Wellis Privacy Policy
Wellis Privacy Policy
Effective date: July 6, 2026
Artha Technologies LLC ("Artha," "we," "us") provides Wellis, a read-only clinical operations assistant for primary care practices. This policy describes how Wellis accesses and handles information when a practice authorizes an EHR integration (such as Practice Fusion via FHIR).
Scope
This policy applies to Wellis when deployed for a healthcare practice that has authorized an EHR connection and entered into appropriate agreements with Artha (including a Business Associate Agreement where required by HIPAA).
Information we access
Wellis accesses read-only health information from connected EHR systems, only after a practice administrator authorizes the integration and selects permitted data categories. Depending on the EHR and configuration, this may include:
- Patient demographics and identifiers
- Insurance coverage information
- Encounter records
- Explanation of benefit data
Wellis does not write to, modify, or delete EHR records. It does not access data from practices that have not authorized the application.
How we use information
Information accessed through Wellis is used solely to:
- Respond to authorized staff requests for clinical and billing operations support
- Summarize relevant chart, coverage, and encounter context for the requesting user's task
We do not sell patient data. We do not use PHI for advertising or unrelated product development.
Where processing happens
Wellis is designed to operate on HIPAA-eligible infrastructure configured per practice requirements. Typical components include:
- Microsoft Teams — staff interaction channel (practice's Microsoft 365 tenant)
- Azure OpenAI or equivalent BAA-covered LLM — natural language understanding and response generation, when enabled
- Artha-operated services — secure token management and EHR API integration (e.g. Practice Fusion FHIR)
Subprocessors are bound by agreements consistent with the practice's compliance requirements.
Data retention
Query responses are transient by default — generated to answer a staff request in Teams. Operational logs may retain metadata (timestamps, resource types accessed) for security and troubleshooting, not full chart exports. Retention specifics are documented in the practice's BAA and deployment configuration.
Per-practice isolation
Each practice is a separate tenant. Credentials, EHR endpoints, and staff access controls are isolated per practice. One practice's authorization does not grant access to another practice's data.
Security
We use industry-standard controls including encrypted transport (TLS), least-privilege API scopes, short-lived access tokens, and staff allowlists on communication channels. Private signing keys used for EHR authentication are stored securely and never committed to source control.
Your rights and practice responsibilities
The practice is the covered entity or business associate responsible for workforce authorization, minimum necessary use, and staff training. Staff should only request information needed for their role.
Patients with questions about how their provider uses Wellis should contact their practice directly. Practices may direct privacy inquiries about Wellis to Artha using the contact below.
Changes
We may update this policy as the product or regulatory landscape changes. Material updates will be reflected on this page with a revised effective date.
Contact
Artha Technologies LLC Privacy inquiries: dtalati@artha-tech.com