Last Updated: June 11, 2026
Version: 2.0
Introduction
This Privacy Policy describes how Mediphant Corporation ("Mediphant," "we," "our," or "us") collects, uses, discloses, and protects information in connection with the Mediphant Guardian platform (the "Service" or "Platform").
Mediphant Guardian is a healthcare technology platform designed for healthcare organizations to securely receive, manage, and organize patient health information shared by individuals using the Mediphant consumer application.
This Privacy Policy applies to:
- Healthcare organizations that use Mediphant Guardian ("Organizations" or "Customers")
- Authorized Users (healthcare providers, staff, and other personnel authorized by the Organization)
- Connected Patients (individuals who grant Organizations access to their health data through Mediphant)
Our Commitment: We are committed to protecting the privacy and security of all information processed through the Platform in accordance with HIPAA, state privacy laws, and other applicable regulations.
HIPAA and consumer privacy laws: When Mediphant processes Protected Health Information on behalf of an Organization, that information is governed by HIPAA, the applicable Business Associate Agreement, and other healthcare privacy laws. Some state consumer privacy laws exempt PHI, medical information, or information processed by covered healthcare entities and business associates. For information not subject to HIPAA, you may have additional privacy rights depending on your state of residence, as described below.
1. Definitions
"Authorized User" means healthcare providers, administrative staff, and other personnel authorized by an Organization to access and use the Service.
"Connected Patient" means an individual who has granted an Organization access to their health data through the Mediphant consumer application.
"Organization" or "Customer" means a healthcare organization, medical practice, or healthcare provider entity that has entered into the Terms of Service and BAA with Mediphant.
"Protected Health Information" or "PHI" has the meaning set forth in 45 CFR § 160.103 and means individually identifiable health information transmitted or maintained in any form or medium by Mediphant as a Business Associate.
2. Information We Collect
2.1 From Organizations and Authorized Users
Account and Registration Information:
- Organization name, address, and contact information
- Tax identification number (EIN or SSN) and NPI numbers
- Professional license information
- Authorized User names, email addresses, job titles, and roles
- Login credentials (email and encrypted passwords)
- Payment information (credit card details processed by our payment processor)
Organization-Created Data:
- Files that may be shared with patients
- Notes, annotations, and tags related to patient care
- Communication preferences and settings
- Custom workflows and configurations
- Messages and communications within the Platform
Usage and Activity Data:
- Login times and session duration
- Features accessed and actions taken
- Clickstream data and navigation patterns
- Search queries within the Platform
- Audit logs of PHI access (required by HIPAA)
Device and Technical Information:
- IP addresses (may be anonymized for analytics)
- Browser type and version
- Operating system
- Device identifiers
- Crash logs and error reports
2.2 Information About Connected Patients
Patient Health Information: When a Connected Patient grants an Organization access through Mediphant, we process:
- Medical records, lab results, and diagnostic reports
- Medications, allergies, and medical history
- Visit summaries and clinical notes
- Health data uploaded by the patient to their Mediphant account
- Any other health information the patient has shared via Mediphant
Important: Patient Health Information is controlled by the patient through the Mediphant consumer application and shared with Organizations based on the patient's consent and connection settings. This information may constitute PHI under HIPAA when processed by Mediphant on behalf of an Organization or otherwise as required by applicable law.
Connection and Consent Data:
- Date and time the patient granted access
- Date and time the Organization accepted the connection
- Consent preferences and permissions
- Connection status (active, revoked, expired)
2.3 De-identified and Aggregated Information
We may create de-identified or aggregated information from the data we collect, in accordance with HIPAA standards. This information cannot reasonably be used to identify any individual or Organization.
3. How We Use Information
3.1 Primary Uses
We use information collected through the Service to:
- Enable Organizations to receive and access Patient Health Information shared by Connected Patients
- Facilitate secure storage and organization of health data
- Enable communication between Organizations and patients
- Process billing and payments
- Provide customer support
- Authenticate users and verify credentials
- Detect and prevent unauthorized access
- Monitor for security threats and vulnerabilities
- Maintain audit logs of PHI access as required by HIPAA
- Comply with legal and regulatory requirements
- Analyze usage patterns to improve features and functionality
3.2 Artificial Intelligence and Automated Processing
The Service may use artificial intelligence, machine learning, and automated tools to generate summaries, drafts, insights, suggestions, and other outputs that support clinical and administrative workflows. When PHI or Organization Data is processed by AI vendors or infrastructure providers, we require those providers to process the information only to provide the Service, maintain security, troubleshoot issues, comply with law, or perform other functions permitted by our agreements and applicable law.
