openevidence governance checklist: privacy, phi, and ‘what are you signing?’

a practical governance checklist for openevidence use: privacy policy basics, phi handling, baas, and how to align personal use with organisational rules.

This is a non-clinical governance checklist. It does not judge the tool; it helps you use it responsibly. The practical problem: clinicians adopt tools faster than organisations can write policy for them. This checklist gives you a defensible personal standard to follow while you wait for formal guidance.

Don’t assume ‘free’ means ‘risk-free’

Before you paste anything sensitive into any AI tool, you need to know four things: what data is collected, how it is used, how long it is retained, and which agreements (terms, privacy policy, BAA) govern that use.

The checklist (10 items, done once per tool and then re-checked)

1) Read the Privacy Policy and Terms (yes, actually)

Extract four facts: what data is collected, what is stored, how long it is retained, and whether your inputs are used to improve the service or train models (and, if so, whether you can opt out).

2) Identify whether you will ever input PHI/identifiers

Default to ‘no’ unless your environment explicitly allows it and you understand the contractual and security position. Identifiers include more than names: dates of birth, record numbers, postcodes and rare combinations of details can all re-identify a patient.

3) Confirm whether a BAA (or equivalent) is relevant to you

If you are in a US context or otherwise subject to PHI rules, find out whether a Business Associate Agreement is offered, which accounts or tiers it covers, and what it implies. A BAA offered to organisational customers does not cover your personal account unless you are actually a party to it.

4) Check for subprocessors and onward sharing

If the tool uses subprocessors (hosting, model providers, analytics), you need to know who they are and whether they are contractually bound to the same restrictions as the tool itself.

5) Establish your personal ‘safe use’ policy

Write 3 rules for yourself: (a) no identifiers, (b) request citations, (c) verify in primary sources before action.

6) Keep an audit habit (lightweight)

If you use outputs in professional work, record a minimal note: what you asked, when, and which sources were cited (no patient identifiers in the note itself).

7) Avoid uploading documents you don’t own

Policies, internal documents and other protected content can create IP and confidentiality issues, and uploading them may itself breach your organisation’s rules on onward sharing.

8) Define a breach/incident response behaviour

If you accidentally paste sensitive information, know the escalation route in advance (local information governance (IG) team, data protection officer, supervisor, and so on) and use it promptly rather than pretending it didn’t happen.

9) Keep personal vs organisational use separate

If your trust or practice later deploys an approved tool, follow that workflow. Don’t quietly keep running shadow tooling outside policy.

10) Re-check quarterly

Policies and product behaviour change. Re-check the terms and privacy policy periodically (set a recurring reminder if you are a heavy user), and re-run this checklist when the vendor announces a change to data handling or model training.

References

OpenEvidence: Privacy Policy (latest)
OpenEvidence: Terms of Use
OpenEvidence: Security and compliance overview
OpenEvidence: Business Associate Agreement (BAA)