IntakeFlowIntakeFlow
Book Demo
Privacy policy

Your data, your terms.

How we collect, use, disclose, and safeguard information when you use IntakeFlow. Written plainly so you can actually read it.

Last updated: May 25, 2026

01 Our Commitment to Privacy

IntakeFlow, a product of Sigla LLC ("we," "us," or "our"), is committed to protecting the privacy and security of all personal information and Protected Health Information (PHI) entrusted to us. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use our platform.

IntakeFlow is designed for use by home health agencies. We understand the sensitivity of healthcare data and comply with all applicable federal and state privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Virginia Consumer Data Protection Act (VCDPA), and other applicable state healthcare privacy and consumer data protection regulations.

02 Information We Collect

Information You Provide

  • Account information: name, email, phone number, facility name, role, state
  • Patient demographic data: names, dates of birth, Social Security numbers (last 4), addresses
  • Medical information: diagnoses, physician names, allergies, admission details
  • Insurance information: Medicare IDs, Medicaid IDs, insurance provider and policy numbers
  • Contact information: emergency contacts, Power of Attorney, family members
  • Electronic signatures and witness signatures
  • Referral pipeline data: referral sources, referring organizations, contact persons
  • Documents uploaded for AI-assisted data extraction (face sheets, referral forms, intake documents)

Information Collected Automatically

  • IP address, browser type, operating system, device information
  • Pages visited, time spent, clickstream data
  • Session duration and activity timestamps (for audit logging)
  • Authentication events and access logs

03 How We Use Your Information

  • Provide, maintain, and improve the IntakeFlow platform
  • Process intake workflows, generate agreement forms, and facilitate e-signatures
  • Manage referral pipelines and follow-up notifications
  • Generate PDF agreement packets and compliance reports
  • Extract data from uploaded documents using AI-assisted processing to auto-fill agreement fields
  • Maintain HIPAA-compliant audit logs of all PHI access
  • Send transactional communications (signing links, notifications)
  • Enforce session timeouts and security measures
  • Respond to legal requests and prevent fraud

04 Protected Health Information (PHI)

IntakeFlow processes PHI on behalf of covered entities (home health agencies) as a Business Associate under HIPAA. We:

  • Execute Business Associate Agreements (BAAs) with all covered entity customers
  • Encrypt all PHI at rest using AES-256 encryption
  • Encrypt all PHI in transit using TLS 1.2 or higher
  • Implement role-based access controls with facility-level isolation
  • Maintain comprehensive audit logs of all PHI access and modifications
  • Enforce automatic session timeouts after 15 minutes of inactivity
  • Will not use or disclose PHI except as permitted by the BAA and applicable law

05 Data Sharing

We do not sell, rent, or trade personal information or PHI. We do not share personal information for targeted advertising purposes. We may share information with:

  • Service providers (subprocessors): We use a limited number of HIPAA-compliant infrastructure, authentication, email delivery, fax transmission, and eligibility / EDI clearinghouse providers. each bound by appropriate confidentiality agreements and Business Associate Agreements. These providers process data solely on our behalf and under our instructions. A list of subprocessor categories is set forth in Schedule A of our Business Associate Agreement
  • Payers and the eligibility / EDI clearinghouse: When your facility initiates a real-time eligibility check, we transmit an X12 270 eligibility inquiry through our HIPAA-covered clearinghouse subprocessor to the patient’s payer (commercial, Medicare Advantage, Medicaid Managed Care Organization) or to the CMS Eligibility Transaction System (HETS) for Medicare fee-for-service and Medicare Beneficiary Identifier lookup. This disclosure is made for Payment activities as permitted by 45 CFR 164.502(a)(1)(ii) without additional patient authorization. Consistent with the minimum necessary standard at 45 CFR 164.502(b), the 270 carries only: subscriber name, date of birth, member identifier (or Social Security Number where required for MBI lookup), and the rendering provider’s National Provider Identifier. No clinical, diagnostic, medication, or visit data is included in the 270. The 271 response returned by the payer is written back to the patient’s eligibility record on your facility’s account. The clearinghouse processes these transactions under a written subcontractor Business Associate Agreement that satisfies 45 CFR 164.504(e) and is bound by the breach-notification cascade in 45 CFR 164.410.
  • Authorized signers: Remote signing links share limited patient information necessary for the signing process
  • Legal requirements: When required by law, court order, or government investigation
  • Business transfers: In the event of a merger, acquisition, or sale, with appropriate notice and continued privacy protections

