Notice of Privacy Practices
This notice describes how medical information about you may be used and disclosed, and how you can get access to this information. Please review it carefully.
Who this notice covers
Tipulim provides the software your clinic uses to schedule appointments, keep records, communicate, and (where enabled) take payments. Your clinic is the “covered entity” responsible for your care; Tipulim acts as its “business associate” under a signed agreement. This notice explains how protected health information (PHI) is handled within the platform and the rights you have under HIPAA.
How your information is used
Your PHI is used to provide care and run the clinic: booking and managing appointments, maintaining your clinical records, sending you appointment confirmations and reminders, processing payments you authorize, and, where your clinician uses it, producing visit summaries with an AI scribe. We do not sell your information, and we do not use it for marketing without your separate, explicit consent.
When information is disclosed
PHI may be disclosed to: your treating clinician and authorized clinic staff; service providers that operate the platform under HIPAA Business Associate Agreements (for example, our cloud, email, and text-message providers); and others when you direct us to or when the law requires it (for example, public-health or legal obligations). Every disclosure to an outside provider is recorded in an accounting you can request.
How your information is protected
PHI is encrypted in transit (TLS) and at rest. Clinical record content is additionally encrypted at the application layer with per-patient keys. Access is restricted by role and is logged in a tamper-evident, append-only audit trail. AI transcription and summarization run inside Amazon Web Services under a HIPAA Business Associate Agreement, so your audio and notes are not shared with any outside AI vendor.
Recording consent
If your clinician records a session to generate a visit summary, they must confirm you were informed and consented before recording. Some states require that all parties consent to a recording. You may decline; tell your clinician if you do not wish to be recorded.
Your rights
You have the right to: access and obtain a copy of your information; request a correction (amendment) to it; receive an accounting of disclosures made to outside parties; request restrictions on certain uses or disclosures; and request that your account and personal data be closed and deleted, subject to the retention periods the law requires. You can exercise the access, amendment, and accounting rights from your patient portal.
Data retention
Clinical records are retained as required by law. When you close your account, identifying details are removed and records are retained only for the legally required period, then deleted. Transient data such as session audio is deleted within minutes of processing.
Breach notification
If a breach affecting your unsecured PHI occurs, you will be notified without unreasonable delay and no later than 60 days after discovery, consistent with the HIPAA Breach Notification Rule. Where required, regulators and, for large breaches, media outlets are also notified.
Changes & contact
We may update this notice; the current version is always available here. To exercise a right, ask a question, or file a privacy complaint, contact your clinic directly or email privacy@rafanest.com. You also have the right to complain to the U.S. Department of Health and Human Services, Office for Civil Rights, without retaliation.
Last updated 2026. Your clinic may provide an additional practice-specific notice.