HIPAA-aligned
Last updated: March 1, 2025
DoctorEscribe uses the standards of the United States Health Insurance Portability and Accountability Act (HIPAA), regarded as the global gold standard for protecting electronic protected health information (ePHI), as its reference. While HIPAA is a U.S. federal regulation, DoctorEscribe applies its security principles for the benefit of all our users in the Philippines, ensuring a level of protection that exceeds the minimum requirements of most regional digital health legislation.
Compliance with Philippine law: DoctorEscribe complies with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and the issuances of the National Privacy Commission (NPC) — including lawful, consent-based processing, data-subject rights, a designated Data Protection Officer, and personal-data-breach notification under NPC Circular 16-03. For telemedicine, the platform supports the standards of DOH–NPC Joint Memorandum Circular No. 2020-0001.
1. Commitment to Data Protection
At DoctorEscribe we understand that patients' medical information is among the most sensitive data that exists. A security incident in the clinical setting not only carries legal consequences, but can also affect patient trust, the doctor's reputation, and, in extreme cases, the patient's well-being. For this reason, we have designed our security architecture from the ground up with a "privacy by design" approach, integrating data protection into every layer of our platform.
Our commitment to security includes:
Periodic risk assessments: We conduct formal security risk analyses at least once a year, as well as after any significant change to our infrastructure or processes.
Documented policies: We maintain formal policies and procedures for information security, data access, incident response, and secure data destruction.
Ongoing training: All DoctorEscribe personnel with access to systems containing user data receive information security and HIPAA training upon onboarding, along with mandatory annual refreshers.
Partner agreements: All of our vendors and business partners that process data on behalf of DoctorEscribe sign Business Associate Agreements (BAAs) requiring them to comply with equivalent security standards.
2. Technical Safeguards
Technical safeguards are the technological controls we implement to protect electronic medical information. These include:
Encryption in Transit
All data traffic between the user's device and DoctorEscribe's servers is encrypted with TLS 1.3 (Transport Layer Security version 1.3), the current and most secure version of the protocol. TLS 1.3 offers significant improvements over earlier versions, including a faster handshake and the removal of obsolete cryptographic algorithms. We do not allow connections using earlier versions of TLS or any version of SSL.
Encryption at Rest
All data stored in our infrastructure—including clinical notes, transcriptions, patient information, and attachments—is encrypted using AES-256 (Advanced Encryption Standard with a 256-bit key), the symmetric encryption standard approved by the United States government for classified information. Encryption keys are managed through a key management service (KMS) with periodic automatic rotation.
Audit Trails
We maintain complete, immutable audit logs of all operations that access, create, modify, or delete sensitive data. These logs include: the identity of the user who performed the action, a timestamp with time zone, the type of operation performed, the device's IP address, and the specific resource that was accessed. Audit logs are retained for a minimum of 12 months and are protected against unauthorized modification.
Granular Access Control
We implement technical access controls that ensure each user can only view and modify the data they are explicitly authorized to access. Access to clinical data requires valid authentication in every session, and inactive sessions are automatically closed after a configurable period.
Secure Authentication
User passwords are stored using secure cryptographic hashing algorithms (bcrypt with a high cost factor), which ensures that even in the hypothetical event of a database breach, passwords cannot be recovered in plain text. In addition, we offer and recommend enabling two-factor authentication (2FA) for all accounts.
Audio Transmission Security
Audio recordings of consultations are transmitted in encrypted form in real time for processing. They are not stored on the user's device or on intermediate servers. Processing is performed in memory, and the audio is not persisted after the transcription is completed, unless the user explicitly enables audio archiving.
3. Administrative Safeguards
Administrative safeguards are the organizational policies, procedures, and processes that complement the technical security measures:
Role-Based Access Control (RBAC)
DoctorEscribe implements a role-based access control system for both platform users and the Company's internal personnel. Each role has a defined set of permissions assigned to it, and no user, internal or external, can access resources for which their role does not explicitly authorize them.
For DoctorEscribe's internal personnel, access to production systems containing user data is limited to a minimal number of employees with a legitimate and duly justified need. All internal access requires multi-factor authentication and is recorded in the audit logs.
Minimum Necessary Access Principle
We follow the "least privilege / minimum necessary access" principle, which states that each user, system, or process should have access only to the resources and data strictly necessary to perform its function. We apply this principle at every level: user access to patient data, employee access to internal systems, and the permissions of services and microservices toward one another.
