top of page

PHI and Data Protection Policy

Last Updated: 12/02/2025

 

This PHI & Data Protection Policy describes how SCRIPTOSIGHT LLC (“the Company”) protects, processes, and manages Protected Health Information (“PHI”) and electronic Protected Health Information (“ePHI”).
The Company complies with all applicable HIPAA and HITECH regulations when handling PHI on behalf of clients.

 

1. Scope & Purpose

This policy applies only to the handling of PHI/ePHI shared with the Company for the purpose of delivering transcription, analysis, research-support, or consulting services.


This page supplements our general Privacy Policy.

 

2. The Website Does Not Process PHI

Our website itself does not collect or store PHI.

However, the Company provides clients with the option to upload PHI securely as part of our services. All PHI uploads occur outside the website, through Google Workspace, which is covered under a signed Business Associate Agreement (BAA) between the Company and Google.

No PHI should be submitted through standard website forms, email, or any unencrypted channels.

 

3. Protected Health Information (PHI) We May Receive

The Company may receive PHI or ePHI only when clients intentionally share it for service delivery. Examples include, but are not limited to:

  • Patient interview transcripts

  • Audio/video recordings

  • Medical narratives

  • Research notes containing identifiable health information

We will only collect PHI necessary to provide services requested by the client, and we will not reuse or disclose PHI for any other purpose unless required by law.

 

4. Encouragement to De-Identify Data

Whenever possible, clients are strongly encouraged to de-identify their data prior to uploading.

  • If de-identification is not possible due to the nature of the service, PHI/ePHI will be handled according to HIPAA-compliant procedures described below.

  • If de-identification is possible under the nature of the service but the clients are not able to de-identify the data, we will offer de-identification for a fee.

 

If clients de-identify data before sending it to us, then:

  • We are not receiving PHI

  • We are not a Business Associate under HIPAA

  • HIPAA does not apply to that dataset

 

If we receive PHI first and then de-identify the data:

  • The data is PHI during receipt and processing

  • HIPAA applies

  • A BAA is required

  • We must protect the raw data until de-identified

  • After de-identification, we can treat the resulting dataset as non-PHI

​

5. HIPAA-Compliant Storage, Encryption & Security

All PHI/ePHI is stored exclusively in Google Workspace, which provides:

  • Encryption in transit and at rest

  • Secure cloud storage with access controls

  • HIPAA-compliant infrastructure under Google’s BAA

The Company does not store PHI locally on personal devices unless temporarily required for service delivery and only under encrypted, access-controlled conditions.

 

6. Access Control & Authentication

PHI access is restricted to authorized staff only. Authorized staff members are trained in handling PHI data. Access controls include:

  • Multi-Factor Authentication (MFA) for all accounts

  • Role-based permissions (principle of least privilege)

  • Access logging and audit trails that record who accessed what and when

  • Periodic review of access rights

No staff member may download, copy, or transfer PHI outside approved secure systems.

 

7. Business Associate Agreements (BAA)

If the Company processes PHI on behalf of any covered entity (e.g., hospitals, clinics, research organizations), a signed BAA is required prior to data transfer.

 

The Company also ensures that any subcontractors or third-party service providers with access to PHI have:

  • Their own BAAs

  • Demonstrable compliance with HIPAA requirements

We never use vendors who cannot meet HIPAA standards.

 

8. Third-Party Tools & Compliance

The Company may use the following platforms exclusively for service delivery:

  • Google Workspace (HIPAA-compliant, BAA in place)

  • Descript

  • NVivo

  • Miro

  • Google Forms

  • Azure GPT (used in a HIPAA-aligned, no-training, no-data-retention configuration when applicable)

Only tools capable of meeting HIPAA requirements will be used when PHI is involved.
No PHI is shared with any third party unless necessary for service delivery and protected under contractual obligations.

 

9. Why We Collect PHI & How It Is Used

We collect PHI strictly for:

  • Transcription

  • Qualitative or mixed-methods analysis

  • Coding and data structuring

  • Research support and consulting

  • Project-related communication

We do not:

  • Sell PHI

  • Use PHI for advertising or marketing

  • Reuse PHI for unrelated purposes

  • Disclose PHI to unauthorized third parties

 

10. Data Retention

Unless otherwise agreed in writing:

  • Raw PHI files (audio, video, documents) are retained for 30 days after project completion.

  • Transcripts are retained for 90 days unless the client requests deletion sooner.

  • Derivative outputs (e.g., de-identified reports, coded datasets) may be retained for internal quality assurance but will not include identifiable information unless specifically required.

Customized retention periods can be provided upon request.​

​

11. Secure Deletion & Disposal

At the end of the retention period:

  • All PHI and ePHI are deleted using secure deletion processes compliant with NIST SP 800-88 standards.

  • Deletions are logged and verified internally.

Clients may also request deletion at any time (see Section 12).

 

12. Client Rights: Access, Correction, Deletion

Clients may request:

  • Access to PHI or derivative files we hold

  • Corrections to inaccurate information

  • Secure deletion of data

Requests must be submitted to help@scriptosight.com.
We will respond within 30 days, consistent with HIPAA and general privacy best practices.

 

13. Data Breach Policy

In the event of a suspected or confirmed breach involving PHI:

  1. The Company will immediately initiate internal incident response.

  2. Affected clients/covered entities will be notified without unreasonable delay and no later than 60 days, in accordance with HIPAA/HITECH.

  3. Notifications will include description, scope, potential impacts, and corrective measures.

  4. The Company will cooperate fully with required regulatory reporting.

 

14. Staff Training & Security Audits

To maintain HIPAA compliance, the Company conducts:

  • Annual HIPAA training for all staff with PHI access

  • Periodic risk assessments

  • Technical and administrative security audits

  • Internal policy reviews and updates

 

15. Marketing Emails & Optional Communications

The Company may offer optional updates, newsletters, or marketing content.
Participation is opt-in only.
PHI is never used for marketing purposes under any circumstances.

 

16. Cookies & Tracking Technologies

Our website may use cookies or analytics tools for operational purposes (e.g., website performance).
These technologies never collect PHI and are not linked to PHI uploaded through secure Google Workspace channels.

 

17. De-Identified and Anonymized Data

The Company may, with client permission, retain or use fully de-identified information for:

  • Quality improvement

  • Methodology development

  • Training internal staff

No de-identified data will be re-identified or merged with other datasets.

 

18. Contact Information

For questions about PHI handling or privacy rights, contact:

 

SCRIPTOSIGHT LLC

Email: info@scriptosight.com
Phone: +1 866-202-0856
Address: 801 Travis Street, Suite 2101, PMB 2002, Houston, TX 77002

bottom of page