Wellis Privacy Policy

Wellis Privacy Policy

Effective date: July 6, 2026

Artha Technologies LLC ("Artha," "we," "us") provides Wellis, a read-only clinical operations assistant for primary care practices. This policy describes how Wellis accesses and handles information when a practice authorizes an EHR integration (such as Practice Fusion via FHIR).

Scope

This policy applies to Wellis when deployed for a healthcare practice that has authorized an EHR connection and entered into appropriate agreements with Artha (including a Business Associate Agreement where required by HIPAA).

Information we access

Wellis accesses read-only health information from connected EHR systems, only after a practice administrator authorizes the integration and selects permitted data categories. Depending on the EHR and configuration, this may include:

  • Patient demographics and identifiers
  • Insurance coverage information
  • Encounter records
  • Explanation of benefit data

Wellis does not write to, modify, or delete EHR records. It does not access data from practices that have not authorized the application.

How we use information

Information accessed through Wellis is used solely to:

  • Respond to authorized staff requests for clinical and billing operations support
  • Summarize relevant chart, coverage, and encounter context for the requesting user's task

We do not sell patient data. We do not use PHI for advertising or unrelated product development.

Where processing happens

Wellis is designed to operate on HIPAA-eligible infrastructure configured per practice requirements. Typical components include:

  • Microsoft Teams — staff interaction channel (practice's Microsoft 365 tenant)
  • Azure OpenAI or equivalent BAA-covered LLM — natural language understanding and response generation, when enabled
  • Artha-operated services — secure token management and EHR API integration (e.g. Practice Fusion FHIR)

Subprocessors are bound by agreements consistent with the practice's compliance requirements.

Data retention

Query responses are transient by default — generated to answer a staff request in Teams. Operational logs may retain metadata (timestamps, resource types accessed) for security and troubleshooting, not full chart exports. Retention specifics are documented in the practice's BAA and deployment configuration.

Per-practice isolation

Each practice is a separate tenant. Credentials, EHR endpoints, and staff access controls are isolated per practice. One practice's authorization does not grant access to another practice's data.

Security

We use industry-standard controls including encrypted transport (TLS), least-privilege API scopes, short-lived access tokens, and staff allowlists on communication channels. Private signing keys used for EHR authentication are stored securely and never committed to source control.

Your rights and practice responsibilities

The practice is the covered entity or business associate responsible for workforce authorization, minimum necessary use, and staff training. Staff should only request information needed for their role.

Patients with questions about how their provider uses Wellis should contact their practice directly. Practices may direct privacy inquiries about Wellis to Artha using the contact below.

Changes

We may update this policy as the product or regulatory landscape changes. Material updates will be reflected on this page with a revised effective date.

Contact

Artha Technologies LLC Privacy inquiries: dtalati@artha-tech.com