How we handle patient data, in plain language.
Sarthi operates as a Business Associate under HIPAA. This notice explains what we collect, why, and the safeguards that sit between your patients and any system we touch.
Scope & parties
Sarthi LLC (“we,” “our,” “us”) operates a software platform that provides the operating layer for medical practices. Wherever we process Protected Health Information (PHI) on behalf of a covered entity, we do so under a signed Business Associate Agreement and the obligations described below.
HIPAA compliance
We maintain administrative, physical, and technical safeguards aligned with the HIPAA Security Rule, including the January 2025 updates. We perform vulnerability scanning at least every six months and penetration testing annually across every environment that processes PHI.
Information we collect
We collect the information a practice needs us to process on its behalf — clinical notes, encounter data, billing identifiers, scheduling metadata, and the artifacts required to submit claims. We apply minimum-necessary principles to every workflow and restrict access to the specific fields required for each task.
Data security
All PHI is encrypted in transit (TLS 1.3) and at rest (AES-256). Our infrastructure runs on Google Cloud Platform with key management, isolated tenant boundaries, automated backups, and verified disaster recovery. Access is gated by role-based controls, hardware-key MFA, and continuous audit logging.
Model training & de-identification
Customer PHI is never used to train foundation models. Any aggregate analytics we perform rely on de-identified data that satisfies HIPAA Safe Harbor or Expert Determination, and we monitor for re-identification risk when datasets are combined.
Your rights
Covered entities and patients retain all rights to access, amendment, accounting of disclosures, and restriction of use that HIPAA guarantees. Requests are honored through the covered entity or, where permitted, directly with our privacy team.
Contact
For questions about this policy, a BAA request, or a suspected incident, write to privacy@sarthi.io. We respond within two business days.