  - We use PHI solely to provide, maintain, and improve the Scribe App’s services for our healthcare provider clients.
- Authorized Disclosures:
  - We disclose PHI to AWS for transcription and to OpenAI if you opt to merge transcripts with notes, under separate Business Associate Agreements that require these third parties to protect PHI to HIPAA standards.
- Business Purposes & Legal Responsibilities:
  - We may use or disclose PHI for the proper management and administration of our company or to fulfill our legal obligations, but only if required by law or if we obtain necessary assurances of confidentiality.
- Subcontractors & Agents:
  - Any agents or subcontractors who help us operate the Scribe App must agree to the same restrictions, conditions, and protections regarding PHI as we do.
- De-Identification and Aggregation:
  - We may de-identify PHI or aggregate data for analytics or service improvements, provided it can no longer be used to identify an individual.
5. HIPAA Compliance and Safeguards
We maintain administrative, physical, and technical safeguards to protect PHI:
- Administrative Safeguards:
  - We train our workforce on HIPAA requirements and have policies to prevent, detect, and correct any improper handling of PHI.
  - Access to PHI is role-based; only those who need PHI to perform their job duties have access.
- Technical Safeguards:
  - Encryption: We encrypt audio recordings and transcripts in transit and at rest where feasible.
  - Secure Storage: We use AWS servers located in the United States, employing robust security measures to protect stored data.
- Physical Safeguards:
  - Our data centers utilize controlled access points, security monitoring, and other physical protections to safeguard servers where PHI is stored.
- Breach Notification:
  - In the event of a breach of Unsecured PHI, we will notify affected clients promptly, typically within two (2) days of discovery (or as required by law), and follow any additional notification procedures mandated by HIPAA or other applicable laws.
6. Data Retention and Disposal
Although HIPAA does not mandate a specific retention period for business associates, we recognize the importance of data retention in the healthcare industry. Our policy is as follows:
- Retention During Services:
  - We retain data (including audio recordings, transcripts, and merged notes) as long as necessary to provide services to our healthcare provider clients, or as required by law.
- Customer Offboarding:
  - When a client ceases to use our services, we will securely delete or destroy their data (including PHI) pursuant to our Business Associate Agreement with that client, unless otherwise required by law.
- Flexible Retention Periods:
  - If our agreements specify a particular timeframe for retention or more stringent requirements, we will comply with those terms.
7. User Responsibilities
As a healthcare provider or an authorized user of the Scribe App, you are responsible for:
- Compliance with Recording Laws:
  - Ensuring that audio recording of patient encounters complies with all relevant federal, state, and local laws (including consent requirements).
- Safeguarding Access Credentials:
  - Keeping your Scribe App and/or Regard login information confidential and ensuring that only authorized personnel have access.
- Appropriate Use of PHI:
  - Using the Scribe App solely for legitimate healthcare purposes and in accordance with HIPAA and other applicable privacy regulations.
8. Geographic Location of Data
All PHI that we process and store for the Scribe App is hosted or stored on servers located in the United States. We do not store or process PHI on servers located outside the United States.
9. Changes to This Privacy Policy
We may update this Policy from time to time to reflect changes in our practices, technologies, or legal obligations. When we make material changes, we will provide an appropriate notice (e.g., in-App notification or an email) and update the “Effective Date” at the top of this Policy. Your continued use of the Scribe App after any changes become effective indicates your acceptance of those changes.
10. Contact Us
For questions, concerns, or to request additional information about this Policy or our handling of PHI, please contact us:
- Email: helpdesk@regard.com
Disclaimer: This Privacy Policy is provided for informational purposes and does not constitute legal advice. You should consult with your legal counsel to ensure your organization’s privacy policies comply with all applicable laws and regulations.