OneStep Clinical Assistant

Beta Compliance & Security Overview

Security, privacy, and clinical responsibility overview for beta use.

onestepscribe.com/compliance | [email protected]

Beta security positioning

This overview describes beta safeguards and planned improvements. It should not be read as a certification, legal opinion, SOC 2 report, or guarantee of HIPAA compliance. A BAA is required before PHI is processed.

Intended Use Statement

OneStep Clinical Assistant is a clinical documentation support tool for behavioral health providers. It assists with transcription, draft note generation, templates, DSM-informed organization, medication workflow support, CPT/90833 documentation support, and clinical note review.

The Service does not replace clinical judgment. It does not automate diagnosis, prescribe medications, make treatment recommendations, monitor emergencies, or determine billing eligibility. All AI-generated notes are drafts that require clinician review and approval before use.

Controlled Beta Safeguards

Area | Beta approach

Access | Controlled beta access for verified clinicians. NPI or credential review may be required.

BAA | Business Associate Agreement required before PHI is processed through the Service.

PHI minimization | Providers are encouraged to use initials, aliases, or internal reference labels instead of real patient names when possible. DOB entry is intentionally disabled during beta where not required.

Audio | Session audio is processed for transcription and is not retained by OneStep Clinical Assistant after transcription. Temporary audio artifacts created during processing, testing, or troubleshooting must be deleted the same day.

Transcripts and notes | Generated transcripts and draft notes may be stored for provider workflow. Provider review remains required.

Model training | Patient data, transcripts, and generated notes are not used to train AI models.

Provider responsibility | Providers remain responsible for accuracy, completeness, clinical appropriateness, documentation policy compliance, and final approval.

Live Today / Beta Controls

Controlled access and account verification for beta users.

Role-based access patterns designed to limit provider access to appropriate patient records.

No intentional retention of session audio after transcription.

No use of patient data to train AI models.

Provider-facing disclaimers that AI notes are drafts requiring clinician review.

PHI-minimization reminders: avoid real patient names when possible, use initials/aliases, and note that DOB entry is intentionally disabled during beta.

Planned / In Progress

Expanded audit logging for administrative and clinical documentation events.

Additional session controls, user lifecycle controls, and provider separation checks.

Ongoing security review and infrastructure hardening as beta usage grows.

Additional documentation for BAA execution, subprocessors, retention, incident response, and export/deletion workflows.

Provider Responsibilities

Execute a BAA before processing PHI through the Service in a HIPAA-covered capacity.

Confirm your organization permits use of the Service.

Avoid unnecessary identifiers during beta when possible.

Review and approve all generated notes before using, exporting, billing, or placing them in an EHR.

Use standard clinical, crisis, and emergency protocols. The Service is not a crisis-monitoring tool.

Maintain appropriate patient consent and documentation practices required by your setting, jurisdiction, and payer.

Frequently Asked Questions

Should I use real patient names during beta?

Avoid real patient names when possible. Use initials, aliases, or internal reference labels. This is a beta PHI-minimization safeguard, not a guarantee that generated content is free of PHI.

Is date of birth collected?

DOB entry is intentionally disabled during beta where it is not required for the workflow.

Is audio stored?

Session audio is processed for transcription and is not retained by OneStep Clinical Assistant after transcription. If a temporary audio artifact is created during processing, testing, or troubleshooting, it must be deleted the same day.

Is patient data used to train models?

No. Patient data, transcripts, and generated notes are not used to train AI models.

Does the product guarantee billing or payer approval?

No. The Service provides documentation support. Providers remain responsible for coding, billing, payer requirements, and documentation accuracy.

Can I request a BAA?

Yes. Contact [email protected]. A BAA is required before PHI is processed in a HIPAA-covered capacity.

Contact

For BAA requests, security questions, or compliance documentation, contact [email protected].