Acceptable Use Policy

Standards of conduct and technical requirements for all workforce members accessing or using Transcribe Health information systems, data, networks, and devices.

Effective Date: March 9, 2026 | Version 1.0

Transcribe Health Corporation Acceptable Use Policy

Document ID: TCH-POL-AUP-001
Version: 1.0
Effective Date: March 9, 2026
Classification: Internal / All Workforce
Owner: Chief Information Security Officer
Approved By: Information Security Committee


1. Purpose

Transcribe Health Corporation processes electronic protected health information on behalf of healthcare provider customers through its AI-powered medical transcription platform, and every member of the organization's workforce plays a role in protecting the confidentiality, integrity, and availability of that information. This Acceptable Use Policy defines the standards of conduct and the technical requirements that all workforce members must follow when accessing or using organizational information systems, data, networks, and devices. The policy establishes clear boundaries between acceptable and prohibited activities, ensuring that workforce behavior supports rather than undermines the organization's compliance posture and security objectives.

This policy satisfies the requirement at 45 CFR Section 164.308(a)(5)(i) of the HIPAA Security Rule, which mandates that covered entities and business associates implement a security awareness and training program for all members of the workforce, including management. The policy also addresses the communication and information criterion of SOC 2, CC2.2, which requires that the entity internally communicate the information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control, and the safeguards obligations of PIPEDA Principle 4.7, which requires that the methods of protection include organizational measures such as security clearances and limiting access on a need-to-know basis, as well as technological measures such as the use of passwords and encryption.

The stakes are high. A single instance of unauthorized access, careless data handling, or failure to follow security procedures can expose the organization to regulatory enforcement actions carrying civil monetary penalties whose inflation-adjusted annual cap under the HIPAA Enforcement Rule now exceeds $2 million per violation category per calendar year, to breach notification obligations that cause reputational damage, to litigation from affected individuals and covered entity customers, and to the potential loss of the business associate agreements on which the organization's continued operations depend. Every workforce member bears personal responsibility for understanding and complying with the requirements set forth in this policy.

2. Scope

This policy applies to all workforce members of Transcribe Health Corporation, a term that encompasses full-time and part-time employees, contractors, consultants, temporary workers, interns, and any other individual who performs work for the organization, regardless of whether they receive compensation. The policy applies to all use of organizational information systems, which includes but is not limited to the self-hosted Kubernetes cluster and all workloads running therein, the PostgreSQL 16 databases, Redis 7 instances, MinIO object storage, the Go microservices (auth-service, billing-service, organization-service, and transcription-service), the Next.js 15 frontend application, email systems, messaging platforms, development tools, source code repositories hosted on GitHub, and any other hardware, software, or network resource owned, leased, or operated by Transcribe Health Corporation.

The policy further applies to all devices used to access organizational information systems, whether such devices are owned by the organization or by the workforce member personally. It applies regardless of the workforce member's physical location, encompassing use from the organization's offices, from home offices, from co-working spaces, and while traveling. The policy applies at all times, not solely during working hours, as unauthorized use of organizational systems can occur at any time and the organization's security obligations under HIPAA and PIPEDA are continuous.

3. Acceptable Use

Workforce members are expected to use organizational information systems in a manner that supports the organization's business objectives, protects electronic protected health information, and complies with all applicable laws, regulations, and organizational policies. Acceptable use is defined by the principles of business necessity, minimum necessary access, data classification compliance, and security consciousness.

All access to organizational information systems must be driven by a legitimate business purpose directly related to the workforce member's assigned duties and responsibilities. The HIPAA Privacy Rule's minimum necessary standard, codified at 45 CFR Section 164.502(b), requires that when using or disclosing protected health information, a covered entity or business associate must make reasonable efforts to limit the information to the minimum necessary to accomplish the intended purpose. Transcribe Health Corporation implements this standard through its role-based access control system, which defines four distinct roles with a total of thirty-five granular capabilities that control access to specific system functions and data categories. Workforce members must access only the information and system functions that are necessary for the performance of their assigned duties, and must not attempt to access information or capabilities beyond those authorized for their assigned role.

Workforce members must comply with the organization's data classification policies when handling information. Electronic protected health information must be handled with the highest level of care, processed only within authorized systems, and never transferred to or stored in systems that have not been specifically approved for handling such data. Workforce members must maintain the confidentiality of all authentication credentials, including passwords and multi-factor authentication secrets. The organization requires multi-factor authentication using time-based one-time passwords for all access to production systems, and workforce members must not share their credentials, reuse passwords across systems, or record credentials in any insecure manner.

Workforce members who identify or suspect a security incident, policy violation, data breach, or other event that could compromise the security of electronic protected health information must report it to the Information Security Officer within one hour of identification. This reporting obligation is absolute and applies regardless of whether the workforce member was involved in the incident, whether the incident appears to be minor, or whether the workforce member believes the incident has already been addressed. Prompt reporting enables the organization to activate its incident response procedures, contain the incident, assess the scope of any compromise, and fulfill its breach notification obligations under 45 CFR Part 164, Subpart D and the applicable Business Associate Agreements.

