AI Transparency & Ethics Policy

Introduction

Rymeda, Inc. ("Rymeda," "we," "us") integrates artificial intelligence ("AI") and machine learning ("ML") systems into its healthcare technology platform to assist licensed healthcare providers with clinical documentation, transcription, decision support, and operational workflows. This AI Transparency & Ethics Policy describes the AI systems we use, how they process data, the safeguards we employ, and the rights of patients and providers.

This policy is guided by a core principle: AI assists healthcare providers — it does not replace them. Every AI-generated output on the Rymeda platform requires human review, validation, and approval by a licensed clinician before it becomes part of a patient's medical record or influences clinical decisions.

1. AI Systems Inventory

Rymeda employs the following AI systems in its platform. Each system is disclosed with its purpose, data inputs, and risk classification:

2. Training Data and Data Usage

2.1 Third-Party No-Training Agreements

Rymeda maintains contractual agreements with all AI providers that prohibit the use of Rymeda customer data for model training:

• OpenAI: Data submitted through the API is not used to train or improve OpenAI models, per OpenAI's API Data Usage Policy and our Business Associate Agreement with OpenAI. Zero data retention (ZDR) is configured where available.
• Google Gemini: Processing under Google Cloud's enterprise terms, which prohibit use of customer data for model training. Data processed subject to Google Cloud HIPAA BAA.
• Anthropic: Data submitted through the API is not used to train or improve Anthropic models, per Anthropic's API Terms of Service and our Business Associate Agreement. API usage is covered under Anthropic's enterprise data handling commitments.
• ORIS: Healthcare-specific AI with contractual guarantees against using client data for training. API keys are kept server-side only and never exposed to clients.

2.2 Data Handling During AI Processing

• Voice recordings are transmitted to OpenAI Whisper via encrypted API calls (TLS 1.3) and are not retained by OpenAI after transcription
• Clinical note content sent to AI models passes through Rymeda's PHI redaction pipeline before reaching external processors where technically feasible
• All AI API communications use authenticated, encrypted channels with unique session identifiers for auditability
• AI processing is logged in Rymeda's immutable audit trail with model version, timestamp, and input/output metadata

3. Human-in-the-Loop Requirements

Rymeda enforces mandatory human oversight for all AI-generated clinical content. No AI output is automatically incorporated into a patient's medical record or used for clinical decisions without explicit human review and approval.

3.1 AI Draft Status

All AI-generated clinical content is assigned an "AI_DRAFT" status upon creation. This status is prominently displayed in the platform interface and persists until a licensed provider reviews and signs the content. The status lifecycle is:

3.2 Provider Signature Requirements

Only providers with full clinical chart access may sign clinical documents. This is restricted to:

• Physicians (MD/DO)
• Nurse Practitioners (NP)
• Physician Assistants (PA)

The signing provider must have verified credentials (verification status: "verified") through Rymeda's NPI/NPPES validation system. Signing is an irreversible action — once signed, a clinical note cannot be deleted or unsigned, only amended with a documented addendum.

3.3 No Auto-Approval

Rymeda does not and will not implement any mechanism that automatically approves, signs, or incorporates AI-generated content into clinical records. There is no batch signing, no timed auto-approval, and no workflow that bypasses explicit human review. Each clinical document requires individual review and signature.

4. AI Labeling and Transparency

All AI-generated content on the Rymeda platform is labeled with the following metadata to ensure full transparency and traceability:

The full provenance chain for every AI-generated document — from original voice recording through transcription, AI generation, human review, and signature — is recorded in Rymeda's immutable audit trail and available via the voice note audit trail endpoint.

5. Model Governance

5.1 Model Versioning

Every AI-generated output records the specific model version used (ai_model_version). This ensures traceability and enables retrospective analysis if model behavior changes. When AI providers release new model versions, Rymeda evaluates the new version in a staging environment before deploying to production.

5.2 Change Management

Changes to AI systems follow a structured change management process:

• Model upgrades: New model versions are tested against a validation dataset of representative clinical scenarios before production deployment
• Provider changes: Adding or replacing an AI provider requires a Data Protection Impact Assessment (DPIA), security review, BAA execution, and Sub-processor notification per the DPA
• Prompt engineering: Changes to system prompts and AI instructions undergo clinical review by licensed healthcare professionals
• Rollback capability: All AI system changes are reversible, with the ability to revert to a previous model version within 24 hours

5.3 Monitoring

Rymeda continuously monitors AI system performance, including:

• Transcription accuracy metrics and error rates
• Clinical note quality indicators (provider edit rates, rejection rates)
• ICD-10 suggestion acceptance rates and confidence calibration
• ORIS guardrail trigger rates (emergency, blocked, off-topic)
• AI system latency and availability (API response times, failure rates)
• Trust & Safety moderation accuracy and false positive/negative rates

6. Bias and Fairness

6.1 Commitment to Fairness

Rymeda is committed to ensuring that AI systems do not introduce or amplify bias in healthcare delivery. We acknowledge that AI models may reflect biases present in their training data and take active measures to monitor and mitigate such biases.

