Admin and data handling guide
Use this page as a customer-facing summary of how to operate DictaFlow Medical in a HIPAA-regulated environment.
Before rollout
- Complete vendor review and execute any required Business Associate Agreement (BAA).
- Confirm users install the Medical build, not the consumer app.
- Confirm the backend is the Medical production backend and Medical & Clinical is the default work domain.
- Train users not to submit PHI through ordinary support or billing channels.
Retention, export, and deletion
DictaFlow Medical provides account export and deletion workflows for authenticated user-owned backend records. Metadata-only audit records may be retained where needed for security, legal, compliance, or BAA obligations. Customer-specific return, destruction, and retention requirements should be defined in the applicable customer agreement or BAA.
Support workflow
Support requests should include app version, platform, EHR or remote environment, and redacted error details. Do not include patient names, dates of birth, chart screenshots, note text, transcript text, audio files, or raw app data files unless an approved support workflow is in place.
Incident handling
If you suspect PHI exposure, stop the affected workflow, preserve request IDs or timestamps, and contact ryan@dictaflow.io. DictaFlow Medical can review audit/disclosure metadata and provider activity without asking for raw patient content through ordinary email.
Breach notification
Notification timing, recipients, and content for any breach of unsecured PHI should follow the applicable customer BAA and law. DictaFlow Medical's incident review process is designed to preserve evidence, identify affected accounts or workflows, stop ongoing exposure, and coordinate customer notice through the agreed channel.