HIPAA Statement
Qualtranscribe is committed to compliance with the Health Insurance Portability and Accountability Act (HIPAA) to ensure the confidentiality and security of protected health information (PHI) provided during transcription services. This statement outlines our practices regarding the collection, use, and protection of PHI when you utilize our transcription services for healthcare-related content.
1. PHI Collection
We collect only the PHI necessary to complete the transcription process. This may include, but is not limited to:
Patient names and demographic details
Medical record numbers
Diagnoses, procedures, and treatment plans
Clinical notes and summaries
2. Lawful Use of PHI
All PHI is processed solely for transcription purposes and related healthcare operations as authorized by the covered entity. We do not use or disclose PHI for marketing, data mining, or any other unauthorized purpose.
3. PHI Security Measures, Technical & Physical Safeguards
We have implemented comprehensive technical, administrative, and physical safeguards to protect PHI from unauthorized access, disclosure, alteration, or destruction. These safeguards include:
256-bit AES encryption for data at rest and TLS 1.3 for data in transit
Multi-factor authentication and role-based access controls
Mandatory use of encrypted, password-protected workstations
Secure remote work environment requirements
Prohibition on accessing PHI in public locations or on shared devices
Device security protocols including automatic screen locks and full-disk encryption
Automated session timeouts and secure login protocols
Comprehensive audit logs tracking all PHI access and modifications
3a. File Transfer and Data Storage
Secure File Transfer: Clients securely upload audio and video files containing PHI through a secure, encrypted web portal using TLS 1.3. All file transfers are encrypted end-to-end during transmission. We do not accept PHI via standard email, text message, or unsecured file-sharing services. Clients requiring alternative secure transfer methods should contact us to arrange SFTP, their institution's secure file-sharing platform (e.g., Box Enterprise or SharePoint), or other approved secure protocols.
Data Storage: All PHI is stored on HIPAA-compliant infrastructure provided by Wasabi Technologies, an S3-compatible object storage provider. PHI is stored exclusively in Wasabi's us-east-1 region (N. Virginia) with AES-256 encryption at rest. PHI never leaves the United States for storage or processing purposes.
AI Processing of PHI: Qualtranscribe offers optional AI-powered services including Instant Draft (automated transcription via AssemblyAI) and Smart Insights (qualitative analysis via Anthropic Claude). For HIPAA-active accounts, audio submitted via Instant Draft is transmitted exclusively to AssemblyAI's US-hosted processing endpoints. AssemblyAI is engaged under a Business Associate Agreement. Audio is deleted from AssemblyAI's systems upon transcript completion. Smart Insights processes transcript text using Anthropic Claude, accessed via AWS Bedrock. AWS Bedrock is engaged under a Business Associate Agreement with Qualtranscribe, ensuring that all transcript content processed through Smart Insights remains within HIPAA-compliant infrastructure and is not used for model training. Clients who require that no AI tools process their PHI should select human transcription only and must not use Instant Draft or Smart Insights features. These features are clearly labeled within the platform.
Access Controls: Transcriptionists are granted time-limited access to specific files only for the duration necessary to complete transcription. Access is automatically revoked upon project completion, and all access attempts are logged for audit purposes.
4. Business Associate Agreements (BAAs)
Qualtranscribe enters into Business Associate Agreements with all covered entities prior to service initiation. These agreements confirm our commitment to HIPAA compliance and outline our responsibilities in handling PHI in accordance with applicable laws and regulations. BAAs must be executed before any PHI is shared.
5. PHI Retention and Disposal
PHI is retained only for the time necessary to fulfill the transcription request and provide quality assurance, typically not exceeding 30 days after project delivery. Once this period concludes, or upon earlier request from the covered entity, all PHI is securely deleted. We will retain PHI beyond this timeframe only when specifically instructed in writing by the covered entity or as required by law.
6. HIPAA Training and Compliance
All team members and subcontractors involved in healthcare-related transcription receive comprehensive HIPAA training upon engagement and regularly thereafter. Training covers:
Proper handling, storage, and disposal of PHI
Recognition and prevention of security incidents
Understanding of patient privacy rights
HIPAA Privacy and Security Rule obligations
6a. Geographic Operations and International Data Transfers
Qualtranscribe works with a global network of professionally trained transcriptionists to deliver high-quality, accurate transcripts with flexible turnaround times. Our subcontractors include professionals based in the United States, Canada, the United Kingdom and EMEA (Europe, Middle East, and Africa), all operating under signed Business Associate Agreements with HIPAA-compliant security protocols.
Service Options:
Standard Service: Transcription may be performed by qualified subcontractors in any of our approved locations, ensuring optimal matching of expertise, language capabilities, and turnaround requirements. All subcontractors, regardless of location, operate under signed Business Associate Agreements and follow identical HIPAA-compliant security protocols.
US-Only Service: For clients with institutional requirements, IRB restrictions, federal funding mandates, or any other requirement for domestic-only processing, all transcription is performed exclusively by US-based subcontractors with no international data transfers. All file storage and any AI processing remain within the United States. Clients requiring US-Only processing should confirm this when placing their order.
All international subcontractors:
Sign Business Associate Agreements committing to HIPAA-equivalent standards
Complete the same HIPAA compliance training as US-based staff
Follow identical security protocols for encryption, access controls, and data handling
Undergo the same vetting and quality assurance processes
7. PHI Disclosure
We do not disclose PHI to any third parties unless:
Required by law, or
With written authorization from the covered entity, or
To our subcontractors who have also signed Business Associate Agreements
8. Cooperation with Individual Rights
As a Business Associate, Qualtranscribe does not manage patient requests directly. We cooperate fully with our Covered Entity clients to facilitate patients' rights as outlined by HIPAA, including the right to access PHI, request amendments, receive an accounting of disclosures, and request restrictions on certain uses.
9. Breach Notification
In the event of a breach of unsecured PHI, Qualtranscribe will:
Conduct an immediate investigation and contain the breach
Notify the affected covered entity without unreasonable delay, and no later than 24 hours after the breach is confirmed
Provide detailed documentation of the breach, categories of data affected, affected individuals, and remediation steps taken
Report to relevant authorities as required under HIPAA breach notification rules
Offer appropriate support and assistance to the covered entity throughout the notification process
10. Audit and Monitoring
We maintain detailed audit logs of all PHI access and system activities. These logs include:
User identification and authentication records
Date and time stamps of all PHI access
Types of activities performed
System and application logs
11. Continuous Improvement
Qualtranscribe is committed to continuously improving our security posture through:
Staying current with HIPAA regulatory updates
Implementing industry best practices and standards
Ongoing staff education and training
12. Client Responsibilities and Best Practices
To maintain HIPAA compliance throughout our partnership, clients are responsible for:
Account Security:
Using strong, unique passwords for portal access
Not sharing login credentials with unauthorized individuals
Enabling multi-factor authentication when available
Logging out of the portal when not in active use
Data Minimization:
Providing only the minimum necessary PHI required for transcription
Removing unnecessary identifiers when possible before file upload
Clearly communicating any special handling requirements or restrictions
Timely Review:
Reviewing completed transcripts promptly upon delivery
Downloading and securely storing transcripts within the designated access period
Requesting any necessary revisions within the specified timeframe
Contact Information
By using our transcription services for healthcare-related content, you acknowledge and agree to the terms of this HIPAA statement. We are committed to maintaining the highest standards of PHI protection and privacy. For any inquiries or concerns related to PHI, please contact us at:
Email: support@qualtranscribe.com
Phone: 617-351-8271
Effective Date: May 8, 2025
© 2026 Qualtranscribe LLC. Services Provided Globally


