
Security & Compliance

Cleo and Aether Hub are built for clinical environments. Patient data is protected at every step — from your EHR to your screen and everywhere in between.

Data stays in your account

Patient information is only accessible to you and your authorized team — never shared with other providers or third parties.

AI vendors are HIPAA covered

Every AI service Aether uses has a signed Business Associate Agreement. Your patients’ data is handled under the same legal protections as any other covered vendor.

Encrypted everywhere

All data is encrypted whether it’s stored in your account or traveling between your browser and our servers.

Sessions auto-lock

The Hub locks automatically after a short period of inactivity to prevent unauthorized access if you step away.


When you open a patient’s chart in your EHR, Cleo reads the information displayed on screen — the same data you’re already viewing. It does not independently log into your EHR, access records in the background, or store your EHR credentials.

That patient data is then synced to your secure Aether account, where it’s accessible to you through the Hub. Think of it as a personal, encrypted copy tied to your login — no one else can see it.

When Cleo generates a patient brief, surfaces a drug interaction, or answers a clinical question, it may use clinical content including patient information. Every AI service Aether uses — for summaries, insights, document analysis, and more — has a signed Business Associate Agreement with Aether. This is the same legal standard required of any HIPAA-covered vendor, and it means your patients’ data is handled with the same protections regardless of which underlying service powers a feature.

  • No data sharing — patient information is never sold, shared with pharmaceutical companies or insurers, or used for advertising
  • No background access — Cleo only reads data while you’re actively viewing a chart
  • No cross-provider data — your patients’ records are not visible to other Aether users

Yes — and here’s what Aether does to ensure that:

A BAA is in place with every Aether account. This is the formal agreement that designates Aether as a Business Associate under HIPAA and documents our obligations to protect the PHI you share with us. View BAA →

Aether follows the HIPAA principle of minimum necessary access. Patient identifiers are removed before AI processing, and our systems are designed to handle only the data required to deliver each feature.

All patient data is encrypted at rest and in transit using industry-standard encryption. Whether data is stored in your account or traveling between your browser and Aether’s servers, it is protected.

Your account requires authentication on every session. The Hub locks automatically after inactivity, with a PIN required to resume — reducing the risk of unauthorized access if you leave your workstation.

If a security incident ever affected your data, Aether is contractually and legally required to notify you within 14 days under our BAA, consistent with HIPAA’s Breach Notification Rule.


For questions about security, compliance, or to request documentation for your IT or compliance team, contact us at support@aether.inc.