Privacy and Compliance
PatientNotes meets the regulations set out by HIPAA, GDPR, UK GDPR, UK Data Protection Act (DPA) and the Australian Privacy Act 1998.
Protecting patient information is our #1 priority
HIPAA compliance
PatientNotes meets all HIPAA requirements to ensure the confidentiality and security of Protected Health Information (PHI).
GDPR compliance
PatientNotes follows the data regulations established by the GDPR, UK GDPR and UK Data Protection Act to ensure the privacy and security of personal data for individuals within the EU and UK.
Australian Privacy Act 1998
PatientNotes is fully compliant with the Australian Privacy Act 1998 and the Australian Privacy Principles.
Privacy related documents
Common questions about privacy at PatientNotes
Is PatientNotes HIPAA compliant?
Yes, PatientNotes is fully compliant with the Health Insurance Portability and Accountability Act (HIPAA), ensuring the confidentiality, integrity, and security of protected health information (PHI).
Is PatientNotes GDPR, UK GDPR, and DPA compliant?
PatientNotes adheres to the General Data Protection Regulation (GDPR), UK GDPR, and the Data Protection Act (DPA), providing robust data protection for individuals within the EU and UK.
Is PatientNotes compliant with the Australian Privacy Act 1998?
Yes. PatientNotes complies with the Australian Privacy Act 1998, upholding the Australian Privacy Principles to safeguard personal information.
Do you have a Business Associate Agreement (BAA)?
Yes. We provide a Business Associate Agreement (BAA) to our US-based customers on-request to ensure mutual compliance with HIPAA regulations. A BAA can be requested by emailing compliance@patientnotes.app
Where are PatientNotes servers located?
PatientNotes runs on servers located in Sydney, Australia. We have plans to have dedicated servers in each country with data stored locally for each user where possible eg. If a user sets their country to United States, their data will reside in the United States.
Do you have a Data Processing Agreement (DPA)?
PatientNotes enters into a Data Processing Agreement (DPA) with UK-based and EU-based customers on-request to outline the responsibilities and scope of data processing in compliance with GDPR and other data protection laws. A DPA can be requested by emailing compliance@patientnotes.app
What security measures are employed by PatientNotes?
We implement technical and organizational security measures in a layered approach to prevent unauthorized misuse, interference, loss and unauthorised access, modification and disclosure. More details can be found in our security page.
How long is patient data stored?
All patient data are securely stored and then deleted after 30 days and cannot be accessed or recovered after this time. Practitioners can choose to delete patient data immediately after the consultation or anytime before 30 days.
Do you de-identify patient data and use it for other purposes?
We do not. Patient data is only used to generate notes and letters for you. No patient data is used for AI model training. Related to this, we believe that de-identification processes often do not consistently remove sensitive information when run at scale. We believe it is inappropriate to rely on de-identification as a security measure. Our layered and least-privileged approach to security combined with stringent data deletion processes ensures that we can deliver you a superior experience while meeting the highest standards of security.
