← DocReport

HIPAA Notice of Privacy Practices

Effective date: May 18, 2026

Important Notice

This Notice describes how Protected Health Information ("PHI") about you may be used and disclosed and how you can access this information. Please review it carefully.

DocReport acts as a Business Associate to Covered Entities (healthcare providers, health plans, and healthcare clearinghouses) under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH"). As a Business Associate, we are required to protect the privacy and security of PHI we receive, create, or maintain on behalf of Covered Entities.

1. Who This Notice Applies To

This Notice applies to Be Smart Global, LLC (dba DocReport) and its operations relating to the storage, processing, and transmission of PHI on behalf of healthcare provider organizations and other Covered Entities that use the DocReport platform.

2. How We Use and Disclose PHI

2.1 Permitted Uses and Disclosures

As a Business Associate, we may use or disclose PHI only as permitted by our Business Associate Agreement ("BAA") with each Covered Entity and as required by law. Permitted uses include:

  • Treatment support: Processing voice recordings and clinical notes to generate SOAP notes, assessments, and plans at the direction of the Covered Entity.
  • Payment support: Generating CPT and ICD-10-CM coding suggestions, prior-authorization packets, and denial appeal letters to support billing and reimbursement.
  • Healthcare operations: Providing analytics, quality improvement reports, and documentation support services to Covered Entities.
  • Legal and compliance: Disclosing PHI as required by law, including to the Department of Health & Human Services (HHS) for compliance reviews and investigations.

2.2 Prohibited Uses

We will not:

  • Use or disclose PHI in a manner that violates HIPAA or our BAA.
  • Sell PHI to third parties.
  • Use PHI to train publicly-available AI or machine learning models.
  • Use PHI for marketing purposes without explicit authorization.

3. Minimum Necessary Standard

We use or disclose only the minimum necessary PHI to accomplish the purpose of the disclosure, in accordance with the HIPAA minimum necessary standard.

4. Your Individual Rights Regarding PHI

As the individual whose PHI is processed through the platform, you have the following rights under HIPAA. These rights must be exercised through your healthcare provider (the Covered Entity), not directly with DocReport, unless your provider directs you to contact us.

  • Right of Access: You have the right to inspect and receive a copy of your PHI maintained in a designated record set. Submit requests to your healthcare provider.
  • Right to Amend: You may request that your healthcare provider amend your PHI if you believe it is inaccurate or incomplete.
  • Right to an Accounting of Disclosures: You may request a list of disclosures of your PHI made by your provider or by DocReport on their behalf.
  • Right to Request Restrictions: You may request restrictions on certain uses and disclosures of your PHI. Your provider will relay any approved restrictions to DocReport.
  • Right to Confidential Communications: You may request that your provider communicate with you through alternative means or at an alternative location.
  • Right to File a Complaint: You have the right to file a complaint if you believe your privacy rights have been violated. See Section 7 below.

5. Data Security Safeguards

We protect PHI using the following administrative, physical, and technical safeguards:

  • Encryption: PHI is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
  • Access controls: Role-based access controls ensure only authorized personnel and systems can access PHI.
  • Audit logging: All access to and modifications of PHI are logged and monitored.
  • US-only hosting: PHI is processed and stored exclusively in US Google Cloud regions.
  • Workforce training: All personnel with access to PHI receive HIPAA training.
  • Subcontractors: Downstream subcontractors who access PHI on our behalf execute their own BAA with us.

6. Breach Notification

In the event of a breach of unsecured PHI, we will notify the affected Covered Entity within 60 days of discovery (or sooner as required by HIPAA) and will provide the information required by 45 CFR § 164.410. The Covered Entity is responsible for notifying affected individuals and HHS in accordance with HIPAA requirements.

7. Filing a Complaint

If you believe your HIPAA privacy rights have been violated, you may file a complaint with:

We will not retaliate against you for filing a complaint.

8. Business Associate Agreements

If you are a Covered Entity or Business Associate and wish to use the DocReport platform to process PHI, you must execute a BAA with us before doing so. To request a BAA, email info@be-smart-business.de with the subject line "BAA Request."

BAAs are available for all paid subscription tiers (Professional, Ultimate, and Enterprise).

9. Changes to This Notice

We reserve the right to change this Notice at any time. We will notify Covered Entities with whom we have executed BAAs of any material changes. The current version of this Notice is always available at docreport.us/us/legal/hipaa-notice.

10. Contact Us

Be Smart Global, LLC (dba DocReport)
Privacy / HIPAA Officer
Email: info@be-smart-business.de
Registered Agent: Legalinc Corporate Services Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, USA

© 2026 Be Smart Global, LLC. All rights reserved.

Privacy PolicyTerms of ServiceCookie PolicyBack to DocReport