HIPAA & Compliance

HIPAA, security, and how we handle PHI

Working with an offshore documentation partner is a compliance decision before it is a convenience decision. This page sets out exactly how we operate, so your counsel can evaluate us before your first encounter is shared.

Our commitments

  • BAA before PHI. We execute a Business Associate Agreement with every client before any protected health information moves. No pilot, sample, or trial begins without it.
  • Offshore-specific provisions. Our BAA includes security provisions addressing offshore risk directly, as HHS guidance expects covered entities to consider.
  • No AI training on your data. Ever. Your PHI is used to produce your documentation and for nothing else. This is stated explicitly in our agreement.
  • Named access only. A defined list of credentialed physicians works on your account. Each has signed an individual confidentiality and PHI-handling agreement. You may request the list at any time.
  • Your systems first. Wherever possible we work inside your EHR under audited accounts you control. Otherwise, only client-approved encrypted channels are used. No PHI on personal devices; no local downloads where avoidable.
  • Same-day revocation. When a physician leaves an account, access is revoked the same day, and we confirm it to you in writing.
  • Breach notification. Contractual notification duties with defined timelines are part of our standard BAA.
  • Draft status of all notes. Every note is a draft for the treating provider’s review and signature. The provider retains final authority over the medical record.

Questions your compliance officer will ask

Where is the work performed?

By licensed physicians working from secured setups in Pakistan, under individual agreements, named-access control, and the safeguards above. We are transparent about this from the first conversation — it is also why our pricing is what it is.

Can we see the BAA first?

Yes. We send our BAA template for your counsel’s review before any commitment, and we will work from your standard BAA instead if you prefer.

What about subcontracting?

We do not subcontract. The physician assigned to your account is the person doing the work — that is the entire premise of the service.