- We do not use PHI to train general-purpose AI models
- We require vendors that process PHI to maintain appropriate contractual protections, including Business Associate Agreements or subcontractor business associate agreements where required by HIPAA
- We do not permit human review of PHI except where necessary for support, security, abuse monitoring, legal compliance, or incident response and only under appropriate confidentiality and access controls
- We configure vendor retention settings, where available, to limit retention of prompts, inputs, outputs, and logs containing PHI to the minimum period reasonably necessary to provide the Service, maintain security, troubleshoot issues, or comply with law
- AI-generated outputs must be reviewed and verified by an appropriate Authorized User before being placed into a medical record, sent to a patient, used for billing, or used to make a clinical decision
3.3 Uses We DO NOT Engage In
We do not:
- Sell Personal Information, PHI, or Organization Data to third parties
- Use PHI to train general-purpose AI models
- Use Patient Health Information for marketing purposes without proper authorization
- Share PHI with third parties except as permitted by the BAA and HIPAA
- Use data in any manner inconsistent with the purposes described in this Privacy Policy
4. How We Share Information
4.1 Sharing Patient Data with Organizations
Patient Health Information is shared with Organizations only when:
- The Connected Patient has granted the Organization access through the Mediphant consumer app, AND
- The Organization has accepted the connection
Patients control which Organizations can access their data and may revoke access at any time through the Mediphant consumer app.
4.2 Service Providers and Subcontractors
We engage third-party service providers to help us deliver the Service. These providers have access only to the minimum information necessary to perform their functions.
Current service providers include:
- Amazon Web Services (AWS): Cloud infrastructure and hosting services
- Microsoft Azure: Cloud infrastructure, hosting, and AI-related infrastructure services
- Groq: AI inference services
- Pinecone: Vector database and search infrastructure
- Payment Processors: Credit card processing (PCI-DSS compliant)
- Customer Support Tools: To provide support to Organizations
- Analytics and Monitoring Tools: For service improvement and security monitoring
All service providers that may access PHI are required to maintain appropriate contractual protections with Mediphant, including Business Associate Agreements or subcontractor business associate agreements where required by HIPAA.
4.3 Legal Compliance and Protection
We may disclose information, including PHI, when we believe in good faith that disclosure is necessary to:
- Comply with a court order, subpoena, search warrant, or other legal process
- Comply with legal or regulatory requirements
- Protect the rights, property, or safety of Mediphant, our users, or others
- Prevent or investigate potential fraud, security issues, or technical problems
- Enforce our Terms of Service or other agreements
5. Data Security
Mediphant implements comprehensive administrative, physical, and technical safeguards designed to protect information against unauthorized access, use, disclosure, alteration, and destruction. Our security program complies with the HIPAA Security Rule and industry best practices.
Administrative Safeguards:
- Security management process with regular risk assessments and risk management
- Workforce security policies and training programs
- Information access management with role-based access controls
- Security awareness and training for all personnel
- Security incident procedures and response protocols
- Contingency planning including data backup and disaster recovery
Physical Safeguards:
- Use of HIPAA-compliant cloud infrastructure with robust physical access controls enforced by our service providers
- Facility security plans and procedures
- Workstation security policies
- Device and media control procedures
Technical Safeguards:
- Encryption: AES-256 encryption for all data at rest; TLS 1.2+ for all data in transit
- Access Controls: Unique user identification, automatic logoff, and emergency access procedures
- Audit Controls: Comprehensive logging of system activity and PHI access
- Integrity Controls: Mechanisms to ensure data is not improperly altered or destroyed
- Authentication: Multi-factor authentication (MFA) for administrative access
- Transmission Security: End-to-end encryption for all data transfers
6. Data Retention
6.1 Organization Data
We retain Organization Data for as long as the Organization maintains an active account with Mediphant. Upon termination:
User-Generated Content:
- Organization-created data (notes, annotations, files, tags) will be available for export for 30 days after termination
- After 30 days, user-generated content files will be permanently deleted from our systems
- Organizations may submit a written request for their data to compliance@mediphant.com during the 30-day period
Account Records and Compliance Data:
- Account records, user profiles, metadata, connection records, and compliance-related data are retained indefinitely in a deactivated state for:
  - HIPAA compliance and audit trail requirements
  - Legal and regulatory obligations
  - Dispute resolution and fraud prevention
  - Business continuity and record-keeping purposes
- Deactivated accounts are marked as inactive and cannot access the Service
- This data may be available upon written request to compliance@mediphant.com, subject to verification and legal requirements
Backup Copies:
- Backup copies may persist for up to 90 days but will not be accessible through the Service
6.2 Patient Health Information
Important: Patient Health Information shared through the Mediphant consumer application is controlled by patients through their Mediphant account and connection settings.
