HIPAA Notice

Lumen Notes is documentation software for licensed mental-health clinicians. When you bring session audio, transcripts, or notes containing protected health information (PHI) into Lumen, we act as a business associate under the Health Insurance Portability and Accountability Act (HIPAA) to you or your practice — the covered entity. This page summarizes how that works; the controlling document is the executed Business Associate Agreement (BAA) between us.

BAA available on Solo and Group plans — contact us

We offer a Business Associate Agreement on both Solo and Group plans, including during the free trial. Email support@lumen.1labs.app with your practice name and the account email, and we'll send the BAA for signature. Execute the BAA before bringing PHI into Lumen — until it's signed, use the product only with de-identified or test data.

How Lumen handles PHI

• Purpose-limited processing. PHI is processed solely to provide the documentation service: transcription, note drafting, and storage of the records you keep. No advertising, no model training, no secondary use.
• Audio deletion by default. Session audio is permanently deleted when the clinician signs the note. We do not archive audio.
• Clinician-controlled signing. Only a licensed clinician can finalize a record. Every signature is bound to the signer's identity with a timestamp, and notes are versioned after signing.
• Safeguards. Encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, audit logging, and least-privilege internal access. Details on the Security page.
• Subprocessors under BAA. Every subprocessor that touches PHI is bound by a BAA or equivalent obligations — see the Subprocessors list.

Breach notification

If we discover a breach of unsecured PHI, we will notify affected covered entities without unreasonable delay and within the timelines required by the HIPAA Breach Notification Rule and the executed BAA, with enough detail for you to meet your own notification obligations.

Your responsibilities as the covered entity

• Execute the BAA before introducing PHI.
• Obtain any recording consent your jurisdiction and your clients require.
• Manage workspace roles so PHI is visible only to workforce members with a legitimate purpose.
• Respond to your clients' requests regarding their records — if a therapy client contacts us directly, we will refer them to you, as HIPAA requires of a business associate.

What this page is not

This page is a plain-language summary, not legal advice and not a Notice of Privacy Practices for your clients (that notice is yours to provide as the covered entity). For contractual terms, rely on the executed BAA and the Data Processing Agreement.

Contact

BAA requests and HIPAA questions: support@lumen.1labs.app.