Notice of Privacy Practices — Version 2.0 — Effective March 27, 2026
Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Apodixis, Inc.
350 E 400 S STE 54408
Salt Lake City, UT 84111
Privacy Officer: Christopher Crandall
Email: chris@apodixis.ai
Phone: TBD — phone line being established; in the interim, contact via email or mail
What is Apodixis?
Apodixis provides a clinical AI verification service used by hospitals and healthcare systems. Our service automatically checks AI-generated clinical documentation — such as notes written by AI scribes — against your medical records to identify errors, omissions, and inaccuracies before those notes become part of your permanent medical record.
Apodixis acts as a Business Associate of your healthcare provider. We only receive and use your health information because your healthcare provider has engaged our service to help ensure the accuracy of your clinical records.
1. Information We Use
When your healthcare provider uses our service, we may receive and process the following categories of Protected Health Information (PHI):
- Clinical notes: Text of AI-generated clinical notes about you
- Medications: Your current and past medications and dosages
- Allergies: Your documented allergies and reactions
- Diagnoses: Your medical diagnoses and conditions
- Laboratory results: Blood tests, urinalysis, and other laboratory values
- Vital signs: Blood pressure, heart rate, temperature, oxygen saturation, and similar measurements
- Procedures: Medical procedures documented in your record
We receive this information directly from your healthcare provider's electronic health record (EHR) system via a secure, encrypted connection.
2. How We Use Your Information
For Treatment and Health Care Operations
We use your health information to verify the accuracy of AI-generated clinical documentation. Specifically, we compare the content of AI-generated clinical notes against your existing medical record to identify discrepancies, errors, and omissions. The results are provided to your healthcare provider to review and correct the clinical note before it is finalized.
This use of your health information is part of your healthcare provider's treatment and health care operations activities.
Third-Party AI Processing
As part of our verification process, the text of your clinical note is securely transmitted to a third-party AI service (Anthropic, an artificial intelligence company) for structured analysis. This service extracts factual claims from the clinical note text so they can be compared against your medical record. Anthropic operates under a Business Associate Agreement with Apodixis.
- Your clinical note text is processed by the AI service and the results are returned to our system
- The AI service does not permanently store your clinical note text
- Your name, date of birth, and medical record number are removed from the text before it is sent to the AI service
- The AI service is prohibited from using your information to train AI models
What We Do Not Do
We will never sell your health information.
We will never use your health information for marketing without your written permission.
We will never use psychotherapy notes about you without your written permission (except as required by law).
We also do not:
- Use your health information to make treatment recommendations or diagnoses
- Share your health information with other healthcare providers (unless directed by your provider)
- Use your health information to train AI models without explicit written authorization from you and your healthcare provider
- Contact you directly for appointment reminders, treatment alternatives, or health-related benefits
- Use your health information for fundraising purposes
For Payment
We do not use your health information for payment or billing purposes. Any billing for our verification services is handled through our agreement with your healthcare provider and does not involve your individual health information.
3. Other Permitted Uses and Disclosures
In addition to the verification purpose described above, we may use or disclose your health information in the following circumstances as permitted or required by HIPAA:
Required by law: We will disclose your health information when required by federal, state, or local law.
Public health activities: We may report to public health authorities as required (for example, reporting communicable diseases).
Health oversight: We may disclose information to health oversight agencies (such as the U.S. Department of Health and Human Services) for audits, investigations, or inspections.
Judicial and administrative proceedings: We may disclose information in response to a court order or subpoena.
Law enforcement: We may disclose limited information to law enforcement in specific circumstances as permitted by law.
Research: We may use de-identified information (information from which your identity has been removed per HIPAA standards) for research without your authorization.
Serious threat to health or safety: We may disclose information if we believe it is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
4. Uses Requiring Your Authorization
The following uses require your written authorization:
- Most uses and disclosures of psychotherapy notes
- Marketing communications using your health information
- Sale of protected health information
- Use of your health information to train AI models
- Any other use or disclosure not described in this notice
You may revoke an authorization in writing at any time. Revocation does not affect actions already taken in reliance on the authorization.
5. How We Protect Your Information
Encryption: All health information is encrypted when transmitted between systems using TLS 1.2 or higher (the same standard used by banks). Health information stored in our systems is encrypted at rest using AES-256 encryption with keys managed by hardware security modules.
