HIPAA Compliance

Effective: May 2, 2026
Last updated: May 2, 2026

Plexura AI Scribe (“Plexura”) provides clinical documentation services to licensed mental and behavioral health professionals. When our customers (“Covered Entities” as defined under HIPAA) use the Service to create, receive, maintain, or transmit Protected Health Information (“PHI”) on behalf of their patients, Plexura acts as a HIPAA Business Associate within the meaning of 45 C.F.R. § 160.103.

This HIPAA Compliance Statement describes the administrative, physical, and technical safeguards Plexura has implemented to comply with the HIPAA Privacy Rule (45 C.F.R. Part 164, Subpart E), the HIPAA Security Rule (Subpart C), the Breach Notification Rule (Subpart D), and the HITECH Act amendments thereto. It is published in addition to, and not in lieu of, the Business Associate Agreement (“BAA”) signed between Plexura and each Covered Entity that uses the Service to handle PHI. In the event of a conflict, the executed BAA controls.

1. Definitions

Capitalized terms not defined here have the meaning given in 45 C.F.R. Parts 160 and 164. “PHI” means individually identifiable health information transmitted or maintained in any form. “ePHI” means electronic PHI. “Workforce” means employees, contractors, and volunteers under the direct control of Plexura.

2. Business Associate Status and BAA Requirement

Plexura will only create, receive, maintain, or transmit PHI on behalf of a Covered Entity that has executed a current BAA with Plexura. The BAA sets out:

  • The permitted and required uses and disclosures of PHI by Plexura, limited to what is necessary to perform the Service or as required by law;
  • Restrictions on disclosing PHI to subcontractors without a written BAA flow-down;
  • Obligations to safeguard PHI in accordance with the Security Rule;
  • Reporting and breach-notification obligations;
  • Termination, return, and destruction provisions; and
  • The Covered Entity’s right to audit Plexura’s compliance.

A copy of the standard Plexura BAA is available on request from info@plexura.ai.

3. Administrative Safeguards (45 C.F.R. § 164.308)

3.1 Security Management Process — § 164.308(a)(1)

Plexura maintains a written information-security program that includes annual risk analysis, documented risk-management decisions, sanctions policy for workforce non-compliance, and a security-incident review log.

3.2 Assigned Security Responsibility — § 164.308(a)(2)

Plexura has appointed a designated Privacy & Security Officer responsible for the development and implementation of the policies and procedures required by the HIPAA Rules. The Privacy & Security Officer can be reached at info@plexura.ai.

3.3 Workforce Security — § 164.308(a)(3)

  • All workforce members complete HIPAA Privacy and Security training upon hire and annually thereafter.
  • Access to PHI is provisioned on the principle of least privilege and is reviewed at least quarterly.
  • Access is revoked within 24 hours of role change or separation.
  • Background checks are performed for workforce members with PHI access, where permitted by local law.

3.4 Information Access Management — § 164.308(a)(4)

  • Role-based access control (RBAC) is enforced at the practice and account level.
  • Multi-tenant isolation: a clinician’s account cannot access another customer’s PHI under any circumstance.
  • Within a multi-clinician practice, owners can configure which members may view, edit, push, or export which patient records.

3.5 Security Awareness and Training — § 164.308(a)(5)

Workforce members receive ongoing security reminders, malicious-software protection training, log-in monitoring expectations, and password-management guidance. Log-in attempts are rate-limited and brute-force protected; repeated failed log-ins trigger investigation.

3.6 Security Incident Procedures — § 164.308(a)(6)

Plexura maintains a documented incident-response plan. Suspected incidents are triaged within one business hour, escalated to the Privacy & Security Officer, and tracked through resolution. Customers are notified per Section 9 below.

3.7 Contingency Plan — § 164.308(a)(7)

  • Data backup: automated, encrypted backups of PHI databases on a continuous-replication and daily-snapshot schedule, retained per the BAA.
  • Disaster recovery: documented runbooks, recovery-point objective (RPO) of 24 hours and recovery-time objective (RTO) of 8 hours for critical services.
  • Emergency-mode operation: read-only PHI access can be restored from backup if primary infrastructure is unavailable.
  • Testing: recovery procedures are tested at least annually.

3.8 Evaluation — § 164.308(a)(8)

Plexura performs technical and non-technical evaluations of its environment at least annually, plus event-driven evaluations when material operational or environmental changes occur.

3.9 Business Associate Contracts with Subcontractors — § 164.308(b)

Plexura executes a written BAA with every subcontractor that creates, receives, maintains, or transmits PHI on Plexura’s behalf, including:

  • MongoDB, Inc. (Atlas database hosting)
  • OpenAI, L.L.C. (speech-to-text and LLM inference)
  • Resend, Inc. (transactional email delivery)
  • Stripe, Inc. (payment processing — non-PHI billing data only)
  • Emergent Cloud / underlying Kubernetes infrastructure provider

4. Physical Safeguards (45 C.F.R. § 164.310)

Plexura does not operate its own data centers. PHI is stored exclusively in cloud-provider data centers (MongoDB Atlas, the managed Kubernetes provider) located in the United States. Each provider maintains:

  • SOC 2 Type II audited physical-security controls;
  • 24x7 staffed access control with multi-factor authentication;
  • Biometric or token-based facility entry;
  • Continuous video surveillance and intrusion detection;
  • Continuous video surveillance and intrusion detection.

Plexura itself enforces workstation use, security, and disposal controls per § 164.310(b)–(d) on all workforce devices. Workforce devices used to access PHI must run a current operating system, full-disk encryption, an active screen-lock policy, and endpoint-protection software.

5. Technical Safeguards (45 C.F.R. § 164.312)

5.1 Access Control — § 164.312(a)

  • Unique user IDs for every account; passwords hashed with bcrypt and a random per-user salt.
  • Password policy: minimum 12 characters, three of four character classes, breach-pattern blocklist, sequence/repeat rejection.
  • Automatic logoff via signed JWTs that expire 120 minutes after issuance.
  • Encryption and decryption of ePHI: TLS 1.2+ in transit; AES-256 at rest in the database, in object storage, and in backups.
  • Optional emergency-access procedure for designated workforce members during a declared incident.
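A constructed illustration of the password rules listed in 5.1 (minimum length, three of four character classes, breach-pattern blocklist, sequence/repeat rejection). This is an added example, not Plexura's code; the blocklist contents and the run length that counts as a "sequence" or "repeat" are assumptions.

```python
"""Password-policy check modelled on the rules in Section 5.1.
Constructed example; the blocklist and RUN_LENGTH are assumptions."""
import string

MIN_LENGTH = 12
# Constructed stand-in for the breach-pattern blocklist (assumed values).
BREACH_PATTERNS = ("password", "qwerty", "letmein", "welcome", "12345")
RUN_LENGTH = 4  # assumed: reject 4+ identical or consecutive characters


def _char_classes(pw):
    """Count how many of the four classes (lower, upper, digit, symbol) appear."""
    return sum((
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ))


def _has_run(pw, n=RUN_LENGTH):
    """True if any n consecutive characters are identical ('aaaa') or form an
    ascending/descending code-point sequence ('abcd', '4321')."""
    for i in range(len(pw) - n + 1):
        window = [ord(c) for c in pw[i:i + n]]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if len(diffs) == 1 and next(iter(diffs)) in (-1, 0, 1):
            return True
    return False


def check_password(pw):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if _char_classes(pw) < 3:
        problems.append("fewer than three character classes")
    lowered = pw.lower()
    if any(p in lowered for p in BREACH_PATTERNS):
        problems.append("contains breach-pattern substring")
    if _has_run(pw):
        problems.append("contains sequential or repeated run")
    return problems
```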

5.2 Audit Controls — § 164.312(b)

Plexura maintains immutable audit logs of every login, PHI access, modification, deletion, export, and EHR-push event. Logs include actor identity, timestamp, source IP, user-agent, action, target resource, and result. Logs are retained for at least six (6) years per § 164.316(b)(2)(i) and surfaced to Covered Entities through the Plexura analytics dashboard for their own compliance reporting.

5.3 Integrity — § 164.312(c)

ePHI is protected from improper alteration through database-level write controls, version history on transcripts and notes, and cryptographic checksums during backup and restore. The audit log provides a forensic trail to detect any unauthorized alteration.

5.4 Person or Entity Authentication — § 164.312(d)

Plexura authenticates every API request via short-lived signed JWT tokens. Browser-extension push payloads are signed and validated server-side before any action is taken. Multi-factor authentication is available for owner and administrator accounts and is on the product roadmap for all accounts.

5.5 Transmission Security — § 164.312(e)

  • All client-server communication is encrypted with TLS 1.2 or higher, with weak ciphers disabled.
  • HTTP Strict Transport Security (HSTS), X-Frame-Options: DENY, X-Content-Type-Options: nosniff, and a strict Referrer-Policy are enforced on every response.
  • A least-privilege CORS allowlist prevents unauthorized cross-origin credentialed requests.
  • Inter-service traffic between application pods and the database is encrypted within the provider’s private network.

6. Privacy Rule Implementation (45 C.F.R. Part 164, Subpart E)

6.1 Permitted Uses and Disclosures

Plexura uses and discloses PHI only to:

  • Provide the Service to the Covered Entity;
  • Carry out Plexura’s management and administration, where permitted by 45 C.F.R. § 164.504(e)(4);
  • Carry out Plexura’s legal responsibilities;
  • Disclose PHI as required by law (e.g., subpoena);
  • Provide data aggregation services to the Covered Entity, where requested.

Plexura applies the minimum-necessary standard to all uses and disclosures of PHI.

6.2 Individual Rights

Where a patient (the “individual” under HIPAA) submits a rights request directly to Plexura, we will redirect the request to the Covered Entity, which is responsible for fulfillment, and will provide reasonable cooperation, including:

  • Right of access (§ 164.524) — export and delivery of the patient’s designated record set.
  • Right of amendment (§ 164.526) — ability to update PHI within the Service at the Covered Entity’s direction.
  • Right to an accounting of disclosures (§ 164.528) — via the audit-log export feature.
  • Right to restrict (§ 164.522) — honored when the Covered Entity instructs Plexura accordingly.

6.3 De-Identification

Where Plexura uses datasets internally for service improvement, de-identification is performed in accordance with the Safe Harbor method (§ 164.514(b)(2)) or expert determination (§ 164.514(b)(1)), as applicable. We do not use PHI to train public AI models.

7. Sanctions and Workforce Discipline

Workforce members who violate these policies are subject to progressive discipline up to and including termination of employment and, where applicable, civil and criminal referral. Sanction actions are documented and retained per § 164.530(e).

8. Risk Analysis and Risk Management

Plexura performs a comprehensive HIPAA risk analysis at least annually and after any material change to the environment. Identified risks are entered into a risk register, prioritized by likelihood and impact, and remediated through documented risk-management actions. Penetration testing is performed annually by a third-party provider; vulnerability scanning is run continuously against production infrastructure.

9. Breach Notification (45 C.F.R. Part 164, Subpart D)

If Plexura discovers a Breach (as defined at § 164.402) of Unsecured PHI, it will:

  • Notify the affected Covered Entity without unreasonable delay and in no case later than sixty (60) calendar days after discovery (the BAA may impose a shorter window);
  • Provide the information required by § 164.410, including the identification of each individual whose PHI has been or is reasonably believed to have been accessed, acquired, used, or disclosed during the Breach;
  • Cooperate with the Covered Entity’s investigation, mitigation, and notice obligations to individuals, the Department of Health & Human Services, and (where applicable) the media; and
  • Document the Breach and Plexura’s response per HIPAA recordkeeping requirements.

Reports of a suspected Breach or other security incident may be sent to info@plexura.ai 24x7. A suspected Breach is escalated to the Privacy & Security Officer immediately upon receipt.

10. Data Retention, Return, and Destruction

Upon termination of the BAA, Plexura will, if feasible, return or destroy all PHI it maintains in any form on behalf of the Covered Entity. Where return or destruction is not feasible (e.g., due to legal-hold or backup-immutability constraints), Plexura will extend the protections of the BAA to the retained PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible. Audit-log records are retained for at least six (6) years per § 164.316(b)(2)(i).

11. State Law and Substance-Use Disorder Records (42 C.F.R. Part 2)

Where a Covered Entity is also subject to state laws more protective than HIPAA (e.g., California CMIA, New York Public Health Law § 18, Texas HB 300), Plexura’s safeguards do not displace the Covered Entity’s obligation to comply with those laws. If your practice handles substance-use disorder records subject to 42 C.F.R. Part 2, please contact info@plexura.ai before uploading those records so that we can document the additional consent and disclosure restrictions.

12. Customer Responsibilities

Plexura’s safeguards do not relieve the Covered Entity of its own HIPAA obligations. Customers remain responsible for:

  • Obtaining and documenting valid, informed patient consent before recording sessions through the Service;
  • Configuring access controls within their practice account to enforce minimum-necessary access among their own workforce;
  • Reviewing and approving every AI-generated note before signing or pushing it to an EHR;
  • Promptly reporting suspected breach or unauthorized access to Plexura at info@plexura.ai;
  • Maintaining their own HIPAA Privacy Rule documentation, notice of privacy practices, and patient-rights fulfillment processes.

13. Reporting and Compliance Contacts

Plexura AI Scribe
Privacy & Security Officer
Email: info@plexura.ai

The same address handles HIPAA inquiries, security incident reports, and patient/individual rights requests. Suspected breach notifications are escalated to the Privacy & Security Officer immediately upon receipt and acknowledged within one business hour.

Patients who believe their privacy rights have been violated may also file a complaint directly with the U.S. Department of Health & Human Services, Office for Civil Rights: https://www.hhs.gov/hipaa/filing-a-complaint.

Questions, requests, or concerns regarding this document — including legal, privacy, individual-rights, security, and HIPAA matters — can be sent to info@plexura.ai.

© 2026 Plexura AI Scribe. All rights reserved.