
PHI & security

Clinical.ink processes sensitive clinical encounters. The platform is built with HIPAA-conscious defaults and gives workspace owners the tools they need to control access and retention.

Platform safeguards

  • Authentication – All API requests require Auth0 access tokens. Internal services communicate with scoped credentials instead of user accounts.
  • Transport security – Production deployments run behind HTTPS and the app enforces secure connections. Independently of that, browsers refuse microphone access on insecure origins (anything other than HTTPS or localhost), so audio capture cannot work over plain HTTP even if the enforcement were bypassed.
  • Temporary storage – Uploaded audio and intermediate files are kept only while a job is running and are deleted automatically once processing finishes.
  • Task isolation – Background workers handle heavy AI tasks. Progress notifications contain task identifiers, not transcript text.
  • Structured logging – Operational logs capture timings, status codes, and task IDs but avoid storing PHI. This allows troubleshooting without exposing encounter content.
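
The following is an added example, not Clinical.ink's own code, showing how the temporary-storage, task-isolation and structured-logging safeguards above fit together in one background worker. All names are hypothetical: the job runs inside a `TemporaryDirectory` so the upload and every derived chunk are removed whether the model call succeeds or raises; progress notifications carry only a task ID, stage and percentage; and log records pass through an allowlist formatter that drops any field not on the list and records only the names of the dropped keys. The audio bytes and the transcriber are constructed stand-ins for a real upload and the AI model.

```python
# Added example, not Clinical.ink's own code: a background-worker skeleton that
# implements the temporary-storage, task-isolation and structured-logging
# safeguards together. Names are hypothetical; the audio bytes and the
# transcriber are constructed stand-ins for a real upload and the AI model.
import json
import logging
import os
import shutil
import tempfile
import time
import uuid
from typing import Callable, Optional

# Keys that may reach an operational log line. Transcript text, note drafts and
# any other content that could carry PHI are dropped before serialising.
LOG_FIELD_ALLOWLIST = frozenset(
    {"event", "task_id", "stage", "status_code", "duration_ms", "chunk_count"}
)

def sanitize_log_fields(fields: dict) -> dict:
    """Keep allowlisted keys; report the names of dropped keys, never values."""
    kept = {k: v for k, v in fields.items() if k in LOG_FIELD_ALLOWLIST}
    dropped = sorted(k for k in fields if k not in LOG_FIELD_ALLOWLIST)
    if dropped:
        kept["dropped_fields"] = dropped
    return kept

class PHISafeJsonFormatter(logging.Formatter):
    """One JSON object per record, built only from extra={"fields": {...}}."""
    def format(self, record: logging.LogRecord) -> str:
        payload = {"level": record.levelname}
        payload.update(sanitize_log_fields(getattr(record, "fields", None) or {}))
        return json.dumps(payload, sort_keys=True)

class ListHandler(logging.Handler):
    """Keeps formatted lines in memory so the example can check itself."""
    def __init__(self) -> None:
        super().__init__()
        self.lines: list = []
    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))

LOG_HANDLER = ListHandler()
LOG_HANDLER.setFormatter(PHISafeJsonFormatter())
log = logging.getLogger("example.worker")
log.addHandler(LOG_HANDLER)
log.setLevel(logging.INFO)
log.propagate = False

NOTIFICATIONS: list = []  # stand-in for the push channel to the browser

def notify_progress(task_id: str, stage: str, percent: int) -> dict:
    """Progress events carry the task identifier and stage only, never content."""
    event = {"task_id": task_id, "stage": stage, "percent": percent}
    NOTIFICATIONS.append(event)
    return event

def run_transcription_job(audio: bytes, transcribe: Callable[[bytes], str],
                          base_dir: Optional[str] = None, chunk_size: int = 16) -> dict:
    """Process one upload inside a TemporaryDirectory that is removed on exit,
    whether the job succeeds or `transcribe` raises."""
    task_id, started = str(uuid.uuid4()), time.perf_counter()
    with tempfile.TemporaryDirectory(prefix=f"job-{task_id}-", dir=base_dir) as workdir:
        with open(os.path.join(workdir, "upload.bin"), "wb") as fh:
            fh.write(audio)
        chunks = [audio[i:i + chunk_size] for i in range(0, len(audio), chunk_size)]
        fields = {"task_id": task_id, "chunk_count": len(chunks)}
        try:
            pieces = []
            for n, chunk in enumerate(chunks):
                with open(os.path.join(workdir, f"chunk-{n}.bin"), "wb") as fh:
                    fh.write(chunk)
                pieces.append(transcribe(chunk))
                notify_progress(task_id, "transcribing", 90 * (n + 1) // max(len(chunks), 1))
        except Exception:
            fields.update(event="job.failed", status_code=500,
                          duration_ms=int(1000 * (time.perf_counter() - started)))
            log.error("job failed", extra={"fields": fields})
            raise  # the with-block still deletes workdir and every chunk
        transcript = " ".join(pieces)
        # A careless caller might attach the transcript; the formatter drops it.
        fields.update(event="job.finished", status_code=200, transcript=transcript,
                      duration_ms=int(1000 * (time.perf_counter() - started)))
        log.info("job finished", extra={"fields": fields})
    notify_progress(task_id, "done", 100)
    return {"task_id": task_id, "transcript": transcript, "workdir": workdir}

# Constructed sample input. The phrase is what must never leak into logs or events.
SAMPLE_AUDIO = b"chunk-one|chunk-two|chunk-three"
SAMPLE_PHRASE = "patient reports chest pain"

def fake_transcribe(chunk: bytes) -> str:
    return SAMPLE_PHRASE if b"one" in chunk else "(more audio)"

def broken_model(chunk: bytes) -> str:
    raise RuntimeError("model unavailable")

def demo() -> dict:
    """Run one successful and one failing job; return the observable outcomes."""
    LOG_HANDLER.lines.clear()
    NOTIFICATIONS.clear()
    scratch = tempfile.mkdtemp(prefix="example-scratch-")
    try:
        ok = run_transcription_job(SAMPLE_AUDIO, fake_transcribe, base_dir=scratch)
        workdir_removed = not os.path.exists(ok["workdir"])
        failure_raised = False
        try:
            run_transcription_job(SAMPLE_AUDIO, broken_model, base_dir=scratch)
        except RuntimeError:
            failure_raised = True
        scratch_empty = os.listdir(scratch) == []
    finally:
        shutil.rmtree(scratch, ignore_errors=True)
    outputs = LOG_HANDLER.lines + [json.dumps(e) for e in NOTIFICATIONS]
    return {
        "transcript": ok["transcript"],
        "workdir_removed": workdir_removed,
        "failure_raised": failure_raised,
        "scratch_empty_after_both_jobs": scratch_empty,
        "phrase_leaked": any(SAMPLE_PHRASE in s for s in outputs),
        "dropped_fields_reported": any('"dropped_fields": ["transcript"]' in s for s in LOG_HANDLER.lines),
        "notification_keys": sorted({k for e in NOTIFICATIONS for k in e}),
    }
```

Running `demo()` shows the two properties worth verifying in a real deployment: the scratch directory is empty after both the successful and the failed job, and the constructed phrase appears in neither the log lines nor the notification payloads, while the log does name `transcript` as a dropped field so a developer can see that a caller tried to log content. An allowlist is deliberately used instead of a blocklist; new fields are invisible until someone consciously adds them.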

Workspace controls

Use Settings → Organization / Security to manage exposure:

  • Roles – Owners can manage members, seat counts, and billing details. Members can capture encounters and work with notes but cannot change billing or delete the workspace.
  • Seat limits – Invitations respect the seat limit of your plan. Removing a member frees a seat immediately.
  • Audit trail – Encounter IDs, subscription data, and usage summaries are available from the subscription screen for compliance reviews.
  • Chat quotas – Chat allowances limit how much content is shared with the copilot. When a quota is reached the panel switches to read-only responses.

Handling PHI responsibly

  • Always open Clinical.ink over HTTPS.
  • Record and upload encounters from trusted devices. Use Settings → General → Restart application to clear cached content on shared computers.
  • Review transcripts and drafted notes for accuracy before exporting or copying into your EHR.
  • Share exported files through your organization’s secure channels (encrypted email, secure messaging, etc.).

Data retention & deletion

  • Audio files and derived chunks are removed automatically after processing.
  • Encounter metadata, transcripts, and notes remain available until your workspace is deleted or you request a purge. Contact support@clinical.ink if you need specific encounters removed early.
  • Billing records are retained for financial compliance but do not contain clinical content.

Incident response

If you suspect unauthorized access or data leakage:

  1. Email security@clinical.ink with the organization slug, encounter ID(s), and timestamps.
  2. Remove or suspend affected members from Settings → Organization.
  3. Rotate any connected credentials (calendar integrations, storage keys, etc.) if you believe they were exposed.
  4. Collect relevant logs or screenshots and share them securely with the support team.

We acknowledge security reports within one business day and keep you informed until the issue is resolved.