Introduction
AhlTrade LLC ("Company," "we," "us," or "our") operates MH Scribe, a HIPAA-compliant AI medical scribe platform designed for mental health practitioners ("Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
IMPORTANT NOTICE: This Privacy Policy applies to both practitioners who use our Service and the Protected Health Information (PHI) of their patients. As a Business Associate under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), we are committed to protecting the privacy and security of all health information entrusted to us.
By accessing or using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use our Service.
Definitions
For the purposes of this Privacy Policy:
- Protected Health Information (PHI) means any individually identifiable health information that is created, received, maintained, or transmitted by our Service, including demographic data, that relates to the past, present, or future physical or mental health condition of an individual, or the provision of health care to an individual.
- Practitioner means a licensed mental health professional (therapist, psychiatrist, psychologist, counselor, or other healthcare provider) who uses our Service.
- Patient means an individual whose health information is processed through our Service by their Practitioner.
- Business Associate means a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity.
- Covered Entity means a health plan, health care clearinghouse, or health care provider who transmits health information in electronic form in connection with a transaction covered by HIPAA.
- Personal Data means any information relating to an identified or identifiable natural person.
1. Information We Collect
1.1 Information Provided by Practitioners
Account Registration Information:
- Full legal name and professional credentials
- Email address and telephone number
- Professional license number and issuing state
- Practice name, address, and NPI number
- Billing and payment information (processed by Stripe)
- Organization and team member information
Service Usage Information:
- Session recordings and audio files
- Transcriptions and clinical documentation
- Template configurations and customizations
- Preferences and settings
- Communications with our support team
1.2 Protected Health Information (PHI)
We process PHI solely on behalf of Practitioners in their capacity as Covered Entities. PHI we may process includes:
- Patient names, dates of birth, and contact information
- Session transcripts and audio recordings
- Clinical notes, assessments, and progress notes
- Mental health diagnoses and treatment plans
- Diagnosis codes (ICD-10) and procedure codes (CPT)
- Medication information and prescriptions
- Insurance and billing information
- Any other health information entered into or generated by the Service
1.3 Automatically Collected Information
When you access our Service, we automatically collect certain technical information:
- IP address and approximate geographic location
- Device type, operating system, and browser type
- Date and time of access, pages viewed, and features used
- Referring website or application
- Error logs and performance data
- Cookies and similar tracking technologies
2. How We Use Your Information
2.1 Use of Practitioner Information
We use Practitioner information for the following purposes:
- To create and manage your account
- To provide, maintain, and improve our Service
- To process payments and manage subscriptions
- To send administrative communications (service updates, security alerts)
- To respond to inquiries and provide customer support
- To analyze usage patterns and improve user experience
- To detect, prevent, and address technical issues and security threats
- To comply with legal obligations and enforce our terms
2.2 Use of Protected Health Information
We process PHI solely for the following purposes as authorized by Practitioners:
- To provide AI-powered transcription of clinical sessions
- To generate clinical documentation and session notes
- To provide billing code suggestions (ICD-10, CPT)
- To enable clinical decision support and continuity insights
- To facilitate data export and EHR integration
- To maintain audit logs as required by HIPAA
- To provide technical support at Practitioner's request
We expressly DO NOT:
- Use PHI for marketing, advertising, or promotional purposes
- Sell, rent, or lease PHI to any third party
- Use PHI to train machine learning models without explicit written consent
- Share PHI with third parties except as permitted by HIPAA or authorized by the Practitioner
- Access PHI except as necessary to provide the Service or as directed by the Practitioner
3. HIPAA Compliance
3.1 Our Role and Obligations
MH Scribe operates as a Business Associate under HIPAA. We execute Business Associate Agreements (BAAs) with all Practitioners who use our Service to process PHI. Under these agreements and applicable law, we are obligated to:
- Use and disclose PHI only as permitted by the BAA or as required by law
- Implement appropriate administrative, physical, and technical safeguards
- Report to the Covered Entity any use or disclosure of PHI not permitted by the BAA
- Report any Security Incident or Breach of Unsecured PHI
- Ensure that any subcontractors that create, receive, maintain, or transmit PHI agree to the same restrictions and conditions
- Make PHI available for access by individuals as required
- Make PHI available for amendment and incorporate amendments as required
- Provide an accounting of disclosures of PHI as required
- Make internal practices and records available to HHS for compliance determination
- Return or destroy PHI upon termination of the BAA
3.2 Patient Rights Under HIPAA
Patients whose PHI is processed through our Service have specific rights under HIPAA, including:
- Right to Access: The right to inspect and obtain a copy of their PHI
- Right to Amendment: The right to request corrections to their PHI
- Right to an Accounting of Disclosures: The right to receive a list of disclosures of their PHI
- Right to Request Restrictions: The right to request restrictions on certain uses and disclosures of their PHI
- Right to Request Confidential Communications: The right to request that communications be made through alternative means or to alternative locations
- Right to Complain: The right to file a complaint with HHS if they believe their privacy rights have been violated
Important: Because we process PHI on behalf of Practitioners (Covered Entities), patients must exercise these rights through their Practitioner. We will assist Practitioners in responding to patient requests as required.
