Health Data Privacy Policy
Whadata Health Data Privacy Policy
Date of Policy: July 17, 2026
Download PDFWhadata AI, Inc. ("Whadata," "we," "us," or "our") recognizes the sensitive and confidential nature of Protected Health Information ("PHI") and is committed to safeguarding it in accordance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and all applicable privacy and security regulations (collectively, the "HIPAA Rules"). This Health Data Privacy Policy ("Policy") explains how we handle PHI when we provide our ambulatory healthcare technology platform and its modules (Scribe, Insights, E-Prescriptions, Patients, Communications, Telehealth, Claims, Billing, and Practice Settings & Administration) on your behalf.
This Policy applies solely to PHI that Whadata receives, maintains, or transmits on your behalf in connection with the Services. For information on how we handle non-PHI personal information, please refer to our Customer Data Privacy Policy. For patient-facing information, see the Patient Privacy Notice.
1. Purpose and Scope
This Policy describes how Whadata protects and uses PHI in compliance with the HIPAA Rules. When we act as a Business Associate to a Covered Entity, we agree to comply with the terms of the Business Associate Agreement ("BAA") executed with that Covered Entity. The BAA, together with this Policy, governs our privacy and security obligations regarding PHI.
2. Definitions
- Protected Health Information (PHI): PHI includes any individually identifiable health information relating to an individual's health condition, provision of healthcare, or payment for healthcare that Whadata creates, receives, maintains, or transmits on behalf of a Covered Entity.
- Covered Entity: A healthcare provider, health plan, or healthcare clearinghouse subject to HIPAA.
- Business Associate: A person or organization, other than a workforce member of a Covered Entity, that performs activities or services involving the use or disclosure of PHI on behalf of a Covered Entity.
3. Our Role Under HIPAA
Whadata typically serves as a Business Associate to Covered Entities using our Services. As such, we may create, receive, maintain, or transmit PHI on behalf of Covered Entities as permitted by the HIPAA Rules and the BAA. We will not use or disclose PHI except as allowed under the BAA, this Policy, the HIPAA Rules, or as required by law.
3.1 Enterprise Clients and Role of Covered Entity
Where the Services are used by an enterprise client (e.g., healthcare group, clinic, or provider network), the Covered Entity is solely responsible for:
- Designating authorized users and managing user permissions;
- Responding to access, amendment, or disclosure log requests from individuals;
- Ensuring compliance with internal privacy and security policies.
Whadata, acting as Business Associate, supports enterprise clients by providing administrative controls, audit logs, and user activity tracking features, but does not assume responsibility for how PHI is accessed or used internally by the Covered Entity's personnel.
4. How the Modules Process PHI
The categories of PHI we process and the way we process it depend on which modules the Covered Entity uses. All processing is for the purpose of providing the Services to the Covered Entity. All PHI is processed and stored within the United States.
| Module | PHI Processed | How It Is Used |
|---|---|---|
| Scribe | Encounter audio, transcripts, clinical summaries | Transcribe encounters and generate draft documentation for provider review |
| Insights | Vitals, labs, conditions, medications, immunizations | Surface analytics, trends, and potential care gaps for clinician review |
| E-Prescriptions | Prescriptions, medication and patient identifiers, allergies | Transmit non-controlled prescriptions and provide drug-interaction, allergy, and dosing decision support |
| Patients | Demographics, contacts, insurance cards, intake forms | Maintain patient records, intake, and portal; extract insurance information |
| Communications | Faxed documents and recipient details | Send and receive secure fax associated with patient records |
| Telehealth | Video, audio, transcripts, and patient location at visit start | Conduct video visits, confirm location for licensure, and generate draft documentation |
| Claims | Diagnosis and procedure codes, claim detail | Assist with medical coding and claim preparation |
| Billing | Eligibility, claims, copay and payment amounts | Assist with eligibility, claim submission, and patient payment processing |
| Practice Settings & Administration | Administrative metadata, audit logs, EHR-migration data, support/bug-report data | Manage users, enterprises, analytics, EHR data migration, and support |
5. How We Use and Disclose PHI
- Permitted Uses and Disclosures: We may use or disclose PHI as necessary to provide the Services, for example to process patient data, facilitate treatment-related communications among authorized healthcare professionals, support payment activities, conduct telehealth visits, transmit prescriptions, or assist in healthcare operations as defined by HIPAA, such as quality improvement or analytics.
- Minimum Necessary: We will make reasonable efforts to ensure that access to and disclosure of PHI is limited to the minimum amount necessary to accomplish the intended purpose, in accordance with HIPAA's "minimum necessary" standard.
- Authorizations: We will not use or disclose PHI for purposes outside the scope of treatment, payment, or healthcare operations without a valid, written patient authorization or as otherwise permitted or required by the HIPAA Rules.
- Support and Troubleshooting: Where a Covered Entity submits a support request or in-app bug report that includes PHI, authorized Whadata personnel may access that information solely to diagnose and resolve the issue, under access controls and audit logging. Covered Entities are responsible for limiting PHI included in such reports to the minimum necessary.
6. Artificial Intelligence and Automated Processing
Several modules use artificial intelligence to assist Covered Entities. We apply the following commitments to all AI processing of PHI:
- No training on identifiable PHI: We do not use Protected Health Information in identifiable form to train, develop, or improve any machine-learning or AI model, whether our own or a third party's.
- De-identified data: We may de-identify PHI in accordance with HIPAA (45 CFR §164.514). De-identified data is no longer PHI, and we may use it for purposes including training and improving our AI/ML models, analytics, and research and medical studies. We do not attempt to re-identify such data except as permitted by law.
