Privacy Policy
Effective date: April 1, 2026 · Last updated: April 1, 2026
AtlasMD, Inc. ("AtlasMD," "we," "us," or "our") operates a medical-legal clinical decision support platform available at getatlasmd.com and related services (collectively, the "Platform"). This Privacy Policy describes how we collect, use, disclose, retain, and protect information — including Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA") — when you access or use the Platform.
This Privacy Policy applies to all users of the Platform, including physicians, delegates, and administrative personnel. By accessing or using the Platform, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.
1. Information We Collect
We collect the following categories of information:
1.1 Account Information
When you create an account, we collect your full name, email address, password (hashed and salted — we never store plaintext passwords), professional credentials (including medical license number and specialty, for physician accounts), practice name, and business address. If you authenticate via Google OAuth or magic link, we receive your name and email address from the identity provider.
1.2 Protected Health Information (PHI)
You may upload medical records, diagnostic imaging reports, prior evaluation reports, treatment records, case correspondence, cover letters, and other documents that contain individually identifiable health information as defined under 45 CFR §160.103. PHI is processed solely to provide the clinical decision support services you have requested — specifically, organizing records, performing AMA Guides calculations, structuring report sections, and checking compliance with applicable regulatory requirements.
1.3 Billing Information
When you subscribe to the Platform, payment information (credit card number, expiration date, billing address) is collected and processed by our third-party payment processor, Stripe, Inc. We do not store full payment card numbers on our systems. We receive and retain a tokenized reference to your payment method, the last four digits of your card, the card brand, and transaction history for billing and accounting purposes.
1.4 Usage and Activity Data
We collect information about your interactions with the Platform, including pages viewed, features used, actions taken (such as uploading documents, generating reports, editing content, and signing off on reports), timestamps, session duration, IP address, browser type, operating system, and device identifiers. This data is used to maintain audit trails required for HIPAA compliance and medical-legal defensibility, to diagnose technical issues, and to improve the Platform.
1.5 Communications
If you contact us via email, contact forms, or other channels, we retain the content of those communications along with your contact information and any metadata necessary to respond to your inquiry and maintain records of our correspondence.
1.6 Cookies and Analytics
We use essential cookies required for Platform functionality (authentication, session management). We may use Google Analytics or similar services to collect aggregated, non-PHI usage statistics. We do not use advertising cookies or tracking pixels. No PHI is ever transmitted to analytics providers.
2. How We Use Information
2.1 Service Delivery. To provide, maintain, and improve the clinical decision support services, including record organization, impairment calculations, compliance checking, report structuring, and audit trail generation.
2.2 Account Management. To manage your account, authenticate your identity, process subscription and per-report payments, and communicate with you about your account status.
2.3 Audit and Compliance. To maintain comprehensive audit trails as required by HIPAA (45 CFR §164.312(b)) and to support the medical-legal defensibility of reports generated through the Platform. Audit logs record every access to PHI, every modification to report content, and every administrative action.
2.4 Service Communications. To send transactional communications including account verification, password resets, billing notifications, report status updates, workflow completion alerts, and security notices. These communications are essential to the service, and you cannot opt out of them.
2.5 Security. To detect, investigate, and prevent security incidents, unauthorized access, fraud, abuse, and violations of our Terms of Service.
2.6 Legal Compliance. To comply with applicable federal and state laws, regulations, legal processes, and enforceable governmental requests.
PHI is never used for marketing, advertising, product development, model training, or any purpose not directly related to delivering the services you have requested.
3. HIPAA Compliance and PHI Handling
3.1 Business Associate Status. AtlasMD operates as a Business Associate under HIPAA when processing PHI on behalf of Covered Entities. We execute Business Associate Agreements ("BAAs") with all customers who are Covered Entities or Business Associates. A BAA must be executed before any PHI is uploaded to the Platform. To request a BAA, contact security@getatlasmd.com.
