HIPAA Compliance & Security

ParrotPadMD is designed from the ground up for healthcare. Your patients' privacy is our priority.

How We Protect PHI

No Audio Storage

  • Audio is processed in memory only
  • Discarded immediately after transcription; no recordings are retained
  • Never written to disk or stored in a database

No Transcript Storage

  • Transcribed text goes directly to your cursor
  • We never see, store, or access your transcriptions
  • Text lives only in your browser, never on our servers
  • Your EHR is the system of record

No Training on PHI

  • Your dictations are never used to train AI models
  • Google Cloud's medical model is pre-trained
  • Your data doesn't improve or train the system
  • Complete data isolation per user

Business Associate Agreement (BAA)

Our BAA Coverage

ParrotPadMD has a signed Business Associate Agreement with Google Cloud covering the healthcare services we use:

  • Google Cloud Speech-to-Text API
  • Google Cloud Healthcare API
  • The Google Cloud infrastructure that processes your data

Your BAA with Us

When you sign up for Pro or use ParrotPadMD for PHI:

  1. Review the BAA at parrotpadmd.com/baa.html
  2. Accept the BAA during account setup
  3. Your acceptance is timestamped and recorded
  4. Request a countersigned copy at compliance@parrotpadmd.com

Technical Security Measures

Encryption

  • TLS 1.3 encryption for all data in transit
  • Audio leaves the browser only over encrypted HTTPS connections
  • Audio is never transmitted in plaintext

Infrastructure

  • Google Cloud infrastructure covered by SOC 2 Type II attestation reports
  • Enterprise-grade data centers
  • Automatic failover and redundancy
  • Regular security audits

Access Controls

  • Your account is authenticated via OAuth 2.0
  • Session tokens expire and are refreshed automatically
  • No shared accounts or credentials
  • Audit logging of all API calls (request metadata only; audio and transcript content are never logged)

Data Flow

Here's exactly what happens when you dictate:

1. You speak into your microphone
   ↓
2. Audio captured by Chrome (in browser memory)
   ↓
3. Audio sent via TLS 1.3 to Google Cloud Speech-to-Text
   ↓
4. Google processes audio → returns text (audio discarded)
   ↓
5. Text sent back to browser via TLS 1.3
   ↓
6. Text inserted at your cursor
   ↓
7. Text saved to your EHR (your system of record)

We never:

  • Store audio files
  • Store transcription text
  • Log PHI content
  • Train models on your data
  • Share data with third parties
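The access-control and data-flow sections above promise two things at once: every API call is audit logged, and PHI content is never logged. The example below, added here and not ParrotPadMD's own code, shows how those two promises fit together in practice. It assumes a dictation request is represented as a dict carrying the raw audio bytes and the returned transcript (field names, the `AUDIT_PEPPER` secret, and the sample event are all constructed for illustration), derives an audit record that keeps only metadata an incident responder needs, and refuses to write any record that could carry audio, transcript text, or a raw identifier.

```python
"""PHI-free audit logging for a speech-to-text API call (added example)."""
import hashlib
import hmac
import json

# Hypothetical per-deployment secret, loaded from a secret store in practice.
# Keyed hashing lets the log correlate events per account without exposing
# the account's email address.
AUDIT_PEPPER = b"replace-with-a-secret-from-your-secret-store"

# Keys that must never appear in an audit record; their presence means PHI
# or a raw identifier was copied through.
FORBIDDEN_KEYS = {"audio", "transcript", "text", "alternatives", "email", "user_id"}
MAX_STRING_LEN = 64  # free text longer than this is treated as leaked content


def pseudonymize(user_id: str) -> str:
    """Stable, non-reversible per-user token for log correlation."""
    return hmac.new(AUDIT_PEPPER, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def audit_record(event: dict) -> dict:
    """Derive the audit entry for one speech-to-text call.

    Audio and transcript are only measured (byte and character counts);
    their content is never copied into the record.
    """
    return {
        "ts": event["started_at"],
        "user": pseudonymize(event["user_id"]),
        "action": "speech_to_text",
        "request_id": event["request_id"],
        "audio_bytes": len(event["audio"]),
        "audio_ms": event["audio_ms"],
        "transcript_chars": len(event.get("transcript") or ""),
        "latency_ms": event["finished_at"] - event["started_at"],
        "status": event["status"],
    }


def contains_phi_fields(record: dict) -> bool:
    """True if the record has a forbidden key, raw bytes, or a long string.

    Run before every write so a later change to audit_record that starts
    copying the transcript or audio through cannot ship silently.
    """
    for key, value in record.items():
        if key in FORBIDDEN_KEYS:
            return True
        if isinstance(value, (bytes, bytearray)):
            return True
        if isinstance(value, str) and len(value) > MAX_STRING_LEN:
            return True
    return False


def write_audit(record: dict, sink) -> None:
    """Write one JSON line to the audit sink, or refuse if PHI could leak."""
    if contains_phi_fields(record):
        raise ValueError("refusing to log a record that may contain PHI")
    sink.write(json.dumps(record, sort_keys=True) + "\n")


# Constructed sample event: the audio bytes and transcript are fake.
SAMPLE_EVENT = {
    "request_id": "req-0001",
    "user_id": "dr.example@clinic.test",
    "started_at": 1_700_000_000_000,
    "finished_at": 1_700_000_000_850,
    "audio": b"\x00\x01" * 16000,  # stands in for 1 s of 16 kHz 16-bit PCM
    "audio_ms": 1000,
    "transcript": "Patient reports chest pain radiating to the left arm.",
    "status": "ok",
}

if __name__ == "__main__":
    import sys
    write_audit(audit_record(SAMPLE_EVENT), sys.stdout)
```

The record still answers the questions a breach investigation asks (which account, when, how much audio, how long the call took, whether it succeeded) while the check in `write_audit` turns "we never log PHI" from a policy statement into a property the log pipeline enforces on every write.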

Your Responsibilities

As a covered entity using ParrotPadMD:

  1. Accept the BAA before using with PHI
  2. Secure your device with a password or biometrics
  3. Log out when leaving shared computers
  4. Report incidents to support@parrotpadmd.com

Compliance Certifications

Our Certifications & Agreements

  • ✅ BAA with Google Cloud covering its healthcare services
  • ✅ Google Cloud infrastructure with SOC 2 Type II attestation
  • ✅ TLS 1.3 encryption in transit
  • ✅ No PHI storage policy
  • ✅ Audit logging enabled (metadata only, no PHI content)

What We Don't Do

  • ❌ Store audio recordings
  • ❌ Store transcription text
  • ❌ Train on PHI
  • ❌ Share data with advertisers
  • ❌ Process data outside the US (by default)

Frequently Asked Questions

Is ParrotPadMD HIPAA compliant?

Yes. We have a BAA with Google Cloud, store no PHI, encrypt data in transit, and keep audit logs. You accept our BAA in your account settings (see parrotpadmd.com/baa.html).

Do you store my dictations?

No. Transcribed text goes directly to your cursor. The only copy outside your EHR is your browser's local notepad, which is stored on your device and under your control; clear it before leaving a shared computer.

Can I get a BAA?

Yes. Pro users can accept our BAA at parrotpadmd.com/baa.html. Enterprise customers receive a countersigned copy.

Where is data processed?

Audio is processed by Google Cloud Speech-to-Text in the United States. No data is processed outside the US by default.

What happens if there's a breach?

We have incident response procedures. We would notify affected customers within 72 hours of discovering a breach, well inside the HIPAA Breach Notification Rule's requirement that business associates notify covered entities without unreasonable delay and no later than 60 days after discovery. Contact compliance@parrotpadmd.com to report concerns.

Contact