Security & HIPAA Posture

We are in pre-launch — and we are intentionally cautious about PHI.

This page is meant to be read by partners, vendors, attorneys, and anyone evaluating whether AutoQME is appropriate for their workflow. We will be direct about what is true today and what is not.

Where AutoQME stands today

AutoQME is in pre-launch development. The product is not yet generally available, and the public website you are reading is informational. We are not currently accepting protected health information through this site or any open channel.

What we do not claim

  • AutoQME does not claim to be HIPAA compliant.
  • AutoQME does not claim to be a fully launched product.
  • AutoQME does not invite users to submit PHI today.

Any vendor, partner, or evaluator who needs a current compliance attestation should understand that AutoQME, in its present pre-launch state, has no compliance certifications to offer. Rather than overstate, we say so plainly.

Our position on protected health information

No protected health information should be submitted unless appropriate agreements and safeguards are in place.

This is a hard rule, not a default we expect to bend. If you are evaluating AutoQME on behalf of an organization that handles PHI, the path forward starts with a conversation, not with a file upload.

Workflows we are evaluating

AutoQME is evaluating secure healthcare workflows, including workflows that may require a Business Associate Agreement before any PHI is processed. Among the operational principles guiding that evaluation:

  • PHI should be handled only inside environments with executed BAAs and appropriate technical, administrative, and physical safeguards.
  • The physician must remain the supervising and approving party for any clinical content the tool surfaces.
  • Audit trails and provenance for any AI-assisted summarization or surfacing should make every claim traceable back to the source record.
  • Access should follow the principle of least privilege, with role-based controls.
  • Encryption of data in transit and at rest should be standard, not optional.
  • Vendor selection — for cloud, model, storage, and any third-party processing — should be governed by HIPAA-aware contracting, not by convenience.

These are the principles we are using to design the product. They are not yet attestations. We will not claim a control we have not implemented.

Verifying AutoQME as a business

If you are a vendor, partner, or counterparty trying to verify AutoQME for a Business Associate Agreement, an API access request, or a procurement workflow:

  • The operating individual is Varun Patibanda, MD, a board-certified physician.
  • AutoQME is currently pre-incorporation and pre-revenue, in development.
  • Public-facing contact: reportwriter@autoqme.com.
  • The domain autoqme.com is verifiably operated by the same individual; web hosting is provided through Cloudflare with HTTPS enforced.

We are happy to provide further information through an executed mutual NDA, and to participate in good-faith vendor diligence.

Reporting a concern

If you believe AutoQME’s public materials are misrepresenting the product’s current state, or if you have a security concern about anything on this website, please email reportwriter@autoqme.com. We will respond.

Looking forward

As AutoQME approaches general availability, this page will be updated to reflect the specific compliance posture, vendor agreements, and technical controls in place at launch. Until then, we will continue to err on the side of saying less than we could rather than more than is true.

Contact us →