Health Information Practices
How we handle health-related data
Our Approach: Vigil is designed as a clinical reference and decision support tool. We do not collect, store, or process Protected Health Information (PHI). The Service is built to work without patient data.
1. What Vigil Is
Vigil is a clinical decision support and medical education platform. We provide:
- AI-powered medical information retrieval from published literature
- Medication dosing calculators using general clinical parameters
- Reference materials for clinical guidelines and protocols
- Board examination study resources
Think of us like a smart medical textbook or drug reference—a tool to help clinicians find information, not a system for managing patient records.
2. What Vigil Is NOT
Vigil is NOT:
- An Electronic Health Record (EHR) system
- A patient data management platform
- A telemedicine or patient communication service
- A repository for medical records
- A Business Associate under HIPAA
3. Protected Health Information (PHI)
Do Not Enter Patient Data: Users should NOT enter Protected Health Information, patient names, medical record numbers, dates of birth, or any other information that could identify a specific patient into Vigil.
3.1 Why We Don't Collect PHI
Our Service is designed to answer clinical questions without needing patient-specific data. For example:
- Instead of: "What dose for John Smith, MRN 12345?"
- Use: "What propofol dose for a 75-year-old, 70kg patient with reduced EF?"
Clinical parameters (age, weight, lab values) can be entered without identifying the patient.
3.2 If PHI Is Accidentally Entered
If you inadvertently enter patient-identifying information:
- Delete the conversation immediately using the delete function
- Contact us at privacy@usevigil.org if you have concerns
- We will work to remove any such data from our systems
4. Our Security Practices
While we do not handle PHI, we still implement reasonable security measures to protect user data:
Data encrypted in transit using TLS. Passwords hashed and salted.
User authentication required. Individual accounts only.
Cloud infrastructure with standard security controls.
Procedures to address security issues promptly.
5. HIPAA and Regulatory Compliance
The Health Insurance Portability and Accountability Act (HIPAA) applies to "covered entities" (healthcare providers, health plans, clearinghouses) and their "business associates" who handle PHI on their behalf.
Because Vigil:
- Does not receive, create, maintain, or transmit PHI
- Is designed as a general reference tool, not a patient data system
- Does not need patient-identifying information to function
We operate as a clinical reference tool rather than a Business Associate under HIPAA. We do not execute Business Associate Agreements (BAAs) because the Service is not designed to handle PHI.
Your Responsibility: If you choose to enter patient-identifying information against our guidance, you—not Vigil—bear responsibility for any compliance implications. We strongly advise against entering PHI.
6. For Institutional Users
If your institution requires specific security documentation or has questions about how Vigil fits into your compliance framework, please contact us. We can provide:
- Security questionnaire responses
- Documentation of our practices
- Clarification on our service design
However, we do not modify our service to accept or manage PHI, and we do not sign BAAs.
7. Data Retention
Conversation data is retained for 90 days by default to provide continuity and allow users to reference past queries. Users may delete individual conversations at any time. Upon account deletion, all associated data is removed within 30 days.