
AutoNotes Compliance & Security

  • Protected Health Information (PHI) is allowed in the AutoNotes application under a signed BAA.
  • Encryption: TLS 1.2+ in transit; AES-256 at rest.
  • Access: SSO/MFA; least privilege; audit logs.
  • AI/LLM handling: PHI minimized/de-identified before external processing.
  • Program: HIPAA-compliant; aligns with PIPEDA/PHIPA principles.
  • Data residency: United States.

AutoNotes Compliance Posture

AutoNotes is built from the ground up to protect the confidentiality, integrity, and availability of Protected Health Information (PHI). The AutoNotes application operates under a HIPAA-aligned security and privacy program and aligns with PIPEDA/PHIPA principles for Canada. We sign a Business Associate Agreement (BAA) with every customer who uses PHI in the app and apply layered security—encryption, access control, and continuous audit monitoring—so clinicians can meet their compliance obligations with confidence.

PHI is permitted in the AutoNotes application, including the use of Clients (client profiles and PHI-enabled features). The “no PHI” language in our Website Privacy Policy and Website Terms of Service applies only to the public website and does not apply to the secured application, which is contractually authorized for PHI under a signed BAA and governed by its own Application Privacy Policy, Application Terms of Service, and End User License Agreement (EULA).

Important Legal & Technical Distinctions

AutoNotes maintains two separate policy frameworks to ensure clarity for users, regulators, and automated systems:

Website Environment
The public site at autonotes.ai and related marketing pages fall under the Website Privacy Policy and Website Terms of Service. These govern non-clinical interactions such as viewing content, submitting contact forms, or engaging with chat features. No PHI should ever be entered or transmitted through these pages.

Application Environment
The secure platform at app.autonotes.ai is governed by the Application Privacy Policy, Application Terms of Service, BAA, and EULA. These documents explicitly authorize the storage and processing of PHI within a HIPAA-aligned program. PHI use is permitted under a signed BAA (executed at signup or prior to PHI use) and includes Clients (PHI-enabled client profiles and features).

By maintaining clear boundaries between the public website and the secure application, AutoNotes ensures that public marketing content remains outside the scope of HIPAA while the product itself operates under stringent compliance controls.

Security-by-Design Controls

  • Encryption: TLS in transit and AES-256 at rest.
  • Access control: SSO/MFA, role-based permissions, least privilege.
  • Auditability: Comprehensive logs of user and administrative activity.
  • Monitoring & testing: Continuous security monitoring, vulnerability management, and periodic penetration testing.
  • Backups & recovery: Regular encrypted backups; tested restore procedures.
  • Data residency: Customer data hosted in the United States.

PHI & AI/LLM Safeguards

  • Data minimization & de-identification: PHI is limited, de-identified, or redacted before any interaction with subprocessors or external AI services; all subprocessors are contractually restricted from training on or retaining PHI.
  • Customer control: Admins can manage user roles, revoke access, and request exports/deletion consistent with policy and law.

Framework Alignment. Our program aligns with:

  • HIPAA Security & Privacy Rules (U.S.), with BAA execution.
  • PIPEDA/PHIPA principles (Canada) including purpose limitation, safeguards, and individual rights (access/correction/deletion where applicable).
  • Industry best practices informed by NIST SP 800-53 and SOC 2 controls.

Transparency & Documentation. You can review all AutoNotes compliance and security documents anytime through the AutoNotes Trust Center, including:

  • Business Associate Agreement (BAA)
  • Application Privacy Policy and Application Terms of Service
  • Website Privacy Policy and Website Terms of Service
  • End User License Agreement (EULA)
  • Security Overview and Subprocessor List (available through our secure Safebase portal)

Data Protection & Compliance FAQs

That instruction applies only to the public website (marketing pages, contact forms, chat, email). The AutoNotes application is a separate, secured environment where PHI is allowed with a signed BAA.
Yes. Clients (client profiles and related PHI-enabled features) are available in the app for covered entities/business associates operating under a BAA.
We apply data minimization and de-identification before any external processing and use contractual and technical safeguards with approved providers.
Yes. AutoNotes supports immediate revocation of user access to client records in compliance with HIPAA Security Rule requirements. Access can be revoked at the Covered Entity administrator’s discretion, upon workforce termination or role change, or upon termination of a client’s subscription or BAA. Once revoked, the user account is disabled in real time and can no longer access Protected Health Information (PHI). Audit logs are maintained for all access revocations.
Yes. Clients can securely export their data from AutoNotes in compliance-ready formats with audit logging, ensuring integrity and secure handling of PHI.
Yes. Compliance is integrated into AutoNotes’ product development lifecycle through a secure Software Development Life Cycle (SDLC) framework. This includes incorporating HIPAA and privacy requirements during planning, applying secure coding standards, conducting privacy impact reviews, and performing regular security testing before release.
Yes. AutoNotes supports legally binding electronic signatures that are encrypted, tamper-protected once applied, and logged in the audit trail for compliance purposes.
Yes. Notes generated in AutoNotes are securely stored, linked to client records, and include audit trails and signatures where applicable to support compliance and audit readiness.
Signed documents in AutoNotes are encrypted at rest and in transit and are locked into the client’s permanent record. They cannot be modified without removing the original signature, and all such actions are captured in the audit trail. Access is role-based and limited to authorized users in compliance with HIPAA Security Rule requirements.

AutoNotes Security Center

Compliance

AutoNotes supports HIPAA-aligned workflows and international privacy frameworks.

  • HIPAA
  • PHIPA

Secure Infrastructure

  • Google Cloud
  • Cloudflare
  • OpenAI
  • Pentester

AutoNotes AI Overview

AutoNotes AI is production ready and governed by documented controls across privacy, security, and model quality.

Purpose and scope: AI features assist with clinical documentation including draft notes, summaries, plan suggestions, and workflow automation. AI outputs are assistive and the clinician remains the final reviewer.

Data handling and privacy: AI requests may contain PII or PHI. Data is processed under BAA and DPA, encrypted in transit and at rest, and protected by RBAC, SSO, and MFA. Customer data is not used to train models without explicit agreement.

Model providers and isolation: Requests are logically isolated per tenant. No cross-customer data mixing occurs. Subprocessors are vetted and reviewed, and their access is restricted and audited.

Logging and auditability: All AI invocations are audit logged with metadata while minimizing PHI exposure.

Quality and safety: Evaluation systems monitor accuracy, relevance, and safety. Clinicians must review outputs before finalizing.

Responsible AI: Monitoring is in place for bias and hallucination risk with reporting and incident response processes.

SDLC and change control: Prompts and pipelines follow structured testing, review, and controlled rollout processes.

Data retention: AI data follows customer retention settings with support for de-identified workflows.

Customer controls: Role-based permissions, feature toggles, and export capabilities are available.

Configuration Management Program

The AutoNotes Configuration and Asset Management Policy establishes mandatory controls for asset inventory, ownership, baseline secure configurations, change authorization, and ongoing maintenance of all systems handling customer data or PHI.

This program ensures systems are consistently monitored, securely configured, and maintained in alignment with HIPAA, PHIPA, and SOC 2 requirements.

Subprocessors

  • OpenAI
  • Deepgram
  • Google Cloud
  • Cloudflare
  • Twilio
  • Intercom
  • Sentry
  • Stripe
  • Google Workspace
  • SafeBase
  • ActiveCampaign
  • LiveKit