Legal

Clinical Data Governance Policy

Effective Date: February 2026

Document Version: 1.0

This Clinical Data Governance Policy (“Policy”) establishes the standards, controls, and responsibilities governing all clinical data within the Rymeda platform operated by Rymeda, Inc. (“Rymeda,” “we,” “us”). This Policy applies to all Protected Health Information (“PHI”), electronic Protected Health Information (“ePHI”), AI-generated clinical content, voice recordings, and related data processed through the Rymeda platform.

This Policy implements the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), 45 CFR Parts 160 and 164; the California Confidentiality of Medical Information Act (“CMIA”), Cal. Civ. Code §56 et seq.; California Penal Code §632 (two-party recording consent); California AB 3030 (AI disclosure requirements); and applicable federal and state healthcare regulations.

1. Definitions

Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form or medium, as defined under 45 CFR §160.103. Includes patient demographics, clinical notes, diagnoses, medications, treatment plans, and insurance information.

Electronic Protected Health Information (ePHI): PHI that is created, received, maintained, or transmitted in electronic form, including data stored in MongoDB, Amazon S3, and transmitted via TLS 1.3 encrypted channels.

Clinical Chart: The comprehensive clinical record for a patient within an organization, containing problems (with ICD-10 codes), medications, allergies, vital signs, lab results, treatment plans, and voice report references.

Clinical Note: A structured clinical document (SOAP, progress, intake, or discharge note) that may be manually authored or AI-generated, following the status lifecycle: draft → ai_draft → reviewed → signed → amended.

Voice Note: An audio recording captured by an authorized provider, processed through the transcription pipeline (OpenAI Whisper → AI report generation → structured SOAP note), stored encrypted in Amazon S3.

Medical Report: An AI-generated clinical document derived from voice note transcription, containing a structured SOAP note, visit summary, suggested diagnoses (with ICD-10 codes and confidence scores), and follow-up recommendations.

AI Draft: Any clinical content generated or assisted by artificial intelligence, including transcriptions, SOAP notes, suggested diagnoses, and ORIS task recommendations. AI Drafts require mandatory provider review and signature before becoming part of the medical record.

Minimum Necessary Standard: The HIPAA requirement under 45 CFR §164.502(b) that covered entities and business associates limit the use, disclosure, and request of PHI to the minimum amount necessary to accomplish the intended purpose.

Tenant: A healthcare organization registered on the Rymeda platform, identified by a unique org_id. All clinical data is strictly isolated at the tenant level.

2. Scope

This Policy governs all clinical data processed within the Rymeda platform, including but not limited to:

Patient demographic and registration information
Clinical charts including problems, medications, allergies, vitals, lab results, and treatment plans
Clinical notes (SOAP, progress, intake, and discharge notes)
Voice recordings and transcriptions
AI-generated medical reports and suggested diagnoses
ORIS AI-generated tasks and daily runbooks
Secure messages between providers and patients
Clinical documents and attachments
Billing records with CPT and ICD-10 codes
Insurance claims and adjudication records
Appointment and scheduling data
Provider verification and credentialing records

This Policy applies to all Rymeda workforce members, authorized users, subprocessors, and any party that accesses, processes, or transmits clinical data through the platform.

3. Data Classification

All clinical data within Rymeda is classified into four tiers based on sensitivity, regulatory requirements, and access restrictions. Classification determines encryption standards, access controls, retention periods, and audit requirements.

