Overview

What this policy covers

This Privacy Policy describes how ProDocNotes collects, uses, discloses, and protects information when healthcare organisations and authorised workforce members use our website and documentation platform.

Because ProDocNotes is designed for HIPAA-aware clinical documentation workflows, this policy covers both standard business information, such as account and billing data, and protected health information (PHI) that we may process on behalf of a healthcare customer acting as a covered entity.

If you are a patient, your provider or health plan remains the primary point of contact for rights relating to your medical record. See our Notice of Privacy Practices for more detail on how those requests are handled.

Section 01

Information we collect

We collect information in four primary categories:

  • Account information: name, work email address, username, organisation, and authentication data.
  • Platform usage information: audit events, session metadata, device and browser details, timestamps, and diagnostic logs.
  • Support and communications data: messages you send to support, implementation questionnaires, and contract records.
  • Customer PHI: patient notes, clinical context, and related information that our healthcare customers choose to store or process through the Service.

We do not intentionally collect consumer marketing profiles, sell personal information, or use PHI for advertising purposes.

Section 02

How we use information

We use information to operate and secure the Service, including to:

  • authenticate users and manage access controls;
  • store, retrieve, and display clinical documentation requested by authorised users;
  • maintain audit logs, backups, and security monitoring;
  • respond to support requests, incidents, and customer inquiries;
  • improve reliability, performance, accessibility, and product quality;
  • comply with contractual, legal, and regulatory obligations.

Where AI-assisted drafting features are enabled, customer content may be processed strictly for the purpose of generating or refining draft documentation within the controls described in our customer agreements.

Section 03

PHI, HIPAA, and customer responsibilities

When ProDocNotes processes PHI on behalf of a healthcare customer, we do so as a business associate and only under the instructions of that customer and the terms of the applicable agreement.

Our customers decide what PHI is entered into the Service, which users may access it, and how that information is used for treatment, payment, and healthcare operations. Customers are responsible for obtaining required consents, providing their own HIPAA notices, and responding to patient requests concerning designated record sets.

Our Business Associate Agreement page summarizes the safeguards and responsibilities that support this role.

Section 04

When we disclose information

We may disclose information only in limited circumstances, such as:

  • to authorised subprocessors or service providers who help us host, secure, or support the Service and who are bound by appropriate confidentiality and security terms;
  • to comply with applicable law, court order, subpoena, or lawful government request;
  • to investigate, prevent, or address security incidents, fraud, abuse, or other violations of our Terms;
  • as directed by the relevant customer in connection with their permitted use of the Service.

We do not sell PHI or personal data, and we do not disclose PHI for independent marketing use.

Section 05

Retention and deletion

We retain account and operational data for as long as reasonably necessary to provide the Service, meet our contractual obligations, resolve disputes, and satisfy legal or compliance requirements.

PHI retention is controlled primarily by customer instructions, applicable law, and the governing BAA or service agreement. When the relationship ends, we return or securely delete PHI in accordance with the executed agreement, unless law requires longer retention.

Audit logs and security records may be retained longer than user-facing content where necessary to preserve system integrity, investigate incidents, or demonstrate compliance.

Section 06

Security safeguards

We use administrative, technical, and physical safeguards designed to protect information, including:

  • encryption in transit and at rest;
  • role-based access controls and authentication controls;
  • audit logging and access monitoring;
  • incident response procedures and vendor risk management;
  • workforce training and least-privilege practices.

No system can guarantee absolute security. Customers are also responsible for securing their own credentials, endpoints, and internal workflows.

Section 07

Rights and choices

Workforce users may contact us to update account information, request contract materials, or raise privacy concerns. Patients or other individuals whose PHI is processed in ProDocNotes should usually direct requests for access, amendment, restriction, or disclosure accounting to the relevant healthcare provider or plan.

Additional information about rights related to PHI is available in our Notice of Privacy Practices.

Section 08

Changes and contact

We may update this Privacy Policy from time to time to reflect product, legal, or operational changes. When material changes are made, we will update the effective date on this page and, where appropriate, provide additional notice.

Questions about this policy can be directed to [email protected]. Security concerns should be directed to [email protected].