Privacy Policy
ScribbixAi LLC ("Scribbix," "we," "our," or "us") is committed to protecting the privacy and security of all information entrusted to us by our customers, their patients, and visitors to our website. This Privacy Policy describes how we collect, use, disclose, and safeguard information in connection with our AI-powered ambient clinical documentation platform and our website at scribbixai.com.
Scribbix provides services to healthcare providers who are Covered Entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Our handling of Protected Health Information (PHI) is governed by HIPAA, the HITECH Act, and the Business Associate Agreement (BAA) executed with each healthcare provider client.
1. Information We Collect
1.1 Protected Health Information (PHI)
When providing our ambient documentation services, Scribbix may process the following types of PHI on behalf of our healthcare provider clients:
- Audio recordings of surgeon-patient encounters (processed and deleted immediately after transcription)
- Transcribed text of clinical encounters
- Generated clinical notes, operative reports, and referral letters
- Patient demographic information as transmitted from the practice management system
- Clinical codes including CDT, ICD-10, and CPT codes
Scribbix processes PHI solely as a Business Associate on behalf of the Covered Entity (the healthcare practice). We do not own patient data. All PHI is processed in accordance with our BAA with each client.
1.2 Practice Account Information
When a healthcare practice subscribes to Scribbix, we collect:
- Practice name, address, and contact information
- Authorized user names and email addresses
- Billing and payment information (processed through our payment processor; we do not store full credit card numbers)
- Practice management system integration credentials (stored encrypted at rest, under the safeguards described in Section 3.2)
1.3 Website Visitor Information
When you visit scribbixai.com, we may collect standard web analytics data including IP address, browser type, pages visited, and referring URL. We do not use this data to identify individuals.
2. How We Use Information
2.1 PHI
We use PHI exclusively for the purposes described in our BAA with each healthcare provider:
- Performing ambient transcription of clinical encounters
- Generating structured clinical documentation (operative notes, consult notes, referral letters)
- Inferring appropriate billing codes from encounter context
- Syncing generated documentation to the practice management system
We do not use PHI for marketing, advertising, or any purpose unrelated to the services described in the BAA.
2.2 De-Identified Data
We may de-identify PHI in accordance with the HIPAA Safe Harbor or Expert Determination methods (45 CFR § 164.514) for the purpose of improving our AI models and product quality. Data de-identified under either of these methods is no longer PHI under HIPAA, and we do not use it to identify any individual patient.
2.3 Account and Website Data
We use practice account information to provide and improve our services, process payments, provide customer support, and communicate service updates. Website data is used for analytics and improving user experience.
3. Data Storage and Security
3.1 Local Inference Option
Scribbix offers on-premise deployment where all PHI processing (audio transcription, note generation, and AI inference) occurs on hardware located within the healthcare practice's local network. In this configuration, PHI never leaves the practice premises.
3.2 Security Measures
Whether deployed locally or via cloud infrastructure, Scribbix implements the following safeguards:
- Encryption of all ePHI at rest (AES-256) and in transit (TLS 1.2+)
- Role-based access controls with unique user authentication
- Audit logging of all access to PHI
- Immediate deletion of audio recordings after transcription
- Regular security assessments and vulnerability testing
- Employee training on HIPAA requirements and data handling
4. Data Sharing and Disclosure
We do not sell, rent, or trade PHI or personal information to any third party. We may disclose information only in the following circumstances:
- To the healthcare practice (Covered Entity) in accordance with our BAA
- To subcontractors bound by a written agreement imposing confidentiality and security obligations equivalent to ours (for PHI, a subcontractor Business Associate Agreement, as HIPAA requires)
- As required by law, including responses to valid legal process
- To the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with HIPAA
5. Data Retention and Deletion
- Audio recordings: deleted immediately upon completion of transcription processing
- Generated clinical notes: retained in the practice's system; Scribbix retains copies only as long as necessary to provide services and as specified in the BAA
- Account data: retained for the duration of the subscription and deleted within 90 days of account termination, except where longer retention is required by law
- Upon termination of services, all PHI is returned or destroyed in accordance with the BAA
6. Patient Rights
Patients whose PHI is processed by Scribbix retain all rights under HIPAA, including:
- Right to access their PHI
- Right to request amendment of their PHI
- Right to an accounting of disclosures
- Right to request restrictions on uses and disclosures
These rights are exercised through the healthcare practice (Covered Entity), which directs Scribbix to fulfill such requests in accordance with the BAA.
7. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to our healthcare provider clients via email and posted on our website with the updated effective date.
8. Contact Information
For questions about this Privacy Policy or our data practices, contact: