Health Insurance Portability and Accountability Act (HIPAA) Compliance Documentation for SCRIVANO


Introduction


At SCRIVANO, safeguarding the privacy and security of patient data is a cornerstone of our operations. Our commitment to the confidentiality, integrity, and availability of all medical information entrusted to our platform is reflected in our adherence to the requirements of the Health Insurance Portability and Accountability Act (HIPAA). This document describes our approach to ensuring that our data handling practices are in full compliance with HIPAA guidelines.


Security Measures


To protect the sensitive medical information of our users, SCRIVANO has implemented an array of robust security controls and protocols. These include:


  • Access Control: We have instituted access control measures, including password protection, biometric identification such as Face ID, and the built-in security features of the mobile device, so that only authenticated users can access the application.


  • Data Management: Our policy ensures that no medical information is permanently stored on our servers. Transcriptions are encrypted, processed, and then immediately purged once they are returned to the client's device. This extends to medical notes generated from the transcripts, which are similarly not stored beyond their transmission back to the client.


  • Data Transfer and Retention: A dedicated "Submit" function is provided for users who need to hold their records briefly for transfer to an EMR. Such data is held for at most 15 minutes and then permanently deleted. This bounded, temporary hold is the only circumstance in which patient data remains on our servers after a request completes, consistent with our policy of not storing patient data.


  • Encryption Standards: All data exchanges between client devices and our servers are protected with current, industry-standard encryption, so that data is protected during transmission and its confidentiality and integrity are preserved.
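The following is an added illustration, not SCRIVANO's own code, of the retention behaviour the "Submit" function above describes. It assumes an in-memory store and the class and method names used here. Records are keyed by an unguessable token, expire 15 minutes after submission, and the expiry is enforced on every read as well as by a sweep, so a record whose window has lapsed is never returned even if no sweep has run since it expired.

```python
"""Ephemeral holding store for a 15-minute EMR hand-off (added example; the
names, the in-memory dict and the injected clock are assumptions, not the
product's implementation)."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

RETENTION_SECONDS = 15 * 60  # the 15-minute window stated in the policy


@dataclass
class _Entry:
    ciphertext: bytes     # caller is expected to submit already-encrypted bytes
    expires_at: float     # absolute time on the store's clock


class EphemeralSubmitStore:
    """Holds submitted records for at most `retention_seconds`, then forgets them."""

    def __init__(self, retention_seconds: float = RETENTION_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._entries: Dict[str, _Entry] = {}
        self._retention = retention_seconds
        self._clock = clock  # injectable so the boundary can be tested deterministically

    def submit(self, ciphertext: bytes) -> str:
        """Store a record and return an unguessable handle for later retrieval."""
        self.purge_expired()                      # opportunistic sweep on every write
        token = secrets.token_urlsafe(32)         # 256 bits of randomness, URL-safe
        self._entries[token] = _Entry(ciphertext, self._clock() + self._retention)
        return token

    def retrieve(self, token: str) -> Optional[bytes]:
        """Return the record, or None if it is unknown or its window has lapsed.

        The expiry check here is what makes the 15-minute limit a hard guarantee:
        a background sweeper alone would leave a gap between expiry and the next run.
        """
        entry = self._entries.get(token)
        if entry is None:
            return None
        if self._clock() >= entry.expires_at:
            del self._entries[token]              # expired: delete on the way out
            return None
        return entry.ciphertext

    def retrieve_and_delete(self, token: str) -> Optional[bytes]:
        """One-shot hand-off: the EMR pull removes the record immediately."""
        data = self.retrieve(token)
        self._entries.pop(token, None)
        return data

    def purge_expired(self) -> int:
        """Delete every record past its window; returns how many were removed."""
        now = self._clock()
        expired = [t for t, e in self._entries.items() if now >= e.expires_at]
        for t in expired:
            del self._entries[t]
        return len(expired)

    def __len__(self) -> int:
        return len(self._entries)


def walk_through_window() -> dict:
    """Drive the store with a fake clock to show behaviour at the 15-minute boundary."""
    now = [0.0]
    store = EphemeralSubmitStore(clock=lambda: now[0])
    token = store.submit(b"encrypted-note")       # constructed sample ciphertext
    within = store.retrieve(token)                # fresh: returned
    now[0] += RETENTION_SECONDS - 1
    last_second = store.retrieve(token)           # one second before expiry: still returned
    now[0] += 1
    after = store.retrieve(token)                 # exactly at expiry: gone
    return {"within": within, "last_second": last_second,
            "after": after, "remaining": len(store)}


if __name__ == "__main__":
    print(walk_through_window())
```

Deleting the dict entry releases the reference but does not scrub the bytes from process memory; a production store would rely on its backing service's own deletion guarantees, and would treat the token as the only path to the record, never logging it.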


Compliance and Risk Management


To ensure the security and privacy of patient data, our organization adheres to current standards for data encryption and protection. Recognizing the changing landscape of cybersecurity threats, we continuously monitor and update our security protocols to align with federal guidelines and industry best practices, as outlined by the U.S. Department of Health & Human Services on its Health IT Privacy and Security Resources for Providers page at:


([HealthIT.gov](https://www.healthit.gov/topic/privacy-security-and-hipaa/health-it-privacy-and-security-resources-providers)).


This commitment covers the protection of data both in transit between client devices and our infrastructure and at rest during processing. By implementing a multi-layered security strategy, we address potential vulnerabilities and safeguard against unauthorized access and data breaches. Privacy and security are treated as a collective, organization-wide responsibility.



Patient Information Security


We take extensive measures to secure patient information. These include encryption of patient data both at rest and in transit, and deletion of patient recordings immediately after processing, without ever writing them to persistent storage. We adopt security measures beyond the immediate requirements of processing, reflecting our commitment to data privacy and security.



Data Hosting and Processing


We utilize HIPAA-compliant cloud hosting services to manage and process data, ensuring its availability and resilience. Our hosting arrangements are designed to provide security and reliability for any data they handle, including data held transiently during processing.



Internal Personnel Security


To ensure the integrity of our operations and the safety of patient data, we mandate comprehensive security and privacy training for all personnel, supplemented by background checks prior to employment. Our continuing education program includes annual updates on HIPAA regulations, cybersecurity best practices, and data privacy protocols.



Secure Development Lifecycle


Our commitment to security is embedded in our development lifecycle. Each software update undergoes a compliance review. We practice infrastructure-as-code to maintain consistency and security in our deployments, with all changes subject to review. Our engineering team is trained in secure coding practices, supporting the development of safe and reliable software.



Use of Artificial Intelligence


Our AI technologies are developed and deployed in compliance with HIPAA guidelines. We ensure that these systems do not retain patient data after processing and that protected health information (PHI) is never used for AI training purposes.



Vendor Management


Our adherence to HIPAA standards is reflected not only in our internal practices but also in the selection and management of our partners. Every vendor with potential access to patient data undergoes a compliance check against HIPAA requirements and enters into a Business Associate Agreement (BAA) with us. To maintain the integrity and confidentiality of patient information, we routinely evaluate our vendors' security protocols through audits. This process is designed to ensure that our data protection measures are upheld across all touchpoints where patient information is handled.