HIPAA Compliance & BAA
Last updated: February 24, 2026
1. Our Approach
Scrivify is designed with a privacy-first architecture. Rather than collecting Protected Health Information (PHI) and building safeguards around it, we have architected our platform to avoid collecting PHI in the first place. Our forms capture clinical findings and procedure details — never patient-identifying information.
2. What We Do NOT Collect
Scrivify's narrative generator does not ask for or store any of the following HIPAA identifiers:
- Patient names
- Dates of birth
- Social Security numbers
- Insurance member IDs or group numbers
- Addresses or phone numbers
- Medical record numbers
- Photographs or biometric data
- Any other HIPAA-defined patient identifiers
Our form fields are specifically designed to capture only the clinical data necessary to generate a narrative — tooth numbers, clinical observations, procedure codes, and treatment details.
3. What We Do Collect
The information Scrivify collects is limited to:
- Your account information: Name and email address for authentication and account management.
- Clinical findings: De-identified procedure details such as tooth numbers, probing depths, bone loss percentages, clinical observations, and treatment descriptions.
- Generated narratives: The AI-generated output stored in your generation history.
- Usage metadata: Timestamps, procedure types selected, and payer selections.
4. Technical Safeguards
Even though we minimize data collection, we maintain robust technical safeguards:
- All data is encrypted in transit using TLS 1.2 or higher
- Data at rest is encrypted in MongoDB Atlas using AES-256
- Authentication is managed through Clerk with secure session handling
- API communications with Anthropic use encrypted connections
- Rate limiting prevents abuse (10 generations per hour per user)
- Role-based access controls restrict database access to authorized personnel
5. Administrative Safeguards
- Access to production systems is limited to authorized team members
- Security practices are reviewed and updated regularly
- Third-party service providers are evaluated for their security posture
- Audit logs track narrative generation and account activity
6. Third-Party Processors
Scrivify relies on the following third-party services:
- Clerk — Handles user authentication and account management. Clerk processes account credentials only, not clinical data.
- Anthropic (Claude AI) — Processes clinical findings to generate narratives. Anthropic does not use API-submitted data for model training under their commercial terms. No patient identifiers are included in API requests.
- MongoDB Atlas — Provides encrypted, SOC 2-compliant database hosting for account data and generation history.
7. BAA Availability
While Scrivify's architecture is designed to avoid PHI collection, we understand that some covered entities and their compliance teams may require a Business Associate Agreement (BAA) as part of their vendor onboarding process.
We are prepared to execute BAAs with qualifying organizations. To request a BAA or discuss our compliance posture in detail, please contact us at hello@scrivify.com.
8. Your Responsibilities
As a user of Scrivify, you are responsible for:
- Not entering patient PII into the narrative generator. Our forms do not ask for it, and you should not include it in free-text fields.
- Reviewing generated narratives before adding patient-identifying information in your own systems for payer submission.
- Maintaining your own HIPAA compliance when handling the final narrative that includes patient information added outside of Scrivify.
- Securing your account credentials and reporting any unauthorized access immediately.
9. Incident Response
In the unlikely event of a security incident involving user data, Scrivify will:
- Investigate and contain the incident promptly
- Notify affected users within 72 hours of discovery, or sooner as required by applicable law
- Provide details about the nature of the incident and data potentially affected
- Take corrective measures to prevent recurrence
- Cooperate with any regulatory investigations as required by HIPAA or state breach notification laws
10. Contact Us
For questions about our HIPAA compliance practices, to request a BAA, or to report a security concern, contact us at: hello@scrivify.com