Privacy Policy

Our commitment to protecting your healthcare data and maintaining the highest standards of medical information privacy and security.

Last Updated: January 15, 2024 | Effective Date: January 15, 2024
HIPAA Compliant
SOC 2 Type II
GDPR Compliant

Table of Contents

1. Overview

LangExtract, developed by Google, is committed to protecting the privacy and security of healthcare data processed through our medical text extraction platform. This Privacy Policy explains how we collect, use, protect, and handle medical information and other data when you use LangExtract services.

As a healthcare technology platform that processes Protected Health Information (PHI), we maintain the highest standards of data protection and comply with all applicable healthcare privacy regulations, including HIPAA, GDPR, and other international privacy laws.

Healthcare Focus

LangExtract is specifically designed for healthcare organizations and medical professionals. We understand the sensitive nature of medical data and have implemented comprehensive safeguards to ensure patient privacy and data security throughout our platform.

2. Information We Collect

2.1 Medical Text Data

When you use LangExtract services, we process medical text data that may include:

  • Clinical notes and physician documentation
  • Radiology reports and imaging study results
  • Pathology reports and laboratory findings
  • Discharge summaries and care plans
  • Consultation reports and specialist assessments
  • Other medical documentation as specified by your organization

2.2 Account and Usage Information

We collect information necessary to provide and improve our services:

  • Account registration details (name, email, organization)
  • Usage statistics and performance metrics
  • API access logs and processing records
  • Error logs and diagnostic information
  • System configuration and integration settings

2.3 Technical Information

For service optimization and security purposes:

  • IP addresses and network information
  • Browser type and operating system
  • Device identifiers and hardware specifications
  • Performance metrics and error reports

3. Medical Data Processing

3.1 PHI Handling

LangExtract processes Protected Health Information (PHI) as defined under HIPAA. We act as a Business Associate to covered entities and ensure all PHI processing complies with applicable healthcare privacy regulations.

3.2 Data Minimization

We process only the minimum amount of medical data necessary to provide our text extraction services. Our systems are designed to:

  • Automatically detect and protect PHI elements
  • Process data locally when possible to minimize transmission
  • Use anonymization and pseudonymization techniques
  • Implement role-based access controls

3.3 Processing Purposes

Medical data is processed exclusively for:

  • Extracting structured information from unstructured medical text
  • Providing clinical decision support insights
  • Generating reports and analytics as requested
  • Ensuring service quality and performance
  • Complying with legal and regulatory requirements

4. How We Use Your Information

4.1 Service Provision

We use collected information to:

  • Process medical text and extract structured data
  • Provide API access and integration support
  • Generate reports and analytics dashboards
  • Maintain service performance and reliability
  • Provide technical support and troubleshooting

4.2 Service Improvement

We may use aggregated, de-identified data to:

  • Improve AI model accuracy and performance
  • Develop new features and capabilities
  • Enhance security measures and threat detection
  • Optimize system performance and scalability

4.3 Legal Compliance

Information may be used to:

  • Comply with healthcare regulations and audits
  • Respond to legal requests and court orders
  • Investigate security incidents and breaches
  • Maintain accurate business records

5. Information Sharing

5.1 Prohibited Sharing

We do not sell, rent, or trade medical data or PHI to third parties for commercial purposes. Medical information is never used for advertising, marketing, or any non-healthcare related activities.

5.2 Authorized Sharing

We may share information only in the following circumstances:

  • With Your Organization: Processed data is returned to your healthcare organization as requested
  • Service Providers: With authorized subcontractors who assist in service delivery (under strict confidentiality agreements)
  • Legal Requirements: When required by law, regulation, or valid legal process
  • Emergency Situations: To prevent imminent harm to patients or public health

5.3 Business Associate Agreements

All sharing of PHI occurs under comprehensive Business Associate Agreements (BAAs) that ensure HIPAA compliance and establish appropriate safeguards for medical information protection.

6. Security Measures

6.1 Technical Safeguards

  • End-to-end encryption using AES-256 encryption
  • TLS 1.3 for all data transmission
  • Multi-factor authentication for all users
  • Role-based access controls and permission management
  • Automated security monitoring and threat detection

6.2 Physical Safeguards

  • Secure data centers with 24/7 monitoring
  • Biometric access controls and surveillance systems
  • Environmental controls and disaster recovery systems
  • Secure disposal of hardware and storage media

6.3 Administrative Safeguards

  • Comprehensive security policies and procedures
  • Regular security training for all personnel
  • Background checks for employees with data access
  • Incident response and breach notification procedures
  • Regular security audits and compliance assessments

7. Data Retention

7.1 Medical Data Retention

Medical data and PHI are retained only as long as necessary to provide services or as required by law. Default retention periods are:

  • Processing Data: Deleted immediately after successful extraction
  • Audit Logs: Retained for 6 years as required by HIPAA
  • Backup Data: Automatically purged according to retention schedules
  • Account Data: Retained during active service period plus 30 days

7.2 Secure Deletion

All data deletion follows NIST guidelines for secure data destruction, ensuring that deleted information cannot be recovered or reconstructed.

8. Your Rights

8.1 HIPAA Rights

As a covered entity, you maintain all HIPAA rights regarding PHI, including:

  • Right to access and receive copies of PHI
  • Right to request amendments to PHI
  • Right to request restrictions on PHI use and disclosure
  • Right to request alternative communication methods
  • Right to file complaints regarding PHI handling

8.2 Additional Privacy Rights

Depending on your jurisdiction, you may have additional rights:

  • Right to data portability
  • Right to deletion (subject to legal retention requirements)
  • Right to restrict processing
  • Right to object to processing
  • Right to withdraw consent

9. HIPAA Compliance

9.1 Business Associate Status

LangExtract operates as a HIPAA Business Associate when processing PHI on behalf of covered entities. We maintain comprehensive Business Associate Agreements with all healthcare organization clients.

9.2 Compliance Measures

  • Regular HIPAA compliance audits and assessments
  • Comprehensive workforce training on HIPAA requirements
  • Documented policies and procedures for PHI handling
  • Incident response procedures for potential breaches
  • Risk assessments and vulnerability management

9.3 Breach Notification

In the event of a data breach involving PHI, we will notify affected covered entities within 60 days and provide all necessary information for breach reporting to the Department of Health and Human Services.

10. International Data Transfers

10.1 Data Residency

For healthcare organizations with specific data residency requirements, LangExtract can be configured to process and store data within specified geographic regions to comply with local regulations.

10.2 Cross-Border Transfers

When international data transfers are necessary, we implement appropriate safeguards including:

  • Standard Contractual Clauses (SCCs) for GDPR compliance
  • Adequacy decisions where applicable
  • Additional security measures for sensitive data
  • Local data processing options where required

11. Policy Updates

This Privacy Policy may be updated periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify users of material changes through:

  • Email notifications to registered users
  • Prominent notices on our website
  • Direct communication with healthcare organization administrators
  • Updates to Business Associate Agreements as necessary

Continued use of LangExtract services after policy updates constitutes acceptance of the revised terms.

12. Contact Information

Privacy Questions & Concerns

If you have questions about this Privacy Policy, need to exercise your privacy rights, or want to report a privacy concern, please contact us:

Email: privacy@langextract.ai
Privacy Officer: privacy-officer@langextract.ai
HIPAA Compliance: hipaa@langextract.ai

Compliance Commitment

LangExtract is committed to maintaining the highest standards of healthcare data protection. We undergo regular third-party security audits, maintain comprehensive compliance certifications, and continuously monitor our systems to ensure the privacy and security of medical information.