Privacy Policy

3.1 Clinical and Health Information

Our primary function involves processing clinical conversations and generating structured documentation. In the course of providing these Services, we may process the following categories of health-related information:

• Audio recordings of physician-patient encounters, captured through our speech recognition interface with appropriate patient and clinician consent.
• Transcribed text of clinical encounters, including patient history, physical examination findings, assessment, and treatment plans.
• Structured clinical data extracted from narratives, such as diagnosis codes (ICD-10), procedure codes (CPT), medication names, lab values, and vital signs.
• Information received from integrated EHR systems, including demographic data, prior visit history, active problem lists, and existing medication records.
• Corrections and annotations made by physicians during the review and editing process.

All clinical information processed through the Clinex platform is treated as PHI and handled in strict accordance with our obligations under HIPAA and the terms of applicable Business Associate Agreements.

3.2 Account and Organizational Information

When a healthcare organization or individual clinician creates an account with Clinex, we collect:

• Full name, professional title, and medical license number.
• Business contact information including email address, phone number, and practice or organization name.
• Specialty designation and primary clinical setting (e.g., inpatient, outpatient, emergency medicine).
• Billing and payment information, processed through our PCI-DSS compliant payment processor.
• EHR system details and integration credentials necessary to establish secure connections.

3.3 Platform Usage Data

We automatically collect certain technical and behavioral data to support service delivery, performance optimization, and system security:

• IP address, browser type, operating system, and device identifiers.
• Session logs, feature interaction data, and navigation patterns within the platform.
• API request and response metadata, including timestamps, endpoint identifiers, and response latencies.
• Error logs and diagnostic information used to identify and resolve technical issues.

Usage data is collected through server logs, cookies, and embedded analytics tools. This data is not linked to PHI and is used exclusively for operational and improvement purposes.

4.1 Core Service Delivery

The information we collect is used primarily to provide, maintain, and improve the clinical documentation Services, including:

• Transcribing physician-patient encounters and generating structured clinical notes using artificial intelligence and natural language processing.
• Synchronizing completed documentation with integrated EHR systems in real time.
• Personalizing note templates and documentation preferences based on specialty, workflow patterns, and prior usage.
• Supporting physician review, editing, and approval of AI-generated content prior to EHR submission.

4.2 AI Model Training and Improvement

4.3 Security and Compliance Operations

We use collected information to maintain the security and integrity of our platform, including:

• Detecting, investigating, and responding to unauthorized access, data breaches, or other security incidents.
• Conducting access control audits and enforcing role-based permission policies.
• Meeting our obligations under HIPAA breach notification requirements (45 C.F.R. §§ 164.400–414).
• Fulfilling reporting obligations to regulatory authorities as required by applicable law.

4.4 Business Operations

Non-PHI information is used for legitimate business purposes, including:

• Billing, invoicing, and subscription management.
• Customer support and technical troubleshooting.
• Communication of product updates, feature announcements, and service notifications.
• Internal reporting, financial planning, and board-level analytics.

5.1 Authorized Disclosures

We do not sell, rent, or trade personal information or PHI. We disclose information only in the following circumstances:

• To the Covered Entity (e.g., the physician's employing healthcare organization) on whose behalf we are acting as a Business Associate, pursuant to an executed BAA.
• To authorized EHR systems for the purpose of completing clinical documentation workflows.
• To subcontractors and service providers who assist in delivering the Services, each of whom is bound by appropriate confidentiality and data processing agreements.
• As required by applicable law, court order, or regulatory directive, including disclosures mandated under the HIPAA Privacy Rule at 45 C.F.R. § 164.512.
• In connection with a merger, acquisition, or sale of substantially all assets, subject to advance notice and continuity of privacy protections for data subjects.

5.2 Subprocessors

5.3 Prohibited Disclosures

6.1 Technical Safeguards

Clinex maintains a comprehensive information security program designed to protect the confidentiality, integrity, and availability of all data processed through our platform. Technical safeguards include:

• End-to-end encryption of PHI in transit using TLS 1.3 or higher.
• Encryption of PHI at rest using AES-256 encryption.
• Multi-factor authentication required for all platform access.
• Role-based access controls limiting data access to the minimum necessary.
• Continuous intrusion detection and security event monitoring via a dedicated SIEM platform.
• Automated vulnerability scanning and semi-annual third-party penetration testing.
• Geographically distributed data centers with automated failover and disaster recovery.

6.2 Administrative Safeguards

• Annual HIPAA and security awareness training for all personnel.
• Background screening for all employees with access to PHI.
• Documented incident response plan with defined breach notification procedures.
• Quarterly internal compliance assessments and annual third-party audits.
• Formal vendor risk management process for all subprocessors.

6.3 SOC 2 Type II Certification

Registered users of the Clinex platform have the following rights with respect to their account and usage data:

• Access: You may request a copy of the personal account information we hold about you.
• Correction: You may request correction of inaccurate or incomplete account information.
• Deletion: You may request deletion of your account and associated personal data, subject to retention obligations under applicable law and our BAA obligations.
• Portability: You may request an export of your account data in a machine-readable format.
• Objection: You may object to specific uses of your data for non-essential purposes such as marketing communications.

To exercise any of these rights, submit a written request to our Privacy Officer at the contact information provided in Section 13 of this Policy. We will acknowledge receipt within five (5) business days and respond substantively within thirty (30) days.