Regulatory Compliance
Effective Date: November 26, 2025
Australian Regulatory Classification (TGA)
As an Australian company (AttendMe Pty Ltd, ABN pending), our primary regulatory framework is governed by the Therapeutic Goods Administration (TGA) under the Therapeutic Goods Act 1989.
TGA Exempt CDSS Classification
AttendMe qualifies as an exempt Clinical Decision Support System (CDSS) under Section 14G of the Therapeutic Goods (Excluded Goods) Determination 2018. This classification applies because:
- Professional Use Only: The software is intended exclusively for licensed healthcare professionals, not patients
- Does Not Replace Clinical Judgment: All outputs are recommendations and synthesized literature analysis that must be verified and evaluated by healthcare professionals using independent clinical judgment
- Information Can Be Verified: All responses include full citations to peer-reviewed medical literature, enabling professional verification against primary sources
- Supports, Not Directs: The software augments clinical decision-making by providing rapid access to medical literature but does not make autonomous clinical decisions
Regulatory Implications
Under TGA regulations, exempt CDSS status means:
- No ARTG Registration Required: The software is not required to be included in the Australian Register of Therapeutic Goods (ARTG)
- Ongoing Compliance: We maintain compliance with applicable adverse event reporting and quality management standards consistent with exempt CDSS requirements
- TGA Oversight: While exempt from registration, the software remains subject to TGA oversight including advertising standards and post-market surveillance
HIPAA Compliance (US Healthcare Providers)
For healthcare providers operating in the United States, AttendMe maintains HIPAA-compliant security measures to protect healthcare information.
Privacy Commitment
AttendMe is committed to protecting the privacy and security of our users' information. While AttendMe is designed as a research tool and users should not input Protected Health Information (PHI), we maintain HIPAA-compliant security measures as part of our commitment to healthcare data protection.
Important Notice About PHI
How We Protect Your Information
Even though PHI should not be entered into our system, we implement comprehensive security measures:
- Physical Safeguards: Secure data centers with controlled access
- Technical Safeguards: Encryption, access controls, and audit logs
- Administrative Safeguards: Employee training, access policies, and security procedures
Security Measures
Encryption
- All data transmitted between your device and our servers is encrypted using TLS 1.3
- Data at rest is encrypted using AES-256 encryption
- Encryption keys are managed using industry best practices
Access Controls
- Role-based access control (RBAC) for all system components
- Multi-factor authentication available for user accounts
- Regular access reviews and privilege audits
- Automatic session timeouts for inactive users
Audit Logging
- Comprehensive logging of all data access and modifications
- Tamper-proof audit trails
- Regular review of access logs
- Retention of audit logs for a minimum of 6 years
User Rights and Responsibilities
As a user of AttendMe, you have the right to:
- Access your account information and usage history
- Request corrections to your account information
- Request deletion of your account and associated data
- Receive notifications of any security breaches
- File a complaint if you believe your privacy rights have been violated
Your responsibilities include:
- NOT entering any PHI or patient-identifiable information
- Maintaining the security of your account credentials
- Reporting any suspected security incidents immediately
- Using the service only for its intended research purposes
Business Associate Agreements
While AttendMe is not intended to handle PHI, we maintain Business Associate Agreements (BAAs) with our key service providers who meet HIPAA standards, including:
- Cloud infrastructure providers
- Database service providers
- Security monitoring services
These agreements ensure that our partners maintain appropriate safeguards for any data they process on our behalf.
Breach Notification
In the unlikely event of a data breach, we will:
- Notify affected users within 72 hours of discovery
- Provide details about what information was involved
- Describe steps we are taking to investigate and mitigate
- Offer guidance on protective measures you can take
- Comply with all applicable breach notification laws
Workforce Training
All AttendMe employees and contractors with access to user data receive:
- Initial HIPAA privacy and security training
- Annual refresher training
- Role-specific security training
- Regular updates on privacy best practices
Compliance and Auditing
We maintain our security posture through:
- Regular security risk assessments
- Third-party security audits
- Penetration testing
- Compliance monitoring and reporting
- Continuous improvement of security measures
Questions and Complaints
If you have questions about our privacy practices or believe your privacy rights have been violated:
Email: harry@attendme.ai
You also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights.
Changes to This Notice
We reserve the right to change this notice and our privacy practices. Any changes will be posted on our website and will apply to all information we maintain. The effective date of the notice is listed at the top of this page.
Remember:
AttendMe is a research and educational tool. Never input patient-identifiable information. Always maintain patient privacy in accordance with your professional obligations and applicable laws.