HIPAAList

Legal

Privacy Policy

Last updated June 29, 2026. Version 2026-06-29-v1.

1. Overview

This Privacy Policy explains how HIPAAList collects, uses, stores, and shares information when users visit the website, create accounts, use organization workspaces, communicate with HIPAAList, or use related services.

HIPAAList is not intended to receive or store Protected Health Information (PHI). Do not enter, upload, or submit PHI into HIPAAList.

This policy also explains, in plain language, how HIPAAList uses organization workspace information and limits what is sent to AI-assisted features.

2. Information We Collect

  • Account and identity information, such as name, email address, authentication identifiers, organization membership, and profile details provided through the account system.
  • Organization workspace records, such as profile settings, staff records, roles, documents, vendors, actions, evidence metadata, training settings, acknowledgements, reminders, exports, and audit history.
  • Files and attachments users choose to upload, subject to HIPAAList's no-PHI rule and upload restrictions.
  • Usage and technical information, such as IP address, user agent, device/browser details, pages visited, actions taken, timestamps, cookies, logs, and diagnostic data.
  • Billing and subscription metadata handled by payment or billing providers, such as plan, subscription state, payment status, and customer identifiers.
  • Support, feedback, and communications users choose to send.

3. Workspace Separation and Organization Records

HIPAAList organizes customer information by organization workspace. Records such as organization profile details, staff records, vendor records, documents, actions, training settings, reminders, exports, and audit history are treated as records for that organization.

Signed-in users access workspace information based on their organization membership and permissions. HIPAAList support or operational access, when needed, is limited to authorized purposes such as troubleshooting, security, account support, service maintenance, or legal requirements.

4. How We Use Information

HIPAAList uses organization information to provide the product features a workspace uses. For example, saved organization details may help HIPAAList suggest relevant work, prepare a document starter, remind staff about training, show a review that is due, or build an export requested by an authorized user.

  • Operate, secure, maintain, and improve HIPAAList.
  • Authenticate users, manage organization workspaces, enforce access controls, and support billing state.
  • Provide readiness workflows, document tools, training, reminders, exports, audit logs, notifications, and Assistant features.
  • Generate, tailor, or improve templates, recommendations, and AI-assisted responses within product guardrails.
  • Detect, prevent, and investigate abuse, security issues, errors, policy violations, and service misuse.
  • Communicate about service updates, support, security notices, billing, and administrative matters.
  • Comply with legal obligations and enforce terms.

5. How Information Is Shared

HIPAAList may share information with service providers that help operate the product, such as hosting, storage, authentication, billing, email, analytics, security, AI, and infrastructure providers. These providers are expected to use information only to provide services to HIPAAList.

HIPAAList may also share information when required by law, to protect rights and security, to prevent abuse, as part of a business transfer, or with a user's direction or consent.

6. AI-Assisted Features

Some HIPAAList features may use AI providers, such as OpenAI, to draft, edit, explain, classify, or organize content. Current examples include Assistant responses, Assistant intent classification, document starter tailoring, suggested document edits, and search support for finding relevant organization details.

Users must not submit PHI to AI-assisted features. HIPAAList uses product guardrails intended to reduce PHI entry and avoid legal advice, but users remain responsible for what they submit and for reviewing outputs.

AI output is a draft or suggestion. Users are responsible for reviewing, editing, approving, and deciding whether any output is appropriate for their organization.

  • HIPAAList sends limited, task-specific context for the AI feature being used.
  • HIPAAList avoids sending organization-identifying information to AI providers by default when a placeholder or general description can be used instead.
  • Reusable details such as organization names, officer names, staff names, vendor names, emails, phone numbers, URLs, and addresses should be replaced with placeholders or generalized descriptions when possible.
  • Where HIPAAList cannot safely minimize a prompt or document, the feature should ask the user to revise the content rather than sending it to AI.
  • HIPAAList AI usage records are intended to be metadata-only, such as feature, purpose, timing, model, and outcome. They should not store raw prompts, raw responses, raw provider payloads, or retrieved source text.

7. Organization-Identifying Information

Organization-identifying information is not the same as PHI, but HIPAAList still treats it as sensitive. Examples include organization names, staff names, officer names, vendor names, email addresses, domains, URLs, phone numbers, addresses, and exact locations.

HIPAAList may need exact values to show records inside the workspace, render approved documents, send messages, manage users, or produce exports requested by authorized users. For AI-assisted features, HIPAAList should prefer placeholders and general descriptions unless the exact value is needed for that specific task.

8. Documents, Exports, and Audit History

Documents, exports, acknowledgements, training records, audit history, and other workspace records are generated from the organization's own workspace information. Approved documents and exports may include exact organization details when users choose to create or approve them.

Users are responsible for reviewing workspace content before approving documents, sending messages, sharing exports, or relying on records outside HIPAAList.

9. Cookies and Similar Technologies

HIPAAList and its providers may use cookies, local storage, and similar technologies for authentication, session management, preferences, analytics, fraud prevention, and product operation.

10. Retention

HIPAAList retains information for as long as needed to provide the service, maintain organization records and audit history, comply with legal obligations, resolve disputes, enforce agreements, protect security, and support legitimate business needs.

11. Security

HIPAAList uses reasonable safeguards designed to protect information. No method of transmission or storage is perfectly secure. Users should keep credentials secure, manage workspace access carefully, and avoid submitting PHI or unnecessary sensitive information.

12. Choices and Requests

Users may update certain account or workspace information through the product. Organization administrators may manage workspace records and access. Requests about account data, privacy, or deletion should be directed through the support or contact channel made available by HIPAAList.

13. Children

HIPAAList is intended for business and organizational use and is not directed to children.

14. Changes to This Policy

HIPAAList may update this Privacy Policy. When a material update is made, HIPAAList may require users to review and accept the updated version before continuing to use the workspace.

15. Contact

Questions about this Privacy Policy should be directed through the support or contact channel made available by HIPAAList.