Privacy Policy

INTAKEACCESS.AI LLC (DBA: IntakeAccess Health Solutions) is an AI-powered healthcare platform headquartered at 181 W Valley Ave STE 245-1742, Birmingham, AL 35209. We provide a comprehensive suite of services including:

• AI Staff Scheduling – Automated shift scheduling and conflict detection
• AI Bed Management – Real-time bed tracking and occupancy predictions
• AI Walk-In Management – Digital check-in and wait time predictions
• AI Medication Management – Drug interaction checking and reconciliation
• AI Meals & Activities – Dietary and activity recommendations
• AI Assistant – Conversational AI for staff and patient inquiries
• AI PAC Management – Post-acute care coordination
• AI Referral Management – Automated referral generation and tracking
• AI Medicaid Center – Eligibility verification and coverage estimates
• AI Inventory Management – Stock level predictions and reorder alerts
• AI Order Management – Order set suggestions and protocol management
• Chemotherapy Order Sets – Oncology-specific protocol management
• Lab Monitoring Protocol – Abnormal result alerts and follow-up
• Tumor Registry – Cancer data abstraction and reporting
• eMAR – Electronic Medication Administration Record
• MDS Assessments – Minimum Data Set completion and CMS submission
• Progress Notes – AI-assisted clinical documentation
• Clinical Trial Enrollment – Patient matching and enrollment tracking
• Survivorship Care Plan – Post-treatment care planning
• Claims Management (RCM) – Full revenue cycle management
• Facility Billing – Complete billing suite with claim scrubber
• EHR Integration – Bidirectional data exchange
• AI Specialty Templates – 50+ specialty-specific templates
• Telemedicine Suite – Secure HIPAA-compliant video consultations
• Telepsychiatry Suite – Psychiatric assessments and crisis resources
• AI Appointments Management – Smart scheduling and reminders
• Patient Portal – Secure 2FA-protected patient access
• Family Portal – HIPAA-compliant family member access
• MCO Cards – Managed care organization card scanning
• Onboarding – AI-guided credentialing and setup
• Audit Logs – Complete activity tracking with AI anomaly detection
• Support Center – AI-powered knowledge base and ticket management
• Security Center – Threat detection and compliance monitoring
• Trust Center – HIPAA compliance dashboard and transparency reports
• AI Patient Intake – Voice-enabled forms and 50+ specialty templates
• Prior Authorization Processing – AI-assisted PA generation and submission
• Insurance Verification – Real-time eligibility and benefits verification
• E-Prescribing – Electronic prescription management (including EPCS)
• Wound Imaging AI – AI-assisted wound staging and measurement
• Secure Messaging – Encrypted patient-provider communications

As a healthcare technology platform, we function as a Business Associate under HIPAA with respect to the covered entity healthcare providers and facilities using our platform, and as a Covered Entity in certain direct-service contexts. All Protected Health Information (PHI) is governed by the HIPAA Privacy Rule (45 C.F.R. Parts 160 and 164) and the HITECH Act.

This Privacy Policy applies to all users of IntakeAccess.ai, including patients, healthcare providers, licensed clinicians, facility administrators, and any other individuals or entities interacting with our platform or Website at https://intakeaccess.ai.

We collect information from multiple sources across several user categories. All PHI is collected solely for lawful healthcare purposes.

Patient Data (Protected Health Information — PHI)

Provider & Facility Data

• Full name, professional credentials, National Provider Identifier (NPI) numbers
• PTAN (Provider Transaction Access Number), CCN (CMS Certification Number), Facility ID, state license numbers
• Practice and facility information, specialty designations, licensure records
• Login credentials (hashed), multi-factor authentication data, role assignments (RBAC)
• Activity logs, audit trails, session data with 15-minute timeout enforcement
• Billing, claims, onboarding documents, and vendor authorization records
• EHR integration connection data and API access logs
• Support center tickets and security center alerts

Technical & Platform Data

• IP addresses, device type, browser type and version, operating system
• Cookies, session tokens (encrypted, time-limited), usage analytics, and page interaction data
• Complete audit logs of all PHI access (who accessed, when, from where) with 6-year retention
• Session data used for 15-minute automatic timeout enforcement and security monitoring
• AWS CloudTrail logs for infrastructure monitoring
• AWS WAF and Shield security event data
• MFA/2FA authentication attempt logs

We use collected information for the following lawful purposes. PHI is used only to the minimum extent necessary (the HIPAA "Minimum Necessary Standard") for each stated purpose.

Treatment, Payment & Healthcare Operations (TPO)

• Treatment: Coordinating care between providers, facilitating telemedicine and telepsychiatry consultations, supporting e-prescribing (including EPCS), enabling AI clinical decision support (assistive only), generating chemotherapy order sets, monitoring lab protocols, managing tumor registry data, creating survivorship care plans, and processing MDS assessments.
• Payment: Processing insurance claims (837P, 837I) to Medicare, Medicaid, and commercial payers via Stedi; prior authorization generation and submission; insurance eligibility verification; ERA enrollment on facility behalf; denial management; payment posting; patient and family payment processing via Stripe Connect; facility billing and accounts receivable.
• Healthcare Operations: Quality improvement, HIPAA compliance, staff training, accreditation support, platform security and audit functions, AI model improvement (using de-identified data only), clinical trial enrollment tracking, and survivorship care plan management.

Clinical AI & Decision Support

• AI Staff Scheduling: Analyzing staff credentials and patient needs to generate shift recommendations
• AI Bed Management: Processing occupancy data for bed availability predictions
• AI Walk-In Management: Using patient intake data to predict wait times and prioritize patients
• AI Medication Management: Analyzing medications and allergies for interaction alerts
• AI Meals & Activities: Processing dietary restrictions for meal and activity recommendations
• AI Assistant: Conversational AI for staff and patient inquiries (assistive only)
• AI PAC Management: Analyzing patient condition for post-acute care transition recommendations
• AI Referral Management: Matching patients with specialists based on diagnosis and insurance
• AI Medicaid Center: Processing eligibility data for coverage predictions
• AI Inventory Management: Using usage patterns for stock level predictions
• AI Order Management: Generating order set suggestions and protocol management
• Chemotherapy Order Sets: Managing oncology-specific protocols and safety checks
• Lab Monitoring Protocol: Flagging abnormal results and triggering follow-up protocols
• AI Specialty Templates: Providing 50+ specialty-specific documentation templates
• Wound Imaging AI: Processing wound photographs for staging and progression tracking
• Mental Health Assessments: Scoring PHQ-9, GAD-7, MDQ and transmitting results to providers

RCM & Claims Processing

• Submitting professional and institutional claims (837P, 837I) via Stedi EDI clearinghouse
• Automated ERA enrollment on behalf of facilities with payer contracts
• Real-time insurance verification and eligibility checks
• Prior authorization generation, submission, and tracking
• MDS assessment submissions to iQIES/HARP for SNF facilities
• Patient and family payment processing through Stripe Connect
• Automated denial tracking and resubmission workflows
• Payment posting and accounts receivable management

Operational & Administrative Uses

• Appointment scheduling, reminders, and follow-up communications via AI appointments management
• Post-acute care coordination (SNFs, rehab centers, assisted living, senior homes)
• Clinical trial enrollment patient matching and tracking
• Survivorship care plan generation and management
• EHR integration for bidirectional data exchange
• MCO card scanning and data extraction
• Provider/facility onboarding and credentialing verification
• Security monitoring via Security Center with threat detection
• Audit log maintenance with AI anomaly detection
• Support center ticket management and AI knowledge base
• Trust center compliance dashboard and transparency reporting
• Breach prevention, incident response, and compliance monitoring
• Platform improvement and aggregate analytics (de-identified data only)

For Treatment

• Treating physicians, nurse practitioners, therapists, and their clinical staff
• Facilities where you receive care (hospitals, clinics, SNFs, rehab centers, assisted living facilities, senior homes, home health agencies)
• Specialists and consulting providers involved in your care (including oncology, dermatology, cardiology, neurology, behavioral health)
• Clinical trial coordinators and research staff for trial enrollment
• Post-acute care providers (SNFs, rehab centers, home health) for care coordination via AI PAC Management

For Payment

• Medicare and Medicaid programs for claims submission and reimbursement
• Commercial insurance companies for prior authorization and claims processing
• Managed Care Organizations (MCOs) and Third-Party Administrators (TPAs)
• Stedi EDI clearinghouse for electronic claims submission (837P, 837I), ERA enrollment, and insurance verification
• CMS iQIES/HARP system for MDS assessment submissions
• Stripe for patient and family payment processing
• Collection agencies for unpaid patient balances (with appropriate BAAs)

For Healthcare Operations

• Quality improvement organizations and accreditation bodies
• Audit and compliance reviewers (internal and external)
• Legal and compliance consultants
• Business Associates providing services under BAA (see Section 5)

For RCM & Billing Services

• PTAN, CCN, and Facility ID shared with payers for provider enrollment and vendor authorization
• Claims data shared with Stedi for EDI transaction processing
• MDS assessments transmitted to iQIES/HARP for CMS compliance
• ERA enrollment data shared with payers on facility behalf
• Denial information shared with payers for appeals and resubmissions

As Required by Law

• Court orders, subpoenas, or other lawful legal process
• HHS and Office for Civil Rights (OCR) for compliance investigations
• Public health activities (reportable conditions, disease surveillance)
• Government audits of Medicare/Medicaid programs
• Law enforcement in limited circumstances (e.g., suspected crime on premises)
• Coroners, medical examiners, and funeral directors (limited to identification)
• Organ procurement organizations (for organ donation)

Disclosures Requiring Your Authorization

For any disclosure not described above — including disclosure to employers, life insurers, or for marketing — we will obtain your written authorization first. You may revoke any authorization in writing at any time. Psychotherapy notes (where maintained separately) require specific authorization for most disclosures.