3.2 Minimum Necessary Standard. We apply the HIPAA Minimum Necessary standard to all uses and disclosures of PHI. Access to PHI is limited to the specific information reasonably necessary to accomplish the intended purpose of the use, disclosure, or request.
3.3 Access Controls. PHI is protected by role-based access controls (RBAC). Physician account holders control which delegates have access to their cases. Delegates cannot access PHI beyond what is necessary for their assigned case responsibilities. AtlasMD personnel access to PHI is restricted to authorized support and engineering staff acting under confidentiality obligations and only when necessary for Platform operations.
3.4 Encryption. All PHI is encrypted at rest using AES-256 encryption and in transit using TLS 1.3. Encryption keys are managed through industry-standard key management services and are never stored alongside encrypted data.
3.5 Audit Controls. The Platform maintains a complete, tamper-resistant audit trail of all access to PHI, all modifications to report content, all administrative actions, and all authentication events, in compliance with 45 CFR §164.312(b). Audit logs are retained for a minimum of six (6) years.
3.6 Breach Notification. In the event of a breach of unsecured PHI as defined under 45 CFR §164.402, AtlasMD will notify affected Covered Entities without unreasonable delay and no later than sixty (60) days following discovery of the breach, as required under the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D). The notification will include the information specified in 45 CFR §164.410(c).
4. Use of Artificial Intelligence and Machine Learning
4.1 AI-Assisted Processing. The Platform uses artificial intelligence and machine learning technologies to organize medical records, perform AMA Guides impairment calculations, structure report sections according to applicable regulatory requirements (including CCR §39 and §41), and identify potential compliance gaps. These AI/ML capabilities are clinical decision support tools — they assist the physician but do not replace physician judgment, author clinical opinions, or make independent clinical determinations.
4.2 Physician Authorship. In accordance with California Labor Code §4628, the physician of record remains the sole author of every report generated through the Platform. The physician conducts the examination, reviews all records, exercises clinical judgment, writes all clinical opinions (including causation, apportionment, impairment, and work restrictions), and signs the report under penalty of perjury. AtlasMD provides structured documentation support — it does not participate in the nonclerical preparation of the report within the meaning of LC §4628.
4.3 AB 1293 Compliance. In compliance with California Assembly Bill 1293, physicians using AtlasMD are encouraged to disclose in their reports that structured documentation software was used for record organization and calculation support, consistent with existing disclosure practices for dictation services, calculators, and other clinical tools. AtlasMD provides model disclosure language to all subscribers.
4.4 No Model Training on PHI. PHI processed through the Platform is never used to train, fine-tune, improve, or evaluate any AI or machine learning model. PHI submitted to third-party model providers for processing is subject to zero-retention agreements — it is not stored, logged, cached, or used for any purpose beyond the immediate processing request.
5. Information Sharing and Sub-Processors
We disclose information to the following categories of third parties solely as necessary to provide the Platform:
AI/ML Processing Providers
PHI is processed by AI model providers (including Anthropic, OpenAI, and Google) under Business Associate Agreements with contractual zero-retention obligations. PHI is transmitted for real-time processing only and is not stored, cached, logged, or used for model training by any provider. A circuit breaker system ensures failover between providers without data exposure.
Infrastructure Providers
Vercel (application hosting), Neon (PostgreSQL database), Cloudflare R2 (document storage), Railway (background workflow processing), and Pinecone (vector search for regulatory knowledge). All providers are SOC 2 Type II certified, US-based, and covered by BAAs where PHI processing occurs. All data resides within the United States.
Payment Processing
Stripe, Inc. processes all payment transactions. Stripe is PCI DSS Level 1 certified. We do not receive or store full payment card numbers. Stripe's processing of your payment information is governed by Stripe's privacy policy.
Email Communications
Resend, Inc. transmits transactional emails (account verification, password resets, report notifications). Email communications do not contain PHI. Resend does not have access to case data, medical records, or report content.
We do not sell, rent, lease, trade, or otherwise disclose your personal information or PHI to third parties for their own commercial purposes. We do not share information with data brokers, advertising networks, or marketing platforms.
