Privacy Policy
ScribeMD, Inc. ("ScribeMD," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use the ScribeMD platform and associated services (collectively, the "Services").
By accessing or using our Services, you agree to the terms of this Privacy Policy. If you do not agree, please do not access or use the Services.
Information We Collect
Account Information. When you register, we collect your name, email address, professional credentials (e.g., NPI number, specialty), and practice information.
Audio and Transcript Data. When you use our transcription features, we temporarily process audio recordings and the resulting transcripts to generate clinical documentation. Audio files are deleted within 24 hours of transcription unless you explicitly save them.
Protected Health Information (PHI). Our Services may process PHI as defined under HIPAA. PHI is processed solely to provide the Services you have requested and is governed by our Business Associate Agreement (BAA) with covered entities.
Usage Data. We automatically collect information about how you interact with our Services, including log data, IP addresses, browser type, device identifiers, and feature usage patterns.
How We Use Your Information
- To provide, maintain, and improve the Services
- To generate clinical documentation, billing codes, and care gap alerts
- To communicate with you about your account and service updates
- To ensure compliance with applicable laws and regulations
- To detect and prevent fraud, abuse, or security incidents
- To conduct aggregate, de-identified analytics to improve our AI models
We do not use PHI to train machine learning models without explicit patient authorization and applicable legal permissions.
Disclosure of Information
We do not sell your personal information or PHI. We may disclose information in the following circumstances:
- Service Providers: Vendors who assist us in operating the Services (e.g., cloud hosting, analytics) under appropriate data processing agreements.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, with appropriate privacy protections.
- Legal Requirements: When required by law, subpoena, or to protect the rights, property, or safety of ScribeMD or others.
- With Your Consent: For any other purpose with your explicit consent.
Data Security
We implement industry-leading security measures, including AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, and regular third-party penetration testing. We are SOC 2 Type II certified. However, no method of transmission over the Internet is 100% secure.
HIPAA Notice of Privacy Practices
This Notice describes how medical information about you (as a patient whose provider uses ScribeMD) may be used and disclosed, and how you can get access to this information. Please review it carefully.
Our Obligations
ScribeMD is a Business Associate under HIPAA. We are required by law to:
- Maintain the privacy and security of your PHI
- Follow the duties and privacy practices described in this Notice
- Notify your covered entity provider of a breach of unsecured PHI
Permitted Uses and Disclosures
As a Business Associate, ScribeMD processes PHI only as directed by your healthcare provider (the covered entity). This includes:
- Generating SOAP notes and clinical documentation from visit recordings
- Suggesting billing and diagnostic codes
- Surfacing care gap and preventive care alerts
- Transmitting finalized notes to your provider's EMR system
Business Associate Agreement (BAA)
Any covered entity or business associate that uses ScribeMD must execute a BAA with us prior to accessing Services that process PHI. To request a BAA, email compliance@scribemd.co.
Terms of Service
By using the ScribeMD platform, you agree to these Terms of Service. These Terms constitute a legally binding agreement between you and ScribeMD, Inc.
Acceptable Use
You agree to use ScribeMD only for lawful purposes and in compliance with all applicable laws, including HIPAA, state privacy laws, and professional licensing regulations. You must not:
- Use the Services to document encounters where you are not the treating provider
- Submit false or misleading information
- Attempt to reverse-engineer or extract our AI models
- Share your credentials with unauthorized users
Clinical Disclaimer
ScribeMD is a documentation tool, not a clinical decision support system. All AI-generated content — including SOAP notes, billing code suggestions, care gap alerts, and E&M code recommendations — must be reviewed, verified, and approved by a licensed healthcare provider before use in patient care or billing submission. ScribeMD makes no warranty regarding the clinical accuracy of generated content.
Subscription and Billing
Subscription fees are billed in advance on a monthly or annual basis. Cancellations take effect at the end of the current billing period. Refunds are provided at our discretion for annual plans cancelled within 14 days of purchase.
Limitation of Liability
To the fullest extent permitted by law, ScribeMD shall not be liable for indirect, incidental, consequential, or punitive damages arising from your use of the Services. Our total liability shall not exceed the fees paid by you in the 12 months preceding the claim.
Data Retention
- Audio recordings: Deleted within 24 hours of transcription
- Transcripts and notes: Retained for the life of your account
- Audit logs: Retained for 7 years per HIPAA requirements
- Account data: Deleted within 30 days of account closure
- Billing records: Retained for 7 years per financial regulations
Your Rights
Depending on your location, you may have the right to:
- Access the personal information we hold about you
- Correct inaccurate personal information
- Delete your personal information (subject to legal retention obligations)
- Port your data in a machine-readable format
- Object to certain processing activities
- Withdraw consent for processing where consent is the legal basis
To exercise these rights, email privacy@scribemd.co. We will respond within 30 days.
Contact Us
Questions about this Privacy Policy or our practices?
- Email: privacy@scribemd.co
- Compliance / BAA requests: compliance@scribemd.co
- General: hello@scribemd.co
ScribeMD, Inc.
We will update this page when we make material changes to our privacy practices. Continued use of the Services after changes constitutes your acceptance of the updated policy.