HIPAA & Security
Contents
1. Our Commitment
ECNX Ambient is built for clinical environments where every conversation may contain Protected Health Information. Privacy and security are design constraints, not afterthoughts: we minimize what we collect, encrypt what we keep, restrict who can see it, and log every access.
2. Business Associate Agreements
ECNX signs Business Associate Agreements with Covered Entities and, where applicable, with upstream Business Associates. Our BAA covers permitted uses and disclosures of PHI, safeguards, subcontractor flow-down obligations, breach notification, and return or destruction of PHI at termination.
Subprocessors that touch PHI — including Microsoft Azure Speech Services and Azure OpenAI Service — operate under BAAs or equivalent contractual safeguards, and are configured so that your data is not used to train their models. The current subprocessor list is published in our Privacy Policy.
3. How PHI Flows Through the Service
- Capture: audio is captured only while a clinician has explicitly started a listening session; a visible waveform indicates recording is active.
- Transcription: audio streams to the configured speech-to-text engine (Azure Speech, locally hosted Whisper, or the browser's Web Speech API) and is converted to text with speaker labels.
- Generation: transcripts are processed by clinical language models to draft SOAP notes, form entries, and coding suggestions.
- Review: a clinician reviews, edits, and approves all output before it is finalized or exported to an EHR.
- Retention or deletion: raw audio is deleted after processing unless your organization configures otherwise; documentation is retained per your organization's policy.
4. Technical Safeguards
- Encryption in transit: all traffic between your browser, our servers, and our subprocessors uses TLS 1.2 or higher.
- Encryption at rest: databases, file storage, and backups are encrypted at rest.
- Data minimization: encounter audio is ephemeral by default; only the documentation your organization needs is retained.
- Environment isolation: production PHI is segregated from development and test environments.
- Secure development: code review, dependency scanning, and security testing are part of our release process.
5. Access Controls & Audit Logging
- Role-based access: access to encounters and administration functions is restricted by role (clinician, administrator), enforced on every route and API endpoint.
- Authentication: accounts are individually credentialed; sessions expire after inactivity.
- Audit trails: access to PHI and administrative actions are logged with user, timestamp, and action, supporting HIPAA audit requirements.
- Least privilege: ECNX personnel access to production PHI is restricted to what is necessary for support and operations, and is logged.
6. Patient Consent Guidance
Recording-consent requirements vary by jurisdiction. Providers using ECNX Ambient should:
- Tell the patient, at the start of the visit, that an ambient documentation tool will listen and draft the note;
- Obtain and document consent as required by state or national law and organizational policy (all-party-consent jurisdictions require the patient's agreement);
- Stop the session immediately if the patient declines or withdraws consent — the visit can be documented manually; and
- Consider posting notice in intake paperwork or signage where visits are routinely documented ambiently.
This is general guidance, not legal advice. Consult your compliance or legal team for the rules that apply to your practice.
7. Incident Response & Breach Notification
We maintain an incident-response process covering detection, containment, investigation, and remediation. If a security incident results in a breach of unsecured PHI, we will notify affected Covered Entities without unreasonable delay and within the timeframes required by the HIPAA Breach Notification Rule and our BAAs, and will cooperate with the Covered Entity's own notification obligations.
8. Reporting a Vulnerability
If you believe you have found a security vulnerability in ECNX Ambient, please report it to security@ecnx.health. We appreciate responsible disclosure and will acknowledge reports promptly.