4. Prohibited Activities

Certain activities are expressly prohibited because they present an unacceptable risk to the confidentiality, integrity, or availability of electronic protected health information, or because they violate the organization's legal, regulatory, or contractual obligations. Workforce members who engage in any of the following prohibited activities are subject to disciplinary action as described in Section 9 of this policy, and may also be subject to criminal prosecution under the HIPAA criminal penalty provisions at 42 USC Section 1320d-6.

No workforce member may access electronic protected health information without a documented business need directly related to their assigned duties. Unauthorized access to protected health information, commonly referred to as "snooping," constitutes a violation of the HIPAA Privacy Rule at 45 CFR Section 164.502(a) regardless of whether the information is subsequently used or disclosed, and is treated as a serious disciplinary matter. The organization's audit logging system, which captures events across eleven categories including data access, authentication, authorization, and administrative actions, is specifically designed to detect unauthorized access patterns, and workforce members should understand that all system access is logged and subject to review.

Sharing, lending, or transferring authentication credentials to any other person, whether a fellow workforce member or an external party, is strictly prohibited. Each workforce member's credentials are unique to that individual and serve as the basis for the organization's access accountability mechanisms required at 45 CFR Section 164.312(a)(2)(i). Credential sharing undermines the integrity of the audit trail and makes it impossible to attribute system actions to the individual who performed them.

Circumventing, disabling, or attempting to bypass any security control, including but not limited to the role-based access control system, multi-factor authentication requirements, session management controls implemented through the Redis-backed session blacklist (which fails closed, denying access whenever the revocation store cannot be consulted), TLS encryption, network segmentation enforced by the OPNsense firewall pair, or audit logging, is prohibited. This prohibition extends to the use of unauthorized tools, scripts, or techniques designed to escalate privileges, extract data from production systems, or interfere with the operation of security controls.

Installing unauthorized software on any organizational system, including development workstations and the nodes and workloads of the Kubernetes cluster, is prohibited without prior written approval from the Chief Information Security Officer. Unauthorized software may introduce vulnerabilities, establish unauthorized network connections, or consume resources in a manner that degrades system availability.

Storing electronic protected health information on personal devices, including personal laptops, mobile phones, tablets, USB drives, or personal cloud storage accounts, is prohibited without exception. All electronic protected health information must remain within the authorized organizational systems, specifically the PostgreSQL 16 databases, MinIO object storage, and the Go microservices that process such information within the secured Kubernetes environment.

Using production data, including electronic protected health information, in development, testing, or quality assurance environments is prohibited. The services/db/migrations/ directory supplies the schema for development databases; development environments must be populated only with synthetic or de-identified data that contains no actual patient information.

Connecting unauthorized devices to the cluster network at 10.0.0.0/24, including personal laptops, network equipment, wireless access points, or any device not explicitly provisioned and approved for connection to the organizational network, is prohibited. The cluster network is segmented behind the OPNsense high-availability firewall pair with CARP virtual IP at 10.0.0.1, and unauthorized devices on this network could compromise the security of all production workloads.

Disabling, modifying, or interfering with audit logging on any organizational system is prohibited. The organization's audit logging system is a critical compliance control that supports the audit controls standard at 45 CFR Section 164.312(b) and provides the evidentiary basis for incident investigation, access reviews, and regulatory compliance demonstrations.

Exporting electronic protected health information outside of authorized organizational systems, whether by email, file transfer, screen capture, printing, or any other method, is prohibited unless the export is performed in accordance with an authorized and documented business process and is approved by the Information Security Officer. This prohibition prevents unauthorized disclosure of protected health information and supports the organization's compliance with the disclosure provisions of the HIPAA Privacy Rule.

5. Email and Communications

Electronic communications present particular risks in a healthcare technology environment because they can inadvertently become vehicles for the unauthorized disclosure of electronic protected health information. Workforce members must exercise diligence when composing, addressing, and transmitting electronic communications, and must adhere to the following requirements designed to prevent unauthorized disclosure.

Electronic protected health information must never be transmitted via unencrypted email. The HIPAA Security Rule at 45 CFR Section 164.312(e)(1) requires business associates to implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. Because standard email protocols do not provide end-to-end encryption by default, workforce members must not include any protected health information in email messages, email attachments, or email subject lines unless the communication is transmitted through an organizational email system configured to require TLS for the entire transmission path (opportunistic TLS that silently falls back to cleartext does not meet this requirement) and the recipient is authorized to receive such information.

All electronic communications related to organizational business are subject to the organization's monitoring and retention policies. Workforce members should not have an expectation of privacy in their use of organizational communication systems. Communications containing information about the organization's security controls, network architecture, access credentials, or other security-sensitive details must be limited to recipients with a demonstrated need to know and transmitted through secure channels.

