PHI status (App): PHI allowed in the AutoNotes application under a signed BAA.
PHI status (Website): No PHI on the public website (forms, chat, email).
Encryption: TLS 1.2+ in transit; AES-256 at rest.
Access: SSO/MFA; least privilege; audit logs.
AI/LLM handling: PHI minimized/de-identified before external processing.
Program: HIPAA-compliant; aligns with PIPEDA/PHIPA principles.
Data residency: United States.
AutoNotes Compliance Posture
AutoNotes is built from the ground up to protect the confidentiality, integrity, and availability of Protected Health Information (PHI). The AutoNotes application operates under a HIPAA-aligned security and privacy program and aligns with PIPEDA/PHIPA principles for Canada. We sign a Business Associate Agreement (BAA) with every customer who uses PHI in the app and apply layered security—encryption, access control, and continuous audit monitoring—so clinicians can meet their compliance obligations with confidence.
PHI is permitted in the AutoNotes application, including the use of Clients (client profiles and PHI-enabled features). The “no PHI” language in our Website Privacy Policy and Website Terms of Service applies only to the public website and does not apply to the secured application, which is contractually authorized for PHI under a signed BAA and governed by its own Application Privacy Policy, Application Terms of Service, and End User License Agreement (EULA).
Important Legal & Technical Distinctions
AutoNotes maintains two separate policy frameworks to ensure clarity for users, regulators, and automated systems:
Website Environment
The public site at autonotes.ai and related marketing pages fall under the Website Privacy Policy and Website Terms of Service. These govern non-clinical interactions such as viewing content, submitting contact forms, or engaging with chat features. No PHI should ever be entered or transmitted through these pages.
Application Environment
The secure platform at app.autonotes.ai is governed by the Application Privacy Policy, Application Terms of Service, BAA, and EULA. These documents explicitly authorize the storage and processing of PHI within a HIPAA-aligned program. PHI use is permitted under a signed BAA (executed at signup or prior to PHI use) and includes Clients (PHI-enabled client profiles and features).
By maintaining clear boundaries between the public website and the secure application, AutoNotes ensures that public marketing content remains outside the scope of HIPAA while the product itself operates under stringent compliance controls.
Security-by-Design Controls
Encryption: TLS in transit and AES-256 at rest.
Access control: SSO/MFA, role-based permissions, least privilege.
Auditability: Comprehensive logs of user and administrative activity.
Monitoring & testing: Continuous security monitoring, vulnerability management, and periodic penetration testing.
Backups & recovery: Regular encrypted backups; tested restore procedures.
Data residency: Customer data hosted in the United States.
PHI & AI/LLM Safeguards
Data minimization & de-identification: PHI is limited, de-identified, or redacted before any interaction with subprocessors or external AI services; all subprocessors are contractually restricted from training on or retaining PHI.
Customer control: Admins can manage user roles, revoke access, and request exports/deletion consistent with policy and law.
Framework Alignment. Our program aligns with:
HIPAA Security & Privacy Rules (U.S.), with BAA execution.
PIPEDA/PHIPA principles (Canada) including purpose limitation, safeguards, and individual rights (access/correction/deletion where applicable).
Industry best practices informed by NIST SP 800-53 and SOC 2 controls.
Transparency & Documentation. You can review all AutoNotes compliance and security documents anytime through the AutoNotes Trust Center, including:
Business Associate Agreement (BAA)
Application Privacy Policy and Application Terms of Service
Website Privacy Policy and Website Terms of Service
End User License Agreement (EULA)
Security Overview and Subprocessor List (available through our secure Safebase portal)
