HIPAA Compliance
At OrthoScribe, protecting patient privacy and safeguarding Protected Health Information (PHI) is a core responsibility. Our platform is designed to support healthcare organizations in meeting their obligations under the Health Insurance Portability and Accountability Act (HIPAA).
Our Role Under HIPAA
OrthoScribe operates as a Business Associate to HIPAA covered entities (healthcare providers, health plans, and clearinghouses). PHI is processed solely to provide OrthoScribe services and only as permitted under a Business Associate Agreement (BAA).
Lotus Scientific is the legal entity that contracts with customers and executes BAAs.
Business Associate Agreements (BAA)
We provide a standard HIPAA-compliant Business Associate Agreement available upon request. The BAA governs:
- Permitted uses and disclosures of PHI
- Required administrative, technical, and physical safeguards
- Breach notification obligations
- Data return or destruction upon termination
Data Privacy & Ownership
- Customers retain full ownership and control of their data
- PHI is never sold or used for advertising
- Data is used only to deliver OrthoScribe services
OrthoScribe applies HIPAA's minimum necessary standard (45 CFR § 164.502(b)), limiting access to PHI to the workforce members and systems that need it to deliver the service.
Data Retention & Deletion
- PHI is retained for 14 days by default
- Data is retained only as long as necessary to provide the service
- Customers may request data deletion at any time
- Secure deletion processes are available upon account termination
U.S.-Only Data Residency
All customer data is processed and stored exclusively within the United States. OrthoScribe does not transfer PHI outside the U.S.
Technical Safeguards
OrthoScribe implements industry-standard technical controls, including:
- Encryption of data in transit and at rest
- Role-based access controls (RBAC)
- Strong authentication mechanisms
- Audit logging of system access and activity
- Segregation of customer environments
Our infrastructure is hosted on secure cloud platforms designed for healthcare workloads.
Administrative Safeguards
We maintain documented HIPAA-aligned policies and procedures, including:
- Workforce access management
- Security and HIPAA training for employees
- Incident response and breach notification processes
- Vendor and sub-processor risk management
Sub-Processors & AI Providers
OrthoScribe works with carefully selected third-party service providers to support platform functionality, including speech-to-text and AI processing. Business Associate Agreements are in place with sub-processors that handle PHI, as HIPAA requires for subcontractors of a business associate.
Customer PHI is not used to train public or consumer AI models.
Incident Response & Breach Notification
OrthoScribe maintains a formal incident response program. Following discovery of a breach of unsecured PHI, affected customers are notified without unreasonable delay and within the timeframe required by the HIPAA Breach Notification Rule (45 CFR § 164.410).
Ongoing Compliance
HIPAA compliance is an ongoing process. OrthoScribe continuously reviews and improves its security controls, policies, and procedures to align with evolving regulations and industry best practices.
Contact
For questions about HIPAA compliance or to request a Business Associate Agreement:
Email: support@lotusscientific.com
Subject: HIPAA / Compliance Inquiry