Privacy & Security
HIPAA & Our Privacy Practices
Medical information is among the most sensitive data you have. Here's exactly how we handle it and what protections are in place.
Last updated: April 6, 2026
๐ 256-bit AES encryption
๐ Deleted immediately after analysis
๐ซ Never sold or shared
๐ฅ HIPAA-aligned practices
Our Relationship with HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) establishes standards for protecting sensitive patient health information. HIPAA primarily applies to "covered entities" โ healthcare providers, health plans, and healthcare clearinghouses โ and their business associates.
MedClear is a consumer software tool. When you voluntarily share your own medical documents with us, you are acting as an individual consumer โ not a covered entity. This means MedClear does not operate as a HIPAA covered entity or business associate in the traditional sense.
However, we believe your medical information deserves the highest level of protection regardless of legal classification. We voluntarily follow HIPAA-aligned security practices because it's the right thing to do.
What We Do to Protect Your Information
โ
We go beyond what's legally required because your medical data deserves it.
- Encryption in transit โ all data transmitted between your device and our servers uses TLS 1.3, the same standard used by banks and financial institutions.
- Encryption at rest โ any temporarily stored data is encrypted using AES-256, the gold standard for data protection.
- Immediate deletion โ your original document is permanently and irreversibly deleted the moment analysis is complete. We never retain your raw medical documents.
- Minimum necessary access โ we follow the HIPAA principle of "minimum necessary" โ only accessing the data required to perform the analysis.
- No employee access โ your document content is processed automatically by AI systems. No MedClear employee reads your documents.
- Secure authentication โ passwords are hashed using industry-standard algorithms. We never store passwords in plain text.
- Third-party vetting โ our AI provider (Anthropic) and database provider (Supabase) both maintain strong security practices and do not use your data for training or other purposes.
What Information We Process
When you upload a medical document, here is exactly what happens:
- The document text is extracted and sent to our AI system for analysis
- The AI returns a plain-English report with identified charges and potential issues
- The original document is immediately and permanently deleted
- Only the analysis results (not the original document) are saved to your account
We never store your Social Security number, full insurance ID, or complete medical record numbers beyond what's temporarily needed for processing.
Who We Share Information With
We share your document content with exactly one party for processing:
- Anthropic โ our AI provider analyzes your document text to generate the report. Anthropic's enterprise API does not use submitted data for model training and maintains SOC 2 Type II compliance.
We do not share your medical information with insurers, employers, data brokers, advertisers, or any other third party. Ever.
Your Rights Over Your Data
- Access โ view your analysis history anytime in your account portal
- Deletion โ request complete deletion of your account and all associated data at any time
- Portability โ request a copy of your account data in a readable format
- Correction โ contact us to correct any inaccurate account information
To exercise any of these rights, email us at information@medclearpro.com. We'll respond within 5 business days.
Security Incident Response
In the unlikely event of a security incident involving your data, we will notify affected users within 72 hours of becoming aware of the breach, in accordance with applicable data breach notification laws. We will provide clear information about what happened, what data was affected, and what steps we're taking.