We engage third-party service providers ("Business Associates") who may receive, create, maintain, or transmit PHI. All Business Associates must sign a Business Associate Agreement (BAA) before accessing PHI.

IntakeAccess.ai uses artificial intelligence and machine learning across 35+ features to assist healthcare providers, facility staff, and administrators. All AI features are assistive tools only — designed to support, not replace, licensed clinical professionals or facility decision-makers.

Clinical AI Features That Process PHI

• AI Patient Intake: Voice-enabled forms and 50+ specialty templates process patient data to populate clinical records, reviewed and confirmed by the treating provider.
• AI Staff Scheduling: Analyzes staff credentials, availability, and patient needs to generate shift recommendations. Final scheduling decisions remain facility responsibility.
• AI Bed Management: Processes bed occupancy data, patient diagnoses, and discharge predictions. Bed availability forecasts are estimates only.
• AI Walk-In Management: Uses patient intake data and provider availability to predict wait times and prioritize patients. Clinical triage remains staff responsibility.
• AI Medication Management: Analyzes patient medications, allergies, and conditions for interaction alerts. All prescribing decisions are provider responsibility.
• AI Meals & Activities: Processes dietary restrictions, preferences, and activity orders to generate recommendations. Final approval by clinical/dietary staff.
• AI Assistant: Conversational AI that accesses patient data and clinical information. Responses may contain errors and should not be relied upon for clinical decisions.
• AI PAC Management (Post-Acute Care): Analyzes patient condition, discharge plans, and facility availability. Care transition recommendations are estimates only.
• AI Referral Management: Matches patients with specialists based on diagnosis, insurance, and location. Provider must verify referral appropriateness.
• AI Medicaid Center: Processes patient eligibility data to predict coverage and benefits. Final eligibility verification is facility responsibility.
• AI Inventory Management: Uses usage patterns to predict stock needs. Inventory decisions remain facility responsibility.
• AI Order Management: Generates order set suggestions and protocol management. Provider must verify all orders.
• Chemotherapy Order Sets: AI-suggested protocols require oncologist review and approval before execution.
• Lab Monitoring Protocol: AI-flagged abnormal results are preliminary alerts only. All critical results require independent clinical confirmation.
• Tumor Registry: AI-assisted abstraction and staging are decision support tools. Final cancer registry reporting is facility responsibility.
• eMAR (Electronic Medication Administration Record): AI administration reminders and alerts are support tools. Medication administration remains nursing/provider responsibility.
• MDS Assessments: AI-assisted MDS coding and RUG calculations are suggestions. Facility retains full responsibility for MDS accuracy and CMS compliance.
• Progress Notes: AI-generated note drafts require provider review, editing, and signature. Provider is fully responsible for all documentation.
• Clinical Trial Enrollment: AI patient matching suggestions are algorithmic recommendations. Clinical team must verify all eligibility criteria.
• Survivorship Care Plan: AI-generated care plan drafts require oncology provider review and approval before patient distribution.
• Wound Imaging AI: Photographs and measurements are processed to assist with wound staging, sizing, and progression tracking. AI outputs are preliminary assessments only.
• Prior Authorization AI: Clinical data is analyzed to predict prior auth outcomes and generate supporting documentation. Predictions are not guarantees of approval.
• Mental Health Assessments: PHQ-9, GAD-7, and MDQ responses are scored and flagged. Clinical interpretation is the sole responsibility of the treating clinician.
• AI Clinical Decision Support: All suggestions are advisory only and require provider review before any clinical action.
• AI Specialty Templates: 50+ specialty-specific documentation templates are starting points only. Provider must customize and verify all clinical content.
• AI Appointments Management: Scheduling optimization and no-show predictions are estimates. Facility maintains final scheduling authority.

RCM & Operational AI Features

• Claims Management AI: AI-driven claim predictions and denial risk scores do not guarantee approval. Facility responsible for all claim accuracy.
• RCM Prediction AI: Analyzes claim data to predict denials and reimbursement timelines. Predictions are estimates only.
• Insurance Verification AI: AI-estimated coverage and patient responsibility estimates are not binding on payers.
• Denial Management AI: Identifies denial patterns and suggests appeal strategies. Facility must verify all appeal documentation.

Security & Compliance AI Features

• Audit Logs AI: AI anomaly detection flags suspicious access patterns but does not guarantee breach identification.
• Security Center AI: AI threat detection alerts are indicators only. Facility responsible for independent security incident response.
• Trust Center AI: AI-generated compliance estimates do not guarantee regulatory adherence.
• Support Center AI: AI chat responses may contain errors. Escalate complex issues to human support.

SMS Program Details

• Program Name: IntakeAccess.ai Healthcare Communications
• Message Frequency: Up to 4 messages per month (appointment reminders, intake links, confirmations, care notifications, family portal invitations)
• Message & Data Rates: May apply depending on your carrier plan
• Supported Carriers: AT&T, T-Mobile, Verizon, Sprint, Boost, Cricket, MetroPCS, U.S. Cellular, and most major U.S. carriers
• Support Line: Text HELP or call 205-855-4545

Types of Electronic Communications

• SMS Text Messages: Appointment reminders, intake links, confirmations, care notifications, family portal invitations, MCO card verification alerts
• Email Communications: Appointment confirmations, patient intake forms, prior authorization updates, claim status notifications (RCM), family portal invitations, billing notifications, security alerts, Trust Center updates
• Secure In-App Messaging: Encrypted patient-provider messages, staff-to-staff communications, secure document exchange, prior authorization requests, referral communications
• Push Notifications: Appointment reminders, medication alerts, lab result notifications, AI assistant responses, walk-in wait time updates, bed availability alerts (provider/facility only)
• Telehealth Session Invites: Secure video consultation links via telemedicine and telepsychiatry suites
• Family Portal Invitations: SMS/email links for family member access to patient health information (with patient authorization)
• RCM Notifications: Claim submission confirmations, ERA posting alerts, denial notifications, payment posting updates
• MDS Submission Alerts: CMS submission confirmations and rejection notifications

Opt-In / Opt-Out

SMS Opt-In: Opt in during patient intake, by texting START, via portal registration, or through family portal invitation acceptance. Opt-in consent is documented and logged.

SMS Opt-Out: Text STOP at any time to unsubscribe immediately from all SMS communications. Opt-out requests are logged in our HIPAA-compliant audit system with 4-year retention.

Email Opt-Out: Click "Unsubscribe" link in any marketing or non-essential email. Essential healthcare communications (appointment reminders, prior auth updates, claim notifications) cannot be opted out of via unsubscribe.

Push Notification Opt-Out: Manage through device settings. Essential security alerts may override user preferences for critical notifications.

Secure Messaging Opt-Out: Patients may disable secure messaging through portal settings. Providers/facilities cannot opt out of secure messaging for PHI transmission.

Family Portal Communications

• Family members receive SMS/email invitations for portal access with patient authorization
• Separate opt-in consent required for family member communications
• Family members may opt out of SMS/email independently of patient preferences
• Patient may revoke family access at any time, which automatically opts out family member from all related communications

RCM & Billing Communications

• Facilities receive email notifications for claim submissions, ERA postings, denials, and payment postings
• Patients receive billing notifications via email and/or SMS (with consent)
• Payment confirmation receipts sent via email and SMS
• Prior authorization status updates sent to providers/facilities via email and secure messaging

IntakeAccess.ai implements a multi-layered security framework in accordance with the HIPAA Security Rule (45 C.F.R. §§ 164.302–164.318), NIST cybersecurity framework, and industry best practices. All PHI is protected using enterprise-grade security controls across AWS HIPAA Eligible infrastructure.

