Security & Privacy

Last updated: June 2026

The Short Version

VerifyChart verifies AI-generated clinical notes before you sign them. To do that, we send your note text to Claude (Anthropic's AI) for analysis. That note text is never stored in our database — not before analysis, not after, not ever. What we store is the result: scores, flags, and metadata. The note itself is gone the moment the analysis is complete.

This page explains exactly how that works.

PHI Never Reaches Our Servers — By Design

VerifyChart is built for de-identified notes only. Before you paste a note, you are asked to remove all patient identifiers:

  • Patient name → [PATIENT]
  • Date of birth → [DOB]
  • Medical record number → [MRN]
  • Any other direct identifiers

Additionally, VerifyChart runs client-side PHI pattern detection before your note is submitted. Common PHI patterns — names, dates of birth, MRN formats — are flagged and blocked before any data leaves your browser. If PHI is detected, the analysis is rejected and you are asked to de-identify the note first.

No detection system catches everything. Manual de-identification before pasting is the primary protection. Client-side detection is a secondary safety layer.
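The following is an added illustration of a client-side gate of the kind described above; it is not VerifyChart's own detection code. The pattern set, helper names (`detectPhi`, `gateSubmission`) and the sample notes are constructed assumptions, and a production rule set would be broader than the three pattern kinds shown here.

```javascript
// Added example (not VerifyChart's own code): a browser-side pre-submission
// gate. Patterns, helper names and sample notes are constructed for
// illustration only.

// Placeholder the user is asked to substitute for each identifier kind.
const PLACEHOLDER_FOR = { name: "[PATIENT]", date: "[DOB]", mrn: "[MRN]" };

// Constructed PHI patterns: direct identifiers and labelled identifier fields.
const PHI_PATTERNS = [
  // US-style dates such as 03/14/1962 or 3-14-62. Any date tied to a person
  // is an identifier, so dates of birth are not special-cased here.
  { kind: "date", re: /\b\d{1,2}[\/-]\d{1,2}[\/-]\d{2,4}\b/g },
  // ISO dates such as 1962-03-14
  { kind: "date", re: /\b\d{4}-\d{2}-\d{2}\b/g },
  // An "MRN" label followed by a 5-12 digit number, e.g. "MRN: 00123456"
  { kind: "mrn", re: /\bMRN\s*[:#]?\s*\d{5,12}\b/g },
  // A "Patient:" / "Pt:" label followed by two or more capitalised words
  // (a substituted "[PATIENT]" placeholder does not match this).
  { kind: "name", re: /\b[Pp](?:atient|t)\s*:\s*[A-Z][a-z]+(?:\s+[A-Z][a-z]+)+/g },
];

// Scan a note and return every match, ordered by position in the text. The
// matched text is kept here only so the editor can highlight it locally.
function detectPhi(noteText) {
  const findings = [];
  for (const { kind, re } of PHI_PATTERNS) {
    re.lastIndex = 0; // global regexes are stateful; always reset before reuse
    let m;
    while ((m = re.exec(noteText)) !== null) {
      findings.push({ kind, match: m[0], index: m.index });
    }
  }
  return findings.sort((a, b) => a.index - b.index);
}

// Gate run before any request is made. The rejection payload carries only the
// identifier kind, its offset and the placeholder to substitute, never the
// matched text, so analytics or error-reporting code that sees this object
// cannot pick up an identifier.
function gateSubmission(noteText) {
  const findings = detectPhi(noteText);
  if (findings.length === 0) {
    return { allowed: true, problems: [] };
  }
  const problems = findings.map((f) => ({
    kind: f.kind,
    at: f.index,
    replaceWith: PLACEHOLDER_FOR[f.kind],
  }));
  return { allowed: false, problems };
}

// Constructed sample notes (no real patient data).
const DE_IDENTIFIED_NOTE =
  "Patient: [PATIENT]  DOB: [DOB]  MRN: [MRN]\n" +
  "CC: chest pain x2 days. BP 138/88, HR 92, SpO2 97% on RA.\n" +
  "Assessment: atypical chest pain. Plan: ECG, troponin, return precautions.";

const NOTE_WITH_PHI =
  "Patient: John Smith  DOB: 03/14/1962  MRN: 00123456\n" +
  "CC: chest pain x2 days.";

console.log(gateSubmission(DE_IDENTIFIED_NOTE)); // allowed: true
console.log(gateSubmission(NOTE_WITH_PHI));      // allowed: false, three problems
```

Two design points are worth noting. The vitals in the clean note (138/88, 97%) are not mistaken for dates because the date pattern requires two separators and word boundaries, which is the kind of false-positive check a rule set needs before it can reject submissions. And the gate's result deliberately omits the matched text: the page's point is that nothing sensitive should leave the browser, and that includes the error object a rejection produces.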

What Happens to Your Note During Analysis

When you submit a note for verification, here is the exact sequence:

  • Your browser sends the de-identified note text to our server via an encrypted HTTPS connection (TLS)
  • Our server passes the note to the Claude API (Anthropic) for clinical analysis
  • Claude returns a structured analysis result: scores, flags, and findings
  • We store the result in our database — scores, flag counts, PDSQI-9 dimensions, specialty, and timestamp
  • The note text is never written to our database at any point in this sequence
  • The note text exists only in transit and in server memory during processing — it is discarded when the analysis is complete

What We Store

  • Analysis scores and PDSQI-9 dimension results
  • Flag count, flag titles, and flag descriptions
  • Note specialty and note type
  • Analysis timestamp and token usage (for internal cost tracking)
  • For signed-in users: email address, subscription tier, and analysis history
  • For anonymous users: session identifier (random browser-generated ID), IP address, and browser type
  • Payment information: handled entirely by Stripe — we never see or store card details

What We Never Store

  • Clinical note text — in any form, de-identified or otherwise
  • Patient information of any kind
  • PHI of any type
  • Audio recordings
  • EHR data

Infrastructure

  • All data encrypted in transit via TLS (HTTPS)
  • Database: Supabase — row-level security enforced on all tables
  • Hosting: Vercel — enterprise-grade infrastructure with automatic SSL
  • Analysis engine: Anthropic Claude API — enterprise API with Anthropic's data handling policies
  • Payments: Stripe — PCI-compliant payment processing
  • No EHR integration required — VerifyChart never connects to your EHR system

Chrome Extension

The VerifyChart Chrome extension opens a sidebar panel on any page. To keep you signed in, it reads your verifychart.ai session token and holds it in chrome.storage.session, an in-memory storage area that Chrome clears automatically when the browser closes. The extension does not access data from any other website or tab, and it does not read EHR page content.

Anthropic and the Claude API

VerifyChart uses Anthropic's Claude API to perform clinical note analysis. Note text submitted for analysis is sent to Anthropic's API under Anthropic's enterprise data handling terms. Anthropic does not use API inputs to train its models by default under enterprise API agreements.

For full details on how Anthropic handles API data, see anthropic.com/privacy.

Designed to Operate Without a BAA

VerifyChart is designed to operate without a Business Associate Agreement (BAA) by ensuring PHI never reaches our servers. Because note text is never stored — and because de-identification is required before submission — VerifyChart does not function as a Business Associate under HIPAA in its current form.

This is a deliberate architectural decision, not a gap. If your practice requires a BAA for any AI tool regardless of architecture, contact us at hello@verifychart.ai to discuss your requirements.

Contact

Questions about security or privacy? Email us at hello@verifychart.ai.

Disclaimer

VerifyChart is not a medical device. It is intended for documentation quality review only.