- While a patient-organization connection is active, Organizations can access Patient Health Information through the Service
- When a connection is terminated, the Organization immediately loses access to Patient Health Information
- Mediphant may continue to retain Patient Health Information on behalf of the patient after the connection terminates
- Upon termination of an Organization's account, Patient Health Information is NOT provided to the Organization as part of any data export
6.3 Audit Logs and Compliance Records
We retain audit logs, access records, and other compliance documentation for at least 6 years from the date of creation or as required by applicable law, whichever is longer. This is required by HIPAA and supports our security and compliance obligations.
7. Your Rights and Choices
7.1 Rights of Organizations and Authorized Users
- Access and Correction: Organizations may access and update their account information, organization profile, and settings at any time
- Account Termination: Organizations may terminate their account at any time in accordance with the Terms of Service
- Communication Preferences: Organizations may opt out of non-essential communications
- Export of Data: Organizations may request an export of their Organization Data (exports do not include Patient Health Information)
7.2 Rights of Connected Patients
Connected Patients' rights are primarily exercised through the Mediphant consumer application. As required by HIPAA, patients have the following rights:
- Right of Access: Individuals have the right to access their PHI maintained by Mediphant
- Right to Amend: Individuals have the right to request amendments to their PHI
- Right to an Accounting of Disclosures: Individuals have the right to receive an accounting of certain disclosures of their PHI
- Right to Restrict Disclosures: Patients can control which Organizations have access to their data by managing connections
- Right to Notification of Breach: If a breach of unsecured PHI affects a patient, we will notify them in accordance with HIPAA
- Right to Complain: Individuals who believe their privacy rights have been violated may file a complaint
8. Cookies and Tracking Technologies
Mediphant Guardian uses cookies and similar tracking technologies to provide and improve the Service.
Essential Cookies: Session management and authentication, security and fraud prevention, load balancing and performance
Analytics and Performance Cookies: Understanding how Authorized Users interact with the Service, identifying bugs and performance issues, improving features and user experience
We use PostHog for product analytics, which helps us understand usage patterns and improve the Service.
We do not:
- Use advertising or marketing tracking cookies
- Allow third-party advertisers to place cookies on the Service
- Track users across unrelated websites
9. Children's Privacy
Mediphant Guardian is designed for use by healthcare organizations and their staff, not by children. We do not knowingly collect information from individuals under 18 years of age through the Guardian platform.
10. State-Specific Privacy Rights
Depending on where you live and the type of information involved, state consumer privacy laws may provide additional rights with respect to Personal Information that is not exempt from those laws. These rights generally do not apply to PHI or medical information that is governed by HIPAA, a Business Associate Agreement, or other healthcare privacy laws.
10.1 California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected about you
- Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions
- Right to Correct: You have the right to request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: We do not sell or share personal information as defined by the CCPA
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
10.2 Other U.S. State Privacy Laws
If you reside in a state with a comprehensive consumer privacy law, including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Indiana, Tennessee, New Jersey, New Hampshire, Nebraska, Kentucky, Maryland, Minnesota, or Rhode Island, you may have rights such as:
- The right to confirm whether we process your Personal Information
- The right to access, correct, or delete certain Personal Information
- The right to receive a copy of certain Personal Information in a portable format
- The right to opt out of the sale of Personal Information, targeted advertising, or certain profiling, where applicable
- The right to appeal a denial of a privacy rights request, where required by law
We do not sell Personal Information, PHI, or Organization Data, and we do not use advertising or marketing tracking cookies on Mediphant Guardian. To exercise available state privacy rights, contact compliance@mediphant.com. We may need to verify your identity and may direct requests involving PHI to the appropriate HIPAA process or covered healthcare entity.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make changes, we will update the "Last Updated" date at the top of this Privacy Policy.
If we make material changes that affect how we use or disclose PHI or that significantly affect your privacy rights, we will notify Organizations via email and through the Service at least 30 days before the changes take effect.
12. Contact Information
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact:
Privacy Officer
Mediphant Corporation
539 W Commerce St. #7718
Dallas, TX 75208
Email: compliance@mediphant.com
For HIPAA complaints, you may also contact:
U.S. Department of Health and Human Services
Office for Civil Rights
Online: https://www.hhs.gov/ocr/complaints/index.html
Phone: 1-800-368-1019
We will not retaliate against anyone for filing a HIPAA complaint.
Version History
- Version 2.0 (June 11, 2026): Updated all contact addresses from the mediphant.ai domain to mediphant.com; clarified HIPAA and state privacy law scope; added AI processing and vendor commitments; expanded state-specific privacy rights; and updated service provider disclosures. Mediphant Guardian is now available at guardian.mediphant.com.
- Version 1.0 (October 20, 2025): Initial release.