HIPAA
HIPAA compliance overview
AI MedPad is positioned for clinical documentation workflows that may include protected health information. Covered entities should complete their own vendor review before production use.
PHI-aware workflows
AI MedPad should be configured so protected health information is handled only by authorized users, approved workspaces, and customer-approved systems. Clinics should define who can record visits, review drafts, export documents, and manage administrative settings.
- Restrict workspace access to authorized clinical and administrative users.
- Review generated notes before they become part of the medical record.
- Avoid entering PHI into unsupported channels outside approved workflows.
Business associate review
Covered entities should request the current business associate agreement and security documentation before production use. The review should confirm permitted uses of PHI, safeguards, breach notification obligations, subcontractor handling, and termination/deletion procedures.
Clinician review
Generated documentation should remain reviewable and editable before it becomes part of the medical record. AI MedPad does not replace clinical judgment, diagnosis, treatment decisions, or prescription responsibility.
Customer responsibilities
Each clinic remains responsible for HIPAA policies, workforce training, minimum necessary access, EHR configuration, patient consent workflows where applicable, and final approval of clinical documentation.