Incident Management
We have documented procedures for managing security incidents, including identification, containment, eradication, recovery, and post-incident analysis. The security team is available to respond to critical incidents 24 hours a day.
Business Continuity
We maintain business continuity and disaster recovery plans that include encrypted, redundant backups, with periodic restoration testing to ensure data recoverability.
4. Data Storage and Processing
Cloud infrastructure: DoctorEscribe runs on cloud infrastructure with the industry's highest security certifications, including SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, and PCI DSS.
Server location: All DoctorEscribe data is stored and processed on servers located in the United States, in certified data centers. We do not transfer data to regions with less robust data protection legal frameworks.
Backups: Data is backed up automatically and continuously. Backups are encrypted to the same standards as production data and are stored in geographically distributed locations for disaster protection.
Data separation: Each user's and organization's data is logically separated from that of other users. There is no mechanism that would allow one user to access another user's data.
Secure deletion: When data is deleted (at the user's request or upon expiration of the retention period), a secure deletion is performed that ensures the data cannot be recovered, including the purging of all backups once the retention period has ended.
5. Patient Consent Responsibilities
DoctorEscribe operates under a shared responsibility model when it comes to patient consent. It is important that all of our users clearly understand the responsibilities of each party:
Healthcare professional's responsibility: The doctor or healthcare professional who uses DoctorEscribe is solely responsible for obtaining the patient's informed consent before recording the consultation or processing their medical information. This consent must be free, prior, informed, and specific, in accordance with the laws and regulations applicable in the country where the medical practice takes place.
Minimum consent content: We recommend that the informed consent include at least: a description of the use of AI tools for transcription and note generation, the specific data that will be processed, who has access to that data, how long it will be retained, and the patient's right to withdraw their consent. DoctorEscribe provides reference consent templates that can be adapted to the needs of each practice and jurisdiction.
DoctorEscribe's responsibility: Once the healthcare professional has obtained the patient's consent and has processed their data on the platform, DoctorEscribe assumes responsibility for protecting that data in accordance with the standards described in this document and in our Privacy Policy.
Minors: For underage patients, consent must be granted by the parent or legal guardian, in accordance with applicable local legislation. The healthcare professional is responsible for obtaining and documenting this parental consent.
6. Incident Response Procedures
Despite all our preventive measures, we recognize that no system is completely invulnerable. For this reason, we have robust procedures to respond to potential security incidents:
Detection and classification: We have automated anomaly detection systems and a security team that continuously monitors systems for signs of unauthorized access, unusual behavior, or security breaches. Incidents are classified by severity (critical, high, medium, low) to prioritize the response.
Immediate containment: When a security incident is detected, the first step is to contain the breach to limit potential damage. This may include locking compromised accounts, isolating affected systems, or revoking access credentials.
Investigation and eradication: Once the incident has been contained, we conduct a forensic investigation to determine the origin, scope, and impact of the incident, and we proceed to eliminate the root cause of the problem.
User notification: In the event of a security breach affecting user data, we will notify those affected within 72 hours of confirming the incident, as required by applicable regulations. The notification will include: the nature of the breach, the data potentially affected, the measures taken, and recommendations for affected users.
Reporting to authorities: We will notify the competent regulatory authorities within the time frames established by applicable legislation.
Post-incident analysis: After each incident, we conduct a detailed analysis to identify lessons learned and implement improvements that prevent similar incidents in the future.
7. Contact for Security Inquiries
If you have questions about our security practices and HIPAA alignment, if you would like to report a vulnerability or security concern, or if you need additional information to assess whether DoctorEscribe meets your organization's requirements, please contact us:
Security email: soporte@doctorescribe.com
Recommended subject line: "Security inquiry – [brief description]" or "Vulnerability report – [brief description]"
Response time: We respond to all security inquiries within 24 business hours. For critical vulnerability reports, we have an expedited response process.
Responsible disclosure: If you discover a security vulnerability in our platform, we ask that you report it to us responsibly through our security email before disclosing it publicly. We appreciate the collaboration of the security community and are committed to responding promptly and professionally to all good-faith reports.
For Business Associate Agreement (BAA) requests or corporate security assessments, contact us directly to coordinate the corresponding process.