Doctora is built from the ground up to protect patient health information (PHI). This article explains how we handle your data, who can access it, and what safeguards are in place.
HIPAA Compliance
Doctora is fully HIPAA compliant. Every layer of the platform--from audio capture in the Chrome extension to data storage in the cloud--is designed to meet the requirements of the HIPAA Privacy Rule and Security Rule.
We maintain administrative, physical, and technical safeguards including encryption, access controls, audit logging, and workforce training. Our engineering practices follow strict PHI-handling guidelines: patient-identifiable information is never written to application logs, and all logging uses HIPAA-safe utilities that record only operational metadata.
Business Associate Agreement (BAA)
Doctora signs a Business Associate Agreement with every practice during onboarding. The BAA establishes our legal obligations for handling PHI on your behalf and is required before any patient data flows through the platform. If you need a copy of your BAA or have questions about its terms, contact your account manager or email support@doctora.io.
Data Encryption
All data is encrypted both in transit and at rest.
- In transit: Every connection between your browser, the Doctora extension, and our cloud servers uses TLS 1.3 encryption. This applies to audio streaming, API calls, and EHR sync traffic.
- At rest: Patient data stored in our database is encrypted using AES-256 encryption. Audio recordings are encrypted immediately upon capture, before they are written to storage.
Audio Recordings
When you start a patient encounter, the Doctora extension streams audio to our transcription service in real time. Here is how recordings are handled:
- Audio is encrypted in transit via TLS and encrypted at rest using AES-256.
- Once transcription processing is complete, audio recordings are deleted from our servers.
- Doctora does not retain raw audio files after the encounter has been processed and finalized.
- The resulting transcription text and clinical documentation are stored securely in your practice's account.
Data Retention
- Audio recordings are deleted after processing is complete. Doctora does not maintain a long-term archive of raw audio.
- Transcriptions and clinical documentation are stored according to your practice's retention needs. You maintain full ownership of your data and can request deletion at any time.
- Account data (user profiles, practice settings) is retained for the duration of your subscription.
Access Controls
Doctora uses role-based access control (RBAC) to ensure that only authorized users can view or modify patient data.
- Practice isolation: Each practice's data is fully isolated. Users in one practice cannot see patients, encounters, or documentation belonging to another practice.
- Role-based permissions: Access is scoped by user role. Doctors, staff, and billing users each see only the data relevant to their responsibilities.
- Authentication: Users authenticate through secure login. Device-level authentication is used for the Windows desktop agent, where each device is paired to a specific practice through a verified registration flow.
Who Can See Patient Data
Patient data is visible only to authenticated members of your practice who have the appropriate role. Specifically:
- Doctors can view and edit encounters, transcriptions, and clinical documentation for patients within their practice.
- Staff members can view schedule and patient information as needed for their workflow.
- Billing users can access coding and billing-related data.
Doctora employees do not have routine access to your patient data. Any access for support or debugging purposes is logged and subject to our internal access policies.
Audit Logging
All data access is tracked through audit logging. Logs capture who accessed what and when, without recording the PHI itself. This allows your practice to demonstrate compliance during audits without creating additional exposure risk.
Questions
If you have questions about our security practices or need documentation for a compliance review, contact us at support@doctora.io.