Classification	Description	Platform Data Models	Encryption	Access Level
Restricted PHI	Individually identifiable health information requiring maximum protection	`ClinicalChart`, `ClinicalNote`, `VoiceNote`, `MedicalReport`, `VitalSign`, `LabResult`, `TreatmentPlan`	AES-256 at rest, TLS 1.3 in transit, per-tenant KMS keys	Clinical roles only (physician, NP, PA; scoped for RN, therapist)
Confidential ePHI	Patient identifiers and operational healthcare data	`Patient`, `InsuranceInfo`, `EmergencyContact`, `Appointment`, `SecureMessage`	AES-256 at rest, TLS 1.3 in transit	Operational roles (clinical + scheduling + billing as applicable)
Limited Data Set	PHI with direct identifiers removed but containing dates, geographic data, or other indirect identifiers per 45 CFR §164.514(e)	`Invoice`, `Claim`, `LineItem` (CPT codes), aggregated analytics	AES-256 at rest, TLS 1.3 in transit	Billing roles, org admin with data use agreement
De-Identified	Data stripped of all 18 HIPAA identifiers per 45 CFR §164.514(b), no longer considered PHI	Aggregate platform metrics, anonymized usage analytics (Plausible), de-identified research datasets	Standard encryption	Internal analytics, authorized research with DUA

Classification Assignment

Data classification is assigned automatically at the model level. All data within the ClinicalChart collection and its nested sub-documents (problems, medications, allergies, vitals, lab results, treatment plans) inherits the “Restricted PHI” classification. Reclassification requires written approval from the Privacy Officer and must follow the Safe Harbor de-identification method under 45 CFR §164.514(b)(2).

4. Data Lifecycle Management

Clinical data follows a defined lifecycle from collection through destruction. Each stage has specific controls, responsibilities, and audit requirements.

4.1 Collection

Patient data is collected through provider-initiated registration with explicit consent under CMIA §56.11
Clinical data entry is performed by authorized clinical roles through the platform interface
Voice recordings require explicit two-party consent per California Penal Code §632 prior to recording
All collection points enforce the minimum necessary standard (§164.502(b)) — only data elements required for the specific clinical purpose are requested
Data is validated at the API boundary for format, type, and completeness before storage

4.2 AI Processing

Voice Transcription: Audio uploaded to encrypted Amazon S3 → processed by OpenAI Whisper (Zero Data Retention) → transcript stored in MongoDB
Report Generation: Transcript processed by AI models (via LiteLLM routing to OpenAI GPT or Google Gemini with HIPAA BAA) → structured SOAP note, visit summary, suggested diagnoses (ICD-10 + confidence scores), and follow-up recommendations generated
ORIS AI Tasks: Clinical context analyzed by ORIS AI assistant → task recommendations generated across categories (pre_visit, documentation, follow_up, inbox, billing, compliance) with priority scoring (1–5)
Training Data Prohibition: No PHI or clinical data is used for AI model training. All AI subprocessors operate under Zero Data Retention (ZDR) agreements or equivalent contractual prohibitions

4.3 Storage

Database: Structured clinical data (charts, notes, patient records, messages) stored in MongoDB Atlas with encryption at rest (AES-256) and per-tenant logical isolation via org_id
Object Storage: Voice recordings, documents, and attachments stored in Amazon S3 with server-side encryption (SSE-KMS) using per-tenant AWS KMS keys
Secrets: API keys, credentials, and encryption keys managed through AWS Secrets Manager with automatic rotation
Backup: Automated daily backups with point-in-time recovery (RPO: 1 hour). Backups encrypted with the same AES-256 standards as primary storage

4.4 Archival

Clinical records for discharged or inactive patients are archived to long-term storage after 12 months of inactivity
Archived data retains full encryption and access controls
Archived data remains accessible for authorized clinical, legal, and regulatory purposes
Archival does not reset retention clocks — retention periods are measured from the date of last clinical activity

4.5 Destruction

Cryptographic Erasure: Primary method for encrypted data — destruction of the per-tenant KMS encryption key renders all associated data permanently unreadable
NIST 800-88 Compliant: Unencrypted data (if any) is purged following NIST Special Publication 800-88 Rev. 1 guidelines for media sanitization
S3 Lifecycle: Amazon S3 lifecycle policies enforce automatic deletion of temporary processing artifacts (transcription intermediaries, processing queues) within 24 hours
Database Purge: Logical deletion (status change) followed by physical purge after the applicable retention period and legal hold review
Destruction certificates are generated and retained for 6 years per HIPAA requirements

5. Access Control Matrix

Rymeda implements role-based access control (RBAC) with nine clinical sub-roles. Access to clinical data is governed by the principle of minimum necessary access under 45 CFR §164.502(b). Each role is assigned specific permissions that determine access to clinical charts, operational functions, and administrative capabilities.

