Privacy & Security

HIPAA, Privacy, and Security at Around Notes

Around Notes is built by and for inpatient clinicians. We know that if you can’t trust us with patient data, nothing else matters. This page explains, in plain language, how we handle HIPAA, privacy, and security so you can decide whether Around Notes fits your organization’s standards.

For certifications, BAAs, or deeper due diligence, email support@aroundnotes.ai.

Executive Summary

Around Notes is a HIPAA-aligned, text-based documentation workspace built by inpatient clinicians for inpatient clinicians. Unlike “ambient scribe” tools that record entire patient encounters, Around Notes never listens to or records audio. You decide exactly what information is entered, which structurally limits risk from wiretapping laws, “bycatch” of non-consenting voices, and large, sensitive audio files. The system is designed around data minimization and “human in the loop” input: you synthesize the encounter, we help you turn that into a clear, complete note.

We operate as your Business Associate under HIPAA and maintain BAAs with our core infrastructure and AI providers (AWS, Google Cloud / Gemini, and OpenAI), all in HIPAA-eligible, US-based environments. Data is encrypted in transit and at rest, and you control how long notes are retained (7, 30, or 180 days), with backups limited to 7 days. You can also choose a fully de-identified workflow where PHI never touches our servers, or a secure PHI workflow backed by encryption, access controls, and incident response processes.

Our business model is simple: we charge subscription fees for the software. We do not sell, rent, or trade user or patient data, and PHI is not used to train public models. Earning and keeping your trust is our only viable path to growth. To support that, we use continuous monitoring (via Vanta), independent penetration testing, least-privilege access controls, and are actively working toward SOC 2 Type II certification.

Trusted infrastructure & AI partners

We work exclusively with vendors that sign BAAs, undergo ongoing reviews, and align with HIPAA-eligible deployments.

1. Our Role Under HIPAA & Business Associate Agreements (BAAs)

Around Notes as a Business Associate

Around Notes acts as a Business Associate for Covered Entities and Business Associates under HIPAA. When you sign up as a licensed medical provider or organization, we establish a Business Associate Agreement (BAA) so that you can lawfully use Protected Health Information (PHI) within the app.

  • Each user that qualifies as a “Covered Entity” or “Business Associate” under HIPAA must execute a BAA with us.
  • Our current BAA is available at https://aroundnotes.ai/docs/around-notes-baa.pdf.
  • If you do not sign a BAA, you must not upload PHI into Around Notes.

BAAs with Our Infrastructure and AI Vendors

We only send PHI to vendors who have executed BAAs with us and are used in HIPAA-eligible configurations:

  • Infrastructure & databases: Amazon Web Services (AWS)
  • AI / model providers: Google Cloud Services (GCS) and OpenAI

These vendors act as our sub-processors under your BAA with us.

Shared Responsibility Model

We take primary responsibility for:

  • Application security and architecture
  • Cloud security configuration and monitoring
  • Encryption, auditing, and incident response

You, as the customer, remain responsible for:

  • Managing who in your organization has access to Around Notes
  • Using PHI only in appropriate contexts
  • Respecting the “no PHI without a BAA” rule
  • Choosing whether to use PHI mode vs. de-identified / minimal-data mode

Enterprise customer? We’re happy to review this model with your compliance or security team. Contact: support@aroundnotes.ai.

2. Data Use, Ownership, and “No Sale” Guarantees

Who Owns the Data?

You (or your organization) own your clinical content: notes, uploads, and related data you provide to Around Notes. Around Notes acts as a custodian and processor of that data to deliver the service.

No Sale or Rental of Data

Our End User License Agreement (EULA) states:

“No Sale of Personal or Patient Data. Company does not sell or rent User or Patient Data to any third party. In the event of a merger, acquisition, or asset sale, data may transfer to the successor subject to this Agreement and any applicable Business Associate Agreement (BAA).”

This is core to our business model. We make money from subscriptions, not from selling data.

No Training on Your PHI

  • We do not use PHI to train public or shared models.
  • Our AI sub-processors, when used under BAA in HIPAA-eligible configurations, do not use your PHI to train their models.
  • Any internal analytics or product improvements use de-identified and aggregated data only.

3. PHI vs. De-Identified / Minimal-Data Usage

Around Notes can be used in two broad modes:

1. Full HIPAA Mode (with BAA)

You may paste or upload PHI into Around Notes (H&Ps, progress notes, discharges, etc.). This mode is covered by:

  • Your BAA with Around Notes
  • Our BAAs with AWS, OpenAI, and Google Cloud
  • All technical and administrative safeguards described on this page

2. De-Identified / Minimal-Data Mode

You can choose never to send PHI and instead use:

  • Objective data such as labs, vitals, and imaging findings
  • De-identified text (no identifiers)

This is useful for testing, education, or organizations with strict PHI policies.

Minimum Necessary

Around Notes is designed to support the HIPAA “minimum necessary” principle. Even in full HIPAA mode, we encourage sending only the information needed to generate a safe and accurate note.

4. Where Data Lives & How It’s Encrypted

US-Based Data Storage and Processing

  • We use Amazon Web Services (AWS) for database hosting.
  • All patient data is stored and processed in US-based HIPAA-eligible data centers.
  • We do not knowingly route PHI to non-US regions.

Encryption in Transit and at Rest

  • All data in transit uses HTTPS/TLS.
  • Data at rest is encrypted using strong encryption managed by AWS.
  • Encryption keys are stored and managed via cloud-native KMS with restricted access.

5. Access Control, Authentication, and Auditing

Account Security

  • Each user has a unique login.
  • We enforce secure password policies and modern authentication.
  • Support for GoogleAuth is live, and MFA is planned.

