Privacy Policy - HIPAA Compliant

HIPAA Notice

MindHealthFlow AI is HIPAA compliant and serves as a Business Associate for covered entities. We implement administrative, physical, and technical safeguards to protect your health information.

Effective Date: 8/1/2025
Last Updated: 8/1/2025

1. Information We Collect

1.1 Protected Health Information (PHI)

  • Patient demographic information
  • Clinical notes and session recordings
  • Treatment plans and progress notes
  • Billing and insurance information
  • Communication records between providers and patients

1.2 Technical Information

  • Device information and IP addresses
  • Usage patterns and feature interactions
  • System logs and error reports
  • Performance metrics and analytics

2. AI System Data Usage

AI Training and Processing

  • PHI is NEVER used to train our AI models
  • All AI processing occurs in HIPAA-compliant environments
  • AI-generated content is subject to human oversight
  • Processing logs are encrypted and automatically deleted after 90 days

2.1 Third-Party AI Services

We use Business Associate Agreement (BAA) covered AI services including:

  • OpenAI GPT models for clinical note generation
  • Anthropic Claude for treatment planning assistance
  • Microsoft Azure Cognitive Services for voice transcription

3. Data Security Measures

3.1 Technical Safeguards

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • Multi-factor authentication (MFA) required
  • Regular security audits and penetration testing
  • SOC 2 Type II compliance

3.2 Administrative Safeguards

  • Regular HIPAA training for all employees
  • Background checks for personnel with PHI access
  • Audit logs for all system access and changes
  • Incident response procedures and breach notifications

4. Your Rights Under HIPAA

  • Right to Access: Request copies of your health information
  • Right to Amend: Request corrections to your health information
  • Right to Restrict: Request limits on how we use your information
  • Right to Confidential Communications: Request alternative communication methods
  • Right to Accounting: Request a list of disclosures we have made
  • Right to Complaint: File complaints with us or the Department of Health and Human Services

5. Data Retention and Deletion

Retention Periods

  • Clinical records: 7 years after last treatment
  • Billing records: 7 years after final payment
  • System logs: 90 days (automatically deleted)
  • Backup data: 30 days (encrypted and segregated)

Upon request or account termination, we will securely delete your data according to NIST 800-88 guidelines for media sanitization.

6. International Data Transfers

Data may be processed in the United States and other countries where we operate. We ensure appropriate safeguards through:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions by relevant authorities
  • Additional technical and organizational measures

7. Breach Notification

In the event of a data breach involving PHI, we will:

  • Notify affected individuals within 60 days
  • Report to the Department of Health and Human Services within 60 days
  • Notify media if breach affects 500+ individuals in a jurisdiction
  • Provide credit monitoring services if appropriate

8. Contact Information

Privacy Officer

Email: privacy@mindhealthflow.ai

Phone: 1-800-MINDFLOW

Address: 123 Healthcare Blvd, Suite 100, Austin, TX 78701

Department of Health and Human Services

Office for Civil Rights

Website: www.hhs.gov/ocr/privacy/hipaa/complaints/

Phone: 1-800-368-1019

9. Policy Updates

We may update this privacy policy to reflect changes in our practices or applicable law. Material changes will be communicated through:

  • Email notification to all registered users
  • Prominent notice on our website for 30 days
  • In-app notifications for active users

Emergency Situations

In emergency situations, we may disclose PHI without authorization to prevent or lessen a serious and imminent threat to health or safety, as permitted by 45 CFR 164.512(j).