No PHI by email — ever. BAA executed before records are transmitted. Cross-border processing disclosed before engagement. PHI not entered into public AI tools. Records not used for model training. AI-assisted and physician-authored components disclosed at the component level on every deliverable.
The intake process begins without records. You send only general case facts. Scope, pricing, and conflict status are confirmed before any records are transmitted or any PHI is involved.
A BAA is executed before PHI-containing records are accepted. The BAA governs retention, deletion, and use of PHI in accordance with HIPAA requirements. Cross-border processing under the BAA framework is disclosed before records are transmitted.
Physician review is performed outside the United States. This is disclosed before engagement is formed and before records are transmitted. The disclosure is a deliberate transparency policy, not an inadvertent one.
Where AI-assisted extraction is used for PHI-containing records, it is used only through systems covered by appropriate contractual safeguards including BAAs. PHI is not entered into public consumer AI tools. Records are not used for model training.
Retention and deletion is governed by the executed BAA. Default practice is to retain only what is needed for the defined scope and to delete upon instruction or engagement close.