QuillMD
Compliance

HIPAA Compliance

Last updated: 2026-04-20

[DRAFT — PENDING LEGAL REVIEW]

This page is a practical summary of our HIPAA posture for prospective customers. A reviewed version and our signed BAA template will replace this document before we onboard paid customers handling PHI.

Business Associate Agreements (BAAs)

AshTech Group will execute a Business Associate Agreement with any Covered Entity or Business Associate customer before PHI is sent to QuillMD. Our subprocessors that process PHI on our behalf have signed BAAs with us:

  • Anthropic (Claude models)
  • OpenAI (embeddings)
  • Deepgram (audio transcription, Nova-3 Medical model)
  • Resend (email delivery)

Encryption and transport

PHI is encrypted in transit (TLS 1.2+ on every provider call and to the browser once a domain with TLS is active). At rest, PostgreSQL data and MinIO objects inherit host-level disk encryption from our VPS provider. Backups are stored encrypted.

Access controls

  • Every clinical record is scoped to the user who created it. A request for another user's record is rejected with a 404 rather than a 403, so the response does not confirm that the record exists (anti-enumeration).
  • Single-session enforcement: a new login revokes prior sessions, so a stolen JWT stops working the next time the true owner signs in.
  • Password storage uses bcrypt with a 12-round cost factor. After 5 failed logins, the account is locked for 15 minutes.
  • Production secrets are rotated quarterly (see our internal rotation runbook) and on any suspected exposure.
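How the login controls above combine, as an added sketch that is not QuillMD's code: a failure counter that locks the account for 15 minutes after 5 misses, and a per-account session version that every successful login bumps so earlier tokens stop validating. The `bcrypt` package is not in the standard library, so the hash step uses PBKDF2 as a labelled stand-in; the lockout and revocation logic is the point.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_FAILED_LOGINS = 5        # lock after 5 failed logins
LOCKOUT_SECONDS = 15 * 60    # locked for 15 minutes


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_logins: int = 0
    locked_until: float = 0.0   # unix time; 0 means not locked
    session_version: int = 0    # incremented on every successful login


def derive(password: str, salt: bytes) -> bytes:
    # Stand-in for bcrypt(cost=12); any slow, salted hash fits this slot.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=derive(password, salt))


def login(acct: Account, password: str, now: float) -> Tuple[str, Optional[dict]]:
    """Return (status, claims). claims is the JWT claim set (signing omitted)."""
    if now < acct.locked_until:
        return "locked", None                    # even a correct password is refused
    if not hmac.compare_digest(acct.pw_hash, derive(password, acct.salt)):
        acct.failed_logins += 1
        if acct.failed_logins >= MAX_FAILED_LOGINS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_logins = 0               # fresh count once the lock expires
            return "locked", None
        return "bad_password", None
    acct.failed_logins = 0
    acct.session_version += 1                    # revokes every earlier token
    return "ok", {"sv": acct.session_version, "iat": now}


def token_is_valid(acct: Account, claims: dict) -> bool:
    # Single-session rule: only the token carrying the current version is accepted.
    return claims["sv"] == acct.session_version
```

Between a token theft and the owner's next sign-in the old token still validates, which is the window the audit log of login events is there to expose.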

Audit logging

Every sensitive action (login, password change, data access, note signing, export) writes a row to the audit log, scoped to the practice tenant. Audit logs are retained for the HIPAA minimum of 6 years.

Retention and deletion

  • Audio files: 90 days past visit completion. Configurable per practice.
  • Transcripts and signed notes: 7 years minimum.
  • Account records and audit logs: retained for the HIPAA-required period (6 years for audit logs, as above).

You may request deletion of your account and associated data at any time from Settings. Backups include PHI and are retained until the earlier of 90 days or the next quarterly prune.

Breach notification

If we become aware of a breach of unsecured PHI, we will notify affected customers within 60 days as required by 45 CFR § 164.410, with a written description of what was disclosed and what mitigations are in place.

De-identification for product improvement

QuillMD captures anonymized edit patterns to improve AI output for each doctor (the "few-shot prompting" system). This data is scoped to the signed-in doctor and stored as embeddings of text snippets. It is never shared across accounts without a separate data-use agreement.

Contact

BAA requests and compliance questions: compliance@ashtechgroup.com.