Trust Center | AutoNotes

Quick Links

AutoNotes Compliance & Security

PHI status (App): PHI allowed in the AutoNotes application under a signed BAA.
PHI status (Website): No PHI on the public website (forms, chat, email).
Encryption: TLS 1.2+ in transit; AES-256 at rest.
Access: SSO/MFA; least privilege; audit logs.
AI/LLM handling: PHI minimized/de-identified before external processing.
Program: HIPAA-compliant; aligns with PIPEDA/PHIPA principles.
Data residency: United States.

AutoNotes Compliance Posture

AutoNotes is built from the ground up to protect the confidentiality, integrity, and availability of Protected Health Information (PHI). The AutoNotes application operates under a HIPAA-aligned security and privacy program and aligns with PIPEDA/PHIPA principles for Canada. We sign a Business Associate Agreement (BAA) with every customer who uses PHI in the app and apply layered security—encryption, access control, and continuous audit monitoring—so clinicians can meet their compliance obligations with confidence.

‍PHI is permitted in the AutoNotes application, including the use of Clients (client profiles and PHI-enabled features). The “no PHI” language in our Website Privacy Policy and Website Terms of Service applies only to the public website and does not apply to the secured application, which is contractually authorized for PHI under a signed BAA and governed by its own Application Privacy Policy, Application Terms of Service, and End User License Agreement (EULA).

Important Legal & Technical Distinctions

AutoNotes maintains two separate policy frameworks to ensure clarity for users, regulators, and automated systems:

‍Website Environment
The public site at autonotes.ai and related marketing pages fall under the Website Privacy Policy and Website Terms of Service. These govern non-clinical interactions such as viewing content, submitting contact forms, or engaging with chat features. No PHI should ever be entered or transmitted through these pages.

‍Application Environment
The secure platform at app.autonotes.ai is governed by the Application Privacy Policy, Application Terms of Service, BAA, and EULA. These documents explicitly authorize the storage and processing of PHI within a HIPAA-aligned program. PHI use is permitted under a signed BAA (executed at signup or prior to PHI use) and includes Clients (PHI-enabled client profiles and features).

‍By maintaining clear boundaries between the public website and the secure application, AutoNotes ensures that public marketing content remains outside the scope of HIPAA while the product itself operates under stringent compliance controls.

Security-by-Design Controls

Encryption: TLS in transit and AES-256 at rest.
Access control: SSO/MFA, role-based permissions, least privilege.
Auditability: Comprehensive logs of user and administrative activity.
Monitoring & testing: Continuous security monitoring, vulnerability management, and periodic penetration testing
Backups & recovery: Regular encrypted backups; tested restore procedures.
Data residency: Customer data hosted in the United States.

PHI & AI/LLM Safeguards

Data minimization & de-identification: PHI is limited, de-identified, or redacted before any interaction with subprocessors or external AI services; all subprocessors are contractually restricted from training or retaining PHI
Customer control: Admins can manage user roles, revoke access, and request exports/deletion consistent with policy and law.

Framework Alignment. Our program aligns with:

HIPAA Security & Privacy Rules (U.S.), with BAA execution.
PIPEDA/PHIPA principles (Canada) including purpose limitation, safeguards, and individual rights (access/correction/deletion where applicable).
Industry best practices informed by NIST SP 800-53 and SOC 2 controls.

Transparency & Documentation. You can review all AutoNotes compliance and security documents anytime through the AutoNotes Trust Center, including:

Business Associate Agreement (BAA)
Application Privacy Policy and Application Terms of Service
Website Privacy Policy and Website Terms of Service
End User License Agreement (EULA)
Security Overview and Subprocessor List (available through our secure Safebase portal)

Data Protection & Compliance FAQs

Why does your website say “no PHI”?

That instruction applies only to the public website (marketing pages, contact forms, chat, email). The AutoNotes application is a separate, secured environment where PHI is allowed with a signed BAA.

Do the Clients features support PHI?

Yes. Clients (client profiles and related PHI-enabled features) are available in the app for covered entities/business associates operating under a BAA.

Do you send PHI to external AI models?

We apply data minimization and de-identification before any external processing and use contractual and technical safeguards with approved providers.

Does AutoNotes support access revocation for clients?

Yes. AutoNotes supports immediate revocation of user access to client records in compliance with HIPAA Security Rule requirements. Access can be revoked at the Covered Entity administrator’s discretion, upon workforce termination or role change, or upon termination of a client’s subscription or BAA. Once revoked, the user account is disabled in real time and can no longer access Protected Health Information (PHI). Audit logs are maintained for all access revocations.

Does AutoNotes provide client data export tools?

Yes. Clients can securely export their data from AutoNotes in compliance-ready formats with audit logging, ensuring integrity and secure handling of PHI.

Does AutoNotes integrate compliance into product design?

Yes. Compliance is integrated into AutoNotes’ product development lifecycle through a secure Software Development Life Cycle (SDLC) framework. This includes incorporating HIPAA and privacy requirements during planning, applying secure coding standards, conducting privacy impact reviews, and performing regular security testing before release.

Does AutoNotes support electronic signatures?

Yes. AutoNotes supports legally binding electronic signatures that are encrypted, tamper-protected once applied, and logged in the audit trail for compliance purposes.

Can AutoNotes generate compliance-ready notes?

Yes. Notes generated in AutoNotes are securely stored, linked to client records, and include audit trails and signatures where applicable to support compliance and audit readiness.

How does AutoNotes secure signed documents?

Signed documents in AutoNotes are encrypted at rest and in transit and are locked into the client’s permanent record. They cannot be modified without removing the original signature, and all such actions are captured in the audit trail. Access is role-based and limited to authorized users in compliance with HIPAA Security Rule requirements.

Secure, Compliant
Documentation

AutoNotes helps clinicians finish notes faster, feel less drained, and finally get their evenings back.

No credit card required