How we protect patient data.
Every technical and organizational control we have is documented below, and every document is downloadable. We built ScribeGo.ai so that the AI model never sees raw Protected Health Information, and we can prove it.
- The AI model never sees real patient data, only placeholder tokens like [NAME_001].
- All processing happens inside AWS, covered by the AWS Business Associate Agreement.
- We do not store transcripts, do not share data with third-party AI vendors, do not use data for training.
- Complete written compliance program: policies, procedures, Security Risk Analysis, and BAA.
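The placeholder-token approach mentioned above (sending the model `[NAME_001]` instead of a name) is easiest to reason about as a small pseudonymize / guard / rehydrate pipeline. The code below is an added illustration, not ScribeGo.ai's own implementation; it assumes a handful of regex detectors and an offline stand-in for the model call, where a production pipeline would use a clinical NER model and a real API. The clinic note and the identifiers in it are constructed sample data.

```python
import re

# Constructed sample note containing several identifier types.
SAMPLE_NOTE = (
    "Patient Jane Doe, MRN 123456, seen 2024-03-14. "
    "Jane Doe reports chest pain. Call Jane Doe at 555-123-4567."
)

# Simplified detectors (assumption: a real pipeline uses a clinical NER model,
# not hand-written regexes). The NAME pattern is seeded from the chart header.
PATTERNS = {
    "NAME": re.compile(r"\bJane Doe\b"),
    "MRN": re.compile(r"(?<=\bMRN )\d{6}\b"),
    "DATE": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
    "PHONE": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}


def pseudonymize(text):
    """Replace every detected identifier with a stable token such as [NAME_001].

    The same value always maps to the same token within one note, so the model
    can still tell that three mentions refer to one patient. Returns the
    redacted text and the token -> original mapping, which stays on our side.
    """
    mapping = {}          # token -> original value
    seen = {}             # (category, value) -> token, for stable reuse
    counters = {}

    def make_replacer(category):
        def _replace(match):
            value = match.group(0)
            key = (category, value)
            if key not in seen:
                counters[category] = counters.get(category, 0) + 1
                token = f"[{category}_{counters[category]:03d}]"
                seen[key] = token
                mapping[token] = value
            return seen[key]
        return _replace

    redacted = text
    for category, pattern in PATTERNS.items():
        redacted = pattern.sub(make_replacer(category), redacted)
    return redacted, mapping


def contains_phi(text, mapping):
    """Outbound guard: true if any original identifier survived redaction."""
    return any(original in text for original in mapping.values())


def rehydrate(text, mapping):
    """Put the real values back into model output that still carries tokens."""
    for token, original in mapping.items():
        text = text.replace(token, original)
    return text


def fake_model(redacted_note):
    # Stand-in for the model call so the example runs offline (assumption).
    return "Summary: " + redacted_note


def process_note(note):
    """Full flow: redact, refuse to send if PHI leaked through, call model, rehydrate."""
    redacted, mapping = pseudonymize(note)
    if contains_phi(redacted, mapping):
        raise ValueError("PHI survived redaction; refusing to send to model")
    model_output = fake_model(redacted)
    return rehydrate(model_output, mapping)


if __name__ == "__main__":
    redacted, mapping = pseudonymize(SAMPLE_NOTE)
    print("Sent to model:", redacted)
    print("Returned to clinician:", process_note(SAMPLE_NOTE))
```

The guard in `process_note` is the part worth keeping in any real deployment: it fails closed when a detector misses something, rather than letting the raw value reach the model. The mapping is created and discarded per request, which is what lets the "we do not store transcripts" promise hold even though the output returned to the clinician contains the real names.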
Downloads
Shareable documents
PDF format. Send these to any prospective customer's compliance or IT reviewer.
Security & HIPAA Overview
For: Compliance officers, hospital IT teams, security reviewers
The complete ~20-page overview of how ScribeGo.ai handles Protected Health Information. Includes the data flow, BAA coverage, HIPAA compliance checklist, FAQ, and architecture summary.
Security One-Pager
For: Clinicians, clinic admins, doctor-to-doctor referrals
The 3-minute read: core promise, side-by-side vs ChatGPT, and the plain-English data flow. Designed to be emailed to a physician peer.
Business Associate Agreement (BAA)
For: Covered Entity customers, their legal counsel
Our Business Associate Agreement template, ready for a Covered Entity customer to review and counter-sign. Based on the HHS sample BAA with ScribeGo-specific provisions.
Notice of Privacy Practices
For: Individuals, patient advocates, regulators
ScribeGo.ai's public-facing privacy statement as a Business Associate. Describes what we do with PHI received from customer Covered Entities.
Compliance program
What's inside our HIPAA program
ScribeGo.ai operates as a HIPAA Business Associate. Our written compliance program covers every requirement under the HIPAA Security and Privacy Rules. The documents we make public are linked above. The remaining internal policies are available on request from any prospective customer's compliance team.
Information Security Policy
Technical, physical, and administrative safeguards
Access Control Policy
Who gets in, how, and how access is terminated
Incident Response Policy
8-phase response with severity ladder
Contingency & DR Plan
Backup, recovery, and emergency-mode operations
Breach Notification Procedure
72-hour internal target per §164.410
Workforce Training Policy
Initial + annual, with audit trail
Sanction Policy
Proportional, documented, and due-process respecting
Business Associate Management
Upstream (customers) and downstream (AWS)
Risk Management Plan
Quarterly review + annual full evaluation
Security Risk Analysis
12 risks identified, rated, and treated
What we're still improving
We believe honesty builds more trust than marketing. Here's the current state of our compliance maturity:
- ✅ Written HIPAA compliance program, Security Officer designated, workforce trained
- ✅ Business Associate Agreement ready for customer execution
- ⏳ SOC 2 Type II audit, planned when enterprise pipeline justifies the investment
- ⏳ Third-party penetration test, planned Q4 2026
- ⏳ Customer-facing audit log self-service, planned for enterprise tier
None of these gaps compromise the core controls. They represent the normal maturity path of an early-stage healthcare company.
Questions about our security or compliance?
hello@scribego.ai
ScribeGo.ai · All documents are drafts pending legal review; final customer-facing copies will be counter-signed.