Effective Date: March 17, 2026 · Last Updated: March 17, 2026
CaseFlow acts as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA) when handling Protected Health Information (PHI) on behalf of covered entities (surgical practices). We enter into a Business Associate Agreement (BAA) with each practice before any PHI is processed. View our BAA template →
CaseFlow ("we," "us," or "our") is an autonomous surgical practice operations platform operated by Polsia, Inc. We provide AI-powered fax processing, referral intake, insurance pre-authorization assistance, and scheduling tools for surgical practices.
This Privacy Policy explains how CaseFlow collects, uses, stores, and protects information — including Protected Health Information (PHI) — in connection with our services.
When a surgical practice uses CaseFlow to process patient referrals, we may receive and process PHI on their behalf, including:
This PHI is processed solely on behalf of the covered entity (your practice) in accordance with our Business Associate Agreement.
We use PHI exclusively to provide services to your practice as described in our BAA. This includes:
We do not use PHI for advertising, marketing, or any purpose beyond what is permitted under HIPAA and your BAA.
All data — including PHI — is encrypted at rest using AES-256 encryption. Our PostgreSQL database is hosted on Neon, a SOC 2 Type II certified cloud database provider.
All data transmitted between your browser or systems and CaseFlow is encrypted using TLS 1.2 or higher (HTTPS). Fax transmissions are received via secure, encrypted channels.
Access to PHI is restricted to authorized CaseFlow personnel and AI systems that require it to perform contracted services. We maintain detailed access logs and conduct regular security reviews.
Our application is hosted on Render (SOC 2 compliant). Our database is hosted on Neon (SOC 2 Type II). We do not store PHI on consumer-grade storage services.
We do not sell, rent, or trade your data or PHI to third parties.
We may share data only in these limited circumstances:
A complete list of our subprocessors is available upon request at caseflow@polsia.app.
We retain PHI for the duration of your active subscription plus a configurable retention period (default: 7 years). Note that HIPAA itself does not set a retention period for medical records; it requires only that HIPAA compliance documentation be kept for six years (45 CFR 164.316(b)(2)), and record retention periods are set by state law and by your practice's own policies. Practices can therefore request shorter or longer retention windows to match their obligations.
Upon subscription termination, you may request deletion of your PHI at any point within 90 days of the termination date. We will provide a data export upon request before deletion.
As a covered entity, your practice retains all rights over PHI under HIPAA. CaseFlow, as your Business Associate, will support you in responding to patient rights requests including:
Contact us at caseflow@polsia.app to initiate any PHI rights request.
In the event of a breach of unsecured PHI, CaseFlow will notify the affected covered entity without unreasonable delay, and in no case later than 60 calendar days after discovery, in accordance with the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D; business associate obligations at 45 CFR 164.410). Notification will include the nature of the breach, the categories of PHI involved, the identity of each affected individual to the extent known at the time of notification (with any later-identified individuals reported as that information becomes available), and the steps being taken to investigate and mitigate.
Our public marketing website uses minimal analytics (anonymized) to understand how visitors discover CaseFlow. We do not use third-party advertising cookies. No PHI is ever transmitted to analytics providers.
CaseFlow is a B2B healthcare operations platform intended for use by medical practices and their staff. We do not knowingly collect personal information from children under 13.
We may update this Privacy Policy as our services evolve or as regulations change. We will notify active customers of material changes via email at least 30 days before they take effect. The effective date at the top of this page reflects the most recent revision.
For privacy questions, data requests, BAA execution, or breach reporting:
📧 caseflow@polsia.app
Subject: Privacy Inquiry or BAA Request
To download or review our standard BAA template: View Business Associate Agreement →