AWS HIPAA Infrastructure

• AWS HIPAA Eligible Services: All PHI processed on AWS services with executed AWS Business Associate Agreement (BAA)
• Virtual Private Cloud (VPC): Isolated network environment with private subnets and NAT gateways
• No Public Database Access: Databases accessible only within VPC, never directly exposed to internet
• AWS CloudTrail: Complete API activity logging for all infrastructure access
• AWS WAF & Shield: Web application firewall and DDoS protection
• AWS Config: Continuous compliance monitoring and configuration auditing
• AWS GuardDuty: Intelligent threat detection and continuous security monitoring
• Multi-AZ Deployment: High availability with automatic failover across Availability Zones
• SOC 2 Type II Certified: AWS infrastructure maintains SOC 2 Type II certification

Technical Safeguards

• Encryption at Rest: AES-256 encryption for all PHI stored in AWS RDS, S3, and Firebase/Firestore
• Encryption in Transit: TLS 1.3 for all data transmitted between clients and servers; TLS 1.2 minimum enforced
• Multi-Factor Authentication (MFA): Required for all provider, facility, and administrator accounts
• Two-Factor Authentication (2FA): Required for all patient portal and family portal access
• Role-Based Access Controls (RBAC): Least-privilege access enforcement with regular access reviews
• Automatic Session Timeouts: All sessions terminate after 15 minutes of inactivity (HIPAA Security Rule compliant)
• Audit Logging: Every PHI access event logged with user identity, timestamp, IP address, action type, and accessed resource
• Audit Log Retention: 6-year retention for all PHI access logs (HIPAA Security Rule § 164.312(b))
• API Rate Limiting: Prevents brute force attacks and DDoS
• Input Validation & Sanitization: Protection against SQL injection, XSS, and other injection attacks
• Automated Backups: Daily automated backups with 30-day retention; point-in-time recovery enabled
• Disaster Recovery: Multi-region replication for critical data; RTO < 4 hours, RPO < 15 minutes
• Vulnerability Scanning: Weekly automated vulnerability scans of all infrastructure
• Penetration Testing: Annual third-party penetration testing with remediation tracking

Administrative Safeguards

• Designated HIPAA Security Officer: Named individual responsible for security program oversight
• Annual Workforce Training: Mandatory HIPAA and security awareness training for all employees
• Risk Assessments: Comprehensive annual risk assessments per HIPAA Security Rule
• Risk Management: Documented risk management plan with remediation tracking
• Incident Response Plan: Documented IR plan with quarterly tabletop exercises
• Business Associate Agreements (BAAs): Signed BAAs with all subcontractors prior to PHI access
• Sanction Policy: Documented disciplinary process for HIPAA/Security violations
• Contingency Plan: Documented disaster recovery and emergency mode operation plan

Physical Safeguards

• AWS Data Centers: AWS physically secure facilities with biometric access controls
• 24/7/365 Security: Continuous physical security monitoring, guards, and surveillance
• Access Controls: Role-based physical access with audit logging
• Workstation Security: Encrypted company devices with remote wipe capability
• Facility Access Logs: All physical access to infrastructure logged and retained

Security Monitoring & Incident Response

• 24/7 Security Monitoring: Continuous monitoring via AWS GuardDuty, CloudTrail, and custom SIEM
• Security Information & Event Management (SIEM): Centralized logging and alerting for security events
• Intrusion Detection Systems (IDS): Network and host-based intrusion detection
• Breach Response: Documented breach notification procedures per HIPAA Breach Notification Rule
• Security Incident Response Team (SIRT): Dedicated team for incident investigation and remediation
• Threat Intelligence: Real-time threat feeds integrated into monitoring systems

Data Backup & Disaster Recovery

• Automated Daily Backups: Full database backups every 24 hours
• 30-Day Backup Retention: Backups retained for 30 days with point-in-time recovery
• Cross-Region Replication: Critical data replicated to separate AWS region
• Recovery Time Objective (RTO): < 4 hours for critical systems
• Recovery Point Objective (RPO): < 15 minutes for PHI data
• Annual DR Testing: Full disaster recovery exercise conducted annually

Third-Party Security Validations

• SOC 2 Type II: AWS infrastructure SOC 2 Type II certified
• HIPAA Compliance Validation: Annual third-party HIPAA risk assessment
• Penetration Testing: Annual independent penetration test with findings remediation
• Vulnerability Scanning: Weekly automated vulnerability scans
• Bug Bounty Program: Private bug bounty program for security researchers

Data Deletion Process: Upon expiration of the applicable retention period, PHI is permanently deleted using NIST 800-88 compliant methods (cryptographic erasure for encrypted data, physical destruction for media). De-identified data meeting HIPAA Safe Harbor standard (45 C.F.R. § 164.514(b)) may be retained indefinitely for research, analytics, and AI model improvement.

Data Export Requests: Facilities and providers may request a complete export of their clinical, operational, claims, and MDS data within 30 days of account termination. Export is provided in standard electronic format (CSV, JSON, or CCDA).

As a patient whose PHI is processed through IntakeAccess.ai, you have the following rights under the HIPAA Privacy Rule (45 C.F.R. Parts 160 and 164). Contact your healthcare provider, use the Patient Portal, or refer to Section 20 to exercise these rights.

Right of Access (45 C.F.R. § 164.524)

Inspect and obtain a copy of your PHI within 30 days of request. Electronic copies provided at no or reasonable cost-based fee. Access includes:

• Medical records and progress notes
• MDS assessments (for SNF patients)
• Prior authorization records
• Claim and billing records
• Telehealth session recordings (with consent)
• Secure messaging history
• AI-generated clinical summaries (where incorporated into medical record)
• Wound imaging photos and AI assessments
• Mental health assessment results (PHQ-9, GAD-7, MDQ)
• Clinical trial enrollment records
• Survivorship care plans
• eMAR administration records

Right to Amend (45 C.F.R. § 164.526)

Request amendment to PHI you believe is inaccurate or incomplete. We will act within 60 days. AI-generated content may be amended through provider correction workflows.

Right to Accounting of Disclosures (45 C.F.R. § 164.528)

Request a list of disclosures of your PHI made in the prior six years, excluding TPO disclosures and those you authorized. Disclosures include:

• Claims submissions to Medicare, Medicaid, and commercial payers
• MDS submissions to iQIES/HARP (SNF patients)
• Prior authorization requests to payers
• Disclosures to Business Associates (Stedi, AWS, etc.)
• Legal or regulatory disclosures (e.g., HHS, court orders)

Right to Request Restrictions (45 C.F.R. § 164.522)

Request restrictions on certain uses and disclosures of your PHI. We must restrict disclosure to a health plan for services you paid out-of-pocket in full. We will consider other restriction requests but are not required to agree unless required by law.

Restrictions may impact your provider's ability to submit claims or prior authorizations on your behalf.

Right to Confidential Communications

Request communication by alternative means (e.g., email instead of phone) or at an alternative location. We will accommodate all reasonable requests through your Patient Portal settings.

Right to Receive Notice of Privacy Practices

You have the right to receive a paper copy of this Notice of Privacy Practices upon request, even if you have previously agreed to receive it electronically.

Right to Restrict PHI from AI Processing

You may request that your PHI not be used for AI model training or AI feature improvement. Opt out by contacting your provider or submitting a request to privacy@intakeaccess.ai. Opt-out requests are processed within 30 days. Note that AI features used for your direct treatment may still process your PHI as necessary for your care.

Right to Access Family Portal Controls

You have the right to:

• Authorize or revoke family member access to your PHI through the Family Portal
• Set granular permissions for what information family members can see (e.g., clinical, billing, or both)
• Receive a log of family member access to your PHI

Right to an Electronic Copy of Your Record

You have the right to obtain an electronic copy of your PHI in a standard format (e.g., CCDA, PDF, CSV) for portability to another provider or platform. Requests fulfilled within 30 days.

Right to Designate a Personal Representative

You may designate a personal representative to act on your behalf regarding PHI access and management, subject to applicable state laws (e.g., healthcare power of attorney, guardianship).

Right to File a Complaint

File a complaint with IntakeAccess.ai (Section 20) or with HHS Office for Civil Rights (OCR) at www.hhs.gov/ocr or 1-800-368-1019 (TDD: 1-800-537-7697). We will not retaliate against you for exercising any HIPAA right or filing a complaint.

How to Exercise Your Rights

• Patient Portal: Most rights can be exercised directly through your Patient Portal account
• Email: privacy@intakeaccess.ai
• Mail: 181 W Valley Ave STE 245-1742, Birmingham, AL 35209
• Phone: 205-855-4545

IntakeAccess.ai maintains a documented Breach Notification Policy in compliance with the HIPAA Breach Notification Rule (45 C.F.R. §§ 164.400–414) and the HITECH Act.

Definition of Breach

For purposes of this policy, a "Breach" means the unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises the security or privacy of the PHI. Exceptions include:

• Unintentional acquisition, access, or use by workforce members acting within their scope of duties
• Inadvertent disclosures to authorized persons within the same facility/organization
• Disclosures where there is a low probability PHI has been compromised (risk assessment factors considered)

Notification Timelines

• Individual Notification: Affected individuals notified within 60 days of discovery via first-class mail (or email if authorized). Notice includes: description of breach, types of PHI involved, protective steps, and our response measures.
• HHS Notification: Breaches affecting 500+ individuals reported to HHS simultaneously with individual notification. Smaller breaches logged and reported to HHS annually within 60 days of discovery.
• Media Notification: Breaches affecting 500+ residents of a state reported to prominent media in that state within 60 days.
• Covered Entity Notification: Where acting as Business Associate, the relevant Covered Entity (provider or facility) is notified within 60 days of discovery.

