Our Legal Mandate (POPIA)
As a South African company, our primary legal obligation is to the Protection of Personal Information Act (POPIA). This comprehensive law ensures the secure and responsible handling of all personal information, including sensitive health data, for our South African clients and their patients. We have designed our systems and processes to fully comply with POPIA's eight conditions for lawful processing, ensuring your data is protected according to South African law.

Our Proactive Security Standard (HIPAA)
While HIPAA is a U.S. federal law and not a legal requirement for us, it is a globally recognized benchmark for health data security. We proactively choose to align our security practices with HIPAA's stringent standards. This demonstrates our commitment to the highest international best practices for data security, providing an elevated level of protection for all our clients. We believe that by building our services to this standard, we offer you peace of mind and an exceptional level of care for your patients' data.

World-Class Security Built-In
You don't have to build a secure platform from scratch—we've done it for you. We've established formal Business Associate Agreements (BAAs) with industry leaders like AWS and OpenAI. These agreements are a crucial part of our security posture.
Our AWS BAA ensures that the underlying cloud infrastructure we use is compliant with HIPAA's rigorous security requirements. AWS contractually commits to protecting data at the foundational level, providing a secure, encrypted, and monitored environment for your information.
Our OpenAI BAA is vital for our AI-powered services. This legal agreement ensures that any sensitive health data processed by OpenAI adheres to strict HIPAA standards. It leverages OpenAI's 'HIPAA Workflow' with 'Zero Data Retention,' meaning your data is processed transiently in memory and is not logged, stored, or saved to a disk. This is a level of security you cannot get with free or low-cost internet tools.
By choosing our service, you are leveraging this advanced security framework without the burden of building it yourself.

Your Responsibilities in the Shared Security Model
Data protection is a shared responsibility. We provide you with a compliant platform, but you play a critical role in ensuring compliance within your practice.
By using our platform, you are already meeting a significant portion of your POPIA obligations for data security. However, it is essential to understand that:

• You must follow the rules of the platform. This includes using our secure services as intended and not trying to bypass security protocols.
• Your team must be trained on POPIA. You are responsible for ensuring your staff understands their obligations regarding patient consent, data access, and proper data handling.
• You must not use insecure alternatives. Free storage solutions, public AI tools, or other unencrypted services available online often lack the security protocols and legal agreements (BAAs) required by POPIA and HIPAA standards. Using such tools puts you at risk of a data breach and makes you non-compliant.

We have built our platform so you can focus on your patients, not on IT security. We follow the rules, and by using our services, you can too.

AURALIT-i employs advanced, HIPAA-compliant (Health Insurance Portability and Accountability Act) speech-to-text technology and listens to the live audio from your consultations. It then uses a sophisticated blend of proprietary processing algorithms and large language models (LLMs) to produce a transcript in real-time. Following this, the clinician uses AURALIT-i to format the transcript into recognised templates like SOAP, or custom layouts. These templates have been compiled and reviewed by a panel of specialist clinicians in their respective fields.
A temporary audio recording of the consultation is maintained to cater for any interruption in connectivity. This allows the clinician to manually upload the consultation without the risk of the transcript being lost.
Once finalised, the reports generated by the clinician are saved into the patient’s official medical record file, and the temporary audio recording can be deleted or downloaded locally by the clinician immediately. The audio file is then stored by us for a maximum of three days before it is permanently deleted.

No, AURALIT-i does not provide medical advice. It has not been designed or intended to offer medical guidance. Any medical questions or concerns should be addressed by a qualified healthcare professional. The role of AURALIT-i is to enhance your documentation process, not to replace your clinical judgement. We transcribe and generate reports for your approval.