4. Data Security
We implement comprehensive security measures to protect your information in accordance with HIPAA Security Rule requirements and industry best practices.
4.1 Technical Safeguards
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 or higher
- Encryption at Rest: All stored data is encrypted using AES-256 encryption
- Access Controls: Role-based access control (RBAC) with principle of least privilege
- Authentication: Multi-factor authentication (MFA) required for all accounts
- Audit Logging: Comprehensive logging of all access to and modifications of PHI
- Intrusion Detection: 24/7 security monitoring and intrusion detection systems
- Vulnerability Management: Regular security assessments and penetration testing
- Automatic Session Termination: Sessions time out after periods of inactivity
4.2 Physical Safeguards
- Data Center Security: Our infrastructure is hosted on Amazon Web Services (AWS), which maintains SOC 2 Type II attestation reports and provides HIPAA-eligible services under a Business Associate Agreement (there is no formal HIPAA certification)
- Data Location: All data is stored exclusively in United States-based data centers
- Redundancy: Multi-availability zone deployment for high availability and disaster recovery
- Backup Systems: Encrypted daily backups with 30-day retention
4.3 Administrative Safeguards
- Security Officer: Designated Security Officer responsible for security policies and procedures
- Workforce Training: All personnel receive HIPAA security and privacy training
- Background Checks: Background checks for employees with access to PHI
- Policies and Procedures: Comprehensive written policies addressing all aspects of information security
- Risk Analysis: Regular security risk assessments and management
- Incident Response: Documented incident response and breach notification procedures
- Business Continuity: Business continuity and disaster recovery plans
5. Data Sharing and Disclosure
5.1 Service Providers (Subcontractors)
We engage certain third-party service providers to assist in providing our Service. These providers may have access to your information only to perform specific tasks on our behalf and are obligated to protect your information:
- Amazon Web Services (AWS): Cloud infrastructure, storage, and computing services. We use only HIPAA-eligible AWS services for PHI and maintain a BAA with AWS.
- Stripe: Payment processing. Stripe only receives payment information necessary to process transactions; no PHI is shared with Stripe.
- Clerk: Authentication and identity management. Clerk receives only authentication credentials; no PHI is shared with Clerk.
- Amazon Bedrock: AI model inference. Bedrock is an AWS service and is covered by our BAA with AWS.
All subcontractors who may access PHI are required to sign Business Associate Agreements and maintain HIPAA compliance.
5.2 Legal Requirements
We may disclose your information, including PHI, when required by law or in response to valid legal process, including:
- Valid court orders or subpoenas
- Law enforcement requests made with proper legal authority
- Requests from regulatory agencies with appropriate jurisdiction
- Public health activities as required by law
- Health oversight activities
- Judicial and administrative proceedings
- To avert a serious threat to health or safety
- Specialized government functions (e.g., military, national security)
- Workers' compensation as required by law
We will notify Practitioners of such disclosures unless prohibited by law.
5.3 De-identified and Aggregated Data
We may use and share de-identified data (data from which identifiers have been removed in accordance with the HIPAA de-identification standard at 45 CFR § 164.514(b), using either the Safe Harbor or Expert Determination method) or aggregated data (statistical data that does not identify individuals) for:
- Service improvement and product development
- Research and analytics
- Industry benchmarking and reporting
Such de-identified or aggregated data is not considered PHI and is not subject to HIPAA restrictions.
6. Data Retention
6.1 Active Accounts
- PHI: Retained for as long as the Practitioner maintains an active account, or longer if required by state medical record retention laws
- Session Recordings: Retained according to Practitioner-configured retention settings
- Audit Logs: Maintained for a minimum of six (6) years as required by HIPAA
- Account Information: Retained for the duration of the account relationship
6.2 Account Termination
Upon account termination:
- Practitioners may export all their data within thirty (30) days of termination notice
- PHI will be securely deleted within ninety (90) days of account termination, unless a legal hold or retention requirement applies
- Audit logs will be retained for six (6) years from the date of creation as required by HIPAA
- De-identified and aggregated data may be retained indefinitely
- Backup copies will be purged according to our backup retention schedule
6.3 Legal Holds
We may retain information beyond our standard retention periods if required by law, legal proceedings, or government investigations.