Role	Clinical Chart Access	Operational Access	Admin Access	Data Visible
Physician	Full	Yes	No	All clinical chart data, notes, voice notes, reports, vitals, labs, medications, problems, treatment plans, appointments, messages
Nurse Practitioner (NP)	Full	Yes	No	Same as Physician
Physician Assistant (PA)	Full	Yes	No	Same as Physician
Registered Nurse (RN)	Scoped	Yes	No	Own authored notes only, vitals (read/write), medications (read), allergies (read), appointments, messages. Cannot access full chart or sign AI drafts
Therapist	Scoped	Yes	No	Own authored notes and treatment plans only, appointments, messages. Cannot access vitals, labs, or medications outside own scope
Biller	None	Billing only	No	Invoices, claims, CPT/ICD-10 codes, insurance information, payment records. Zero access to clinical charts, notes, voice notes, or medical reports
Front Desk	None	Scheduling only	No	Appointments, patient demographics (name, phone, email), provider availability. Zero access to clinical charts, notes, billing, or insurance data
Org Admin	None	Yes	Limited	Staff management, organization settings, operational reports, audit logs. Zero access to individual patient clinical data
Owner	None	Yes	Full	Full admin capabilities, organization management, billing oversight, staff management. Zero access to individual patient clinical data

Clinical Data Separation

Administrative and ownership roles (Biller, Front Desk, Org Admin, Owner) have zero access to clinical chart data by design. This separation is enforced at the API layer — requests from non-clinical roles to clinical endpoints are rejected with HTTP 403 before any data is queried. This architecture implements the minimum necessary standard and prevents inadvertent clinical data exposure to administrative staff.

5.1 Scoped Access Details

Roles with “Scoped” clinical chart access are subject to the following restrictions:

Own Notes Only: Can view and edit only clinical notes where author_id matches the authenticated user
No Chart Signing: Cannot sign AI-generated drafts or finalize clinical notes as the responsible provider
Read-Only Sections: May have read access to specific chart sections (e.g., medications, allergies) required for safe patient care, but cannot modify them
No Voice Note Access: Cannot initiate voice recordings or access AI-generated medical reports

5.2 Provider Verification Requirements

Access to clinical data requires successful identity and credential verification. Providers must complete the verification state machine: unverified → pending → npi_validated → verified. NPI numbers are validated against the CMS NPPES Registry. Providers in unverified or suspended status cannot access clinical data regardless of their assigned role.

6. AI-Generated Content Review

All AI-generated clinical content on the Rymeda platform is classified as a draft requiring mandatory human review by a qualified provider. No AI-generated content enters the permanent medical record without explicit provider authorization.

AI DRAFT — REQUIRES PROVIDER REVIEW

All AI-generated clinical content is prominently flagged with a visual indicator and the status ai_draft. This content has been generated by artificial intelligence and has NOT been reviewed or validated by a licensed healthcare provider. It must not be relied upon for clinical decision-making until reviewed and signed by an authorized provider. This disclosure requirement implements California AB 3030.

6.1 Clinical Note Lifecycle

Clinical notes follow a strict status lifecycle that ensures AI-generated content is always reviewed before becoming part of the official record:

Status	Description	Who Can Transition	Record Status
`draft`	Manually created by a provider, work in progress	Author (clinical role)	Not part of the official record
`ai_draft`	Generated by AI (from voice note transcription or ORIS), flagged with `ai_generated: true`	System (automatic on AI generation)	NOT part of the official record
`reviewed`	Provider has reviewed the content and made any necessary edits	Physician, NP, or PA (full clinical access)	Under review, not yet finalized
`signed`	Provider has authenticated and signed the note, accepting clinical responsibility. Records `signed_at` timestamp and `signed_by` provider ID	Physician, NP, or PA only	Official medical record
`amended`	Previously signed note has been amended with documented rationale. Original content preserved	Physician, NP, or PA only	Official record with amendment history

