โ† Back to Login
HIPAA

HIPAA Notice of Privacy Practices

How MentraNote handles Protected Health Information as a HIPAA Business Associate.

Effective: May 22, 2026 | 45 C.F.R. §164.520 | BAA Included
HIPAA Security Rule Compliant | HIPAA Privacy Rule Compliant | HIPAA Breach Notification Compliant | BAA Available
Table of Contents
  1. Our Role Under HIPAA
  2. Business Associate Agreement (BAA)
  3. How We Use & Disclose PHI
  4. PHI Safeguards
  5. Your Rights Regarding PHI
  6. Breach Notification
  7. Permitted Uses Without Authorization
  8. Prohibited Uses
  9. AI & PHI Policy
  10. Contact & Complaints

1. Our Role Under HIPAA

MentraNote Inc. operates as a HIPAA Business Associate (BA) under 45 C.F.R. Part 160 and Part 164 (the HIPAA Rules). As a BA, we provide EHR and practice management services to Covered Entities (licensed mental health professionals and healthcare organizations, our "Clients").

This Notice describes how we handle Protected Health Information (PHI) on behalf of our Clients. MentraNote is not itself a Covered Entity; our Clients bear primary HIPAA obligations. MentraNote supports those obligations as required under our Business Associate Agreement.

About This Notice: 45 C.F.R. §164.520 requires Covered Entities to provide a Notice of Privacy Practices to the individuals whose PHI they hold; it does not impose that requirement on Business Associates. MentraNote provides this Notice to describe how it handles PHI on behalf of its Clients and what those Clients can expect under the BAA. You must review and acknowledge this Notice before creating a MentraNote account.

2. Business Associate Agreement (BAA)

A Business Associate Agreement is a legally required contract between a Covered Entity and its Business Associates that handle PHI. By checking the BAA acknowledgment checkbox during registration, you are:

  • Entering into a binding BAA with MentraNote Inc.
  • Confirming that you are a Covered Entity or are authorized to enter a BAA on behalf of one.
  • Acknowledging that MentraNote will handle PHI subject to the terms of the BAA.
BAA Key Terms Summary

Permitted Uses: MentraNote may use or disclose PHI only to provide the contracted services, for the proper management and administration of MentraNote as a Business Associate, or as required by law.
Prohibited Uses: PHI may not be used for marketing, sold, or shared with unauthorized parties under any circumstances.
Safeguards: MentraNote implements all HIPAA-required administrative, physical, and technical safeguards for ePHI.
Breach Reporting: MentraNote will notify Clients of a breach affecting their PHI without unreasonable delay, and in no case later than 60 calendar days after discovery, as required by 45 C.F.R. §164.410.
Subcontractors: Any subcontractor that handles PHI is bound by equivalent BAA terms, as required by 45 C.F.R. §164.502(e).
Data Return/Destruction: Upon contract termination, PHI will be returned or destroyed per HIPAA requirements.

3. How We Use & Disclose PHI

MentraNote uses and discloses PHI only as necessary to provide contracted services and as permitted under the BAA and HIPAA, including:

Permitted Purposes

  • Service Delivery: Processing clinical notes, appointments, billing, and session recordings on behalf of the Covered Entity.
  • Healthcare Operations: Quality assurance, training, and accreditation activities.
  • Legal Obligation: When disclosure is required by applicable law, court order, or regulatory authority.
  • BA Management: Internal use necessary for proper management and administration of MentraNote as a Business Associate.
  • Data Export: Returning PHI to the Covered Entity upon request.

4. PHI Safeguards

MentraNote implements comprehensive safeguards as required by the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C):

Technical Safeguards

  • AES-256 encryption for all data at rest.
  • TLS 1.3 encryption for all data in transit.
  • Unique user identification with strong authentication requirements.
  • Automatic logoff after periods of inactivity.
  • Role-based access controls ensuring minimum necessary access.
  • Audit logs of all PHI access, creation, modification, and deletion.

Physical Safeguards

  • PHI stored exclusively in data centers covered by a current SOC 2 Type II report.
  • Physical access controls at all server facilities.
  • Workstation use policies for all personnel with PHI access.

Administrative Safeguards

  • Designated HIPAA Security and Privacy Officers.
  • Annual HIPAA training for all employees with PHI access.
  • Risk analysis and risk management program.
  • Sanctions policy for workforce members who violate HIPAA.
  • Incident response and breach notification procedures.

5. Your Rights Regarding PHI

Covered Entities (our Clients) have the following rights with respect to PHI processed by MentraNote:

  • Access & Export: Request a copy of all PHI held by MentraNote through your account's export tools or by contacting compliance.
  • Amendment: Request amendment of PHI records that are inaccurate or incomplete.
  • Accounting of Disclosures: Receive a list of disclosures of PHI made by MentraNote for purposes other than treatment, payment, and healthcare operations.
  • Restriction: Request restrictions on how PHI is used or disclosed.
  • Termination & Deletion: Upon contract termination, request return or certified destruction of PHI.

To exercise these rights, contact compliance@mentranote.com.

6. Breach Notification

MentraNote maintains a comprehensive Breach Notification procedure compliant with 45 C.F.R. §§164.400–414. In the event of a breach of unsecured PHI:

  • MentraNote will notify affected Clients without unreasonable delay, and in no case later than 60 calendar days after discovering the breach. A breach is treated as discovered on the first day it is known to MentraNote or, by exercising reasonable diligence, would have been known (45 C.F.R. §164.410(a)(2)).
  • Notification will include the nature of the breach, the PHI involved, the identification of each affected individual to the extent known, the steps taken to investigate, and the mitigations applied.
  • The Client (Covered Entity) is responsible for notifying affected individuals (45 C.F.R. §164.404), the media where a breach affects more than 500 residents of a state or jurisdiction (§164.406), and the Secretary of HHS (§164.408).
  • MentraNote will cooperate fully with any breach investigation.

7. Permitted Uses Without Authorization

HIPAA permits certain uses and disclosures of PHI without individual authorization. Because a Business Associate may use or disclose PHI only as its BAA permits or as required by law (45 C.F.R. §164.502(a)(3)), MentraNote may disclose PHI without Client authorization only to the extent the BAA allows and only in the following circumstances:

  • Required by Law: To comply with applicable federal, state, or local laws.
  • Public Health Activities: To report disease outbreaks, injuries, or other threats as required by public health authorities.
  • Serious Threat: To prevent or lessen a serious and imminent threat to health or safety.
  • Law Enforcement: In response to lawful orders, warrants, or subpoenas.

8. Prohibited Uses

MentraNote strictly prohibits the following uses of PHI:

  • Sale of PHI to any third party for any purpose.
  • Use of PHI for marketing or fundraising without explicit authorization.
  • Use of PHI to make employment decisions about individuals whose PHI was received.
  • Disclosure of PHI to unauthorized subcontractors or partners without equivalent BAA protections.
  • Use of PHI in ways inconsistent with the terms of the BAA or this Notice.

9. AI & PHI Policy

Critical Policy: MentraNote's AI models are NEVER trained on PHI. All AI processing of PHI occurs in real-time inference only (e.g., transcription, note generation during a session). PHI is not retained by AI systems beyond the immediate processing task, and is not used to improve, fine-tune, or train any AI model.

AI processing of PHI is conducted exclusively by HIPAA-compliant AI providers bound by appropriate data processing agreements. Any improvement of MentraNote's AI models uses only fully de-identified data that meets the requirements of 45 C.F.R. ยง164.514(b).
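The de-identification standard cited above, 45 C.F.R. §164.514(b), can be met by the Safe Harbor method in §164.514(b)(2): remove the 18 listed identifier classes and have no actual knowledge that the remainder could identify the individual. The following is an added example, not MentraNote's code, showing what a Safe Harbor pass over a structured record looks like in practice. The record field names, the sample data and the free-text patterns are assumptions for illustration; the restricted three-digit ZIP prefixes and the over-89 age rule come from the rule itself.

```python
"""Safe Harbor de-identification (45 C.F.R. 164.514(b)(2)) of a structured
clinical record. Added example, not MentraNote code; field names are assumed."""
from __future__ import annotations

import re
from datetime import date

# Three-digit ZIP prefixes that Safe Harbor requires to be reported as "000"
# because the area they cover held 20,000 or fewer people in the 2000 Census.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Direct identifiers from 164.514(b)(2)(i); the whole field is dropped.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo",
}

# Identifier shapes that leak into free text (note bodies). This is a narrow
# regex pass only: it does not catch names, so free text still needs review
# before it can be treated as de-identified.
_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "[IP]"),
    (re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"), r"[DATE \1]"),  # keep year only
]


def zip3(zip_code: str) -> str:
    """Truncate a ZIP to its first three digits, or "000" if restricted."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(prefix) < 3 or prefix in RESTRICTED_ZIP3 else prefix


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with placeholders."""
    for pattern, repl in _TEXT_PATTERNS:
        text = pattern.sub(repl, text)
    return text


def safe_harbor(record: dict, as_of: date) -> dict:
    """Return a new record with the Safe Harbor identifier classes removed."""
    out: dict = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifiers are dropped entirely
        if field == "zip":
            out["zip3"] = zip3(value)  # (ii): no geography finer than ZIP3
        elif field == "dob":
            age = age_on(value, as_of)
            if age > 89:
                # (iii): ages over 89 collapse to a single bucket, and the
                # birth year, which would reveal such an age, is withheld.
                out["age"] = "90+"
            else:
                out["age"] = age
                out["birth_year"] = value.year
        elif isinstance(value, date):
            out[field.replace("_date", "_year")] = value.year  # (iii): year only
        elif isinstance(value, str):
            out[field] = scrub_text(value)
        else:
            out[field] = value
    return out


# Constructed sample record for illustration; not real patient data.
AS_OF = date(2026, 5, 22)
SAMPLE = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "email": "jane@example.com",
    "dob": date(1931, 2, 10),
    "zip": "03601",
    "visit_date": date(2026, 5, 22),
    "diagnosis": "F41.1",
    "note": "Pt called from 555-867-5309 on 03/14/2026; follow up re: GAD.",
}
SAMPLE_YOUNG = {"dob": date(1980, 6, 1), "zip": "94110"}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE, AS_OF))
    print(safe_harbor(SAMPLE_YOUNG, AS_OF))
```

Two points the code makes explicit that the rule's text leaves implicit: the birth year is normally retainable, but for anyone over 89 it must go as well, because year plus the reporting date would reconstruct the age; and a ZIP in a low-population prefix is reported as "000", not as its own three digits. Free-text fields are the weak point of any Safe Harbor pass, which is why the scrubber is labelled as partial.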

10. Contact & Complaints

To contact MentraNote's HIPAA compliance team or to file a complaint about our privacy practices, email compliance@mentranote.com.

You also have the right to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights:

MentraNote will not retaliate against any individual who files a complaint in good faith.
