PRIVACY AND SECURITY POLICY

Document Medical

DOCUMENT LLC

Privacy and Security Policy

Last Updated: January 1, 2025

Clinician and patient trust is of the highest priority at DOCUMENT. We hold ourselves accountable to a HIPAA-compliant data storage and processing protocol for all data captured and shared through our platform.

Internal Personnel Security
 

All DOCUMENT employees are required to:

  • Undergo background checks and drug screens before being hired.

  • Complete annual security awareness training on HIPAA, privacy, and information classification.


Compliance

  • DOCUMENT conducts regular risk assessments to ensure policies remain up to date and relevant.

  • Our CTO is responsible for Privacy and Security.
     

Secure Development Lifecycle

  • All software changes are reviewed for compliance.

  • DOCUMENT practices infrastructure-as-code. All infrastructure changes are reviewed before deployment.

  • All engineers complete secure development practices training.
     

Cloud Hosting and Availability

  • All services are hosted, and all data is stored and processed, within Microsoft’s secure Azure data centers.

  • DOCUMENT has a HIPAA-compliant Business Associate Agreement with Microsoft.

  • DOCUMENT leverages Azure’s high-availability infrastructure to ensure the data is always accessible.
     

Confidentiality and Data Encryption

  • All data is encrypted at rest and in transit using standard encryption schemes.
     

Vendor Management

  • All vendors who may process patient information are required to be HIPAA compliant and to sign BAAs with DOCUMENT.

  • DOCUMENT regularly reviews vendor security practices to ensure continued high standards.


Artificial Intelligence

  • All AI models are HIPAA-compliant and don’t retain data.

  • Protected health information is never used for AI training purposes.


Patient Information

  • Patient information is encrypted at rest and in transit.

  • Patient recordings are temporarily saved in a secure and HIPAA-compliant manner until note summaries and quality checks are complete, and then they are automatically deleted.

  • Patient notes can be manually deleted at any time or set to automatically delete after 30 days.
     
