Privacy and Compliance

PatientNotes meets the regulations set out by HIPAA, GDPR, UK GDPR, UK Data Protection Act (DPA) and the Australian Privacy Act 1998.

Protecting patient information is our #1 priority

HIPAA compliance

We meet all HIPAA requirements to ensure the confidentiality and security of Protected Health Information (PHI).


GDPR compliance

We follow the data regulations established by the GDPR, UK GDPR and UK Data Protection Act to ensure the privacy and security of personal data for individuals within the EU and UK.


Australian Privacy Act 1998

PatientNotes is fully compliant with the Australian Privacy Act 1998 and the Australian Privacy Principles.


Common questions about privacy at PatientNotes

Is PatientNotes HIPAA compliant?

Yes, PatientNotes is fully compliant with the Health Insurance Portability and Accountability Act (HIPAA), ensuring the confidentiality, integrity, and security of protected health information (PHI).

Is PatientNotes GDPR, UK GDPR, and DPA compliant?

PatientNotes adheres to the General Data Protection Regulation (GDPR), UK GDPR, and the Data Protection Act (DPA), providing robust data protection for individuals within the EU and UK.

Is PatientNotes compliant with the Australian Privacy Act 1998?

Yes. PatientNotes complies with the Australian Privacy Act 1998, upholding the Australian Privacy Principles to safeguard personal information.

Do you have a Business Associate Agreement (BAA)?

Yes. We provide a Business Associate Agreement (BAA) to our US-based customers on request to ensure mutual compliance with HIPAA regulations. A BAA can be requested by emailing [email protected]

Do you have a Data Processing Agreement (DPA)?

PatientNotes enters into a Data Processing Agreement (DPA) with UK-based and EU-based customers on request to set out the responsibilities and scope of data processing in compliance with GDPR and other data protection laws. A DPA can be requested by emailing [email protected]

What security measures are employed by PatientNotes?

We implement technical and organisational security measures in a layered approach to prevent unauthorised misuse, interference, loss, access, modification and disclosure. More details can be found on our security page.

How long is patient data stored?

All patient data is securely stored and then deleted after 30 days, after which it cannot be accessed or recovered. Practitioners can choose to delete patient data immediately after the consultation or at any time before the 30-day limit.

Do you de-identify patient data and use it for other purposes?

We do not. Patient data is used only to generate notes and letters for you, and no patient data is used for AI model training. We also believe that de-identification processes often fail to consistently remove sensitive information when run at scale, so it is inappropriate to rely on de-identification as a security measure. Our layered, least-privilege approach to security, combined with stringent data deletion processes, lets us deliver a superior experience while meeting the highest standards of security.

Privacy related documents

We have several documents that explain our privacy practices and how we use data. It is important to us to be responsible custodians of the sensitive data that passes through our system.