Skip to main content
Quick reference for patient and team questions about recording consent, data handling, and platform security. We recommend a two-step approach that covers both intake and the moment of care.
1

Written waiver at intake

Have patients sign a written waiver as part of their intake paperwork, before the visit begins.
2

Verbal permission at the encounter

Ask the patient verbally for permission to use a note-taking tool at the start of each encounter, before activating recording.
Verify your consent workflow against applicable local, state, and federal requirements. Requirements vary by jurisdiction.

Platform FAQ

When recording is activated, the platform captures ambient audio from the patient encounter along with patient demographic data. That audio is converted into transcripts and structured clinical outputs.
Both are retained. Patient demographic data, audio recordings, transcripts, generated clinical outputs, and usage logs are all retained for 6 years.
For US-based customers, all data is processed and stored within the United States.
Data in transit is encrypted with TLS 1.2 or higher. Data at rest is encrypted with AES-256.
Access is role-based on a least-privilege model and provisioned only through documented requests. Comprehensive audit logs capture access, edits, and exports at the individual record level. Access permissions are reviewed monthly.
Commure holds a SOC 2 Type II attestation. Full security documentation is available at the Commure Trust Center.
Yes. Subprocessors are involved. All are HIPAA-compliant, have Business Associate Agreements (BAAs) in place, and undergo security reviews at least annually.
No. Models are never trained using Protected Health Information (PHI). There is no opt-out required.
The breach notification process and timeline are defined in the active Business Associate Agreement (BAA). Please refer to that document for specifics.
For additional questions, visit the Commure Trust Center.