HIPAA Notice

Effective date: May 19, 2026

This notice describes how Defo Labs LTD (trading as Patien), registered at 128 City Road, London, EC1V 2NX, United Kingdom, handles Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act.

Our role under HIPAA

Patien functions as a Business Associate under HIPAA. We provide services to covered entities (healthcare providers, health plans, and healthcare clearinghouses) that involve creating, receiving, maintaining, and transmitting PHI on their behalf.

Business Associate Agreement (BAA)

We sign a Business Associate Agreement with all customers who qualify as covered entities or who otherwise handle PHI. The BAA governs our obligations with respect to PHI and is incorporated into our Terms of Service.

To request a BAA, contact privacy@usepatien.com. We process BAA requests within two business days.

Technical safeguards

Administrative safeguards

Physical safeguards

Patien operates on Cloudflare's infrastructure, which maintains SOC 2 Type II and ISO 27001 certifications. Data centers have physical access controls, environmental protections, and equipment disposal procedures consistent with HIPAA requirements.

Minimum necessary standard

We limit access to PHI to the minimum necessary to perform our services. Clinical audio is processed and then deleted within 24 hours of note generation. Only the structured note — not the raw audio — is retained beyond processing.

Subcontractors

Any subcontractor that accesses PHI on our behalf is required to sign a HIPAA-compliant BAA and is subject to the same security standards we maintain.

Breach notification

In the event of a breach of unsecured PHI, we will notify affected covered entities without unreasonable delay and within 60 days of discovery, as required by HIPAA's Breach Notification Rule. Notifications will include the nature of the breach, PHI involved, corrective actions taken, and steps individuals can take to protect themselves.

Your rights regarding PHI

As a Business Associate, we support your obligations to patients regarding their PHI. Upon written request, we will make PHI available to you so that you can fulfill patient access rights under HIPAA.

Contact our Privacy Officer

For HIPAA-related inquiries, BAA requests, or to report a suspected breach:
privacy@usepatien.com
Defo Labs LTD (trading as Patien)
128 City Road, London, EC1V 2NX, United Kingdom

We respond to all HIPAA-related inquiries within two business days.