Menu
Get Started Free

Privacy Policy

Effective Date: February 17, 2026
Last Updated: February 17, 2026

1. Introduction

AfiaSync LLC ("Company," "we," "us," or "our") is committed to protecting the privacy and security of personal information, including Protected Health Information (PHI), processed through our clinical documentation platform. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use AfiaSync.

This policy applies to all users of the AfiaSync platform, including healthcare providers, administrators, and authorized personnel ("you" or "User").

2. Information We Collect

2.1 Patient Health Information

As a clinical documentation platform, AfiaSync processes various types of patient health information on your behalf, including:

  • Demographic Information: Names, dates of birth, addresses, contact information, identification numbers
  • Medical Records: Diagnoses, treatment plans, medications, allergies, medical history
  • Clinical Data: Vital signs, lab results, progress notes, SOAP notes
  • Encounter Data: Audio recordings of clinical encounters, AI-generated transcriptions, session notes
  • Billing Information: Insurance details, payment records, claims data

2.2 User Account Information

We collect information necessary to provide our services, including:

  • Registration Data: Name, email address, phone number, professional credentials
  • Authentication Data: Microsoft Entra ID tokens, session information
  • Profile Information: Job title, role, department, facility affiliation
  • Preferences: Notification preferences, dashboard configurations

2.3 Technical Information

We automatically collect certain technical information:

  • Usage Data: Log files, access times, features used, session duration
  • Device Information: IP addresses, browser type, operating system
  • Performance Data: System response times, error logs, application performance metrics
  • Security Logs: Authentication attempts, access patterns, security events

2.4 Communication Data

We may collect information from your communications with us:

  • Support Interactions: Help desk tickets, chat logs, support call records
  • Feedback: Surveys, feature requests, user experience feedback

3. Protected Health Information (PHI)

3.1 What is PHI?

Under HIPAA, Protected Health Information (PHI) is individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or its business associate. In the context of AfiaSync, PHI includes:

  • Patient names, addresses, dates of birth, and Social Security numbers
  • Medical record numbers and account numbers
  • Diagnoses, treatment information, and clinical notes
  • Audio recordings of patient encounters
  • AI-generated transcriptions and SOAP notes containing patient information
  • Any other information that could identify a patient and relates to their health condition, care, or payment

3.2 Our Role Regarding PHI

AfiaSync acts as a Business Associate under HIPAA. We process PHI on behalf of Covered Entities (healthcare providers) who use our platform. We do not use PHI for our own purposes except as permitted by HIPAA and our Business Associate Agreement (BAA).

4. How We Use Information

4.1 Primary Purposes

We use the information we collect for the following primary purposes:

  • Clinical Documentation: Transcribing encounters, generating SOAP notes, and maintaining patient records
  • Platform Functionality: Providing clinical documentation services, user authentication, and system operations
  • Compliance: Meeting regulatory requirements under HIPAA and other applicable laws
  • Quality Assurance: Ensuring data accuracy, system reliability, and service quality

4.2 Secondary Purposes

With appropriate safeguards and where legally permitted, we may use information for:

  • Service Improvement: Analyzing usage patterns to enhance platform features and performance
  • De-Identified Analytics: Creating de-identified, aggregated reports in compliance with HIPAA de-identification standards (45 CFR § 164.514)
  • Business Operations: Billing, customer support, and platform administration

5. Data Security Measures

5.1 Technical Safeguards

We implement comprehensive technical security measures:

Encryption:

  • AES-256 encryption for data at rest
  • TLS 1.2+ encryption for data in transit

Access Controls:

  • Authentication via Microsoft Entra ID
  • Role-based access control (RBAC) with principle of least privilege
  • Multi-tenant data isolation with tenant-level partitioning
  • Automated session timeouts and account lockout policies

Infrastructure Security:

  • Hosting on Microsoft Azure with SOC 2 Type II compliance
  • Regular security patches and updates
  • Comprehensive audit logging of all data access and modifications
  • Security monitoring and incident response

6. Your Rights Under HIPAA

If you are a patient whose information is processed through AfiaSync, you have the following rights under HIPAA. These rights are exercised through your healthcare provider (the Covered Entity), not directly through AfiaSync:

6.1 Right to Access

You have the right to inspect and obtain a copy of your PHI maintained by your healthcare provider through AfiaSync. Your provider must respond to access requests within 30 days.

6.2 Right to Amend

You have the right to request that your healthcare provider amend your PHI if you believe the information is inaccurate or incomplete. Providers may deny amendment requests under certain circumstances but must provide a written explanation.

6.3 Right to Restrict

You have the right to request restrictions on certain uses and disclosures of your PHI. While providers are not required to agree to all restriction requests, they must comply with requests to restrict disclosures to health plans for services you paid for in full out-of-pocket.