6.2 Mandatory Review Controls

No Auto-Approve: There is no mechanism for AI-generated content to bypass provider review. The system does not support automatic transition from ai_draft to signed
Provider Authentication: Signing requires the authenticated provider to be in a verified status with a role that has full clinical chart access (physician, NP, or PA)
Immutable Signature: Once signed, the signed_at and signed_by fields are immutable. Modifications after signing create an amendment, not an overwrite
AI Model Version Tracking: Every AI-generated report records the ai_model_version used, enabling traceability and reproducibility
Confidence Scores: Suggested diagnoses include confidence scores to assist provider judgment. Low-confidence suggestions are visually distinguished
Original Voice Reference: AI-generated notes maintain a link to the original_voice_note_id, allowing providers to reference the source audio during review

6.3 AI-Generated Medical Reports

Medical Reports generated from voice note transcription contain the following AI-generated components, each requiring provider validation:

Structured SOAP Note: Subjective, Objective, Assessment, and Plan sections derived from the voice transcript
Visit Summary: Narrative summary of the clinical encounter
Suggested Diagnoses: ICD-10 codes with descriptions and confidence scores — these are suggestions only and require provider confirmation
Follow-Up Recommendations: Suggested actions with timeframes and assignee recommendations

7. Voice Note Governance

Voice recordings are a core component of Rymeda’s AI-assisted clinical documentation workflow. Due to the sensitive nature of audio recordings containing PHI, voice notes are subject to enhanced governance controls.

7.1 Consent Requirements

California Two-Party Consent

California Penal Code §632 requires all-party consent for recording confidential communications. Before initiating any voice recording on the Rymeda platform, the recording provider must obtain and document explicit consent from all parties present, including the patient and any other participants in the clinical encounter.

Consent must be obtained before recording begins — retroactive consent is not valid
The platform presents a consent acknowledgment prompt to the provider before the recording interface activates
Consent documentation is stored as part of the patient record and linked to the voice note
Patients may withdraw consent at any time, at which point the recording must cease immediately
Telehealth sessions via 100ms video incorporate recording consent into the session initiation workflow

7.2 Transcription Pipeline

Voice notes are processed through a secure, audited transcription pipeline:

Stage	Process	Status	Data Protection
1. Upload	Audio file uploaded to Amazon S3 with SSE-KMS encryption	`pending`	Encrypted at rest, access restricted to author and system
2. Transcription	Audio processed by OpenAI Whisper API (Zero Data Retention)	`processing`	TLS 1.3 in transit, ZDR — no data retained by OpenAI
3. Report Generation	Transcript analyzed by AI model (via LiteLLM) to generate structured SOAP note, diagnoses, and follow-ups	`generating`	HIPAA BAA with AI provider, ZDR, no training use
4. Draft Ready	AI-generated report stored in MongoDB, linked to voice note, flagged as `ai_draft`	`draft`	Encrypted at rest, access restricted to author and authorized clinical roles
5. Provider Review & Sign	Provider reviews, edits, and signs the report, transitioning it to the official medical record	`reviewed` → `signed`	Immutable once signed, full audit trail

7.3 Voice Recording Access Controls

Recording Initiation: Only providers with full clinical chart access (physician, NP, PA) can initiate voice recordings
Audio Access: Voice note audio files are accessible only to the recording author and providers with full clinical chart access within the same organization
Transcript Access: Follows the same access restrictions as the voice note audio
No Bulk Export: Voice recordings cannot be bulk-exported or downloaded outside the platform without explicit authorization and audit logging
Training Prohibition: Voice recordings and their transcriptions are never used for AI model training without explicit, separate patient authorization that meets HIPAA research authorization requirements (45 CFR §164.508(c))

8. Audit Trail & Logging

Rymeda maintains an immutable, append-only audit trail for all clinical data access, modification, and transmission events. The audit system implements the requirements of HIPAA §164.312(b) (Audit Controls) and CMIA §56.101 (automatic recording of disclosures).