Breach Scenarios Specific to IntakeAccess.ai

• Claims Data Breach: Unauthorized access to claims data (837P, 837I) submitted via Stedi
• MDS Data Breach: Unauthorized access to MDS assessment data submitted to iQIES/HARP
• AI Model Data Exposure: Unauthorized access to AI training data or AI feature inputs/outputs
• Third-Party Vendor Breach: Security incident at Stedi, AWS, Twilio, SendGrid, Stripe, Hathr AI, Comp AI, or Doesspot affecting IntakeAccess.ai PHI
• Family Portal Breach: Unauthorized access to patient PHI via family member account compromise
• API Breach: Unauthorized access via API endpoint (RCM API, claims API, prior auth API, e-prescribing API)
• EHR Integration Breach: Unauthorized access via third-party EHR integration
• Backup Data Breach: Unauthorized access to backup data storage
• Workforce Breach: Unauthorized access by employee outside scope of duties
• Credential Compromise: Unauthorized access using compromised provider, facility, or patient credentials

Risk Assessment Factors

When a potential breach is identified, IntakeAccess.ai conducts a risk assessment considering:

• Nature and extent of PHI involved (including MDS, claims, mental health, AI-generated data)
• Unauthorized person who used/disclosed PHI (including third-party vendors)
• Whether PHI was actually acquired or viewed
• Risk mitigation measures applied (encryption, access controls, audit logs)

Breach Response Team

IntakeAccess.ai maintains a designated Breach Response Team including:

• HIPAA Security Officer
• HIPAA Privacy Officer
• IT/Security Lead
• Legal Counsel
• Communications Lead

Remediation Actions Following Breach

• Immediate containment to prevent further unauthorized access
• Mitigation measures to reduce risk to affected individuals
• Security control improvements to prevent recurrence
• Workforce retraining and disciplinary action where applicable
• Vendor remediation for third-party breaches (Stedi, AWS, Twilio, etc.)
• Credit monitoring offers where financial information or SSN compromised
• Law enforcement notification where criminal activity suspected

Breach Documentation

For each breach (including those determined to have low probability of compromise), IntakeAccess.ai maintains documentation including:

• Date of breach discovery
• Description of PHI involved
• Steps taken to investigate and mitigate
• Risk assessment findings
• Notifications sent (with copies)
• Remediation actions taken

Documentation retained for 6 years from breach discovery (HIPAA Security Rule § 164.312(b)).

Third-Party Vendor Breach Protocol

If a Business Associate (Stedi, AWS, Twilio, SendGrid, Stripe, Hathr AI, Comp AI, Doesspot) experiences a breach affecting IntakeAccess.ai PHI:

• Vendor must notify IntakeAccess.ai within 5 business days of discovery
• IntakeAccess.ai conducts independent risk assessment
• IntakeAccess.ai responsible for patient/facility notification within 60 days of vendor notification
• Vendor remediation and future prevention required

Facility Responsibility for Breach Response

Facilities using IntakeAccess.ai RCM, MDS, or claims services remain responsible for:

• Notifying patients of breaches originating from facility side (e.g., facility credential compromise)
• Cooperating with IntakeAccess.ai breach investigations
• Providing accurate contact information for affected patients
• Maintaining their own breach documentation for CMS compliance

Information qualifying as Protected Health Information (PHI) under HIPAA is exempt from the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) to the extent maintained as PHI. However, certain non-PHI personal information collected by IntakeAccess.ai (e.g., website analytics, marketing preferences, non-clinical account data) is subject to CCPA/CPRA. This section describes rights for California residents regarding that non-PHI information.

Your CCPA/CPRA Rights

• Right to Know (Categories & Specific Pieces): Request disclosure of categories and specific pieces of personal information collected, sources, business purposes, and third-party disclosures.
• Right to Delete: Request deletion of personal information, subject to legal retention requirements (including HIPAA, CMS, and other regulatory obligations).
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt Out of Sale/Sharing: IntakeAccess.ai does not sell or share personal information for cross-context behavioral advertising. No opt-out necessary.
• Right to Limit Use of Sensitive Personal Information: IntakeAccess.ai does not use sensitive personal information (e.g., SSN, driver's license) for purposes other than those permitted under CCPA/CPRA.
• Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA right (e.g., denying services, charging different rates).
• Right to Opt Out of Automated Decision-Making: You have the right to opt out of automated decision-making technology used for eligibility, employment, housing, credit, or insurance decisions. IntakeAccess.ai's AI features are assistive only and do not make final determinations in these contexts.

Categories of Non-PHI Personal Information Collected

• Identifiers: Name, email address, IP address, device ID (when not linked to PHI)
• Commercial Information: Billing preferences, marketing preferences, demo account usage
• Internet Activity: Website browsing history, clickstream data, pages visited
• Geolocation Data: Approximate location derived from IP address (not precise location)
• Inferences: Preferences derived from website usage (not clinical)

Sources of Non-PHI Personal Information

• Directly from you (website forms, newsletter signups, demo requests)
• Automatically from your device (cookies, analytics tools)
• Marketing partners (with your consent)

Business Purposes for Collection

• Website operation and security
• Marketing and advertising (with consent)
• Analytics and platform improvement (de-identified)
• Customer support and demo inquiries

Third-Party Disclosures of Non-PHI

• Analytics Providers: Google Analytics, Mixpanel (de-identified data only)
• Marketing Platforms: HubSpot, Mailchimp (with consent)
• Service Providers: Website hosting, email delivery

IntakeAccess.ai does not sell non-PHI personal information to third parties.

CCPA/CPRA Request Process for California Residents

Submitting a Request: Submit verifiable requests to privacy@intakeaccess.ai with subject line "California Privacy Rights Request." You may also call 205-855-4545.

Verification Process: We will verify your identity using information you provide (e.g., email, name, account details). For requests involving sensitive information, additional verification may be required.

Response Timeline: Responses within 45 days of verified request (extendable by an additional 45 days with notice).

Authorized Agent: You may designate an authorized agent to submit requests on your behalf. Agent must provide written authorization signed by you.

Fee: No fee for most requests. Excessive or repetitive requests may incur a reasonable fee.

CCPA/CPRA Metrics (Annual Disclosure)

IntakeAccess.ai annually discloses CCPA/CPRA request metrics as required by law. Request previous year's metrics by emailing privacy@intakeaccess.ai.

Shine the Light (California Civil Code § 1798.83)

California residents may request information about disclosures of personal information to third parties for direct marketing purposes. IntakeAccess.ai does not disclose personal information to third parties for direct marketing purposes. Submit requests to privacy@intakeaccess.ai with subject line "Shine the Light Request."

Minors Under 16

IntakeAccess.ai does not knowingly sell the personal information of minors under 16 years of age. No opt-in consent mechanism is provided because we do not engage in such sales.

IntakeAccess.ai is committed to protecting the privacy of children in compliance with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6505), HIPAA, and applicable state minor patient privacy laws.

Collection of Minor PHI

IntakeAccess.ai does not knowingly collect personal information from children under 13 except as part of a legitimate healthcare relationship where a parent or legal guardian has:

• Established a patient-provider relationship with a licensed healthcare provider using the Platform
• Provided verifiable consent for the minor's treatment through the Platform
• Completed intake forms and authorized telehealth services for the minor
• Registered for the Patient Portal as the minor's legal representative

Parental Access to Minor PHI

Parents and legal guardians generally have the right to access their minor child's PHI through the Patient Portal, subject to the following exceptions where state law or professional judgment restricts parental access:

• Reproductive Health: Certain state laws allow minors to consent to reproductive health services (e.g., STI testing, contraception, pregnancy care) without parental notification or consent
• Mental Health: Many states permit minors to consent to mental health treatment (e.g., therapy, counseling) without parental access to records
• Substance Use Treatment: 42 C.F.R. Part 2 and some state laws restrict parental access to substance use disorder treatment records for minors who consented to treatment
• Emancipated Minors: Emancipated minors have full control over their PHI regardless of age
• Mature Minor Doctrine: Some states allow mature minors (typically 12-17) to control certain health information
• Provider Discretion: Providers may restrict parental access if reasonably believed to endanger the minor

COPPA Compliance

For children under 13 who are patients receiving care through the Platform:

• All information collection is solely for healthcare purposes permitted under COPPA's healthcare exception
• Parental consent is obtained before any non-healthcare information collection
• No personal information is collected from children under 13 for marketing or advertising purposes
• Parents may review and request deletion of their child's information (subject to medical record retention laws)
• IntakeAccess.ai does not knowingly collect information from children under 13 outside a healthcare relationship

Minor Patient Rights by State

IntakeAccess.ai supports state-specific minor consent laws. Examples include:

This table is for illustrative purposes only and not legal advice. Providers are responsible for knowing the minor consent laws in their jurisdiction.