6.2 Demographic Monitoring

Where technically feasible and legally permissible, Rymeda monitors AI system outputs for disparities across demographic groups, including:

• Transcription accuracy across accents, dialects, and languages
• Clinical suggestion patterns across patient demographics (age, gender, ethnicity)
• ICD-10 code suggestion distributions for potential coding bias
• Trust & Safety moderation actions for disparate impact across user groups

6.3 Testing and Validation

Rymeda conducts periodic fairness assessments including:

• Pre-deployment bias testing for new AI models and model versions
• Regular audits of AI-generated clinical content for systematic errors or biases
• Analysis of provider override patterns (edits and rejections of AI suggestions) for potential bias indicators
• Review of false positive and false negative rates in automated moderation across user demographics

6.4 Reporting Bias

Healthcare providers and patients who identify potential AI bias in the platform may report it to legal@rymeda.com. All reports are investigated, and confirmed biases are addressed through model adjustments, prompt refinement, or provider changes.

7. Liability and Clinical Responsibility

7.1 Provider Responsibility

The licensed healthcare provider who reviews and signs AI-generated clinical content assumes full clinical and legal responsibility for that content. By signing, the provider attests that they have:

• Reviewed the AI-generated content for accuracy and completeness
• Made any necessary corrections, additions, or modifications
• Confirmed that the content accurately reflects the clinical encounter
• Accepted the content as their own professional clinical documentation

7.2 Rymeda's Liability

Rymeda's liability with respect to AI systems is as follows:

• Platform availability: Rymeda is responsible for the availability and proper functioning of AI features per the Service Level Agreement
• Security: Rymeda is responsible for securing AI data pipelines and protecting PHI during AI processing per the BAA
• Transparency: Rymeda is responsible for disclosing AI use, labeling AI content, and maintaining this policy
• Clinical decisions: Rymeda explicitly disclaims liability for clinical decisions made by healthcare providers, including decisions informed by AI-generated content. The provider retains full clinical responsibility.

7.3 No Accuracy Warranty

AI-generated content (including transcriptions, SOAP notes, ICD-10 codes, diagnosis suggestions, and follow-up recommendations) is provided "as is" without warranty of accuracy, completeness, or fitness for a particular clinical purpose. Confidence scores are probabilistic estimates, not guarantees. This is why human review is mandatory.

8. Patient Rights

Patients have the following rights with respect to AI processing of their health data:

9. Prohibited Uses of AI

Rymeda explicitly prohibits the following uses of AI on its platform:

10. EU AI Act Compliance

10.1 Risk Classification

Under the European Union Artificial Intelligence Act (Regulation (EU) 2024/1689), Rymeda's AI systems are classified as follows:

10.2 High-Risk Compliance Measures

For high-risk AI systems, Rymeda implements the following measures in alignment with the EU AI Act:

• Risk Management (Article 9): Continuous risk assessment and mitigation for all AI systems
• Data Governance (Article 10): Quality controls on training data (managed by AI providers under no-training agreements)
• Technical Documentation (Article 11): This policy and the AI Systems Inventory (Section 1)
• Record-Keeping (Article 12): Immutable audit trails with 6-year retention for all AI operations
• Transparency (Article 13): AI labeling system (Section 4) and AB 3030 disclosure
• Human Oversight (Article 14): Mandatory human-in-the-loop for all clinical AI (Section 3)
• Accuracy and Robustness (Article 15): Model monitoring (Section 5.3) and bias testing (Section 6)

11. Policy Review and Updates

This AI Transparency & Ethics Policy is reviewed and updated:

• Annually: As part of Rymeda's regular compliance review cycle
• When AI systems change: Upon adding, replacing, or significantly modifying any AI system
• When regulations change: Upon the effective date of new AI regulations (EU AI Act implementation timeline, state-level AI healthcare laws, updated FDA guidance)
• When incidents occur: Following any AI-related safety incident, bias discovery, or material error

Material changes to this policy will be communicated to users with thirty (30) days' advance notice via email and in-platform notification.

12. Contact Information

For questions about AI transparency, to report AI bias, or to exercise AI-related rights:

Related Policies