Privacy & compliance
HIPAA on the platform

HIPAA on the platform

How HIPAA flows through the Heartful Sprout product, plus the Notice of Privacy Practices patients receive at onboarding.

Notice of Privacy Practices

The Notice of Privacy Practices (NPP) is the formal HIPAA document patients receive at onboarding. It explains what protected health information is collected, how it can be used or shared, and the patient's rights.

Two formats available — same content, different presentation:

Effective date: April 28, 2025.

Patient rights at a glance

The NPP gives patients the right to:

  • Get an electronic or paper copy of their medical record
  • Ask to correct their record
  • Request confidential communications
  • Ask to limit what's used or shared
  • Get a list of disclosures
  • Choose someone to act for them
  • File a complaint without retaliation

How the platform uses or shares PHI

Standard HIPAA-permitted uses:

  • Treatment — sharing with other professionals who are treating the patient
  • Operations — running the practice, improving care, contacting patients
  • Billing — to health plans and other payers

Plus disclosures governed by law (public health, research, law enforcement, organ donation, court orders, etc.). The NPP enumerates each.

Consent flow on the patient app

When a patient enters your connection code, they're shown an explicit consent screen listing every data category that will share back to you. For the categories and revocation rules, see Connecting patients → HIPAA consent.

PHI handling on the platform

  • Audio captured during dictation is encrypted in transit and at rest, and auto-deleted after the note is generated.
  • Session PDFs, billing documents, and patient records are stored encrypted.
  • Access is gated by organization and per-patient permissions.

PHI rule. Don't share patient health information directly with individual Heartful Sprout team members. Use support@heartfulsprout.com — it's the HIPAA-aware channel.

OverviewData flows