8.1 Audit Record Fields

Each audit entry captures the following data elements:

Field	Description	Example
User ID	Authenticated user performing the action	`user_abc123`
Role	Clinical role at time of action	`physician`
Timestamp	UTC timestamp with millisecond precision	`2026-02-10T14:32:01.123Z`
IP Address	Source IP of the request	`203.0.113.42`
Entity Type	Data model being accessed or modified	`ClinicalNote`
Entity ID	Unique identifier of the specific record	`note_xyz789`
Action	Operation performed	`sign_note`
Organization	Tenant organization context	`org_def456`

8.2 Audited Events

The following events are automatically logged:

All clinical chart access (read, create, update) including field-level changes
Clinical note creation, editing, review, signing, and amendment
Voice note recording initiation, upload, transcription, and report generation
AI model invocation including model version, input context, and output summary
Patient record access, creation, and modification
Access denied events (unauthorized access attempts)
User authentication, session creation, and session termination
Data export and download requests
Provider verification status transitions
Role assignment and permission changes
ORIS task generation, assignment, and completion
Secure message send, read, and escalation events

8.3 Retention & Integrity

Retention Period: Audit logs are retained for a minimum of 6 years in compliance with HIPAA §164.530(j) and CMIA §56.101
Immutability: Audit records are append-only — once written, they cannot be modified, overwritten, or deleted by any user, including system administrators
Tamper Detection: Cryptographic integrity verification ensures any unauthorized modification of audit records is detectable
Centralized Logging: Audit events are streamed to AWS CloudWatch with additional long-term archival to encrypted S3 storage
Access to Audit Logs: Audit log access is restricted to Compliance Administrators and is itself logged (meta-auditing)

9. Inter-Organization Data Sharing & Tenant Isolation

Rymeda operates a multi-tenant architecture where each healthcare organization constitutes an isolated tenant. Clinical data governance requires strict boundaries between tenants to prevent unauthorized cross-organizational data access.

9.1 Tenant Isolation Architecture

Logical Isolation: Every clinical data record includes an org_id field that is validated on every database query. Cross-tenant queries are architecturally impossible — the org_id filter is applied at the data access layer before any query executes
Per-Tenant Encryption: Each organization has a dedicated AWS KMS encryption key. Even in the event of database compromise, data from one tenant cannot be decrypted using another tenant’s key
Session Binding: User sessions are bound to a specific org_id at authentication time via AWS Cognito. Session tokens cannot be used to access data in a different organization
API Enforcement: All API endpoints validate that the requested resource’s org_id matches the authenticated user’s organization before returning data

9.2 Zero Cross-Tenant Default

No Cross-Tenant Data Sharing

By default, there is zero cross-tenant data sharing. Clinical data from Organization A is never visible to, accessible by, or shared with Organization B — regardless of whether they share patients, providers, or administrative relationships. This is a foundational architectural constraint, not a configurable setting.

9.3 Patient-Authorized Sharing

In limited circumstances, clinical data may be shared between organizations when all of the following conditions are met:

The patient provides explicit, written authorization compliant with HIPAA §164.508 and CMIA §56.11
The authorization specifies the exact data elements to be shared (minimum necessary standard)
The receiving organization has a valid provider relationship with the patient
Both organizations have active, verified accounts on the Rymeda platform
The sharing event is fully logged in both organizations’ audit trails
The patient retains the right to revoke authorization at any time per §164.508(b)(5)

10. Data Quality & Integrity

Maintaining the accuracy, completeness, and integrity of clinical data is essential for patient safety and regulatory compliance. Rymeda implements the following data quality controls:

10.1 Input Validation

Schema Validation: All clinical data models are defined as Pydantic v2 schemas with strict type enforcement, required field validation, and enum constraints
Code Validation: ICD-10 diagnosis codes and CPT procedure codes are validated against recognized code sets before storage
Date Integrity: Clinical dates (onset, collection, result, scheduled) are validated for logical consistency — future dates are flagged where clinically inappropriate
NPI Verification: Provider NPI numbers are validated against the CMS NPPES Registry API, preventing unverified providers from generating clinical records

