Security & compliance posture for healthcare workflows.
Security, auditability, and interoperability are part of the architecture — designed for clinical environments where trust and accountability matter.
Architecture overview
Secure authentication
Architecture includes OAuth2 PKCE-based authentication, JWT-based authorization, and role-aware access controls designed for multi-clinician environments.
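The PKCE extension named above (RFC 7636) binds an authorization code to the client that started the flow: the client keeps a random code_verifier, sends only its SHA-256 challenge in the authorize request, and reveals the verifier at the token endpoint, where the server recomputes the challenge. The following is an added illustration of that derivation and check, not Scribe Mutual's own code; the function names and the S256-only policy are assumptions, and the test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets

# Illustrative PKCE helpers (RFC 7636). Function names are assumptions;
# this is not Scribe Mutual's implementation.

def b64url_nopad(raw: bytes) -> str:
    """Base64url-encode without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier(num_bytes: int = 32) -> str:
    """Client side: high-entropy code_verifier, 43..128 chars of [A-Za-z0-9-._~]."""
    if not 32 <= num_bytes <= 96:  # 32 bytes -> 43 chars, 96 bytes -> 128 chars
        raise ValueError("verifier length outside the RFC 7636 range")
    return b64url_nopad(secrets.token_bytes(num_bytes))

def make_code_challenge(code_verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return b64url_nopad(digest)

def verify_pkce(code_verifier: str, stored_challenge: str, method: str = "S256") -> bool:
    """Authorization-server side check at the token endpoint.

    Assumption: only S256 is accepted; the 'plain' method is refused because it
    exposes the verifier in the front channel.
    """
    if method != "S256":
        return False
    if not 43 <= len(code_verifier) <= 128:
        return False
    if not all(c.isalnum() or c in "-._~" for c in code_verifier):
        return False
    expected = make_code_challenge(code_verifier)
    # Constant-time comparison avoids leaking how many leading chars matched.
    return secrets.compare_digest(expected, stored_challenge)

def simulate_pkce_exchange() -> bool:
    """Walk both halves of the flow in one process, with constructed state."""
    # 1. Client generates the verifier and sends only the challenge to /authorize.
    verifier = make_code_verifier()
    authorize_params = {
        "response_type": "code",
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    # 2. Server stores the challenge against the issued authorization code.
    server_store = {"constructed-auth-code": authorize_params["code_challenge"]}
    # 3. Client redeems the code at /token, now revealing the verifier.
    token_request = {"code": "constructed-auth-code", "code_verifier": verifier}
    # 4. Server recomputes and compares before issuing the JWT.
    stored = server_store.get(token_request["code"])
    return stored is not None and verify_pkce(token_request["code_verifier"], stored)

if __name__ == "__main__":
    print("RFC 7636 vector:", make_code_challenge(
        "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"))
    print("simulated exchange ok:", simulate_pkce_exchange())
```

The practical point for a multi-clinician deployment is the server-side half: an authorization code intercepted from a browser or mobile redirect is useless without the verifier, and refusing the `plain` method keeps that guarantee intact.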
Encryption
TLS enforced for data in transit. AES-256 encryption via AWS KMS for data at rest. Key management follows AWS best practices for healthcare workloads.
Auditability
Audit logging and traceability for clinical and operational workflows. Designed to support accountability, incident response, and compliance readiness.
Interoperability-aware foundation
FHIR R4 resources, SMART on FHIR authorization, C-CDA export and ingest, and HL7 v2 ADT processing are part of the product's technical direction for standards-based data exchange.
Clinician-in-the-loop AI
AI-generated documentation is always a draft. Clinicians review, correct, and finalize every note. No autonomous clinical decisions are made by the system.
Responsible AI
- Scribe Mutual is clinical documentation assistance software. It is not intended to diagnose, treat, cure, or prevent disease.
- AI-generated content is intended to be reviewed, corrected, and finalized by a licensed clinician before use in the medical record.
- Scribe Mutual does not make autonomous clinical decisions. Clinicians remain responsible for the accuracy and completeness of all documentation.
Current posture
| Area | Public Statement |
|---|---|
| Authentication | Architecture includes OAuth2 PKCE, JWT authorization, and role-aware access |
| Encryption in transit | TLS enforced |
| Encryption at rest | AES-256 via AWS KMS |
| Audit logging | Audit logging and traceability for clinical and operational workflows |
| Row-level security | Enforced on clinical data tables |
| FHIR R4 | FHIR R4 resources are part of the product's technical direction |
| SMART on FHIR | SMART on FHIR authorization is part of the product's technical direction |
| C-CDA | C-CDA export, ingest, and validation capabilities are implemented |
| HL7 v2 | HL7 v2 ADT message processing and HL7-to-FHIR transformation are implemented |
| ONC certification | ONC 2015 Edition Cures Update certification process: in progress. Scribe Mutual is not currently ONC certified. |
| EHI export format documentation | Public reference page: /ehi-export-format. Canonical technical documentation: app.scribemutual.com/ehi-export-format/ndjson-v1. |
| HIPAA posture | Designed for HIPAA-covered workflows (HIPAA has no certification) |
What Scribe Mutual does not claim
Transparency matters. Scribe Mutual does not claim:
- HIPAA certification (HIPAA does not have a certification program)
- ONC certification (certification process is in progress but not complete)
- SOC 2 certification
- HITRUST certification
- FDA approval or clearance
- Guaranteed accuracy of AI-generated content
- Flawless model output without clinician review or verification
- Guaranteed clinical outcomes
Learn more about Scribe Mutual
If you have questions about our security approach or would like to discuss your practice's documentation needs, request a conversation.