AURALIT-i is equipped with a specialised AI model that has been trained to understand complex medical terminology, as well as a diverse range of dialects and languages. Our dedicated clinical governance team actively monitors and refines the system to maintain optimal performance and accuracy in various clinical settings. For South African purposes in general, English and Afrikaans are the preferred languages for use, as these languages have been thoroughly tested and approved by AURALIT-i. The AURALIT-i application offers settings to optimise transcription results for these two languages. We are excited and optimistic that other Southern African languages will follow as the LLMs progress.

While AURALIT-i excels at transcribing spoken dialogue, it also provides tools to capture clinical observations or other relevant information that the clinician wishes to include in their chosen clinical notes. Providing context or dictating physical findings and observations directly into AURALIT-i before or after the consultation enhances the quality of the document being prepared. Additionally, during the review process, clinicians can easily edit the AI-generated notes, ensuring a complete and accurate record.

We believe it is good practice to inform your client that you are using AURALIT-i. However, the law does allow for some exceptions.
The Law: What’s Permitted & What’s Not
Your smartphone, laptop, tablet, and even your watch allow you to record virtually anything, anywhere, and at any time. Technology enabling voice and/or video recording is pervasive, providing clinicians with a powerful tool for keeping accurate medical records and resolving disputes cost-effectively and speedily.
However, it is crucial to understand when a patient’s consent is required and when it is not. Whether you are communicating face-to-face, over the phone, or via digital platforms like WhatsApp, Zoom, Slack, Teams, or using AURALIT-i, the same principles apply.
The legal framework for recording conversations in South Africa is primarily governed by the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA). This Act aims not only to regulate government surveillance of its citizens but also to protect our general rights to privacy from each other.
Also relevant is the Protection of Personal Information Act (POPIA), which regulates the processing of personal information. Its impact on recording conversations relates primarily to how the recorded information is handled, stored, and shared.
Here are some key points to consider under RICA:
* Recording conversations you are not party to: Recording conversations between other people, to which you are not a party, is generally illegal unless explicit consent is obtained from all parties. This is because RICA has a general prohibition against “intercepting communications” without the knowledge and consent of those involved. There are very limited situations where such recordings may be legal, such as under a court order or for establishing a person’s location in an emergency rescue situation.
* Recording your own conversations: For example, a consultation between a clinician and a patient. If a person is directly involved in the conversation, they are legally allowed to record it without consent. RICA permits individuals to record communications to which they are a party, either as a direct participant or in their “immediate presence” and within audible range. There is no legal obligation to inform or obtain consent from the other participants before recording, but, as discussed below, there are often good practical reasons for doing so anyway.
* Recording "in connection with carrying on of business": RICA permits the recording of communications without explicit consent when it is done for the purpose of conducting business operations, meaning that for example, a clinician may record patient consultations. This is usually done with implied consent through a notice in the waiting area and/or rooms indicating that recordings are made, or the fact that the clinician is recording their consultations and it forms part of the clinician’s terms and conditions of practice.
As the clinician ,is a party to the consultation, these extra steps also comply with the exception of "in connection with carrying on of business". However, even when it might not be legally required, informing the other parties involved that you are recording can help prevent misunderstandings and build trust.

The rapid advancement of artificial intelligence (AI) technology, coupled with the increasing availability of data, is creating new opportunities and challenges across various industries. In the healthcare sector, AI is being integrated into medical practices with increasing frequency; one example is AI-powered platforms such as the AURALIT-i application. These tools assist healthcare professionals by documenting patient interactions, but it is essential to note that AI scribes and assistants do not make clinical decisions or provide medical advice. Their primary function is administrative, such as documenting conversations between doctors and patients.
Because healthcare involves sensitive personal health data, it is crucial that any data processing by AI systems complies with the Protection of Personal Information Act (POPIA) to ensure the secure handling of personal information. Let us explore the implications of AI-driven assistants in the context of POPIA, focusing on compliance with data protection rules, automated decision-making, the processing of unique identifiers, and the need for transparency and patient consent.

