HIPAA posture
Business Associate Agreements. prosemed signs a Business Associate Agreement with every practice and with every service provider that handles PHI on our behalf. We review those agreements at procurement and again on every renewal.
Where data lives. Data is stored on U.S.-based cloud infrastructure. All stored clinical data is encrypted, and your practice can revoke its encryption keys at any time. Revocation is irreversible: once the keys are gone, the underlying records are permanently unreadable.
Encryption. Data is encrypted in transit and at rest using industry-standard methods. Each practice's data is encrypted under that practice's own keys, so one practice's keys cannot decrypt another practice's data.
Audit trail. Every read or write of PHI is recorded: who did it, when, and which record was touched. Audit entries cannot be edited or deleted, even by prosemed staff. Audit history is retained for six years, the retention period HIPAA requires for this documentation.
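One way to make the "cannot be edited or deleted" promise checkable from outside the application is a hash-chained log, where each entry commits to the digest of the one before it. The block below is an added illustration and not prosemed's own code; the timestamps, user names and resource paths are constructed sample data, and the `AuditLog`, `verify_chain` and `verify_against_head` names are this example's own. It also shows the caveat a reviewer should look for: a chain by itself does not detect deletion of the newest entries, so the head digest has to be anchored somewhere the application cannot write.

```python
"""Tamper-evident, append-only audit trail as a hash chain (added illustration,
not prosemed's code). Each entry commits to the previous entry's digest, so an
edit or a deletion in the middle breaks every later link and verification
reports the first bad position. Sample entries below are constructed data."""
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(fields):
    """SHA-256 over canonical JSON, so field ordering cannot change the hash."""
    canon = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


class AuditLog:
    """Append-only in memory; there is deliberately no edit or delete method."""

    def __init__(self):
        self._entries = []

    def append(self, ts, actor, action, resource):
        prev = self._entries[-1]["digest"] if self._entries else GENESIS
        fields = {
            "seq": len(self._entries),
            "ts": ts,                # ISO-8601 timestamp supplied by the caller
            "actor": actor,
            "action": action,        # "read" or "write"
            "resource": resource,    # what was touched
            "prev": prev,            # link to the previous entry
        }
        entry = dict(fields, digest=_digest(fields))
        self._entries.append(entry)
        return entry["digest"]

    def head(self):
        """Digest of the newest entry; publish it where the app cannot write."""
        return self._entries[-1]["digest"] if self._entries else GENESIS

    def entries(self):
        return [dict(e) for e in self._entries]  # copies: callers cannot mutate the log


def verify_chain(entries):
    """Return (ok, first_bad_seq). Catches edits and deletions in the middle."""
    prev = GENESIS
    for i, e in enumerate(entries):
        fields = {k: v for k, v in e.items() if k != "digest"}
        if e.get("seq") != i or e.get("prev") != prev or _digest(fields) != e.get("digest"):
            return False, i
        prev = e["digest"]
    return True, None


def verify_against_head(entries, published_head):
    """Chain check plus comparison with an externally anchored head digest;
    this is what catches silent truncation of the newest entries."""
    ok, _ = verify_chain(entries)
    last = entries[-1]["digest"] if entries else GENESIS
    return ok and last == published_head


def demo():
    log = AuditLog()  # constructed sample activity for one visit
    log.append("2024-03-01T09:00:00Z", "dr.lee", "read", "patient/1001/visit/7")
    log.append("2024-03-01T09:05:00Z", "billing.kim", "read", "patient/1001/visit/7")
    log.append("2024-03-01T09:20:00Z", "dr.lee", "write", "patient/1001/visit/7")
    head = log.head()

    edited = log.entries()
    edited[1] = dict(edited[1], actor="dr.lee")  # rewrite who performed the read
    deleted = log.entries()
    del deleted[1]                                # drop an entry from the middle
    truncated = log.entries()[:2]                 # drop the newest entry

    return {
        "intact": verify_chain(log.entries()),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "truncated_chain_only": verify_chain(truncated),  # passes: chain alone misses tail loss
        "truncated_vs_head": verify_against_head(truncated, head),
    }
```

Running `demo()` shows the edit and the mid-log deletion both flagged at position 1, while the truncated copy passes the chain check and is only caught by comparing against the published head digest.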
Practice isolation. One practice cannot see another practice's data. Each practice's records and encryption keys are kept separate at every layer of the system.
Sign-in. Sign-in uses an email address and a password, and two-factor authentication is required for every account. Accounts lock automatically after repeated failed sign-in attempts.
Who can see what. There are four roles: owner, admin, clinician, and billing. Clinicians see the patients and visits they are assigned to, plus whatever a practice admin explicitly shares with them. Any view of a patient record outside the viewer's assignment is recorded in the audit trail.
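The per-practice keys, key revocation and isolation points above describe envelope encryption with crypto-shredding. The block below is an added illustration and not prosemed's own code: each record gets its own data key, that key is wrapped under the owning practice's key, and revoking the practice key deletes it so nothing under it can ever be unwrapped again. The cipher is an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, chosen only so the example runs on the Python standard library; a production system would use an AEAD such as AES-GCM and keep practice keys in a hardware-backed KMS. The practice and record identifiers and the sample note are constructed, and `PracticeKeyService` and `RecordStore` are names this example assumes.

```python
"""Per-practice envelope encryption with key revocation (added illustration,
not prosemed's code). Cipher is an HMAC-SHA256 keystream plus encrypt-then-MAC
as a stdlib-only stand-in for an AEAD; practice keys live in a stand-in KMS."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _derive(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key, nonce, data):
    """XOR data with HMAC(key, nonce || counter) blocks; the function is its own inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key, plaintext, aad=b""):
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(_derive(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_derive(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob, aad=b""):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_derive(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _keystream_xor(_derive(key, b"enc"), nonce, ct)


class PracticeKeyService:
    """One key-encryption key (KEK) per practice; stands in for a KMS."""

    def __init__(self):
        self._keks = {}

    def enroll(self, practice_id):
        self._keks[practice_id] = secrets.token_bytes(32)

    def revoke(self, practice_id):
        del self._keks[practice_id]  # irreversible by design: crypto-shredding

    def wrap(self, practice_id, dek):
        # Practice id bound as AAD, so a wrapped DEK cannot be replayed under another practice.
        return seal(self._keks[practice_id], dek, aad=practice_id.encode())

    def unwrap(self, practice_id, wrapped):
        if practice_id not in self._keks:
            raise PermissionError(f"key for {practice_id} has been revoked")
        return unseal(self._keks[practice_id], wrapped, aad=practice_id.encode())


class RecordStore:
    """Holds only wrapped data keys and ciphertext; plaintext never reaches the store."""

    def __init__(self, keys):
        self._keys = keys
        self._rows = {}

    def put(self, practice_id, record_id, plaintext):
        dek = secrets.token_bytes(32)  # fresh data key per record
        aad = f"{practice_id}/{record_id}".encode()
        self._rows[(practice_id, record_id)] = (self._keys.wrap(practice_id, dek), seal(dek, plaintext, aad))

    def get(self, practice_id, record_id):
        wrapped, blob = self._rows[(practice_id, record_id)]
        dek = self._keys.unwrap(practice_id, wrapped)
        return unseal(dek, blob, f"{practice_id}/{record_id}".encode())

    def wrapped_dek(self, practice_id, record_id):
        return self._rows[(practice_id, record_id)][0]

    def has(self, practice_id, record_id):
        return (practice_id, record_id) in self._rows


def demo():
    keys = PracticeKeyService()
    keys.enroll("practice-a")
    keys.enroll("practice-b")
    store = RecordStore(keys)
    note = b"constructed sample visit note"  # constructed data
    store.put("practice-a", "visit-1", note)
    results = {"own_read": store.get("practice-a", "visit-1")}
    try:  # practice B's KEK against practice A's wrapped data key
        keys.unwrap("practice-b", store.wrapped_dek("practice-a", "visit-1"))
        results["cross_practice"] = "readable"
    except ValueError:
        results["cross_practice"] = "rejected"
    keys.revoke("practice-a")
    try:
        store.get("practice-a", "visit-1")
        results["after_revoke"] = "readable"
    except PermissionError:
        results["after_revoke"] = "unreadable"
    results["ciphertext_still_stored"] = store.has("practice-a", "visit-1")
    return results
```

The last result is the point of crypto-shredding: the ciphertext rows are still in the store after revocation, but with the practice key gone they cannot be read by the practice, by another practice, or by the operator. In a real deployment the same property only holds if backups and key escrow do not retain a copy of the revoked key.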
Retention. Clinical data is retained for the period set in your Business Associate Agreement, by default seven years after the visit. Deleted records can be restored within 30 days; the deletion itself is recorded in the audit log.
Breach notification. If an incident touches PHI, the contact your practice designates is notified within 24 hours. Regulatory notification follows the HIPAA Breach Notification Rule, which requires notice no later than 60 days after the breach is discovered.
How prosemed fits with your EHR and billing
prosemed sits next to your EHR and billing system, not on top of them. We capture the documentation; you keep ownership of the clinical history and the claims.
EHR. Export an individual visit or a batch, either as a PDF for the chart or as a data file your EHR can ingest. Direct EHR integration options are discussed with each practice.
Billing. Export the confirmed CPT and ICD-10 codes, any modifiers, and the dictation excerpt that supports each code, in a format your billing system can accept.
Operational practices
Accuracy before release. Every model version is evaluated for accuracy and faithfulness to the source dictation before it reaches any practice. A version that does not meet our internal quality bar is not released.
Gradual rollout. New versions are rolled out gradually, never all at once. If quality drops during a rollout, it is paused automatically and the previous version is restored without any action required from your practice.
Incident response. Incidents touching PHI are acknowledged within four hours, day or night. Affected practices receive a written postmortem within five business days that covers what happened, what we did, and what we changed so it does not happen again.
Contact
Questions about a specific control, or a vulnerability to report, go to [email protected]. For our compliance roadmap, Business Associate Agreements, or HIPAA documentation, write to [email protected].