Effective May 6, 2026

Privacy Policy

prosemed provides voice-driven clinical documentation tools for physicians across specialties. This Privacy Policy explains what information prosemed collects, why we collect it, how we protect it, and the rights you have over your information. By using the prosemed application or this website, you agree to the practices described here.

Roles under HIPAA

Most information we process is Protected Health Information (PHI) created by clinicians during patient visits. prosemed acts as a Business Associate to the medical practices that subscribe to the service (the “Covered Entities”). We process PHI on the practice's behalf under a Business Associate Agreement (BAA) and in accordance with the HIPAA Privacy and Security Rules.

Information we collect

Account information. When a clinician creates an account we collect a name, work email address, role, and the practice they belong to. Multi-factor authentication is required for every account.

Clinical content. When a clinician records a visit, prosemed receives the visit's audio, the resulting transcript, the structured note, and the billing codes confirmed by the clinician. Patient demographics, allergies, medications, and problem lists added by the clinician are also stored.

Audit and operational data. Every time PHI is read or written, we record who did it, when, what action was taken, and which record was touched. These audit entries cannot be edited or deleted. We also collect crash reports, error logs, and aggregate performance metrics. These records exclude PHI other than the record identifier needed to make the audit trail useful.

How we use information

  • To deliver the documentation, structuring, and billing features the clinician requested.
  • To verify identity, secure accounts, and prevent abuse.
  • To maintain the audit trail required by HIPAA §164.312.
  • To diagnose service failures and improve reliability.
  • To meet legal, regulatory, or contractual obligations.

We do not sell personal information. We do not use PHI to train third-party general-purpose models.

Speech recognition and AI structuring

Speech-to-text runs on the clinician's device by default. When on-device transcription is unavailable for a given recording, the audio is processed by a cloud transcription service that operates under a Business Associate Agreement with prosemed. That service is configured so the audio is not retained or used for any purpose other than producing the transcript.

AI structuring of the transcript is performed in a controlled cloud environment under the same Business Associate Agreement. Before any transcript is sent to a structuring model, prosemed removes direct identifiers (names, dates of birth, medical record numbers, contact details) so the model receives only the clinical narrative needed to produce a note.

Sharing

prosemed shares information only with:

  • The practice that created the account, and the practice members it has authorized.
  • Sub-processors that operate the underlying infrastructure (cloud hosting, storage, identity, transcription, AI structuring). Each sub-processor in the PHI path operates under a BAA and is reviewed for HIPAA alignment before production use.
  • Authorities or third parties when required by law, valid legal process, or to protect the rights and safety of patients, clinicians, or the public.

Storage, encryption, and retention

All clinical data is encrypted both in transit and at rest using industry-standard methods. The encryption keys are controlled at the practice level and can be revoked, which renders the underlying stored records unreadable. Data lives on U.S.-based cloud infrastructure. Audit log entries are retained for at least six years to satisfy HIPAA §164.530(j). Deleted records remain restorable for thirty days; after that window they are permanently removed, and the deletion itself is recorded in the audit log.

Your rights

Patients and authorized representatives have the right to request access to, correction of, or restriction on the use of their PHI under HIPAA §164.524 and §164.526. These requests are coordinated through the patient's clinical practice (the Covered Entity), which holds the relationship with the patient. Clinicians may request export or deletion of their own account information by writing to [email protected].

Children

prosemed is intended for use by licensed clinicians. We do not knowingly collect personal information directly from anyone under thirteen. Patient information about minors is entered only by the treating clinician on behalf of the practice.

Changes

We may revise this Privacy Policy as prosemed evolves. When we make material changes we will update the effective date above and, where appropriate, notify account holders by email. Continued use of prosemed after a change takes effect constitutes acceptance of the revised policy.

Contact

Questions about this Privacy Policy or prosemed's privacy practices can be sent to [email protected].