Overview of POPIA Compliance: In South Africa, POPIA regulates the processing of personal data, including that of patients in the healthcare sector. Healthcare practices adopting AI technologies like scribe tools and assistants must ensure they comply with relevant POPIA provisions to protect personal data, which we at AURALIT-i do.
The following key sections of POPIA are particularly relevant to the use of AI in healthcare:
Section 71(1) – Automated Decision-Making: POPIA’s section 71(1) safeguards individuals from automated decisions that could have significant legal consequences, particularly when predicting or profiling a person’s characteristics, behaviour, or health status. AURALIT-i does not engage in decision-making that directly influences a patient's healthcare or treatment plan. We merely transcribe conversations for documentation purposes. However, if the AI medical scribe were to make treatment recommendations based on the transcribed data, such as suggesting medical interventions based on previous patient interactions, it could violate the restrictions of section 71(1). As AURALIT-i does not make clinical decisions, its use does not trigger the limitations of this section.
Section 57(1)(a) – Processing Unique Identifiers: POPIA’s section 57(1)(a) requires that healthcare providers seek prior approval from the Information Regulator before processing unique identifiers (such as a patient’s ID number or medical record number) for purposes other than the original purpose for which the data was collected. In the case of AI scribe systems, healthcare providers must ensure that personal information, including identifiers, is processed strictly for documentation and record-keeping purposes. If an AI system links a patient’s data to external systems, such as connecting a patient’s history to a wider healthcare database, this would constitute a new use of unique identifiers. In such cases, the healthcare provider must seek prior authorisation from the Information Regulator.
AURALIT-i only processes clinician and/or patient unique identifiers, and solely for the purpose of documentation and record-keeping.
All personal information gathered during any consultation is for the specific purpose of generating a transcript and clinical notes and is not used for any other purposes whatsoever.
Clinician and client/patient records are not used to train or improve AI systems.
If client/patient data is to be used for purposes beyond the original scope (e.g., training an AI system), explicit consent must be obtained from you and your client/patient.

We retain all transcripts and reports generated by the clinician indefinitely by default. The clinician has complete control and may delete all data immediately or store the data with AURALIT-i.
The voice data of the consultation is retained by AURALIT-i temporarily, for a maximum of three days before we permanently delete the audio file. This data is solely kept to cater for any break in connectivity and is deleted after three days to free up space on our servers. All temporary audio recordings may be deleted or downloaded locally and retained by the clinician immediately (or within the three-day period) after the consultation.
All stored clinical data conforms to HIPAA, POPIA, and HPCSA standards and regulations.

All data processed by AURALIT-i is encrypted and securely stored by an international enterprise-grade data storage provider that adheres to South African legislation.
Only the account owner with secure login credentials, has access to the unencrypted data.

No, AURALIT-i does not use any personally identifiable or sensitive patient health information for model training. We only use data for the purposes for which it was collected, as outlined in our comprehensive privacy policy. Protecting your data privacy and that of your patients is our priority.

Absolutely not. AURALIT-i will never sell or use patient information for any reason. Our sole purpose is to assist clinicians in streamlining their documentation processes. We prioritise patient confidentiality and data security above all else.

AURALIT-i employs advanced language models and continuously monitors system performance to minimise errors. However, clinicians are responsible for reviewing and editing all AI-generated content before finalising it. This ensures accuracy and maintains professional accountability.

You can explain to your patient that AURALIT-i is a tool designed to enhance your focus on their care. By automating documentation, AURALIT-i allows you to give your full attention to the consultation while ensuring accurate and comprehensive records. Emphasise that patient privacy and data security are paramount.

AURALIT-i facilitates easy transfer of notes into any EHR with just a couple of clicks.
We are actively working on direct EHR integration with select systems to further streamline workflows. Please contact us to integrate your system.

Yes, AURALIT-i allows for extensive customisation of document templates. Clinicians may contact us to discuss tailoring documents to their specific needs and specialities, ensuring consistency and efficiency in documentation.