Telehealth for Minors

Telehealth consultations with minors require:

• Parental/guardian consent for treatment (unless minor consent applies per state law)
• Provider determination that telehealth is appropriate for minor's condition
• Compliance with state laws regarding minor telemedicine consent
• Private consultation space for minor if appropriate (e.g., mental health visits)

Mental Health Assessments for Minors

PHQ-9, GAD-7, MDQ, and other mental health assessments for minors:

• May be administered with parental consent (or minor consent where applicable)
• Results shared with parents only as permitted by state law and provider judgment
• Crisis alerts (e.g., suicidal ideation) override confidentiality for safety

Deletion of Minor Information

Upon a minor reaching the age of majority (typically 18), they may:

• Request that parents/guardians be removed from accessing their records
• Establish their own Patient Portal account with full access
• Request deletion of childhood records (subject to medical record retention laws - typically 7-10 years)

Reporting Obligations

IntakeAccess.ai complies with mandatory reporting laws for:

• Child abuse or neglect (reported to appropriate authorities)
• Threats of harm to self or others (including minors)
• Certain communicable diseases (reportable conditions)

Confidentiality protections do not override mandatory reporting obligations.

Our Website and Platform use cookies and similar tracking technologies. See our separate Cookie Policy for full details. This section summarizes our cookie practices as they relate to PHI and privacy.

Types of Cookies We Use

• Strictly Necessary Cookies: Required for platform authentication, session management, security (including 2FA and MFA), and core functionality. Cannot be disabled without breaking platform access.
• Preference Cookies: Remember your settings (e.g., language preference, view mode, notification preferences). Disabling may affect user experience.
• Analytics Cookies: Used on public marketing pages only to understand Website usage (e.g., page views, referral sources, time on site). Never linked to PHI. Data is aggregated and de-identified.
• Security Cookies: Used for CSRF protection, rate limiting, and bot detection. Essential for platform security.
• Session Cookies: Temporary cookies that expire upon logout or 15-minute timeout. Store encrypted session tokens only.

Cookies Within Authenticated Platform Areas

No Advertising Cookies: No advertising, behavioral tracking, or third-party marketing cookies are used within authenticated provider, facility, or patient sessions. This includes:

• Patient Portal
• Provider Dashboard
• Facility Administration Panel
• Family Portal
• Telemedicine and Telepsychiatry suites
• RCM and claims management modules
• AI feature interfaces
• Secure messaging and e-prescribing modules

Cookies on Public Marketing Pages

On public-facing marketing pages (https://intakeaccess.ai), we may use:

• Google Analytics: Understand traffic sources and page performance (anonymized IP addresses)
• HubSpot: Demo request forms and newsletter signups (with consent)
• LinkedIn Insights: Career page tracking (anonymized)

These cookies never collect PHI. You may opt out of analytics cookies via cookie consent banner.

Cookie Duration

Third-Party Tracking Technologies

• Google Analytics: Used on marketing pages only. IP addresses are anonymized. Data retention: 26 months. Opt-out available.
• HubSpot: Used for demo forms and newsletter signups (with explicit consent). Data subject to HubSpot's privacy policy and BAA where applicable.
• No Social Media Pixels: Facebook, Twitter, LinkedIn pixels are not used on authenticated platform areas.
• No Heatmaps: Tools like Hotjar, CrazyEgg are not used on authenticated platform areas.

PHI and Cookies

PHI is never stored in cookies. Key protections:

• Session tokens are encrypted and contain no identifiable PHI
• Session tokens are invalidated upon logout or 15-minute timeout
• No patient names, MRNs, diagnoses, or other PHI in cookies
• 2FA/MFA state cookies contain only reference to authentication step
• Cookie data never shared with third parties for advertising

Cookie Consent Management

Consent Banner: First-time visitors to marketing pages see a cookie consent banner. Options include:

• Accept all (analytics + necessary)
• Accept necessary only
• Customize preferences

Withdraw Consent: You may withdraw cookie consent at any time by clearing browser cookies or using the "Cookie Settings" link in the website footer.

Browser Settings: Most browsers allow you to block or delete cookies. Note that blocking strictly necessary cookies will prevent platform login and authentication.

Do Not Track (DNT)

IntakeAccess.ai honors Do Not Track signals from browsers. If DNT is enabled, analytics cookies are not set on marketing pages. Authenticated platform areas never use advertising or tracking cookies regardless of DNT setting.

Session Management & Timeout

• 15-Minute Automatic Timeout: All platform sessions terminate after 15 minutes of inactivity (HIPAA Security Rule compliant)
• Logout: Click "Logout" to immediately invalidate session tokens
• Multiple Sessions: Concurrent sessions permitted but each independently timed out
• Session Audit: All session creations and terminations logged in audit trail

Local Storage & IndexedDB

In addition to cookies, the Platform uses:

• Local Storage: Stores user preferences, theme settings, and cached non-PHI data. No PHI stored in local storage.
• IndexedDB: Used for offline capability in patient portal (e.g., viewing downloaded records). Data encrypted at rest.
• Session Storage: Temporary storage for form data during active session. Cleared on logout.

Beyond the Business Associates listed in Section 5, our platform may integrate with or link to additional third-party services. This section describes our practices regarding these third-party relationships.

Third-Party Integrations with BAA (PHI Access)

The following third-party services have executed Business Associate Agreements (BAAs) with IntakeAccess.ai and may process PHI as part of platform functionality:

• Stedi: Claims submission (837P, 837I), prior authorization, insurance verification, ERA enrollment (BAA executed)
• Hathr AI: Healthcare-specific AI models for prior authorization and RCM predictions (BAA executed)
• Comp AI: AI-powered clinical documentation and specialty templates (BAA executed)
• Doesspot: E-prescribing (EPCS for controlled substances) (BAA executed)
• Stripe: Patient and family payment processing (BAA executed)
• AWS (Amazon Web Services): HIPAA-eligible cloud infrastructure (BAA executed)
• Twilio: SMS communications and secure messaging (BAA executed)
• SendGrid: Email delivery for patient and family notifications (BAA executed)
• iQIES/HARP (CMS): MDS assessment submissions (CMS system, BAA equivalent)
• Firebase/Google Cloud: Database, hosting, authentication (BAA executed)
• EDI Clearinghouses: Various EDI partners for claims routing (BAAs executed)

Third-Party Integrations Without PHI Access (No BAA Required)

The following services may process non-PHI data (e.g., analytics, marketing, preferences) and do not require BAAs because they never receive PHI:

• Google Analytics: Website usage analytics (marketing pages only, anonymized IP, no PHI)
• HubSpot: Demo request forms and newsletter signups (explicit consent, no PHI)
• Make.com: Automation for demos and non-PHI workflows (BAA not yet executed; no live PHI processed)
• LinkedIn Insights: Career page tracking (anonymized, no PHI)

Third-Party Links on Platform

The Platform may contain links to external websites not operated by IntakeAccess.ai, including:

• CMS and government resources (cms.gov, medicare.gov, medicaid.gov)
• Professional association resources (AMA, APA, etc.)
• Pharmacy benefit information (via e-prescribing module)
• Payer portals (for claims status, prior auth status)
• 988 Suicide & Crisis Lifeline (988lifeline.org)
• Educational resources for patients

We are not responsible for the privacy practices of these external websites. We encourage you to review their privacy policies before providing any personal information.

Third-Party API Calls

The Platform makes API calls to third-party services for various functions. These calls may transmit necessary data as described in Section 4 (Permitted Disclosures):

• Stedi API: Claims submission, prior auth, insurance verification (transmits PHI as necessary)
• Stripe API: Payment processing (transmits billing information)
• Twilio API: SMS and messaging (transmits appointment data, notifications)
• SendGrid API: Email delivery (transmits email addresses, notifications)
• iQIES/HARP API: MDS submissions (transmits MDS assessment data)
• Doesspot API: E-prescribing (transmits prescription data)
• Hathr AI API: Prior auth predictions (transmits clinical data for AI processing)
• Comp AI API: Clinical documentation (transmits clinical notes for AI assistance)

Third-Party Data Retention

Third-party services may retain data according to their own retention policies. IntakeAccess.ai requires BAAs to include data deletion provisions that align with HIPAA requirements. Specific third-party retention periods:

• Stedi: Claims data retained per CMS requirements (10 years)
• Stripe: Payment data retained for 7 years (IRS requirements)
• Twilio: SMS logs retained for 4 years (TCPA requirements)
• AWS: Infrastructure logs retained per IntakeAccess.ai configuration

Third-Party Service Changes & Discontinuation

IntakeAccess.ai does not control third-party services. Changes to third-party APIs, terms of service, or service discontinuation may impact platform functionality. We will notify affected users of material changes or discontinuations that impact PHI processing.

