
Privacy Policy

Version 2026-06-25 · Effective June 25, 2026

This Privacy Policy describes how MedFetch AI LLC ("MedFetch AI," "we," "our," or "us") collects, uses, protects, and discloses information when you use our platform at medfetchai.com (the "Service"). By using the Service, you agree to this Privacy Policy.

1. WHO WE ARE

MedFetch AI LLC is a health technology company incorporated in Idaho. We provide an AI-powered platform that enables licensed healthcare providers and attorneys to retrieve, aggregate, and summarize patient medical records from electronic health record (EHR) systems with the patient's explicit authorization.

2. SCOPE — HIPAA AND PROTECTED HEALTH INFORMATION

MedFetch AI is designed to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. When we access or process patient medical records on behalf of a covered entity or business associate, we act as a Business Associate as defined under HIPAA.

Protected Health Information (PHI) accessed through our platform is governed by:
- HIPAA Privacy Rule (45 CFR Part 164, Subpart E)
- HIPAA Security Rule (45 CFR Part 164, Subpart C)
- The HITECH Act and applicable state health privacy laws
- Our Business Associate Agreements (BAAs) with covered entities and subcontractors

3. INFORMATION WE COLLECT

3.1 Account Information. When you register for an account, we collect your name, email address, professional license information (if applicable), and account credentials.

3.2 Patient Health Information (PHI). With the patient's explicit OAuth 2.0 authorization, we access medical records from connected EHR systems including Epic and Cerner. This data may include:
- Patient demographics (name, date of birth, address)
- Diagnoses and problem lists
- Medications and prescription history
- Allergy information
- Lab results and vital signs
- Clinical notes and procedure records
- Imaging and diagnostic reports

PHI is accessed only after the patient completes the EHR system's authorization flow (MyChart for Epic, patient portal for Cerner) and explicitly approves access, or where a user provides a valid patient authorization. We do not access records without an authorized basis.

3.3 Usage Data. We collect logs of platform activity for security and HIPAA audit purposes, including timestamps of record access, the identity of the user who requested access, and the patient whose records were accessed. We do not log the content of medical records in application logs.

3.4 Technical Information. We collect standard technical data including IP address, browser type, and session information necessary to operate the Service securely.

4. HOW WE USE INFORMATION

We use the information we collect to:
- Retrieve, store, and display patient medical records requested by authorized users
- Generate AI-powered clinical summaries and legal chronologies
- Maintain HIPAA-required audit logs of all PHI access
- Authenticate users and protect account security
- Improve and maintain the Service
- Comply with legal obligations

We do not use PHI for marketing, advertising, or any purpose beyond providing the Service to the authorized user.

5. AI SUMMARIZATION AND THIRD-PARTY PROCESSORS

Medical record data submitted for summarization is processed using the Claude model hosted on Amazon Web Services (AWS) Bedrock, under our Business Associate Agreement with AWS. The model provider does not use your data to train its models or for any purpose other than generating output on our behalf.

We do not share PHI with any third party except:
- Amazon Web Services (AWS), for AI summarization (via Bedrock), secure storage, and optical character recognition, under the AWS Business Associate Agreement
- EHR systems (Epic, Cerner), to the extent necessary to retrieve authorized records
- As required by law or legal process

6. DATA SECURITY

We implement technical and administrative safeguards consistent with the HIPAA Security Rule:
- All data is encrypted in transit using TLS 1.2 or higher and at rest
- OAuth access tokens are stored in encrypted, HttpOnly session cookies and never exposed to the browser
- PKCE (Proof Key for Code Exchange) is used for all OAuth flows to prevent interception attacks
- Session data is encrypted using AES-256 via iron-session
- Infrastructure is hosted on HIPAA-eligible cloud services (AWS) under a Business Associate Agreement
- Access to systems containing PHI is restricted to authorized personnel

7. DATA RETENTION

We retain information according to the following schedule:
- Account Information: retained while your account is active and for 2 years after account closure.
- Medical Records / Case Documents: retained while your account remains active and as necessary to provide the Service; after a deletion request or account termination, deleted from production systems within 30 to 90 days.
- Audit Logs: retained for 6 years, consistent with HIPAA.
- Security Logs: retained for 2 years.
- Billing Records: retained for 7 years.
- Backups: retained in encrypted backups for up to 12 months.

8. YOUR RIGHTS

8.1 Patient Rights. Patients retain all rights under HIPAA, including the right to access, amend, and request an accounting of disclosures of their PHI. Where supported by their EHR's patient portal (for example, MyChart for Epic), patients may revoke access previously granted to MedFetch AI; patients may also contact their provider or us regarding access to their information.

8.2 User Account Rights. You may request access to, correction of, or deletion of your account information by contacting us at the address below.

9. CHILDREN'S PRIVACY

MedFetch AI is not directed to individuals under 18 years of age. We do not knowingly collect personal information from minors.

10. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email and will post the updated policy at medfetchai.com/privacy with a revised effective date.

11. CONTACT US

For questions about this Privacy Policy or our data practices, contact us at:

MedFetch AI LLC
Idaho, United States
Email: privacy@medfetchai.com
Website: https://medfetchai.com