6. Remote Work Requirements

Workforce members who access organizational information systems from locations outside the organization's physical premises must adhere to heightened security requirements to compensate for the reduced physical security of the remote work environment. Remote access to any system containing or providing access to electronic protected health information, or to the organizational network at 10.0.0.0/24, is permitted only from company-approved devices using the organization's approved virtual private network connection.

Company-approved devices are those provisioned and configured by the organization with full disk encryption, current operating system patches and security updates, endpoint protection software, and multi-factor authentication. Personal devices that have not been provisioned and configured by the organization may not be used to access organizational information systems, regardless of whether the workforce member has installed security software on the personal device. This restriction ensures that the organization maintains control over the security configuration of all devices through which electronic protected health information may be accessed, consistent with the device and media controls standard at 45 CFR Section 164.310(d)(1).

Workforce members working remotely must ensure that their physical work environment provides reasonable protection against unauthorized viewing of electronic protected health information displayed on screens. This includes positioning displays away from windows and common areas, using privacy screens when working in shared spaces, locking workstations when stepping away even briefly, and ensuring that conversations involving protected health information are not conducted where they may be overheard by unauthorized persons.

7. Personal Device Policy

Transcribe Health Corporation prohibits the use of personal devices for accessing, processing, storing, or transmitting electronic protected health information. This prohibition is absolute and extends to all categories of personal devices, including personal laptops, desktops, tablets, smartphones, USB storage devices, external hard drives, and personal cloud storage services.

The rationale for this prohibition is grounded in the organization's obligation under the HIPAA Security Rule to implement physical safeguards at 45 CFR Section 164.310 and technical safeguards at Section 164.312 to protect electronic protected health information. Personal devices are outside the organization's administrative and technical control, making it impossible to ensure that appropriate encryption, access controls, patching, malware protection, and remote wipe capabilities are consistently maintained. Furthermore, personal devices may be shared with family members or other individuals, lost or stolen without timely reporting to the organization, or disposed of without proper data sanitization, all of which create unacceptable risks of unauthorized disclosure.

Workforce members who require mobile access to organizational information systems for legitimate business purposes must request a company-provisioned device through the standard equipment request process. Company-provisioned devices are configured with the organization's standard security baseline, enrolled in mobile device management, and subject to remote wipe in the event of loss, theft, or termination of the workforce member's relationship with the organization.

8. System Monitoring

Transcribe Health Corporation monitors all access to and use of its information systems to detect unauthorized access, policy violations, security incidents, and anomalous activity that may indicate a compromise. This monitoring is conducted in accordance with the audit controls standard at 45 CFR Section 164.312(b), which requires business associates to implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

The organization's monitoring capabilities encompass authentication events, including successful and failed login attempts, multi-factor authentication challenges, and session creation and termination through the Redis-based session management system with fail-closed architecture. Authorization events, including role-based access control decisions across all thirty-five capabilities and four roles, are logged and available for review. Data access events, including queries and modifications to PostgreSQL databases containing electronic protected health information, are captured through the audit logging system that spans eleven categories. Network activity through the OPNsense firewall pair, HAProxy ingress controller at 10.0.0.100, and inter-service communications within the Kubernetes cluster is logged and monitored for anomalous patterns.

Workforce members are hereby placed on notice that the organization monitors all system access and that they should not expect privacy in their use of organizational information systems. This notice satisfies the organization's obligation to inform workforce members of monitoring activities and supports the enforceability of disciplinary actions taken based on monitoring findings. Monitoring data is retained in accordance with the organization's data retention schedule and is available for use in security investigations, access reviews, compliance audits, and disciplinary proceedings.

9. Enforcement

Compliance with this Acceptable Use Policy is a condition of employment, engagement, or continued access to organizational information systems. All workforce members are required to acknowledge their understanding of and agreement to comply with this policy upon initial onboarding and annually thereafter. Acknowledgments are documented and retained as compliance artifacts in the Probo GRC system.

Violations of this policy are subject to disciplinary action commensurate with the severity, intent, and impact of the violation. Disciplinary actions may include verbal or written warnings, mandatory additional training, temporary suspension of system access, reassignment of duties, termination of employment or contract, and referral to law enforcement in cases involving criminal activity. The sanctions policy required at 45 CFR Section 164.308(a)(1)(ii)(C) mandates that appropriate sanctions be applied against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate, and Transcribe Health Corporation is committed to consistent and proportionate enforcement.

In cases where a policy violation results in or contributes to a breach of unsecured protected health information, the violation is documented as part of the breach investigation record and factored into the root cause analysis, corrective action plan, and determination of whether the breach resulted from willful neglect, which carries enhanced civil monetary penalties under the HITECH Act. Workforce members who discover violations by others are obligated to report them through the established reporting channels and are protected against retaliation for good-faith reporting, consistent with the anti-retaliation provisions applicable to health information privacy and security complaints.


© 2026 Transcribe Health Corporation. All rights reserved.