HIPAA Compliance & Notice of Privacy Practices
MedFlow is a HIPAA-covered entity. This Notice of Privacy Practices describes how we use and disclose your Protected Health Information (PHI) and your rights under federal law.
Effective: March 7, 2026 · As required by 45 CFR § 164.520
What is Protected Health Information?
Protected Health Information (PHI) is any information that can identify you and relates to your past, present, or future physical or mental health condition, the provision of healthcare to you, or payment for that care. On MedFlow, PHI includes: consultation notes, diagnoses, prescriptions, vital signs, uploaded medical documents, and health records — including any combination of identifiers such as your name, date of birth, or account ID linked to health data.
Technical Safeguards
AES-256 Encryption at Rest
All health records stored on MedFlow are encrypted using AES-256-GCM before being written to disk.
TLS 1.3 in Transit
All data transmitted between your device and MedFlow servers is protected by TLS 1.3 encryption.
End-to-End Encrypted Messaging
Messages use ECDH key exchange + AES-256 encryption. MedFlow staff cannot read your messages.
Role-Based Access Controls
Patient PHI is accessible only to that patient and their consulting Providers — not to other patients or uninvolved staff.
Immutable Audit Logs
Every access to PHI is logged with user ID, timestamp, action, and IP address. Logs are write-only and retained for 6 years.
Business Associate Agreements
All vendors who process PHI on behalf of MedFlow have executed legally binding BAAs per 45 CFR § 164.504(e).
How We Use and Disclose PHI
Treatment
We share PHI with your consulting Providers to enable diagnosis and treatment. With your consent, a Provider may share records with another specialist.
Payment
We use PHI to process payments, submit insurance claims (where applicable), and verify coverage. Payment processors operate under BAAs.
Healthcare Operations
PHI may be used for quality assurance, provider performance assessment, compliance audits, and training — always subject to the minimum necessary standard.
Legal Requirements
We may disclose PHI when required by law, including responses to court orders, subpoenas, or public health reporting obligations (e.g., communicable disease reporting).
Emergency Circumstances
If you are unable to consent and disclosure is necessary to prevent serious harm, we may share PHI with emergency responders or next of kin.
We Never Sell PHI
MedFlow does not sell, rent, trade, or exchange your Protected Health Information with any third party for commercial purposes. This commitment is unconditional and not subject to change.
Your HIPAA Rights
Right to Access
You have the right to inspect and obtain a copy of your Protected Health Information (PHI) held by MedFlow. We will provide this within 30 days of your request.
Right to Amend
If you believe PHI we hold is incorrect or incomplete, you may request an amendment. We will respond within 60 days.
Right to an Accounting
You may request a list of disclosures of your PHI made by MedFlow for purposes other than treatment, payment, and health care operations.
Right to Restrict
You may request restrictions on how MedFlow uses or discloses your PHI. We are required to agree to certain restrictions, particularly where you have paid out-of-pocket.
Right to Confidential Communications
You may request that MedFlow communicate with you about your health matters in a specific way or at a specific location.
Right to File a Complaint
If you believe your privacy rights have been violated, you may file a complaint with MedFlow or with the U.S. Department of Health & Human Services Office for Civil Rights — without retaliation.
Contact Our Privacy Officer
HIPAA Privacy Officer: MedFlow Technologies, Inc.
Email: hipaa@medflow.health
Address: 350 Fifth Avenue, Suite 4100, New York, NY 10118
You may also file a complaint with the U.S. Department of Health & Human Services, Office for Civil Rights, at www.hhs.gov/hipaa/filing-a-complaint — MedFlow will not retaliate against you for filing a complaint.