- Human oversight: AI outputs (such as draft summaries, suggested codes, or extracted data) are informational drafts that require review and approval by qualified personnel of the Covered Entity. AI is not used to make automated decisions about individuals.
- Attestation: AI-generated clinical and coding outputs are recorded in a tamper-evident attestation ledger that captures provider review and sign-off, supporting auditability and integrity.
- Transparency: Upon reasonable request, we will provide a Covered Entity with documentation describing the AI systems used in processing its PHI, their intended purpose, and known limitations.
- Clinical decision support: Clinical decision support (such as drug-interaction, drug-allergy, and dosing alerts in E-Prescriptions) relies on patient and medication data the Covered Entity supplies. These alerts are decision-support tools that require the prescriber's review, may not identify every issue, and are not a substitute for professional judgment.
7. Individual Rights
While Covered Entities are responsible for managing patient requests related to PHI, our Services are designed to support compliance with individual rights under HIPAA, including:
- Right of Access: Covered Entities may use our Services to retrieve and provide patients with their PHI.
- Right to Amend: We can support Covered Entities in amending PHI within our system as directed, maintaining audit trails of changes.
- Right to Accounting of Disclosures: Our Services maintain logs of certain disclosures to help Covered Entities comply with accounting requirements.
Covered Entities remain responsible for managing and responding to such requests. Upon request, Whadata will assist in providing the necessary data, logs, or audit records in a timely manner.
8. Administrative, Physical, and Technical Safeguards
We implement appropriate administrative, physical, and technical safeguards to protect PHI:
- Administrative Safeguards: We conduct regular risk analyses, implement policies and procedures for workforce training and sanctions, and maintain contingency plans for emergencies.
- Physical Safeguards: Our infrastructure is hosted in SOC 2-certified cloud data centers with controlled access; we maintain device and media disposal protocols.
- Technical Safeguards: We use access controls, encryption in transit (TLS 1.2+) and at rest (AES-256), unique user identification, audit logs, and integrity checks to protect PHI from unauthorized access, alteration, or disclosure.
8.1 Subprocessors
Whadata engages trusted third-party service providers (e.g., cloud hosting and compute, AI processing, transcription, telehealth video, email, fax, e-prescribing, claims clearinghouse, and payment processing) to deliver the Services. Each Subprocessor that handles PHI is contractually bound by a Business Associate Agreement to safeguard PHI and comply with HIPAA, and is vetted for technical and organizational security measures. A current, named list of our Subprocessors, including the function each performs and the data category it handles, is maintained in the Whadata Subprocessor List and provided to Covered Entities upon request. Whadata may update its Subprocessors from time to time and ensures that each new Subprocessor handling PHI is bound by a Business Associate Agreement before it processes PHI.
9. Business Associate Agreements (BAAs)
We enter into BAAs with all Covered Entities or upstream Business Associates. Each BAA outlines the permitted uses and disclosures of PHI, our obligations regarding security and breach notification, and our commitment to comply with the HIPAA Rules. In the event of any conflict between this Policy and the BAA, the BAA will govern with respect to PHI.
10. Breach Notification
In the event of a breach of unsecured PHI, we will provide the required notifications to the Covered Entity in accordance with HIPAA's Breach Notification Rule and our BAA. We will cooperate with the Covered Entity in investigating and mitigating the breach and, if requested, assist in providing the required notifications to affected individuals and regulators.
11. Data Retention and Destruction
We retain PHI in accordance with our agreement with the Covered Entity, the Covered Entity's instructions, and applicable law. The Covered Entity is responsible for determining the record-retention period applicable to its PHI under state and other applicable law. When PHI is no longer needed, or upon termination, we will return or securely destroy it as directed by the Covered Entity and in accordance with the BAA and HIPAA standards, using methods that render the PHI unusable, unreadable, or indecipherable.
Separately, we retain our own HIPAA compliance documentation (such as policies, procedures, Business Associate Agreements, and access and audit logs) for at least six (6) years in accordance with 45 CFR §164.316(b)(2); this is separate from, and does not require, the retention of PHI. Certain communication records, such as faxes sent or received through the Communications module, may be retained for up to seven (7) years to meet recordkeeping and regulatory requirements.
Data that has been de-identified in accordance with HIPAA is no longer PHI; our right to retain and use it (as described in Section 6) survives termination.
12. International Transfers and Localization
Whadata processes PHI within the United States. If required by law or requested in writing by a Covered Entity, Whadata will:
- Evaluate the feasibility of regional or in-country hosting options;
- Implement appropriate safeguards, such as Business Associate Agreements, access restrictions, encryption, and contractual commitments to meet data residency or localization obligations;
- Avoid transferring PHI across borders unless required by the Services and permitted by applicable HIPAA Rules and other laws.
By using the Services, Covered Entities acknowledge and agree to these data transfer mechanisms unless otherwise negotiated.
13. Complaints and Concerns
If you have concerns about our handling of PHI, please contact us at . Patients may direct any requests or complaints to their Covered Entity. We will promptly assist the Covered Entity, as appropriate, in addressing such concerns.
14. Changes to This Policy
We may update this Policy as necessary to ensure continued compliance with HIPAA or to reflect changes in our Services. We will notify Covered Entities of significant updates. The latest version of this Policy will be made available to Covered Entities.
15. Governing Law
This Policy is governed by and shall be interpreted in accordance with applicable federal and state laws, including HIPAA and its implementing regulations.