Third-Party Security Incidents

If a third-party service with a BAA experiences a security incident affecting IntakeAccess.ai PHI:

• The third party must notify IntakeAccess.ai within 5 business days of discovery
• IntakeAccess.ai conducts independent risk assessment
• Affected patients/facilities notified within 60 days of IntakeAccess.ai discovery
• Third-party remediation required per BAA terms

Third-Party Service Provider Due Diligence

Before engaging any third-party service that may access PHI, IntakeAccess.ai conducts due diligence including:

• SOC 2 Type II report review (or equivalent)
• HIPAA compliance validation
• Security control assessment
• BAA execution
• Annual reassessment

Third-Party Service Subprocessors

Our third-party service providers may themselves use subprocessors. Where applicable, BAAs require notification of subprocessor changes. A current list of subprocessors is available upon request to compliance@intakeaccess.ai.

IntakeAccess.ai is operated exclusively in the United States. All Protected Health Information (PHI) is stored and processed in HIPAA-compliant U.S.-based data centers and is not transferred outside the United States under any circumstances.

U.S.-Only Data Storage

• AWS US Regions: All PHI stored exclusively in AWS US East (N. Virginia) or US West (Oregon) regions
• Firebase/Firestore: Data stored in US-based clusters only
• Backup Locations: Backups remain within AWS US regions; cross-region replication only to other US regions
• No International Servers: IntakeAccess.ai does not operate servers or data centers outside the United States

No PHI Transfer Outside United States

IntakeAccess.ai maintains a strict policy of NO PHI transfer outside the United States. This includes:

• No cloud servers in non-US jurisdictions
• No subcontractors with access to PHI located outside US
• No international backup or disaster recovery sites
• No data processing by international subsidiaries
• All Business Associates contractually prohibited from transferring PHI outside US

Third-Party Service Locations

Third-party services with BAAs that process PHI are contractually restricted to US-based infrastructure:

• Stedi: US-based infrastructure only
• AWS: US regions only for PHI processing
• Twilio: US-based processing for PHI-related communications
• SendGrid: US-based email infrastructure
• Stripe: US-based payment processing
• Doesspot: US-based e-prescribing infrastructure
• Hathr AI / Comp AI: US-based AI processing only

Non-PHI Data Transfers

Non-PHI data (e.g., marketing analytics, de-identified usage statistics) may be processed through services with international infrastructure:

• Google Analytics: May transfer anonymized data to international servers (no PHI included)
• HubSpot: EU-US Data Privacy Framework certified for marketing data (no PHI)
• Make.com: Demo automation only (no live PHI until BAA executed)

International User Access

While IntakeAccess.ai is designed for U.S. healthcare providers and patients, international users may access the platform (e.g., U.S. citizens abroad, international researchers). In such cases:

• All PHI remains stored exclusively in US data centers
• User access is encrypted in transit (TLS 1.3) regardless of location
• International access does not constitute international data transfer of PHI
• Users are responsible for compliance with their local laws

GDPR for EEA Residents

For individuals located in the European Economic Area (EEA), certain personal information (non-PHI, such as marketing preferences) may be subject to the General Data Protection Regulation (GDPR). Important GDPR notes:

• PHI Exempt from GDPR: PHI processed under HIPAA is exempt from GDPR to the extent it falls under the healthcare data exception
• Non-PHI GDPR Rights: EEA residents have rights including access, rectification, erasure, restriction, portability, and objection
• Lawful Basis: For non-PHI processing, lawful basis is typically consent (marketing) or legitimate interest (analytics)
• Data Protection Officer (DPO): Contact our HIPAA Privacy Officer at privacy@intakeaccess.ai for GDPR inquiries

UK Data Protection Act

For individuals in the United Kingdom, the UK Data Protection Act 2018 applies to non-PHI personal information. IntakeAccess.ai complies with UK data protection requirements for non-PHI data. Contact privacy@intakeaccess.ai for UK-specific inquiries.

Data Privacy Framework (EU-US, UK-US, Swiss-US)

IntakeAccess.ai does not currently participate in the EU-US Data Privacy Framework, UK-US Data Bridge, or Swiss-US Data Privacy Framework. However, our third-party service providers (e.g., HubSpot) may be certified. For non-PHI data transfers, appropriate safeguards (SCCs or DPF certification) are in place.

International Patient Rights

International patients receiving care from U.S. providers through IntakeAccess.ai retain all HIPAA rights described in Section 10, regardless of location. International location does not reduce HIPAA protections.

International Provider/Facility Obligations

Healthcare providers and facilities located outside the United States using IntakeAccess.ai must:

• Comply with all U.S. healthcare laws (HIPAA, CMS requirements, etc.) for any U.S. patient data
• Comply with local data protection laws for their jurisdiction
• Not export PHI to non-US jurisdictions outside authorized platform access
• Maintain BAAs with IntakeAccess.ai as required

Data Subject Access Requests (DSAR) for Non-PHI Data

For non-PHI personal information (EEA/UK residents), submit DSARs to privacy@intakeaccess.ai. Response within 30 days (extendable to 60). Verification required.

International Compliance Certifications

IntakeAccess.ai maintains the following international compliance posture:

• HIPAA: Full compliance (U.S. only)
• GDPR: Compliant for non-PHI data processing
• UK Data Protection Act: Compliant for non-PHI data processing
• No GDPR Article 45 Certification: Not applicable (no EEA-US PHI transfers)

Mental health information — including PHQ-9, GAD-7, MDQ results, telepsychiatry session notes, virtual meeting recordings (with consent), group therapy session data, crisis assessments, and substance use disorder treatment records (42 C.F.R. Part 2 where applicable) — receives heightened protection. Mental health PHI will not be disclosed without explicit authorization except as required for emergency treatment, imminent safety threats, or applicable law.

Telepsychiatry Suite — Special Protections

The IntakeAccess.ai Telepsychiatry Suite includes the following features with enhanced privacy protections:

• Individual Virtual Meetings: One-on-one secure video consultations between provider and patient. Sessions are encrypted end-to-end (TLS 1.3). Recordings only with explicit patient consent.
• Group Therapy Sessions: Secure virtual group therapy sessions with multiple participants. Group confidentiality rules apply. Participants agree not to disclose other participants' information.
• Group Management Tools: Provider tools for scheduling group sessions, managing participant rosters, sending group reminders, and tracking attendance. Group participant lists are protected PHI.
• Virtual Waiting Room: Secure digital waiting area before sessions. No PHI visible to other waiting participants.
• Mental Health Assessments: PHQ-9 (depression), GAD-7 (anxiety), MDQ (bipolar), and other screening tools. Results transmitted securely to providers.
• Crisis Resources Integration: One-click access to 988 Suicide & Crisis Lifeline and emergency resources directly within the platform.
• Secure Messaging: Encrypted patient-provider messaging specific to mental health concerns.

Group Therapy — Privacy Considerations

Group therapy sessions conducted through the Telepsychiatry Suite have specific privacy considerations:

• Participant Confidentiality: All group participants agree to maintain confidentiality of other participants' information as a condition of group enrollment
• No Recording by Participants: Recording of group sessions by participants is strictly prohibited and violates these Terms
• Provider Recording: Providers may record group sessions only with advance written consent of all participants
• Participant Roster: Participant names visible to other participants during group sessions (unless aliases requested)
• Group Chat: Text-based group chat within sessions is logged and retained as part of the medical record
• Breakout Rooms: Sub-groups within larger sessions may have separate privacy considerations

Virtual Meeting Protections

• End-to-End Encryption: All virtual meetings encrypted using TLS 1.3 and DTLS for media streams
• Waiting Room: Providers control admission to meetings
• Participant Management: Providers can mute, remove, or lock meetings
• No Passive Listening: Platform does not monitor or listen to sessions without explicit consent
• Session Recording: Recordings require explicit patient consent (individual) or all participant consent (group) before initiation. Recordings stored encrypted with restricted access.
• Recording Retention: Session recordings retained per medical record retention requirements (7-10 years) unless deleted earlier by provider
• Participant List: Virtual meeting attendee lists are logged as part of the medical record

Substance Use Disorder Records (42 C.F.R. Part 2)

For facilities and providers treating substance use disorders, additional federal protections apply under 42 C.F.R. Part 2:

• Part 2 records receive heightened confidentiality protections beyond standard HIPAA
• Disclosure requires specific patient consent separate from general HIPAA authorization
• Unauthorized disclosure of Part 2 records may result in criminal penalties
• IntakeAccess.ai supports Part 2 consent management workflows
• Providers are responsible for complying with Part 2 requirements when treating SUD patients

Mental Health Assessment Data

• PHQ-9, GAD-7, MDQ results are considered sensitive PHI
• Assessment results are not shared with family members without explicit patient consent (or as permitted for minors)
• Score trending and alerts are for provider use only
• Suicidal ideation flags (PHQ-9 Question 9) trigger crisis protocols regardless of confidentiality

Crisis Protocols & Confidentiality Exceptions

Confidentiality protections for mental health information are subject to exceptions where required by law or safety:

