HIPAA Notice — MedFlow CRM

Important: This notice explains how MedFlow CRM relates to HIPAA. MedFlow is a marketing and CRM tool — not an EHR. If your practice is a HIPAA-covered entity, please read this page carefully and contact us to discuss your compliance obligations.

1. Overview

The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for the protection of certain health information. This notice explains how MedFlow CRM relates to HIPAA, what obligations you may have as a healthcare provider using our platform, and the steps we take to support your compliance.

This notice is intended for customers who are covered entities under HIPAA — primarily healthcare providers, including physician practices, med spas providing medical services, and aesthetic clinics.

2. What Is Protected Health Information (PHI)?

Protected Health Information (PHI) is individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate in connection with the provision of healthcare or healthcare payment.

PHI includes any information that could identify a patient combined with health-related information, such as:

Patient names combined with appointment dates or treatment types
Contact information (phone, email, address) combined with medical history
Diagnosis, treatment records, or prescription information
Billing or insurance information linked to a patient identity
Any other information that could identify an individual and relate to their health condition or treatment

Practical example: A patient's name and phone number alone are generally not PHI. A patient's name combined with the fact that they receive Botox injections at your clinic could constitute PHI depending on the context and how it is used.

3. MedFlow's Role Under HIPAA

MedFlow CRM is designed as a marketing automation and CRM platform — not as an Electronic Health Record (EHR) or clinical documentation system. When you use MedFlow to store contact information, send appointment reminders, or automate follow-up communications, MedFlow may function as a Business Associate under HIPAA to the extent it handles PHI on your behalf.

As a Business Associate, MedFlow:

Uses PHI only to provide the contracted services to you
Does not use or disclose PHI in ways not permitted by the HIPAA Privacy Rule
Implements appropriate safeguards to protect PHI
Reports any suspected breach of PHI to you as required by law
Makes its practices available to the Secretary of HHS for compliance review

4. Your Responsibilities as a Covered Entity

If your practice is a HIPAA-covered entity, you bear primary responsibility for HIPAA compliance in your use of MedFlow CRM. Your responsibilities include:

Minimum necessary standard

Only enter the minimum amount of patient information necessary for the specific purpose. For appointment reminders and follow-ups, this typically means name, phone number or email, and appointment details — not full medical records.

Patient authorization

Ensure you have appropriate patient authorization or a valid HIPAA exception before sending marketing communications. Appointment reminders for treatment the patient is already receiving may qualify under HIPAA's treatment communications exception, but promotional communications typically require authorization.

Notice of Privacy Practices

Your practice's Notice of Privacy Practices should disclose how you use patient information for communications and marketing, including through third-party tools like MedFlow.

Staff training

Ensure staff who use MedFlow CRM are trained on proper handling of patient information and your organization's HIPAA policies.

5. Business Associate Agreement (BAA)

If your practice is a HIPAA-covered entity and you intend to store or process PHI within MedFlow CRM, a signed Business Associate Agreement (BAA) between your practice and MedFlow CRM is required under HIPAA.

Required action: Do not use MedFlow CRM to store or process PHI without a signed BAA in place. Operating without a BAA when one is required constitutes a HIPAA violation for which your practice could be held liable.

To request a Business Associate Agreement, contact us at compliance@medflowcrm.com. We will review your request and provide a BAA for execution. BAA execution is included at no additional cost for Growth plan and above subscribers.

Business Associate Agreement

Need a BAA for your practice?

If your clinic is a covered entity under HIPAA, contact us to execute a Business Associate Agreement before using MedFlow to process patient data.

6. Our Safeguards

MedFlow CRM implements the following safeguards to protect data processed through our platform:

Technical safeguards

All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
Data at rest is encrypted using AES-256 encryption
Access to production systems is restricted to authorized personnel using multi-factor authentication
Audit logging of all access to sensitive data
Regular security vulnerability assessments

Physical safeguards

Data is hosted in SOC 2 Type II certified data centers
Physical access controls at all data center facilities
Data is backed up regularly with encrypted backups stored in geographically separate locations

Administrative safeguards

Designated privacy and security officer
Workforce training on data security and privacy practices
Incident response plan for data breaches
Vendor risk management for all third-party subprocessors

7. Practical Guidance for Med Spa Owners

Here is practical guidance for how to use MedFlow CRM in a HIPAA-conscious way:

What is generally lower risk to store in MedFlow

Patient name, phone number, and email for communication purposes
Appointment dates and general appointment type (e.g., "consultation")
Marketing preferences and communication opt-in/opt-out status
General notes about communication history

What you should keep in your EHR/clinical system, not MedFlow

Detailed clinical notes, diagnoses, or treatment records
Medical history forms and intake documents
Before/after photos linked to patient identity
Prescription information or medication history
Insurance or billing records with diagnosis codes

SMS and email compliance

When using MedFlow's automated messaging features, ensure message content is appropriate. Appointment reminders should not include specific treatment details that could constitute PHI in the message body. Use general language: "Your appointment at [Clinic Name] is confirmed for [date/time]" rather than "Your Botox treatment at [Clinic Name] is confirmed."

8. Important Disclaimer

Not legal or compliance advice: This notice is provided for informational purposes only and does not constitute legal advice or a guarantee of HIPAA compliance. HIPAA compliance is complex and fact-specific. MedFlow CRM strongly recommends consulting with a qualified healthcare attorney or HIPAA compliance consultant to assess your specific obligations and ensure your use of any technology platform — including MedFlow — meets applicable legal requirements.

Compliance obligations vary based on your practice type, the services you provide, the states in which you operate, and how you use our platform. MedFlow CRM is not responsible for your practice's compliance with HIPAA or any other applicable law.

9. Contact Us

For HIPAA-related inquiries, BAA requests, or compliance questions:

MedFlow CRM — Compliance
Columbus, Ohio, United States
Email: compliance@medflowcrm.com
General: hello@medflowcrm.com

We aim to respond to all compliance inquiries within 2 business days.