10.2 Record Integrity

Append-Only Clinical Records: Signed clinical notes cannot be deleted or overwritten. Corrections are made through the amendment process, which preserves the original content alongside the correction
Version Tracking: Clinical documents support versioning with version and previous_version_id fields, maintaining a complete change history
Status Lifecycle Enforcement: Clinical note status transitions are validated server-side — invalid transitions (e.g., ai_draft directly to signed) are rejected
Referential Integrity: Patient relationships (PatientRelationship) with status tracking (active, discharged, transferred) maintain care team context and prevent orphaned records

10.3 AI Output Quality

Confidence Scoring: AI-suggested diagnoses include numerical confidence scores, allowing providers to prioritize their review of lower-confidence suggestions
Model Versioning: Every AI-generated report records the ai_model_version, enabling quality tracking across model updates
Transcription Status: Voice note transcription includes explicit status tracking (pending, processing, completed, failed) to prevent incomplete or failed transcriptions from entering the clinical workflow
ORIS Guardrails: The ORIS AI assistant implements safety guardrails including emergency detection, blocked content filtering, off-topic rejection, and rate limiting to maintain output quality and prevent misuse

11. Clinical Data Breach Response

In the event of unauthorized access to, disclosure of, or compromise of clinical data, Rymeda follows the procedures outlined in our Breach Notification Policy and Incident Response Policy. Clinical data breaches are subject to additional requirements:

HIPAA Breach Notification Rule (45 CFR §§164.400–414) requires notification to affected individuals within 60 days
California SB 446 requires notification within 30 days for California residents
CMIA §56.36 provides additional penalties for unauthorized disclosure of medical information
Affected tenant organizations are notified immediately upon confirmed breach
Audit logs are preserved and analyzed as part of the forensic investigation
Incident types tracked include safety events, privacy breaches, complaints, and near-misses

12. Compliance & Regulatory Framework

This Clinical Data Governance Policy is designed to comply with the following regulatory requirements:

Regulation	Applicable Provisions	Policy Sections
HIPAA Privacy Rule	45 CFR §164.502(b) (minimum necessary), §164.508 (authorizations), §164.514 (de-identification)	Sections 3, 5, 9
HIPAA Security Rule	§164.312(a) (access control), §164.312(b) (audit controls), §164.312(c) (integrity), §164.312(e) (transmission security)	Sections 4, 5, 8
HIPAA Breach Notification	45 CFR §§164.400–414 (breach notification requirements)	Section 11
CMIA	Cal. Civ. Code §56 et seq. (§56.101 automatic recording, §56.11 authorization, §56.36 penalties)	Sections 7, 8, 11
CA Penal Code §632	Two-party consent for recording confidential communications	Section 7
California AB 3030	Disclosure of AI-generated healthcare content	Section 6
California SB 446	30-day breach notification for California residents	Section 11
NIST 800-88	Guidelines for media sanitization and data destruction	Section 4.5

13. Policy Review & Updates

This Policy is reviewed and updated according to the following schedule:

Annual Review: Comprehensive review of all policy sections at minimum once per calendar year
Regulatory Changes: Updated within 30 days of applicable regulatory changes at the federal or state level
Platform Changes: Updated when new clinical data models, AI capabilities, or access control modifications are implemented
Incident-Driven: Reviewed after any clinical data breach, audit finding, or compliance incident
Version Control: All policy versions are retained with effective dates, and material changes are communicated to affected users

Contact

For questions about this Clinical Data Governance Policy or to report a clinical data concern:

Legal Team

legal@rymeda.com

Related Policies

Privacy Policy →HIPAA Notice of Privacy Practices →Patient Consent & Authorization →Breach Notification Policy →Incident Response Policy →AI Transparency & Ethics Policy →Data Retention & Destruction Policy →Business Associate Agreement →Data Processing Agreement →Subprocessor List →Acceptable Use Policy →Service Level Agreement →