EMRDesk
Press / or Ctrl+K
Sign in
EMRDesk
Sign in
English (US)
MXDE

Privacy

Privacy Policy

Read the current document, see when it was updated, and use support if you need clarification.

Protecting the privacy of users and the integrity of the medical data housed in EMRDesk is core to the product.

By engaging with the service, organizations entrust EMRDesk with professional, operational, and potentially regulated information. That responsibility is treated as a security and compliance obligation, not a marketing claim.

Information We Collect

EMRDesk collects account and operational information needed to provide the platform. This can include user contact details, professional and practice details, and data entered or uploaded while using the service, including patient, encounter, scheduling, eligibility, claims, and billing-related information.

Technical and usage information is also collected, such as sign-in activity, pages and features used, timestamps, device or browser metadata, and service logs. Payment card transactions are processed by Stripe. EMRDesk does not store full card numbers.

How We Use Your Information

Personal and operational information is used to provide the services, including clinical, billing, eligibility, and support workflows.

Information may also be used to communicate about the service, improve product quality, maintain security, and provide customer support. EMRDesk does not sell or rent personal information to third parties.

Data Security and Privacy

EMRDesk implements administrative, technical, and physical safeguards designed to protect data from unauthorized access, disclosure, alteration, and destruction.

Security rule assessments, qualified third-party reviews, data backup systems, and disaster recovery processes are used to maintain and validate the security posture.

For HIPAA-regulated workflows, EMRDesk applies safeguards aligned with HIPAA requirements, including access controls, audit logging, and encryption controls. Claims, patient, and provider data are encrypted in transit and at rest.

  • Geofencing restrictions are used to limit access by region where appropriate.
  • VPN and dark web access controls are applied to reduce abuse.
  • reCAPTCHA protections are used on the app and patient-facing intake forms.

AI-Assisted Features and PHI Controls

EMRDesk offers optional AI-assisted features such as summarization of notes, encounters, claims, statuses, and reports. These features are not required to use EMRDesk.

  • Full opt-out is available at the account or organization level.
  • Organizations can restrict PHI from being sent to external AI processors. When enabled, EMRDesk de-identifies or suppresses PHI fields and transmits only the minimum necessary data.
  • EMRDesk maintains a Business Associate Agreement with AI processing vendors acting as Business Associates under HIPAA.
  • Vendors are not permitted to use customer data to train generalized third-party models.
  • AI requests are logged in audit trails, including who initiated the request and the scope of data involved.
  • Settings can be managed in-app under Settings > Privacy & AI or through support for organization-level changes.

Access Control Measures

EMRDesk uses role-based and clinic-scoped access controls so each user receives permissions aligned with job responsibilities.

  • Organizations can assign nurse roles that are restricted from billing tools and billing-specific information.
  • Clinical roles can still access patient information needed for care workflows.
  • Authorized administrators can review, assign, and update permissions as staffing changes.

Comprehensive Audit Trails

Detailed logs of access and activity are maintained, including sign-ins, record views, billing actions, and permission changes. These logs can be reviewed by authorized users.

Credit Card Information

EMRDesk does not store credit card information directly and uses Stripe APIs for payment processing.

Data Integrity

Validation controls are applied at points of entry across the system to support data integrity.

Breach Notification

EMRDesk maintains breach response policies consistent with HIPAA and HHS requirements for medical data incidents.

Data Retention

To comply with legal and regulatory requirements, EMRDesk retains medical and billing records for a minimum of 7 years, or longer where required by law or contract.

For terminated accounts, certain non-clinical account data may remain available for up to 30 days to support customer retrieval, after which it is securely deleted. During required retention periods, patient records are soft-deleted and access-restricted rather than immediately purged.

Your Rights

Depending on jurisdiction and the role in which EMRDesk is used, users may have rights to access, correct, export, or request deletion of personal information, subject to legal and contractual limits.

HIPAA-related access, amendment, and accounting rights for Protected Health Information are handled in accordance with HIPAA and applicable agreements. Information may be retained where required for legal compliance, patient safety, fraud prevention, or records management obligations.

Changes to this Privacy Policy

EMRDesk may update this privacy policy as the service, legal requirements, or security posture changes.

Contact

By using EMRDesk, users agree to this privacy policy. EMRDesk is built for HIPAA-aligned workflows and is committed to protecting the privacy and security of personal and operational information.

For questions, contact support@emrdesk.com.

Need help?

If you need the right trust document or support path, start here.

Support hubSystem status