Healthcare Compliance

HIPAA Compliance

Scrivano is built for healthcare environments. Here is how we protect your patients' data and support your compliance obligations.

Effective April 1, 2024. Last updated 2024.

  • AES-256: encryption at rest
  • TLS 1.3: encryption in transit
  • BAA: available on request
  • Zero: data sold to third parties

Important: Scrivano provides technical tools designed to support HIPAA compliance. However, achieving and maintaining HIPAA compliance is a shared responsibility. As a Covered Entity or Business Associate, your organization remains independently responsible for its own compliance obligations, staff training, and internal policies.

Our Commitment to HIPAA

Scrivano is designed with healthcare professionals in mind. We understand that medical practitioners — physicians, nurses, therapists, and other clinicians — may use our Service to document patient encounters. We are committed to implementing the technical and administrative safeguards required to support HIPAA compliance for our users who handle Protected Health Information (PHI). Users in covered entity roles are responsible for ensuring their use of Scrivano complies with all applicable HIPAA requirements.

What Constitutes PHI

Protected Health Information (PHI) under HIPAA includes any individually identifiable health information transmitted or maintained in any form. This may include:

  • Patient names, dates of birth, addresses, or other demographic identifiers.
  • Descriptions of medical conditions, diagnoses, medications, or treatments.
  • Audio recordings of patient-provider conversations.
  • Notes, summaries, or documents that identify an individual and relate to their health.
  • Any combination of identifiers that could reasonably identify a specific individual.

Users are advised to avoid including unnecessary PHI in recordings and to review all generated notes before storing or transmitting them.

Technical Safeguards

Scrivano implements technical controls to protect sensitive health information:

  • AES-256 encryption for all data stored at rest — including transcripts, notes, and API keys.
  • TLS 1.3 encryption for all data in transit between your device and our servers.
  • Per-user encryption keys ensure complete data isolation between accounts.
  • Access controls and authentication requirements for all data access.
  • Secure, isolated processing of audio — recordings are not permanently retained beyond what the user explicitly saves.
  • Regular security assessments and vulnerability monitoring.

Administrative Safeguards

Beyond technical controls, we maintain administrative practices to support HIPAA compliance:

  • Designated privacy and security oversight for the Scrivano platform.
  • Staff training on handling sensitive health data.
  • Vendor and sub-processor agreements covering data confidentiality.
  • Procedures for responding to data access requests and complaints.
  • Documentation of security policies and regular review of safeguard effectiveness.

Business Associate Agreements (BAA)

If you are a Covered Entity or Business Associate under HIPAA and intend to use Scrivano to process PHI, you may require a Business Associate Agreement (BAA) with Scrivano. Enterprise customers and clinical organizations requiring a signed BAA should contact us at support@scrivano.net. We will work with you to put the appropriate agreements in place before any PHI is processed through the Service.

Your Responsibilities as a Covered Entity

While Scrivano provides tools designed to support HIPAA-compliant workflows, users who qualify as Covered Entities bear independent compliance obligations:

  • Obtain patient authorization for recording and transcription where required.
  • Review and verify all AI-generated notes before including them in the official medical record.
  • Ensure your organization's HIPAA training and policies cover the use of AI transcription tools.
  • Notify Scrivano promptly if you suspect a breach involving PHI.
  • Configure your account to avoid storing PHI beyond your organization's retention policies.

Breach Notification

In the event of a security incident that affects your data, Scrivano will notify affected users in accordance with applicable breach notification requirements. We maintain an incident response plan that includes detection, containment, assessment, and notification procedures. If you become aware of any potential security issue involving your Scrivano account or PHI, please contact us immediately at support@scrivano.net.

Contact Our Privacy Team

For HIPAA-related questions, BAA requests, or to report a privacy concern:

  • Email: support@scrivano.net
  • Include "HIPAA" in your subject line for expedited handling.
  • We respond to all compliance-related inquiries within 2 business days.

Need a Business Associate Agreement?

Contact us at support@scrivano.net with "BAA Request" in the subject line.