6.4 Right to an Accounting of Disclosures

You have the right to receive an accounting of certain disclosures of your PHI made by your healthcare provider or AfiaSync during the six years prior to your request.

6.5 Right to Receive Breach Notification

You have the right to be notified if there is a breach of your unsecured PHI. See Section 7 for details on our breach notification procedures.

6.6 Right to a Paper Copy

You have the right to obtain a paper copy of this Privacy Policy upon request.

7. Breach Notification

AfiaSync complies with the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414):

  • Discovery and Investigation: Upon discovering a potential breach of unsecured PHI, AfiaSync will promptly investigate to determine whether a breach has occurred and the scope of affected data.
  • Notification to Covered Entity: AfiaSync will notify the affected Covered Entity (your healthcare provider) without unreasonable delay, and in no event later than 60 days after discovery of the breach.
  • Content of Notification: Notifications will include a description of the breach, the types of information involved, steps individuals should take to protect themselves, what AfiaSync is doing to investigate and mitigate the breach, and contact information.
  • Individual Notification: The Covered Entity is responsible for notifying affected individuals. AfiaSync will cooperate with and support the Covered Entity in fulfilling this obligation.
  • HHS Notification: For breaches affecting 500 or more individuals, the Covered Entity must notify the U.S. Department of Health and Human Services (HHS). AfiaSync will provide all information necessary for such notification.
  • Documentation: AfiaSync maintains records of all breach investigations, risk assessments, and notifications for a minimum of six years.

8. Data Residency

8.1 US-Based Data Centers

All data processed by AfiaSync is stored within the United States, specifically in Microsoft Azure US East regions. We do not transfer PHI outside the United States.

8.2 Data Sovereignty

By hosting exclusively in US data centers, AfiaSync ensures:

  • Compliance with US federal and state data residency requirements
  • Data subject to US jurisdiction and legal protections
  • No cross-border transfer of PHI

9. Subprocessors

AfiaSync uses the following Microsoft Azure services to process data. Microsoft has executed a Business Associate Agreement (BAA) covering these services:

Service Purpose Data Processed
Azure Cosmos DB Primary database Patient records, encounter data, clinical notes, user accounts
Azure Blob Storage File storage Audio recordings, uploaded documents
Azure OpenAI Service AI clinical note generation Transcribed encounter text (used to generate SOAP notes; not used for model training)
Azure Speech Services Audio transcription Audio recordings of clinical encounters
Azure Service Bus Asynchronous messaging Event messages for background processing (e.g., transcription jobs)

Important: Azure OpenAI Service, when used with the Azure API, does not use customer data to train or improve Microsoft's models. All processing occurs within the Azure trust boundary.

10. Data Retention

We retain your information as follows:

  • PHI and Clinical Data: Retained for the duration of your subscription and for 30 days after termination to allow data export. Upon request, PHI will be returned or destroyed in accordance with our BAA.
  • Account Information: Retained for the duration of your account plus a reasonable period for legal and business purposes.
  • Audit Logs: Retained for a minimum of six years as required by HIPAA.
  • De-Identified Data: May be retained indefinitely as it no longer constitutes PHI.

11. Regulatory Compliance

11.1 HIPAA Compliance

AfiaSync is designed to comply with the Health Insurance Portability and Accountability Act (HIPAA):

  • Business Associate Agreements (BAAs) available for all Covered Entities — see our BAA page
  • Implementation of required administrative, physical, and technical safeguards
  • Regular compliance audits and risk assessments
  • Workforce training on HIPAA policies and procedures
  • Breach notification procedures compliant with 45 CFR Part 164, Subpart D

11.2 State Privacy Laws

In addition to HIPAA, AfiaSync is designed to comply with applicable state health information privacy laws that may provide additional protections beyond HIPAA.

12. Cookies and Tracking Technologies

AfiaSync uses the following types of cookies:

  • Essential Cookies: Required for core site functionality such as session management and security. These cannot be disabled.
  • Analytics Cookies: Used to understand how visitors interact with our website, helping us improve our services. These are only set with your consent.

You can manage your cookie preferences at any time using the cookie consent controls on our website. For more information about your choices, see our cookie consent banner.

13. Contact Information

13.1 Privacy Officer

For privacy-related questions or concerns, contact our Privacy Officer:

Privacy Officer
AfiaSync LLC
Email: support@afiasync.com

13.2 Filing a Complaint

If you believe your privacy rights have been violated, you may:

  • Contact AfiaSync's Privacy Officer at the address above
  • File a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights at www.hhs.gov/ocr/complaints

You will not be retaliated against for filing a complaint.

This Privacy Policy is effective as of the date listed above and supersedes all previous versions. By using AfiaSync, you acknowledge that you have read, understood, and agree to this Privacy Policy.

Document Version: 2.0
Next Review Date: February 17, 2027