• Imminent Danger: If a patient poses a danger to self or others, providers may disclose PHI to prevent harm (Tarasoff duty to protect in applicable states)
• Child Abuse: Mandatory reporting laws require disclosure of suspected child abuse or neglect
• Elder Abuse: Mandatory reporting laws for vulnerable adult abuse
• Court Order: Subpoenas and court orders may compel disclosure
• Licensing Boards: Disclosures to professional licensing boards as required

Group Management Data Retention

• Group Session Records: Attendance, participant lists, session notes retained 7 years
• Group Chat Logs: Retained as part of medical record
• Participant Consent Forms: Retained indefinitely as legal records
• Recording of Sessions: Retained per medical record retention (7-10 years) or per provider policy

Provider Responsibilities for Group Therapy

Providers conducting group therapy through the Telepsychiatry Suite are responsible for:

• Obtaining informed consent from all participants regarding group confidentiality limits
• Enforcing group confidentiality rules
• Managing participant behavior (muting, removing disruptive participants)
• Documenting attendance and participation
• Securing appropriate consent before recording any session
• Reporting any breaches of group confidentiality

Patient Rights for Mental Health & Group Therapy Records

Patients have the following additional rights regarding mental health and group therapy records:

• Right to Request No Family Access: Patients (where legally permitted) may restrict family portal access to mental health records
• Right to Confidential Communications: Request that mental health communications be sent to alternative address/phone
• Right to Restrict Disclosure: Request that mental health PHI not be disclosed to certain payers (out-of-pocket requests)
• Right to Access Group Session Records: Access their own group session notes (but not other participants' information)

IntakeAccess.ai processes Medicare and Medicaid beneficiary data in accordance with CMS data use requirements, applicable CMS program integrity requirements, and federal healthcare program regulations. Medicare and Medicaid identifiers (including HICNs, MBI numbers, Medicaid IDs, PTANs, and CCNs) are treated as Protected Health Information (PHI) and receive all applicable HIPAA protections.

Medicare & Medicaid Information We Process

• Beneficiary Identifiers: HICN (Health Insurance Claim Number), MBI (Medicare Beneficiary Identifier), Medicaid ID numbers
• Provider Identifiers: PTAN (Provider Transaction Access Number), NPI, CCN (CMS Certification Number)
• Facility Identifiers: Facility ID, state license numbers, Medicare/Medicaid provider numbers
• Claims Data: 837P (professional claims), 837I (institutional claims), claim adjustments, appeals
• MDS Assessments: Minimum Data Set assessments for SNF facilities
• Prior Authorizations: Medicare Advantage and Medicaid prior authorization requests
• ERA Enrollment Data: Electronic Remittance Advice enrollment information
• Payment Data: Remittance advices, EOBs, payment posting

CMS Data Use Requirements

IntakeAccess.ai complies with CMS data use requirements including:

• Data Use Agreements (DUAs): Executed agreements with CMS where required for certain data access
• Limited Data Set: Where applicable, use of Limited Data Set with data use agreement
• No Unauthorized Disclosure: CMS data not disclosed to parties without authorization
• Data Destruction: CMS data destroyed per DUA requirements
• Security Controls: CMS data protected with HIPAA-compliant security controls

MDS Assessment Data (iQIES/HARP)

For Skilled Nursing Facilities (SNFs) and other providers submitting MDS assessments:

• MDS data is submitted to CMS through the iQIES/HARP system on facility behalf
• Facilities must maintain valid CCN (CMS Certification Number) for MDS submissions
• PSO (Patient Safety Organization) approval required for vendor authorization
• MDS data retained for 10 years per CMS requirements (42 C.F.R. § 483.20)
• Inaccurate MDS submissions are facility responsibility and may result in CMS penalties
• MDS data is used for RUG (Resource Utilization Group) calculation and Medicare reimbursement

Vendor Authorization for Medicare/Medicaid Billing

For facilities using IntakeAccess.ai RCM services for Medicare/Medicaid billing:

• Facilities must authorize IntakeAccess.ai as a billing vendor with CMS and applicable payers
• CMS-588 form (Medicare Authorization) must be executed before claims submission
• PTAN (Provider Transaction Access Number) required for each Medicare billing arrangement
• Facility must maintain current authorizations and notify IntakeAccess.ai of any changes or revocations
• Claims will not be submitted until vendor authorization is confirmed

Program Integrity & Anti-Fraud

IntakeAccess.ai supports CMS program integrity requirements and anti-fraud efforts:

• Claims data is submitted with accurate, complete, and medically necessary information
• Cooperation with CMS, OIG, MACs, and UPICs for audits and investigations
• Reporting of suspected fraud, waste, or abuse through appropriate channels
• No submission of false, fraudulent, or duplicate claims (violations reported to CMS)
• AI-driven claim predictions do not guarantee approval; facility responsible for claim accuracy

Program Integrity & Anti-Fraud

IntakeAccess.ai supports CMS program integrity requirements and anti-fraud efforts:

• Claims data is submitted with accurate, complete, and medically necessary information
• Cooperation with CMS, OIG, MACs, and UPICs for audits and investigations
• Reporting of suspected fraud, waste, or abuse through appropriate channels
• No submission of false, fraudulent, or duplicate claims (violations reported to CMS)
• AI-driven claim predictions do not guarantee approval; facility responsible for claim accuracy

Billing Accuracy & Audit Commitment

IntakeAccess.ai commits to the following billing accuracy and compliance standards for Medicare and Medicaid data:

• No Upcoding: IntakeAccess.ai does not and will not upcode any services submitted through the Platform (i.e., will not submit codes that reflect higher reimbursement than warranted by documented services). All claims are submitted based on accurate coding derived from documentation provided by the Facility.
• Regular Audits: IntakeAccess.ai conducts regular internal audits of claims submissions to verify coding and billing accuracy. Audit findings are documented, and corrective actions are implemented as needed. Audit logs are retained for compliance purposes.
• No Referrals: IntakeAccess.ai does not and will not refer individuals to any healthcare provider for services. The Platform processes claims and data only; it does not steer patients or generate referrals.
• Facility Responsibility for Coding: Clinical coding, medical necessity determinations, and documentation accuracy remain the sole responsibility of the Facility. IntakeAccess.ai's RCM services exclude clinical coding and billing decisions to comply with Anti-Kickback Statute safe harbors (42 C.F.R. § 1001.952(d)).
• Audit Cooperation: IntakeAccess.ai will cooperate fully with Facility audits, CMS audits, OIG investigations, and MAC reviews related to billing and coding accuracy. Platform audit logs, claims submission records, and related documentation will be made available as required by law or contractual obligation.
• Corrective Actions: If billing inaccuracies are identified through internal or external audits, IntakeAccess.ai will implement corrective actions, including retraining, process improvements, and, where necessary, voluntary refunds of overpayments to CMS or payers.

Medicare & Medicaid Data Retention

• Claims Records: 10 years (42 C.F.R. § 422.504(d))
• MDS Assessments: 10 years (CMS RAI Manual, 42 C.F.R. § 483.20)
• PTAN/CCN Records: Duration of facility relationship + 10 years
• Vendor Authorization Records: Duration of relationship + 7 years
• Audit Logs of CMS Data Access: 6 years

Provider & Facility Responsibilities

Providers and Facilities using IntakeAccess.ai for Medicare/Medicaid billing represent and warrant that:

• They are enrolled in Medicare/Medicaid and not excluded under OIG or SAM exclusion lists
• All claims submitted are accurate, medically necessary, and properly documented
• They will not submit false, fraudulent, or duplicate claims
• They maintain complete medical records supporting all billed services for 10 years
• They will cooperate with CMS, OIG, MACs, and UPIC audits
• They will notify IntakeAccess.ai immediately of any exclusion, sanction, or loss of billing privileges

Medicare & Medicaid Breach Notification

Breaches involving Medicare or Medicaid data follow HIPAA Breach Notification Rule (Section 11) with additional CMS reporting requirements:

• CMS Regional Office (RO) notified within 1 business day for breaches affecting 500+ individuals
• Medicare Administrative Contractor (MAC) notified within 5 business days
• State Medicaid agency notified per state requirements
• Potential OIG notification for fraud-related breaches

CMS Audits & Investigations

IntakeAccess.ai cooperates fully with CMS audits and investigations:

• CMS may request access to claims data, MDS data, and related documentation
• Facilities are responsible for providing documentation to support claims (medical records, etc.)
• IntakeAccess.ai will provide platform access logs and claims submission records as required
• Failure to cooperate with CMS audits may result in termination of RCM services

Medicare & Medicaid Disclaimers

IntakeAccess.ai reserves the right to amend this Privacy Policy and Notice of Privacy Practices at any time. We are required by law to abide by the terms of the Notice of Privacy Practices currently in effect. Material changes to this Policy will be implemented as described below.

