Privacy Policy

MedStory - Vishwamitra, LLC

Effective Date: December 1, 2024
Last Updated: December 1, 2024

Vishwamitra, LLC (“we,” “our,” or “us”) operates the MedStory iOS application (“MedStory” or “the App”). This Privacy Policy describes how we collect, use, and protect information when you use our HIPAA-compliant medical data aggregation application.

Important Notice

MedStory is designed with a fundamental principle: we do not store, retain, or exploit any patient data or medical information in any way, commercially or otherwise. All data is processed in temporary memory only and automatically expires without any persistent storage.

HIPAA Compliance

MedStory is designed and operated in full compliance with the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations. As a Business Associate to healthcare providers, we maintain the highest standards of data protection and privacy.

HIPAA Safeguards

Administrative Safeguards

  • • Workforce training and awareness
  • • Access control and management
  • • Security incident procedures
  • • Contingency planning

Physical Safeguards

  • • Device and workstation security
  • • Facility access controls
  • • Media controls and disposal
  • • Workstation use policies

Technical Safeguards

  • • AES-256 encryption for all data in memory
  • • Multi-factor authentication (PIN, biometric, phone, voice)
  • • Automatic session timeouts (30 minutes)
  • • Complete audit logging of all data operations
  • • No persistent storage of patient data
  • • Automatic data expiration (1-24 hours configurable)

Information We Collect

Patient Identification Data

To search for and retrieve medical records, we collect minimal patient identification information:

  • Patient Name: For patient identification and search
  • Date of Birth: For patient identification and search
  • Gender: For patient identification and search

Medical Records Data

Through secure EHR integrations, we temporarily access and display:

  • Patient demographics and identifiers
  • Clinical encounters and hospital stays
  • Diagnoses and chronic conditions
  • Documented allergies
  • Medications taken
  • Surgical and procedural history
  • Vaccination records
  • Lab results and vitals
  • Clinical documents

Critical: No Data Storage

All patient data and medical records are processed in temporary memory only.We do not store, retain, or save any patient information to persistent storage, cloud services, or any other data repository. All data automatically expires and is permanently deleted.

How We Use Information

We use the collected information solely for the following purposes:

  • Patient Search: To identify and locate patients in EHR systems
  • Medical Record Retrieval: To fetch and display medical records from integrated EHR systems
  • Clinical Decision Support: To provide healthcare professionals with comprehensive patient information
  • Voice Command Processing: To interpret and execute voice commands for app functionality

What We Do NOT Do

  • • We do not store any patient data permanently
  • • We do not use data for analytics or marketing
  • • We do not sell, rent, or share data with third parties
  • • We do not use data for commercial exploitation
  • • We do not create profiles or tracking mechanisms
  • • We do not use data for research without explicit consent

Data Security

Encryption & Protection

  • AES-256 Encryption: All data in memory is encrypted using industry-standard AES-256 encryption
  • Secure Authentication: Multi-factor authentication including PIN, biometric, phone, and voice verification
  • Session Management: Automatic session timeouts after 30 minutes of inactivity
  • iOS Keychain: Sensitive authentication data stored securely in iOS Keychain
  • Memory Monitoring: Real-time monitoring of memory usage with automatic cleanup

Data Lifecycle

  1. Data Retrieval: Secure FHIR API calls to EHR systems
  2. Temporary Processing: Data held in encrypted memory only
  3. Display: Organized presentation to healthcare professionals
  4. Automatic Expiration: Data automatically expires (1-24 hours configurable)
  5. Permanent Deletion: All data permanently removed from memory

Data Sharing

We maintain a strict policy of not sharing any patient data or medical information:

No Data Sharing Policy

  • • We do not share data with third-party vendors
  • • We do not share data with advertisers or marketers
  • • We do not share data with analytics providers
  • • We do not share data with research institutions
  • • We do not share data with government agencies (except as required by law)

Legal Requirements

We may disclose information only in the following limited circumstances:

  • When required by law or court order
  • To comply with HIPAA regulations and audits
  • To respond to valid legal process
  • To protect the safety and security of users

Your Rights

As a healthcare professional using MedStory, you have the following rights:

  • Access: Request information about what data we process
  • Correction: Request correction of any inaccurate information
  • Deletion: Request immediate deletion of any data in memory
  • Portability: Request data in a portable format (where applicable)
  • Restriction: Request restriction of data processing
  • Objection: Object to data processing activities

To exercise these rights, please contact us at privacy@medstory.io.

Data Retention

Zero Retention Policy

MedStory operates on a zero-retention policy for all patient data and medical information.All data is automatically deleted and permanently removed from our systems within 1-24 hours (configurable by the user), with no possibility of recovery.

Retention Periods

  • Patient Data: 1-24 hours (configurable, then permanent deletion)
  • Medical Records: 1-24 hours (configurable, then permanent deletion)
  • Authentication Logs: 7 years (for compliance and audit purposes)
  • System Logs: 7 years (for security and compliance)

Children's Privacy

MedStory is designed for use by healthcare professionals and is not intended for use by children under 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information immediately.

International Users

MedStory is designed for use within the United States and complies with U.S. healthcare privacy laws, including HIPAA. If you are accessing MedStory from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located and our central database is operated.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “Last Updated” date at the top of this policy. We encourage you to review this Privacy Policy periodically for any changes.

Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Company: Vishwamitra, LLC
Privacy Email: privacy@medstory.io
Support Email: support@medstory.io

This Privacy Policy is effective as of December 1, 2024, and is maintained by Vishwamitra, LLC.