Privacy Policy for platFlow.ai

Introduction

At Platflow ("we," "us," or "our"), protecting the privacy and security of personal health information is our highest priority. This Privacy Policy outlines our practices for collecting, using, disclosing, and protecting medical data received from skilled nursing facilities through Point Click Care, as well as how we process this information to provide MDS form completion services and improve our artificial intelligence systems.

Information We Collect

We receive protected health information (PHI) from skilled nursing facilities through Point Click Care. This information includes patient medical records, treatment information, healthcare provider notes, assessment data, demographic information, and other clinical documentation. Specifically, we process patient diagnoses and conditions, medication records, treatment outcomes, vital signs and measurements, care planning documentation, and staff notes and observations.

In addition to medical data, we collect technical information necessary for service operation and improvement. This includes system performance metrics, usage patterns, error logs, service interaction data, API call metadata, model performance metrics, and quality assurance data. This technical data helps us maintain and improve our services while ensuring the highest levels of accuracy and reliability.

Use of Your Information

Our primary use of collected information is to provide essential services to skilled nursing facilities. This includes completing MDS forms, processing medical data to generate accurate assessments, and providing recommendations for optimal reimbursement opportunities. We process this information using advanced artificial intelligence systems designed specifically for healthcare applications.

For AI development and optimization, we utilize de-identified and aggregated data. Our AI systems employ state-of-the-art large language models and custom fine-tuned models specifically developed for healthcare tasks. To ensure privacy, we implement comprehensive de-identification processes that include the removal of all HIPAA identifiers, application of k-anonymity principles, statistical disclosure control methods, and synthetic data generation techniques. We regularly conduct re-identification risk assessments to maintain the highest standards of privacy protection.

HIPAA Compliance and Security

As a business associate under HIPAA, we maintain Business Associate Agreements (BAAs) with all skilled nursing facilities we serve, as well as with our cloud service providers, data processing subcontractors, and security vendors. We undergo regular HIPAA security training and assessments and penetration testing to ensure the ongoing protection of sensitive information.

Our security infrastructure implements multiple layers of protection. We use AES-256 encryption for data at rest and TLS 1.3 for data in transit, with Azure Key Vault for key management. Our real-time security monitoring system includes automated threat detection and response capabilities, complemented by regular vulnerability scanning.

Data Retention and Deletion

We maintain clear data retention schedules that balance regulatory requirements with operational needs. Protected health information is retained for seven years from the last date of service, while de-identified data is kept for ten years to support quality assurance efforts. Audit logs are maintained for six years, and training data undergoes review every two years.

When data deletion is required, we follow secure deletion procedures that adhere to DOD 5220.22-M standards. We provide certificates of destruction upon request and conduct quarterly audits of retained data. Our automated deletion workflows and backup purge procedures ensure comprehensive data removal when required.

Incident Response and Breach Notification

Our incident response team consists of key personnel including our Chief Privacy Officer, Information Security Officer, Legal Counsel, Communications Director, and Technical Response Team. In the event of a security incident, we notify affected facilities within 24 hours and provide patient notification as required by law. We conduct regular breach response drills and perform thorough post-incident analysis to continuously improve our security measures.

AI Model Training and Validation

Our AI training procedures take place in segregated environments with documented protocols and regular model bias assessments. We implement rigorous validation methods that include statistical accuracy measurements and clinical validation by qualified healthcare professionals. Regular model performance audits, bias assessments, and error analysis ensure the highest levels of accuracy and fairness in our automated systems.

Your Rights

We respect and protect individual rights under HIPAA and other applicable regulations. Individuals may access their PHI within 30 days of request and request corrections within 60 days. We provide accounting of disclosures and honor requests to restrict processing where applicable. Regarding automated decision-making, individuals have the right to request human review of automated decisions, contest automated assessments, understand decision criteria, and opt out of certain automated processes.

International Data Considerations

For any international data transfers, we implement appropriate safeguards and comply with relevant international privacy laws. We maintain clear data residency commitments and implement necessary cross-border data transfer mechanisms. Where applicable, we comply with GDPR requirements and maintain relationships with local representatives in relevant jurisdictions.

Changes to Privacy Policy

We reserve the right to update this privacy policy as needed to reflect changes in our practices or legal requirements. We will notify facilities 30 days before implementing material changes and will inform individuals and regulators as required by law. All policy updates are documented with clear comparisons of changes provided to affected parties.

Contact and Insurance

Our Privacy Office, led by our Chief Privacy Officer, can be reached at privacy@platflow.com or [Phone Number]. We maintain comprehensive insurance coverage, including cyber liability insurance, professional liability insurance, and business interruption coverage, to ensure we can meet our obligations to protect and secure your information.

© 2024-2025 Copyright by Platflow. All rights reserved