Privacy Policy
Contents
- Who We Are
- Our Role Under HIPAA
- Information We Collect
- How We Use Information
- AI Processing & Model Training
- How We Share Information
- Service Providers & Subprocessors
- Data Retention
- Security
- Your Rights & Choices
- Information for Patients
- Cookies & Similar Technologies
- Children's Privacy
- Changes to This Policy
- Contact Us
1. Who We Are
ECNX ("ECNX," "we," "us," or "our") provides ECNX Ambient, an ambient clinical documentation platform that listens to clinician–patient conversations and turns them into structured clinical notes, transcripts, medical forms, and coding suggestions (the "Service").
This Privacy Policy explains how we collect, use, disclose, and protect information when you use the Service. It applies to clinicians and healthcare-organization staff who hold accounts ("Users") and describes how we handle information about patients whose encounters are documented through the Service.
2. Our Role Under HIPAA
When the Service is used by a healthcare provider or organization that is a "Covered Entity" under the Health Insurance Portability and Accountability Act ("HIPAA"), ECNX acts as a Business Associate. In that capacity we process Protected Health Information ("PHI") only as permitted by our Business Associate Agreement ("BAA") with the Covered Entity and applicable law.
For information that is not PHI — such as your account details, billing information, and product usage data — ECNX acts as the data controller and this Privacy Policy applies directly.
3. Information We Collect
Information you provide
- Account information: name, email address, professional role, credentials, organization, and password.
- Voice profile data: if you enroll a voice profile for speaker identification, we collect short voice samples and derived voiceprints.
- Templates and settings: note templates, form configurations, microphone and verbosity preferences.
- Support communications: messages you send when contacting us.
Encounter data (may contain PHI)
- Audio: ambient audio captured during a clinical encounter while a recording session is active.
- Transcripts: real-time speech-to-text transcripts with speaker labels.
- Generated documentation: SOAP notes, populated medical forms, summaries, and coding suggestions derived from the encounter.
Information collected automatically
- Usage data: pages visited, features used, session duration, and interaction events.
- Device and log data: IP address, browser type, operating system, timestamps, and error logs.
4. How We Use Information
- To provide the Service: transcribing encounters, identifying speakers, generating clinical notes, populating forms, and suggesting billing codes.
- To maintain and improve the reliability, safety, and quality of the Service.
- To authenticate Users, manage accounts, and enforce role-based access.
- To provide customer support and respond to requests.
- To monitor for, prevent, and investigate security incidents, fraud, and abuse.
- To comply with legal obligations, including HIPAA and our BAAs.
- To communicate with Users about the Service, including security and feature updates.
5. AI Processing & Model Training
The Service uses artificial-intelligence models to convert speech to text, distinguish speakers, and generate clinical documentation. AI-generated output is a draft that must be reviewed, corrected, and approved by a qualified clinician before it becomes part of the medical record.
We may use de-identified data — data stripped of identifiers in accordance with the HIPAA de-identification standard — to improve transcription accuracy, note quality, and product performance.
7. Service Providers & Subprocessors
We use a small number of vetted subprocessors to deliver the Service. Subprocessors that handle PHI are bound by Business Associate Agreements or equivalent contractual safeguards.
| Subprocessor | Purpose | Data Processed |
|---|---|---|
| Microsoft Azure Speech Services | Cloud speech-to-text transcription and speaker diarization | Encounter audio, transcripts |
| Microsoft Azure OpenAI Service | Clinical note generation, summarization, and coding suggestions | Transcripts, generated documentation |
| Microsoft Azure (hosting) | Application hosting, storage, and networking | All Service data |
Depending on your configuration, transcription may instead run locally in your browser (Web Speech API) or on locally hosted Whisper models, in which case audio for that engine is processed on your device or within your organization's environment.
8. Data Retention
- Encounter audio is retained only as long as needed to produce the transcript and documentation, and is deleted after processing unless your organization configures retention for quality-assurance purposes.
- Transcripts and generated documentation are retained according to your organization's configuration and applicable medical-records retention laws.
- Account information is retained while your account is active and for a reasonable period afterward as required for legal, audit, and security purposes.
- Voice profiles are retained until you or your administrator delete them.
When a BAA terminates, we return or destroy PHI as the BAA requires, unless retention is mandated by law.
9. Security
We maintain administrative, technical, and physical safeguards designed to protect the information we process, including encryption in transit and at rest, role-based access controls, audit logging, and secure development practices. No system is perfectly secure; we describe our program in more detail on the HIPAA & Security page.
10. Your Rights & Choices
Depending on where you live, you may have rights to:
- Access, correct, or delete personal information we hold about you.
- Object to or restrict certain processing.
- Receive a portable copy of your personal information.
- Withdraw consent where processing is based on consent.
Users can review and update account information on the My Profile page or by contacting us at privacy@ecnx.health. If you are in the European Economic Area, the UK, or a U.S. state with a comprehensive privacy law (such as the California Consumer Privacy Act), you may also have the right to lodge a complaint with your supervisory authority or attorney general.
11. Information for Patients
If you are a patient whose visit was documented using ECNX Ambient, your healthcare provider — not ECNX — decides how the Service is used and controls your records. Requests to access, amend, or delete your health information should be directed to your provider, who can act on them under HIPAA and applicable law. Your provider is responsible for obtaining any consent required for recording your visit; you may decline ambient documentation at any time by telling your provider.
13. Children's Privacy
The Service is intended for use by healthcare professionals and is not directed to children. We do not knowingly collect personal information directly from children under 13. Encounter documentation may relate to pediatric patients when a clinician treats them; that information is handled as PHI under the treating organization's direction and our BAA.
14. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify Users through the Service or by email before the changes take effect, and we will update the "Last updated" date above.
15. Contact Us
Questions about this Privacy Policy or our data practices? Contact our privacy team at privacy@ecnx.health.