7. Your Privacy Rights
7.1 Practitioner Rights
As a Practitioner, you have the following rights regarding your information:
- Right to Access: You may access and download your data at any time through your account settings
- Right to Correction: You may update or correct your account information at any time
- Right to Deletion: You may request deletion of your account, subject to legal retention requirements
- Right to Data Portability: You may export your data in standard formats (JSON, CSV, PDF)
- Right to Opt-Out: You may opt out of non-essential communications
- Right to Restrict Processing: You may request restrictions on certain processing activities
7.2 How to Exercise Your Rights
To exercise any of these rights, please contact us at:
- Email: compliance@mhscribeai.com
- We will respond to your request within thirty (30) days
- We may require identity verification for security purposes
8. Cookies and Tracking Technologies
8.1 Types of Cookies We Use
- Strictly Necessary Cookies: Required for the Service to function, including authentication, security, and session management
- Functionality Cookies: Remember your preferences and settings
- Analytics Cookies: Help us understand how the Service is used and identify areas for improvement
8.2 PHI and Cookies
We do not store PHI in cookies. Cookies are used only for authentication, session management, and anonymized analytics.
9. International Data Transfers
All data, including PHI, is stored and processed exclusively in the United States. We do not transfer PHI outside of the United States. If you access our Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States.
10. Children's Privacy
Our Service is not directed to individuals under the age of 18. We do not knowingly collect Personal Data from individuals under 18. If you are a parent or guardian and believe that your child has provided us with Personal Data, please contact us immediately at compliance@mhscribeai.com.
Note: PHI of minor patients may be processed through our Service by authorized Practitioners in accordance with applicable law and with appropriate parental or guardian consent.
11. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You have the right to request information about the categories and specific pieces of Personal Data we have collected about you
- Right to Delete: You have the right to request deletion of your Personal Data, subject to certain exceptions
- Right to Correct: You have the right to request correction of inaccurate Personal Data
- Right to Opt-Out of Sale/Sharing: We do not sell or share your Personal Data for cross-context behavioral advertising
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
- Right to Limit Use of Sensitive Personal Information: You may limit certain uses of sensitive Personal Data
Note: PHI that is subject to HIPAA is exempt from CCPA/CPRA requirements.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:
- We will update the "Last Updated" date at the top of this Privacy Policy
- For material changes, we will provide prominent notice via email to registered accounts and/or through in-app notifications
- Changes will become effective thirty (30) days after the updated Privacy Policy is posted, unless a longer notice period is required by law
- Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy
13. Breach Notification
In the event of a Breach of Unsecured PHI, we will comply with all applicable breach notification requirements under HIPAA and state law:
- Notification to Practitioners: We will notify affected Practitioners without unreasonable delay and in no case later than sixty (60) days following discovery of a breach
- Notification to Patients: Practitioners (as Covered Entities) are responsible for notifying affected patients; we will assist Practitioners as needed
- Notification to HHS: We will assist Practitioners in reporting breaches affecting 500 or more individuals to the Secretary of HHS
- Media Notification: For breaches affecting 500 or more residents of a state, we will assist Practitioners in providing required media notifications
14. Contact Information
Compliance Inquiries
For questions about privacy, HIPAA compliance, or to request a Business Associate Agreement:
Email: compliance@mhscribeai.com
Response Time: Within five (5) business days
Security Concerns
To report security vulnerabilities or concerns:
Email: security@mhscribeai.com
Available 24/7 for security emergencies
Mailing Address
AhlTrade LLC
Attn: Privacy Officer
[Address to be added]
15. Regulatory Oversight and Complaints
If you believe your privacy rights have been violated, you may file a complaint with:
U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll-free: 1-877-696-6775
Website: www.hhs.gov/ocr/privacy
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
Toll-free: 1-877-FTC-HELP (1-877-382-4357)
Website: www.ftc.gov
16. Business Associate Agreement
By using our Service to process PHI, Practitioners agree to enter into our Business Associate Agreement (BAA). The BAA establishes the permitted uses and disclosures of PHI, required safeguards, and our respective obligations under HIPAA.
To request a copy of our BAA or for questions about our BAA terms, please contact: compliance@mhscribeai.com
17. Consent and Acknowledgment
By accessing or using MH Scribe, you acknowledge and agree that:
- You have read, understood, and agree to this Privacy Policy
- You consent to the collection, use, and disclosure of your information as described in this Privacy Policy
- You understand your rights under HIPAA and applicable privacy laws
- If you are a Practitioner, you agree to our Business Associate Agreement and assume responsibility for obtaining any necessary patient consents
- If you do not agree with this Privacy Policy, you should not access or use our Service
Summary of Key Privacy Protections
- HIPAA: We operate as a Business Associate and comply with the HIPAA Privacy, Security, and Breach Notification Rules as they apply to Business Associates
- Encrypted: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- No Data Sales: We never sell, rent, or lease your information
- US-Based: All data stored exclusively in United States
- Your Rights: Access, correct, delete, and export your data
- Transparency: Clear policies on data collection, use, and sharing
- Security: Infrastructure with SOC 2 Type II attestation and 24/7 monitoring
- BAA Available: Business Associate Agreements for all Practitioners