Types of Changes

• Material Changes: Significant changes to how we use, disclose, or protect PHI; changes to your HIPAA rights; changes to retention periods; changes to third-party BAAs; changes to AI feature data usage; changes to RCM or MDS data processing
• Non-Material Changes: Clarifications, typographical corrections, formatting updates, non-substantive wording changes
• Emergency Changes: Changes required by law, regulation, or security incident

Notification Methods for Material Changes

For material changes to this Privacy Policy, IntakeAccess.ai will provide notice through the following methods:

• Website Posting: Prominent notice posted on the IntakeAccess.ai website (https://intakeaccess.ai/privacy) at least 30 days before effective date
• Email Notification: Direct email to registered Providers, Facilities, and patients (where email address on file) at least 30 days before effective date
• Patient Portal Notification: In-app notification upon login for active patients
• Provider/Facility Dashboard Notification: Banner notification for all active provider and facility accounts
• Last Updated Date: "Last Updated" date at top of this Policy will be revised to reflect effective date

Notification Methods for Non-Material Changes

For non-material changes, IntakeAccess.ai will provide notice through:

• Website Posting: Updated Policy posted on website with revised "Last Updated" date
• In-App Notification: Brief notification upon next login (no 30-day advance notice required)

Emergency Changes

In the event of emergency changes required by law, regulation, or security incident:

• Policy updated immediately with effective date
• Notice provided as soon as practicable after change (typically within 7 days)
• Email notification sent to registered users explaining the change and reason
• Post-change notice includes effective date of change

Changes Affecting Specific Features

Material changes affecting specific platform features require additional notifications:

• AI Feature Changes: Changes to how AI processes PHI will be communicated with specific AI feature disclosure
• RCM Service Changes: Changes to claims, MDS, or billing data processing notified to affected Facilities
• Third-Party BAA Changes: Addition or removal of Business Associates with PHI access notified within 30 days
• Retention Period Changes: Changes to data retention periods notified at least 60 days before implementation
• HIPAA Rights Changes: Changes to patient HIPAA rights notified at least 60 days before effective date

Opt-Out Rights for Material Changes

If you do not agree to material changes to this Privacy Policy:

• Patients: You may request account deactivation and data export/transfer to another provider (see Section 10)
• Providers/Facilities: You may terminate your subscription with 30 days' written notice before the effective date of the change
• RCM Services: Facilities may terminate RCM services without penalty if material change affects claims or MDS data processing

Continued use of the Platform after the effective date of material changes constitutes acceptance of the revised Policy.

Acknowledgment of Receipt

We may request that you acknowledge receipt of this Notice of Privacy Practices (or material amendments) through:

• Electronic acknowledgment via Patient Portal or Provider Dashboard
• Signed acknowledgment form for paper delivery
• First visit acknowledgment for new patients

We will make a good faith effort to obtain written acknowledgment of receipt. We will document our efforts to obtain acknowledgment.

Historical Versions

IntakeAccess.ai maintains historical versions of this Privacy Policy for at least 6 years (HIPAA documentation retention requirement). Historical versions are available upon request to privacy@intakeaccess.ai. The current version supersedes all prior versions.

Paper Copies

A paper copy of this Notice of Privacy Practices (current or historical version) is available upon request at no charge. Submit requests to:

• Email: privacy@intakeaccess.ai
• Phone: 205-855-4545
• Mail: 181 W Valley Ave STE 245-1742, Birmingham, AL 35209

Paper copies will be provided within 7 business days of request.

Changes Required by Law

If changes to this Policy are required by changes in federal or state law (including HIPAA, CMS regulations, state privacy laws), the effective date may be earlier than 30 days from notice. We will provide as much advance notice as practicable under the circumstances.

Privacy & HIPAA Compliance Contacts

• HIPAA Privacy Officer: privacy@intakeaccess.ai (primary contact for patient privacy concerns)
• HIPAA Security Officer: security@intakeaccess.ai (breach reporting, security incidents)
• Compliance Officer: compliance@intakeaccess.ai (CMS compliance, vendor authorizations, BAA requests)
• Legal Department: legal@intakeaccess.ai (legal notices, subpoenas, court orders)
• RCM Billing Inquiries: billing@intakeaccess.ai (claims, ERA, MDS billing questions)
• Support Center: support@intakeaccess.ai (general platform support, technical issues)

Company Information

• Legal Name: INTAKEACCESS.AI LLC
• DBA: IntakeAccess Health Solutions
• Address: 181 W Valley Ave STE 245-1742, Birmingham, AL 35209
• Platform: https://intakeaccess.ai
• Phone: 205-855-4545
• Fax: (available upon request)
• Hours: Monday-Friday, 8:00 AM - 6:00 PM CST (excluding holidays)

How to Exercise Your HIPAA Rights

To exercise your HIPAA rights described in Section 10 (Right of Access, Amendment, Accounting of Disclosures, etc.):

• Patient Portal: Most rights can be exercised directly through your Patient Portal account (recommended for fastest response)
• Email: Send requests to privacy@intakeaccess.ai with subject line "HIPAA Rights Request - [Your Name]"
• Mail: Send written requests to the address above, attention "HIPAA Privacy Officer"
• Phone: Call 205-855-4545 and request to speak with the HIPAA Privacy Officer (response may be slower than written request)

Verification Required: For all rights requests (except through authenticated Patient Portal), we will verify your identity before processing. Verification may require government ID, account information, or other identifying data.

Business Associate Agreement (BAA) Requests

Covered Entities (healthcare providers and facilities) requiring a signed Business Associate Agreement:

• Request BAA: Email compliance@intakeaccess.ai with subject line "BAA Request - [Facility Name]"
• Timeline: Standard BAA provided within 3 business days
• Negotiated BAA: Enterprise customers may negotiate BAA terms; allow 10-14 business days for review
• BAA Status Check: Email compliance@intakeaccess.ai for BAA execution status

Filing a Privacy Complaint with IntakeAccess.ai

If you believe your privacy rights have been violated, you may file a complaint directly with IntakeAccess.ai. We will not retaliate against you for filing a complaint.

How to File:

• Email: privacy@intakeaccess.ai with subject line "PRIVACY COMPLAINT - [Brief Description]"
• Mail: Attn: HIPAA Privacy Officer, 181 W Valley Ave STE 245-1742, Birmingham, AL 35209
• Phone: 205-855-4545 (ask for HIPAA Privacy Officer)

Complaint Requirements:

• Your name and contact information (anonymous complaints accepted but may limit investigation)
• Description of alleged privacy violation (dates, parties involved, specific PHI at issue)
• Any supporting documentation
• Preferred resolution

Complaint Process:

• Acknowledgment within 3 business days
• Investigation completed within 30 days
• Written response with findings and resolution
• Appeal rights if not satisfied with resolution

Filing a Security Incident or Breach Report

To report a suspected or confirmed security incident or breach of PHI:

• Immediate Reporting (24/7): Call 205-855-4545 and ask for Security Officer (available 24/7 for emergencies)
• Email: security@intakeaccess.ai (monitored during business hours; for emergencies call)
• Required Information: Date/time of incident, description, PHI involved, number of affected individuals (if known)

Facilities and providers are required to report suspected breaches within 24 hours of discovery. Delayed reporting may result in termination of services.

Filing a Complaint with HHS Office for Civil Rights (OCR)

You have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights if you believe your HIPAA privacy rights have been violated.

• Website: www.hhs.gov/ocr
• Online Complaint Portal: https://ocrportal.hhs.gov
• Phone: 1-800-368-1019 (TDD: 1-800-537-7697)
• Mail: Centralized Case Management Operations, U.S. Department of Health and Human Services, 200 Independence Ave., S.W., Room 509F HHH Bldg., Washington, D.C. 20201
• Email: OCRMail@hhs.gov

Deadline: Complaints to OCR must be filed within 180 days of when you knew or should have known of the violation (unless waived by OCR for good cause).

Filing a Complaint with State Regulators

You may also file complaints with your state's Attorney General or state health department privacy office. Contact information varies by state.

Medicare/Medicaid Fraud Reporting

To report suspected Medicare or Medicaid fraud, waste, or abuse:

• CMS Fraud Hotline: 1-800-447-8477
• OIG Hotline: https://oig.hhs.gov/fraud/report-fraud
• Medicare Beneficiary Ombudsman: 1-800-633-4227

Response Times by Request Type

Language Assistance

Language assistance services are available for privacy and compliance communications. Contact privacy@intakeaccess.ai with your language preference. We provide:

• Translated versions of this Privacy Policy (Spanish, Chinese, Vietnamese, Arabic) upon request
• Telephonic interpretation services for complaint filing
• Written translations for privacy correspondence where required by law

TDD/TTY Accessibility

For individuals who are deaf, hard of hearing, or have speech disabilities:

• TDD/TTY Relay: Dial 711 for relay services
• Email: privacy@intakeaccess.ai (preferred for written communication)
• Video Relay Service (VRS): Compatible with all major VRS providers

For facilities utilizing Revenue Cycle Management services, additional data protections apply:

• Claims data submitted through Stedi is encrypted and transmitted via secure EDI channels
• PTAN, CCN, and Facility ID numbers are stored encrypted with restricted access
• ERA enrollment data shared only with authorized payers per facility authorization
• MDS submissions to iQIES/HARP transmit only required CMS data elements
• Patient payment information processed through Stripe is never stored on our servers