De-identification Statement for NotADoctor.ai

The NotADoctor.ai app uses artificial intelligence (AI) to read your medical records and reason about your health through several processes.

We separate health and identity data to protect your privacy

First, we distinguish two kinds of basic data, which we work hard to process and store separately, and which we only look at as needed to debug and improve our systems:

Then, we define four data categories with increasingly strict privacy levels:

  1. de-identified health data — that's health data with no identity data attached, which we sometimes look at when working on improving our analysis tools;
  2. non-health identity data — that's identity data with no health data attached, which we sometimes look at when corresponding with a user about their account, or debugging a non-health problem with an account, or for coarse-grained usage analysis;
  3. identified health data — that's identity data with health data attached; we almost never need to look at this data combination, except occasionally when working on extracting it from raw records, or during correspondence with a user who wants us to talk about both in the same conversation; and
  4. raw medical records data — that's the raw medical records you import to your account from doctors' offices or other healthcare providers, using our record collection system(s).

All data types are strictly confidential information within the company, and all staff are sworn to secrecy about user data.

Also, approval from at least two humans is needed to authorize access to data in categories 3 and 4 (identified health data or raw records). Both people must document and endorse the reason for access, which should always be beneficial in expectation to the user in question.

In other words, the first thing our automated system does with your raw medical records data (category 4) is to separate the information in it, yielding health data that can be stored separately from identity data. Our human team members only need to see raw records specifically when needed to debug issues with this separation process, which is rare and requires a two-human approval process. From there, we store your health data separately from your identity data, so that our staff are typically only working with either health data or identity data at any given time, and not both. If we ever need to look at your health and identity data together (category 3), that requires a two-human approval process.

So in summary: yes, our staff sometimes see your data, but only as needed to help improve our services for you, and we work hard to make it unnecessary to see your health data and identity data at the same time.

Q: How do these procedures relate to HIPAA?

A: These procedures are not the same as HIPAA requirements, because NotADoctor.ai isn't a doctor's office or even associated with one. Rather, these policies are intended for us to optimize our service to you as a software company helping you to organize and process your data.

Q: Is it impossible to determine my identity from my de-identified data?

A: No; if someone already knows enough about your health or healthcare history, they may be able to guess your identity from your health data.

Q: If I enter my name in a chat about my health, does my name get removed?

A: No, not currently, although in general there is no need to enter your name in chats about your health on NotADoctor.ai.

Q: Where can I read your official website privacy policy?

A: Here: notadoctor.ai/privacy