Compliance And Data Security

HIPAA, PIPEDA, PIPA Compliant
Compliance with Data Protection Laws
Commitment to Data Privacy:
Empathia AI, Inc. is dedicated to the protection and confidentiality of client data. We conduct all operations in strict compliance with the Health Insurance Portability and Accountability Act (HIPAA) of the United States, ensuring the highest level of security for Personal Health Information (PHI).
HIPAA Compliance:
Our software services are designed to comply with HIPAA's rigorous security and privacy standards. We employ technical, administrative, and physical safeguards to protect the confidentiality, integrity, and accessibility of all PHI data. Our approach ensures not only top-tier protection for patient information but also underscores our commitment to upholding the utmost data privacy and security for our healthcare provider partners.
U.S. Privacy and Compliance Overview:
Empathia AI is a HIPAA-compliant, SOC 2-Type II and ISO 27001-certified platform that uses AI to transcribe and summarize clinical encounters into structured notes. It is designed to enhance clinician efficiency, accuracy, and workflow while maintaining the highest standards of privacy and security. Empathia AI operates under robust privacy, security, and breach-response frameworks aligned with HIPAA, HITECH, and U.S. federal healthcare IT requirements.
Additional Legislation:
In addition to HIPAA, we handle personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), along with all relevant provincial laws such as the Personal Information Protection Act (PIPA) of British Columbia.
Data Management Policies
Data Residency:
Our services are available exclusively to customers within Canada and the United States, supported by two distinct server clusters in each country. For our Canadian clients, certain features may involve third-party services with data processing and storage within Canada, in compliance with legal and contractual obligations.
Data Retention:
  • Encounter Recordings: User settings dictate the retention period, ranging from immediate deletion post-scribing to a maximum of 365 days.
  • Encounter Transcripts: These are either removed immediately after scribing or stored up to 365 days based on user preferences.
  • AI-generated Notes and Summaries: Retention varies from one day up to seven years, as specified by user settings.
  • User Profile/Data: Personal information is removed from our systems within 30 days after the end of a user's subscription.
Data Usage and Security
Use of Data:
Empathia AI, Inc. does not utilize original customer audio recordings or transcripts for AI model training or any external purposes. With user consent, our personnel may access encounter data solely for troubleshooting and enhancing the effectiveness of clinical care support services.
Data for Service Improvement:
We may use synthesized data for training and evaluating our systems to enhance service quality.
Privacy and Third-Party Restrictions
We maintain a strict policy against selling user or patient data and prohibit its use for any marketing or commercial activities outside of our stated services.
Privacy and Security Measures:

Encryption: All PHI and PII are encrypted both in transit (TLS 1.2+) and at rest (AES-256). Encryption keys are securely managed through AWS Key Management Service (KMS) and authorized Empathia administrators, ensuring continuous protection of sensitive data.

Access Controls: Access to PHI/PII is strictly limited to authorized personnel through role-based access controls. All administrative actions are logged and auditable, while strong password policies and automatic session timeouts are enforced to maintain system security.

Vendor Management: Empathia requires all third-party service providers to sign Business Associate Agreements (BAAs) and undergo regular security, privacy, and compliance reviews to uphold HIPAA and organizational standards.

Data Minimization & Purpose Limitation: Only the minimum personal data required for core functionality is collected. The AI system operates in a stateless mode, meaning no input or output data are stored without explicit consent.

De-Identification: Data used for limited quality assurance purposes are de-identified in accordance with HIPAA Safe Harbor standards, with re-identification strictly prohibited under company policy.

Certifications and Compliance:

Empathia AI maintains:

  • SOC 2 Type II Certification - covering Security, Availability, and Confidentiality
  • ISO 27001 Certification - Information Security Management System
  • HIPAA / HITECH Compliance Program
  • Annual independent audits and continuous monitoring of data security and privacy controls

See our current attestations and documentation at the Empathia Trust Center.

© 2025 Empathia AI, Inc. All rights reserved.