Notice of Privacy Practices
Effective April 24, 2026 · ScribeGo.ai operates as a HIPAA Business Associate.
A note on scope
Under HIPAA, the formal Notice of Privacy Practices is a document that Covered Entities (healthcare providers) give to their patients. ScribeGo.ai is a Business Associate, not a Covered Entity, so we don’t issue an NPP directly to patients. We maintain this page as our public-facing privacy statement, a plain-English summary of how we handle data received from customer Covered Entities.
What we do
ScribeGo.ai is a software platform clinicians use to rewrite and restructure clinical documentation with AI. Our customers are healthcare providers (Covered Entities under HIPAA) who use our service to process Protected Health Information.
What we receive
From the clinician using our service:
- Clinical text: The transcript or note pasted into the app, which may contain PHI.
- Images or PDFs: Optional clinical documents we OCR to extract the text.
- Instructions: What the clinician types about how the AI should rewrite the note.
How we handle the data
From the moment text reaches our server to the moment we hand back the rewritten note:
1. Detect identifiers: AWS Comprehend Medical (covered by our BAA with AWS) scans the text for protected health information.
2. Replace with tokens: Every identifier is swapped for a placeholder like [NAME_001] or [DATE_001] before anything leaves our server.
3. Send only the tokenized text: The language model on AWS Bedrock receives only placeholder-protected text, never real patient data.
4. Model returns tokens: The response comes back using the same placeholder tokens. No real PHI is exposed to the model.
5. Re-identify on our server: We swap placeholders back to the real values inside our servers, never on the model side.
6. Return to clinician: The final note is delivered to you. The placeholder mapping is destroyed within ~1 second of response.
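The tokenize and re-identify steps above, as an added Python example; it is not ScribeGo.ai's code. The detector output is a constructed list of non-overlapping (start, end, type) spans, no AWS service is called, and the function names are hypothetical.

```python
import re

TOKEN_RE = re.compile(r"\[([A-Z]+)_(\d{3})\]")

def tokenize(text, spans):
    """Replace each (start, end, type) span with a placeholder like [NAME_001].

    Returns (tokenized_text, mapping). A repeated value reuses its token so
    the model sees one consistent reference per identifier.
    """
    by_value, counters, mapping = {}, {}, {}
    # Assign tokens in reading order so numbering follows the note.
    for start, end, kind in sorted(spans):
        value = text[start:end]
        if (kind, value) not in by_value:
            counters[kind] = counters.get(kind, 0) + 1
            token = f"[{kind}_{counters[kind]:03d}]"
            by_value[(kind, value)] = token
            mapping[token] = value
    # Substitute from the end of the text so earlier offsets stay valid.
    out = text
    for start, end, kind in sorted(spans, reverse=True):
        out = out[:start] + by_value[(kind, text[start:end])] + out[end:]
    return out, mapping

def leaked(outbound_text, mapping):
    """Pre-send check: mapped real values still present in the outbound text."""
    return [v for v in mapping.values() if v in outbound_text]

def reidentify(model_output, mapping):
    """Swap placeholders back; tokens the mapping never issued are reported."""
    unknown = []
    def swap(match):
        token = match.group(0)
        if token not in mapping:
            unknown.append(token)
            return token
        return mapping[token]
    return TOKEN_RE.sub(swap, model_output), unknown

# Constructed note and constructed detector spans.
NOTE = "Jane Roe seen 03/14/2025. Jane Roe reports chest pain since 03/10/2025."
SPANS = [(0, 8, "NAME"), (14, 24, "DATE"), (26, 34, "NAME"), (60, 70, "DATE")]

if __name__ == "__main__":
    safe, mapping = tokenize(NOTE, SPANS)
    assert not leaked(safe, mapping)       # refuse to send if anything survived
    print(safe)
    print(reidentify("Pt [NAME_001], onset [DATE_002].", mapping))
    mapping.clear()                        # mapping is discarded after the response
```

The `leaked` check only catches an occurrence of an already-mapped value that the spans missed; an identifier the detector never flagged has no mapping entry and passes through unnoticed.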
What we keep, and what we don’t
We do store
- Saved notes a clinician explicitly chose to save to a project, encrypted at rest.
- User account information (email, name) for sign-in.
- Usage counters for rate limiting and aggregate business metrics.
- Application and AWS audit logs. These never contain actual patient data.
We do NOT store
- Raw clinical transcripts. Processed and returned, not persisted unless explicitly saved.
- The mapping between placeholder tokens and real patient identifiers.
- Any data shared with the language model or the model’s provider.
What we never do
- Share PHI with any third party outside of AWS.
- Use your data to train any AI model. AWS Bedrock is contractually prohibited from doing so.
- Sell or rent your data.
- Use your data for marketing or advertising.
Your rights as an individual patient
Under HIPAA, individuals exercise their rights through their healthcare provider (the Covered Entity), not directly with ScribeGo.ai. These include the right to:
- Request access to your health information.
- Request amendments to your health information.
- Request an accounting of disclosures.
- Request restrictions on how your health information is used.
- File a complaint about privacy practices.
To exercise any of these rights, contact the healthcare provider you received care from. They’ll loop us in if our participation is needed, and we’ll respond as required by their Business Associate Agreement with us.
Filing a complaint
You may file a complaint with any of the following. We will not retaliate against any individual for filing a complaint.
- Your healthcare provider: The Covered Entity you received care from.
- ScribeGo.ai directly: hello@scribego.ai. Acknowledged within 3 business days, substantive response within 30 calendar days.
- HHS Office for Civil Rights: ocrcomplaint@hhs.gov or 1-800-368-1019.