EHR & PHI data handling
The Premium Internal Scan reads from your EHR to find revenue and operational leaks. Here is exactly how that data is accessed, minimized, used, audited, and retained — written to match what the platform actually does, not aspirational policy.
Last reviewed: May 25, 2026
Read-only
We read from your EHR. We never write back to your chart — no orders, no edits, no demographics changes.
Gated by agreement
No clinical data flows until a Business Associate Agreement and a Data-Sharing Addendum are both signed.
Minimized at the boundary
Records are de-identified the moment they arrive — before they are ever stored or analyzed.
How the data flows
Free scan (outside-in)
Reads only your public surface — website, listings, reviews. No PHI, no login, no EHR access.
Agreements
Before any internal scan, your practice signs a BAA + Data-Sharing Addendum. Both are required and recorded.
Read-only pull
We connect to your EHR via SMART-on-FHIR or a health-data network and read a curated set of resources (encounters, appointments, conditions, documents). Read-only.
Minimization
Each record is de-identified at the boundary (see below) before storage. The analysis engine and AI never see raw identifiers.
Findings
We compute operational/financial findings, benchmark them against de-identified peer distributions, and map each to a fix.
What “minimized” means, exactly
Applied at ingestion, before storage. These are the concrete transforms in the pipeline.
Append-only audit trail
Every credential access, EHR pull, and report view is written to an append-only audit log (enforced at the database level — no edits or deletes). It records who, what, when, and from where, and is retained for the HIPAA window.
Retention & residency
Scan data is retained for a configurable window (90 days by default), then hard-deleted by an automated job, with the deletion recorded in the audit log. All primary data is hosted in US-East; nothing leaves the United States unless an integration you connect requires it.
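One way the append-only audit trail and the retention job described above can fit together, as an added illustration that is not the platform's own code: SQLite stands in for the production database, and the table, trigger, and function names are hypothetical. Database triggers reject any edit or delete of audit rows, and the retention purge writes its audit record in the same transaction as the hard delete.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
# Added illustration: SQLite as a stand-in database; all names below are hypothetical.
SCHEMA = """
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    at TEXT NOT NULL, actor TEXT NOT NULL, action TEXT NOT NULL,
    source_ip TEXT NOT NULL, detail TEXT NOT NULL
);
-- Append-only: any UPDATE or DELETE on audit_log aborts the statement.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TABLE scan_data (id INTEGER PRIMARY KEY, practice TEXT, ingested_at TEXT);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def audit(db, actor, action, source_ip, detail, now):
    db.execute("INSERT INTO audit_log (at, actor, action, source_ip, detail) VALUES (?,?,?,?,?)",
               (now.isoformat(), actor, action, source_ip, detail))

def purge_expired(db, now, retention_days=90):
    """Hard-delete scan rows older than the window; log the deletion in the same transaction."""
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    with db:  # commit both statements together, or roll both back
        n = db.execute("DELETE FROM scan_data WHERE ingested_at < ?", (cutoff,)).rowcount
        audit(db, "retention-job", "hard_delete", "127.0.0.1", f"rows={n} cutoff={cutoff}", now)
    return n

def try_tamper(db):
    """Return True if the database rejected both an edit and a delete of audit rows."""
    blocked = 0
    for sql in ("UPDATE audit_log SET actor = 'nobody'", "DELETE FROM audit_log"):
        try:
            db.execute(sql)
        except sqlite3.DatabaseError:  # raised by the RAISE(ABORT, ...) triggers
            blocked += 1
    return blocked == 2

if __name__ == "__main__":
    now = datetime(2026, 5, 25, tzinfo=timezone.utc)  # constructed clock
    db = open_db()
    for rid, age in ((1, 120), (2, 30)):  # constructed sample rows, ages in days
        db.execute("INSERT INTO scan_data VALUES (?,?,?)", (rid, "demo", (now - timedelta(days=age)).isoformat()))
    print(purge_expired(db, now), try_tamper(db))
```

Triggers stop ordinary statements from altering the log; an account that can drop the triggers can still bypass them, so schema-change privileges need to be withheld from the application role as well.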
