Blueprint Data Security

Is my data safe? Is Blueprint HIPAA certified? How long are my recordings stored for? Do we have a Business Associate Agreement?

Updated over a month ago

This article reviews Blueprint's data and security policies and procedures.


Privacy + Security Summary

  • Certifications and Safeguards: Blueprint is HIPAA compliant and SOC 2 Type 2 Certified, indicating our ability to set and meet strict security standards verified by an independent auditor.

  • Your BAA: Our standard BAA is agreed to as part of our terms of service when you sign up for Blueprint. For a signed version of your BAA with Blueprint click here.

  • Secure transmission and storage of data: All data is encrypted during transmission (HTTPS, SFTP) and at rest (256-bit server disk-level encryption). All data is stored in encrypted databases and data storage repositories located in the United States.

  • Recordings are Auto-Deleted: Once you record a session on Blueprint, it is automatically deleted and removed from our servers permanently upon transcription.

  • Control over your data: Upon conclusion of a recording, Blueprint produces three primary clinical artifacts: (i) transcription; (ii) session summary; (iii) clinical note. Users can choose to retain or delete these artifacts at any time. Deleted artifacts are permanently removed and irrecoverable. Admins can also choose to “auto-delete” transcripts and session summaries as desired (though certain features, such as Magic Edit, may be limited as a result).


Data Security Overview

  • All data is encrypted during transmission (HTTPS, SFTP) and at rest (256-bit server disk-level encryption).

  • All enriched data is stored in encrypted relational databases (Amazon Web Services RDS) and all raw session data (captured audio and text transcriptions) is stored in encrypted blob storage (Amazon Web Services S3).

  • Access to the AWS infrastructure is limited to members of technical staff who require it for their job function. Direct access to the relational databases requires approved access to our Virtual Private Network (VPN).

  • Access to administrative tools (such as clinical portal and internal reporting) is limited to members of staff who require it for their job function.

  • We are SOC 2 Type 2 certified by an independent auditor (report available upon request) and we have implemented administrative, technical, and physical safeguards to protect data per the HIPAA Security Rule.

  • We have BAAs in place with our subprocessors that enable our AI-powered services.

    • Deepgram: Audio transcription

    • OpenAI: LLM for generating clinical artifacts

    • Datadog: Logging and instrumentation; logs are retained for only 15 days


Data Used to Measure Clinical Outcomes

  • Client demographic data and contact information is entered by clinicians either directly using our web-based portal, or via an integration with the customer’s EHR.

  • Clinicians assign assessments, worksheets, and interventions to clients either interactively or via rule-based workflows.

  • Blueprint sends text messages, emails, and/or push notifications (based on client preferences) with reminders to complete assessments.

    • These notifications include a unique-per-client link to complete assessments via a secure web page.

    • Clients are required to create an account with an email address and password to complete worksheets via our web or mobile apps.

  • Assessment, worksheet, and intervention data is stored in relational databases.

  • The transactional production database is replicated to read-only replicas for integration into internal data warehousing tools.

  • At customer request, completed assessment data is extracted daily into CSV files and placed on an SFTP server for customers to self-serve download. Access to the SFTP server is provisioned by Blueprint. Customers create their own public/private key pair and provide us the public key only; we then create SFTP users that authenticate with that public key and have access only to the specific root folder for the customer.

  • At customer request, and if the customer’s EHR is capable, individual completed assessments can be delivered in near real time via a secure webhook. Each webhook request is signed with an HMAC.
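
How a receiving EHR endpoint might check that HMAC before trusting a delivery, as an added example (not Blueprint's code). The article does not specify the scheme, so the algorithm (HMAC-SHA256), hex encoding, shared secret and payload fields below are assumptions.

```python
import hashlib
import hmac
import json

# Assumptions (not from the article): HMAC-SHA256, hex-encoded, computed over
# the raw request body and delivered in a header. The secret is constructed.
SHARED_SECRET = b"constructed-example-secret"


def sign(raw_body: bytes, secret: bytes = SHARED_SECRET) -> str:
    """Sender side: hex HMAC-SHA256 over the exact bytes put on the wire."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, signature_header, secret: bytes = SHARED_SECRET) -> bool:
    """Receiver side: authenticate the raw bytes before any parsing."""
    if not signature_header:
        return False  # unsigned requests are rejected, never treated as valid
    try:
        received = bytes.fromhex(signature_header.strip())
    except ValueError:
        return False  # malformed header is a failed check, not a crash
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, received)


def handle(raw_body: bytes, signature_header):
    """Return the parsed payload only if the signature verifies, else None."""
    if not verify_webhook(raw_body, signature_header):
        return None
    return json.loads(raw_body)


# Constructed sample delivery (field names are hypothetical).
SAMPLE_BODY = b'{"assessment":"example-assessment","score":7,"client_id":"example-123"}'
SAMPLE_SIG = sign(SAMPLE_BODY)

if __name__ == "__main__":
    print(handle(SAMPLE_BODY, SAMPLE_SIG))
    # Re-serialising the JSON changes the bytes, so the signature no longer
    # matches: always verify the body exactly as received.
    reserialized = json.dumps(json.loads(SAMPLE_BODY)).encode()
    print(verify_webhook(reserialized, SAMPLE_SIG))
```
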


Data Used to Produce Clinical Documentation

  • Client demographic data and contact information is entered by clinicians either directly using our web-based portal, or via an integration with the customer’s EHR.

  • Clinicians initiate a session recording via their web browser by granting our web portal access to the device microphone.

  • Audio files are securely transmitted from the browser to encrypted blob storage.

  • Audio files are securely transmitted to Deepgram to create a transcript. Audio files are deleted by Blueprint immediately after the transcript is returned.

    • A sampling of audio files may be retained by Deepgram and used to improve the accuracy of transcription models. All audio is handled according to HIPAA, per our BAA with Deepgram.

  • Transcripts are stored as text files in encrypted blob storage.

  • Transcript text and other metadata (such as our proprietary prompts) are transmitted to OpenAI to generate clinical notes, summaries, treatment plans, and other clinical artifacts.

    • As part of our Enterprise API agreement with OpenAI, OpenAI does not retain inputs or outputs, and they are not used for model training.

    • By default, transcript text files may be optionally retained by the customer to enable further downstream features that require access to original transcripts, such as “Magic Edit” and note re-generation.

    • If a customer chooses to not retain transcripts, the transcript text files are deleted immediately by Blueprint after the clinical artifacts are generated.

  • Clinical artifacts are then stored in the encrypted relational databases.



We're here for you!

Do you have specific data and security questions? No problem, just reach out to our support team at help@blueprint-health.com