Internal Employee Access

We apply a strict “least privilege” policy:

  • Only authorized employees can access production systems.
  • Access is role-based and reviewed regularly.
  • Patient data accessed for review is de-identified whenever feasible.

All employees have background checks and receive HIPAA/security training.

Audit Logging

  • Production access and key actions are logged.
  • Logs are retained per compliance needs.
  • Audit records support security reviews and regulatory inquiries.

6. Data Retention, Backups, and Deletion

User-Selectable Retention

Choose a retention option (7, 30, or 180 days) for notes and content. After that window, note content is permanently deleted from primary systems.

Backups

  • Database backups are kept for 7 days.
  • Backup data is encrypted and stored in HIPAA-eligible cloud storage.
  • Deleted primary data ages out of backups within the normal 7-day backup cycle.

Images

  • We do not store images once processed.
  • Images are only held as long as needed to complete the AI task.

Deletion on Request

Request deletion outside your retention window by emailing support@aroundnotes.ai. We process requests within 7 business days when feasible.

Data Export

Need an export? Contact support@aroundnotes.ai and we will coordinate delivery (typically within 14 business days).

7. Security Operations, Monitoring, and Testing

Continuous Monitoring with Vanta

Around Notes uses Vanta for continuous security and compliance monitoring:

  • Key systems are monitored hourly for drift, vulnerabilities, and policy violations.
  • Alerts are reviewed and remediated to maintain HIPAA-aligned security.

Penetration Testing & Vulnerability Management

  • Independent third-party penetration testing is conducted regularly.
  • Testing addresses OWASP Top 10 and cloud misconfigurations.
  • High/medium findings are prioritized for remediation and re-testing.

We also patch dependencies, use vulnerability scanning tools, and review our architecture as the product evolves.

Incident Response

  • We maintain a written incident response plan.
  • If we become aware of an incident, we investigate promptly and notify affected customers per HIPAA Breach Notification requirements.

8. AI Model Governance & “Which AI Are You Using?”

HIPAA-Eligible AI Stack

Around Notes uses a multi-step AI stack to generate and refine clinical notes, including:

  • OpenAI (HIPAA-eligible configurations under BAA)
  • Google Cloud Services (GCS) for AI/ML (HIPAA-eligible configurations)

We configure these AI processors so that they do not use PHI to train their models and operate within our HIPAA framework.

Model Oversight and Clinical Use

  • Multiple AI steps minimize hallucinations and promote data fidelity.
  • Outputs are reviewed and edited by a human clinician before entering the medical record.
  • Thousands of notes in real clinical practice inform our safety posture.

No AI (or human) is perfect. We emphasize clinician-in-the-loop review, clinical judgment, and institution-specific policies.

9. Governance, Risk Management, and Compliance Roadmap

Who Is Building Around Notes?

Around Notes is founded and led by a licensed US medical doctor whose day-to-day inpatient experience informs our safety and privacy posture.

Policies and Training

  • Written information security and privacy policies
  • HIPAA-aligned administrative, physical, and technical safeguards
  • Employee training on security, privacy, and incident reporting

Risk Analysis and Reviews

We conduct periodic risk assessments and policy reviews to:

  • Align with evolving regulatory expectations
  • Reflect product, infrastructure, and vendor changes
  • Incorporate feedback from customers and security experts

SOC 2 Type II

We are actively working toward SOC 2 Type II certification and expect to achieve it by end of Q1 2026. This page updates as new attestations are obtained.

10. Frequently Asked Questions

Everything compliance teams need to know about HIPAA, security, and privacy in Around Notes. Additional questions? Write to us at support@aroundnotes.ai.

Is Around Notes HIPAA-Compliant?

Around Notes is designed to support HIPAA compliance through signed BAAs, technical safeguards (encryption, logging, access control), administrative safeguards (policies, training), and HIPAA-eligible infrastructure. Your organization’s configuration and workflows also play a role.

Do you sign a BAA with my practice or hospital?

Yes. Covered Entities and Business Associates must execute a BAA with us before storing or transmitting PHI. Download the latest version at aroundnotes.ai/docs/around-notes-baa.pdf.

Which vendors do you use, and are they under BAAs?

We rely on Amazon Web Services for infrastructure and databases, plus OpenAI and Google Cloud Services for AI processing. Each vendor runs in HIPAA-eligible configurations under a BAA.

Do you sell or rent my data?

No. We never sell or rent user or patient data. Our business model is subscription-based, and any corporate transaction would still keep data protected under the BAA and EULA terms.

Do you train models on my PHI?

No. PHI processed through our HIPAA/BAA configurations is not used to train public or shared models. Our sub-processors honor the same restriction.

Where is data stored?

All data is stored and processed on AWS in US-based HIPAA-eligible regions. Backups are retained for seven days and are subject to the same controls.

Can I use Around Notes without sending PHI?

Yes. You can work in de-identified or minimal-data mode by sharing objective data (labs, vitals, imaging) or anonymized text without identifiers.

How long do you keep my data, and how can I delete it?

You control retention (7, 30, or 180 days). Backups age out after seven days. Request additional deletion at support@aroundnotes.ai and we will process it promptly.

How often do you test your security?

We combine continuous monitoring via Vanta with regular third-party penetration tests focused on HIPAA-aligned risks (OWASP Top 10, cloud misconfigurations, etc.).

Who do I contact with security or privacy questions?

Email support@aroundnotes.ai for security reviews, BAAs, or incident questions. Enterprise customers can also schedule compliance briefings.