6. Data Retention
6.1 Account Data. Account information is retained for the duration of your active subscription and for thirty (30) days following account termination to allow for data export and account recovery.
6.2 Case Data and Reports. Case files, uploaded documents, and generated reports are retained for the duration of your active subscription. Upon termination, case data is retained for thirty (30) days and then permanently deleted unless a longer retention period is required by law or requested by you in writing.
6.3 Audit Logs. Audit trail records are retained for a minimum of six (6) years from the date of creation, in compliance with HIPAA requirements (45 CFR §164.530(j)). Audit logs cannot be deleted upon request because they constitute legally required compliance records.
6.4 PHI at Sub-Processors. PHI transmitted to AI model providers for processing is subject to contractual zero-retention obligations. PHI is not retained by model providers beyond the real-time processing window. There is no persistent storage of PHI at any model provider.
6.5 Deletion Requests. You may request deletion of your case data at any time by contacting privacy@getatlasmd.com. We will process deletion requests within thirty (30) days. Deletion of PHI does not affect the retention of audit logs, which must be maintained per HIPAA.
7. Security Measures
We implement administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of information processed through the Platform:
- AES-256 encryption at rest for all stored data, documents, and database records.
- TLS 1.3 encryption for all data in transit between clients, servers, and sub-processors.
- Role-based access control (RBAC) with physician-only sign-off enforcement at the application level.
- Multi-factor authentication (2FA) support for all accounts.
- Complete, tamper-resistant audit trail for all access to PHI and administrative actions.
- Rate limiting and anomaly detection to prevent automated attacks and unauthorized access attempts.
- Pre-signed, time-limited URLs for document access — documents are never served from publicly accessible endpoints.
- Cryptographic timing-safe token comparison for all authentication gateways.
- US data residency — all data is processed and stored within the United States.
- Regular vulnerability assessments and penetration testing.
- SOC 2 Type II certified infrastructure at every layer of the technology stack.
8. Your Rights
8.1 HIPAA Rights
If you are a patient whose PHI has been processed through the Platform, your rights with respect to that PHI are governed by HIPAA and exercised through the Covered Entity (the physician or practice) that uploaded the records, not directly through AtlasMD. AtlasMD will cooperate with Covered Entities to fulfill their obligations under HIPAA with respect to individual rights requests.
8.2 California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the right to: (a) know what personal information we collect about you and how it is used; (b) request deletion of your personal information (subject to legal retention requirements); (c) opt out of the sale of your personal information — we do not sell personal information; (d) non-discrimination for exercising your privacy rights. Note: PHI governed by HIPAA is exempt from CCPA/CPRA. To exercise your California privacy rights, contact privacy@getatlasmd.com.
8.3 General Rights
All users may: (a) access and download their personal data and case files; (b) request correction of inaccurate personal data; (c) request deletion of their account and associated data; (d) export their reports and case data in standard formats (PDF); (e) opt out of non-essential communications. To exercise any of these rights, contact privacy@getatlasmd.com.
9. Children's Privacy
The Platform is not directed at individuals under 18 years of age, and we do not knowingly collect personal information from minors. Physician users may upload clinical records pertaining to minor patients as part of legitimate medical-legal evaluations, in accordance with applicable HIPAA authorizations and state law.
10. International Data Transfers
The Platform is hosted, operated, and maintained entirely within the United States. All data — including PHI, account information, and audit logs — is processed and stored on servers located in the United States. We do not transfer data outside the United States.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will provide notice of material changes by email to the address associated with your account and/or by posting a prominent notice on the Platform at least fourteen (14) days before the effective date. Your continued use of the Platform after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. We encourage you to review this Privacy Policy periodically.
12. Contact Information
For privacy-related inquiries, data subject requests, BAA requests, or to report a privacy concern:
This Privacy Policy does not constitute legal advice. We recommend that you consult with qualified legal counsel to ensure your own compliance with applicable privacy laws and regulations.