Hashing: We do not store your clinical note text in our long-term database. Instead, we store only a cryptographic hash (SHA-256) — a mathematical fingerprint of the text. The full text of your clinical note is never stored permanently.
Ephemeral processing: Your clinical note text is held in a temporary, encrypted cache during the time needed to complete verification (typically under 30 seconds). It is automatically deleted from our systems within a maximum of 5 minutes. Your note text is also transmitted to our AI processing partner (Anthropic) for analysis during this period; Anthropic does not permanently store the text.
Audit trail: Every access to your health information is recorded in an immutable audit log. This log is protected against tampering using cryptographic chain-linking. The log is retained for 6 years as required by HIPAA.
Access controls: Access to systems containing your health information is restricted to authorized personnel with a legitimate need. Multi-factor authentication is required for all administrative accounts.
Business Associate Agreements: All third-party vendors that process health information on our behalf are required to sign a Business Associate Agreement committing to the same level of protection before any health information is shared with them.
6. Your Rights
You have the following rights with respect to your health information that Apodixis processes. Because Apodixis processes your information on behalf of your healthcare provider, most rights are best exercised directly with your healthcare provider. We will cooperate with your healthcare provider to fulfill these rights.
6.1 Right to Access Verification Reports
You have the right to request access to the verification reports generated about your clinical notes. Contact your healthcare provider to request these reports. If your healthcare provider directs the request to us, we will provide the reports to your healthcare provider within 30 days.
6.2 Right to Request Amendment
If you believe that information in a verification report is inaccurate or incomplete, you have the right to request an amendment. Requests should be submitted to your healthcare provider, who will work with us if needed.
6.3 Right to Request Restrictions
You have the right to request restrictions on how we use or disclose your health information. We are not required to agree to a restriction unless it concerns disclosures to a health plan for payment or operations purposes and you have paid out-of-pocket in full. Contact chris@apodixis.ai to make a restriction request.
6.4 Right to Request Confidential Communications
You have the right to request that we communicate with you about your health information in a specific way or at a specific location. Because Apodixis communicates verification results to your healthcare provider (not directly to you), confidential communication requests should be directed to your healthcare provider. If you need Apodixis to accommodate a specific communication method for any correspondence related to your rights, contact chris@apodixis.ai.
6.5 Right to an Accounting of Disclosures
You have the right to receive a list of disclosures we have made of your health information (other than for treatment, payment, or healthcare operations) for the past 6 years. Contact chris@apodixis.ai to request an accounting of disclosures.
6.6 Right to a Copy of This Notice
You have the right to receive a paper copy of this Notice of Privacy Practices at any time. Contact chris@apodixis.ai to request one.
7. Our Legal Duties
We are required by law to:
- Maintain the privacy of your protected health information
- Provide you with this notice of our legal duties and privacy practices with respect to your health information
- Follow the terms of this notice currently in effect
- Notify you if there is a breach of your unsecured health information that compromises its security or privacy
When required by the HIPAA Breach Notification Rule, we will notify your healthcare provider (and, where applicable, you directly) if there is a breach of your unsecured health information. Notification will be provided without unreasonable delay and within the timeframes required by federal and state law.
8. How to File a Complaint
If you believe your privacy rights have been violated, you have the right to file a complaint with:
Apodixis Privacy Officer
Christopher Crandall
350 E 400 S STE 54408
Salt Lake City, UT 84111
Email: chris@apodixis.ai
Phone: TBD — phone line being established
U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Telephone: 1-800-368-1019
TTY: 1-800-537-7697
We will not retaliate against you for filing a complaint.
9. Changes to This Notice
We reserve the right to change the terms of this Notice of Privacy Practices. Changes will apply to health information we already hold as well as information we receive in the future. We will post the revised notice on our website (apodixis.ai) and make it available upon request. The effective date appears at the top of this notice.
10. Contact Us
For questions about this notice or your privacy rights:
Apodixis, Inc.
350 E 400 S STE 54408
Salt Lake City, UT 84111
Privacy Officer: Christopher Crandall
Email: chris@apodixis.ai
Website: apodixis.ai
This Notice of Privacy Practices is effective as of March 27, 2026. Version 2.0.