SOAP-E, LLC ("SOAP-E," "Company," "we," "us," or "our") provides an AI-assisted clinical documentation platform designed for use by licensed healthcare professionals and their organizations (the "Service").
This Privacy Policy describes how we collect, use, disclose, and safeguard information when acting solely as a Business Associate under HIPAA, and when processing limited personal information related to user accounts.
This Privacy Policy is not a Notice of Privacy Practices under HIPAA. Covered Entities are responsible for providing their own Notice of Privacy Practices to patients, as required by law.
This Policy applies to:
In the event of any conflict between this Privacy Policy and a signed Business Associate Agreement ("BAA"), the BAA controls with respect to PHI.
SOAP-E's privacy and security practices are designed to align with applicable laws and regulations, including:
Protected Health Information processed under HIPAA is exempt from most state privacy laws, including the California Consumer Privacy Act (CCPA).
State privacy law requirements, where applicable, apply only to:
When state privacy laws apply to non-PHI data, individuals may have rights to access, correct, or delete such information, subject to legal exceptions and Covered Entity approval where account data is linked to clinical services.
Compliance with healthcare privacy laws depends on lawful and appropriate use of the Service by Users and Covered Entities.
We process limited personal information necessary to create and secure user accounts, including:
OAuth access tokens are encrypted, short-lived, and used solely for authentication. SOAP-E does not access user email content, contacts, or files from OAuth providers.
Authentication through OAuth (identity verification) does not equal authorization (permission to access PHI).
Important clarifications:
SOAP-E processes PHI solely on behalf of Covered Entities for the purpose of providing clinical documentation services.
PHI may include clinical notes, observations, assessments, and related documentation content submitted by Users.
SOAP-E does not use PHI for advertising, marketing, or to train or improve general-purpose artificial intelligence models.
We process limited operational and technical data to maintain service reliability and security, including:
Operational logs are designed to exclude PHI.
We use information solely to:
SOAP-E may analyze aggregated, de-identified operational metadata to:
Such analysis does not involve the use of PHI or Customer Content to train or fine-tune general-purpose AI or foundation models.
SOAP-E does not sell or rent personal information or PHI.
SOAP-E uses the following infrastructure and service providers under executed Business Associate Agreements:
AWS does not use PHI processed through Bedrock or other AWS services to train foundation models or general-purpose AI models.
Any subcontractor that may process PHI is contractually bound to:
We may disclose information when required to do so by law, regulation, or valid legal process, including disclosures to health oversight authorities.
In the event of a merger, acquisition, or asset sale, information will remain subject to equivalent privacy protections and applicable legal restrictions.
SOAP-E implements administrative, physical, and technical safeguards designed to protect information, including:
SOAP-E personnel do not have routine access to decrypted PHI, except as required for:
All such access is subject to strict access controls, audit logging, and oversight.
No system can be guaranteed to be completely secure. While SOAP-E implements industry-standard safeguards, you acknowledge and accept residual security risks inherent in electronic data processing and transmission.
SOAP-E acts solely as a Business Associate under HIPAA.
To the extent SOAP-E maintains PHI in a Designated Record Set on behalf of a Covered Entity, SOAP-E will support Covered Entity obligations related to:
Requests regarding patient rights should generally be directed to the Covered Entity.
Data retention is governed by the following hierarchy of controlling documents:
SOAP-E retains information only as necessary to provide the Service, meet contractual obligations, and comply with applicable law.
Retention periods may vary based on:
SOAP-E does not independently determine medical record retention obligations — such determinations remain the responsibility of the Covered Entity.
Upon termination of services, PHI will be handled in accordance with BAA requirements:
Users may:
Requests involving PHI may be subject to Covered Entity approval and legal requirements.
The Service is hosted in the United States. Authorized remote access may occur from approved jurisdictions under strict access controls and audit logging.
SOAP-E maintains an incident response program designed to identify, contain, and remediate security incidents.
In the event of a Breach of Unsecured PHI, SOAP-E will notify affected Covered Entities without unreasonable delay and in accordance with HIPAA Breach Notification Rule requirements.
We may update this Privacy Policy from time to time. Material changes will be communicated through the Service or by other appropriate means.
Questions or concerns may be directed to:
Email: support@soap-e.com
By using the Service, you acknowledge that you have read and understood this Privacy Policy.
Questions about this Privacy Policy? Contact our Privacy Officer at support@soap-e.com