Beta Privacy Policy
Plain-language privacy practices for beta use.
Privacy posture during beta
OneStep Clinical Assistant uses a PHI-minimization approach during beta. Providers are encouraged to use initials, aliases, or internal reference labels instead of real patient names when possible. Date of birth entry is intentionally disabled during beta when not needed for the workflow.
1. Overview
OneStep Scribe LLC operates OneStep Clinical Assistant, including its built-in OneStep Scribe documentation feature. This Privacy Policy explains how we collect, use, store, and protect information when you use the Service.
This policy is written for behavioral health providers and beta users. It is not a substitute for a Business Associate Agreement (BAA) where HIPAA requires one.
2. Information We Collect
A. Provider and Account Information
Name, email address, credentials, specialty, role, practice information, and NPI or verification information.
Password or authentication information, login activity, account status, and usage metadata.
Support communications and administrative requests.
B. Clinical Workflow Information
Patient label or reference entered by the provider. During beta, providers are encouraged to use initials, aliases, or internal reference labels instead of real patient names when possible.
Date of birth is intentionally disabled during beta when not required for the workflow.
Transcripts, generated draft notes, provider edits, templates, alerts, notepad entries, and annotations created within the Service.
Session metadata used for security, troubleshooting, audit, usage tracking, and platform integrity.
C. Audio Processing
Session audio is processed for transcription and is not retained by OneStep Clinical Assistant after transcription.
If a temporary audio artifact is created during processing, testing, or troubleshooting, it must be deleted the same day.
Generated text transcripts and notes may be retained according to this policy and your account settings or requests.
3. How We Use Information
We use information to operate and improve the Service, including to:
Generate transcripts and draft clinical documentation.
Organize provider notes, patient labels, and clinical workflow materials.
Authenticate users and maintain account security.
Provide support, troubleshooting, and platform maintenance.
Monitor usage, reliability, abuse prevention, and beta performance.
Maintain audit, security, and compliance-related metadata.
We do not sell clinical data. We do not use patient data, transcripts, or generated notes to train AI models.
4. PHI and BAA Requirement
If you are using the Service with Protected Health Information (PHI) in a HIPAA-covered capacity, a BAA must be executed before PHI is processed through the Service.
We design the Service to support HIPAA-regulated workflows when used under appropriate agreements and configured appropriately. Providers are responsible for confirming that their organization permits use of the Service and that required agreements are in place.
5. PHI-Minimization During Beta
During beta, providers should avoid entering real patient names when possible and use initials, aliases, or internal reference labels. DOB entry is intentionally disabled during beta where not required. Providers should avoid speaking or entering unnecessary identifiers during testing, demos, or troubleshooting.
Even with these precautions, transcripts and generated notes may contain PHI if PHI is spoken or entered during a session. Providers remain responsible for reviewing, editing, exporting, storing, and retaining final documentation according to their own obligations.
6. Security Safeguards
We use administrative, technical, and organizational safeguards designed to protect provider and clinical workflow data, including encryption in transit, access controls, role-based permissions, and security monitoring appropriate for the beta stage.
No system can guarantee absolute security. Providers should use strong passwords, avoid credential sharing, log out when finished, and contact us immediately if unauthorized access is suspected.
7. Data Retention
We retain provider account data, transcripts, notes, and metadata for as long as needed to provide the Service, maintain security, meet operational needs, comply with agreements, or respond to user requests.
During beta, providers may request export or deletion by contacting us. We will process requests as reasonably practical, subject to security, backup, legal, operational, or contractual requirements.
Audio is not retained by OneStep Clinical Assistant after transcription. If temporary audio artifacts are created during processing, testing, or troubleshooting, they must be deleted the same day.
8. Vendors and Subprocessors
We may use vendors and subprocessors to provide hosting, transcription, AI processing, authentication, support, and infrastructure services. Where required for PHI workflows, applicable vendor relationships must be covered by appropriate agreements, including BAAs.
9. Cookies and Tracking
We use minimal cookies or browser storage for authentication, session management, security, and product functionality. We do not display advertisements and do not sell data to advertisers.
10. User Rights and Requests
You may request access, correction, export, deletion, or support regarding your account data by contacting us at [email protected]. We may need to verify your identity before completing certain requests.
11. Children and Minors
The Service is intended for use by adult healthcare professionals and supervised clinical users, not by patients or minors as direct end users.
12. Changes to This Policy
We may update this Privacy Policy as beta operations evolve. We will update the effective date and provide notice of material changes when appropriate.
13. Contact
Questions about privacy or data handling may be sent to [email protected].