06 Data Security

We implement reasonable and appropriate administrative, technical, and physical safeguards to protect information, including:

  • AES-256 encryption for data at rest
  • TLS 1.2+ encryption for data in transit
  • Application-level controls for multi-tenant organization isolation
  • Automatic session timeout after 15 minutes of inactivity
  • Security headers: HSTS, X-Frame-Options, CSP, X-Content-Type-Options
  • HIPAA-compliant audit logging of all data access
  • Signing session expiry (72 hours) for remote signing links
  • Input validation and sanitization on all API endpoints

No system can guarantee 100% security. We will notify affected parties and relevant authorities in the event of a data breach as required by HIPAA and applicable state breach notification laws.

07 Breach Notification Process

In the event of a breach of unsecured PHI, IntakeFlow follows a structured notification process:

  • Discovery and containment: Upon discovery of a potential breach, we immediately initiate containment and investigation procedures
  • Customer notification: We notify affected customers within twenty-four (24) hours of discovering the breach, including a description of the incident, the types of information involved, and steps being taken to investigate and mitigate
  • Investigation: We conduct a thorough investigation to determine the scope, cause, and impact of the breach, and implement measures to prevent recurrence
  • Individual notification assistance: We assist customers in providing notification to affected individuals as required by HIPAA and applicable state laws, including providing the identity of each individual whose PHI was or is reasonably believed to have been affected
  • HHS notification: For breaches affecting 500 or more individuals, we assist customers in notifying the U.S. Department of Health and Human Services (HHS) as required by 45 CFR 164.408

08 Minimum Necessary Principle

IntakeFlow adheres to the HIPAA minimum necessary principle. We limit the use, disclosure, and request of PHI to the minimum amount necessary to accomplish the intended purpose of each use, disclosure, or request. Our systems are designed to enforce role-based access controls and facility-level isolation so that users only access the PHI they need to perform their authorized functions.

09 Data Retention

We retain personal information and PHI for as long as necessary to fulfill the purposes outlined in this policy, comply with legal obligations, resolve disputes, and enforce agreements. Patient records and audit logs are retained in accordance with federal and state healthcare record retention requirements (minimum 6 years for HIPAA, longer where required by state law). Upon termination of a customer account, we will delete or return PHI as directed and in accordance with the BAA.

10 Your Rights and Individual Rights Procedures

Depending on your jurisdiction, you may have the right to:

  • Access requests: Individuals may request access to their PHI. IntakeFlow will assist customers in responding to access requests within thirty (30) days of receipt, with one thirty-day extension if needed with written notice
  • Amendment requests: Individuals may request amendments to their PHI. IntakeFlow will assist customers in responding within sixty (60) days of receipt
  • Accounting of disclosures: Individuals may request an accounting of disclosures of their PHI. IntakeFlow maintains audit logs to support these requests and will assist customers in providing an accounting upon request
  • Request deletion of your data (subject to legal retention requirements)
  • Opt out of marketing communications
  • File a complaint with HHS Office for Civil Rights (see below)

Patient rights regarding PHI are governed by HIPAA and exercised through the covered entity (your facility), not directly through IntakeFlow.

File a HIPAA Complaint

If you believe your health information privacy rights have been violated, you may file a complaint with:

U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue S.W.
Washington, D.C. 20201

Phone: 1-877-696-6775

Website: https://www.hhs.gov/hipaa/filing-a-complaint/

IntakeFlow and your healthcare provider may not retaliate against you for filing a complaint.

11 Cookies

We use essential cookies for authentication and session management. We do not use advertising or tracking cookies. Session cookies are encrypted and expire upon logout or session timeout.

12 Children’s Privacy

IntakeFlow is not intended for use by individuals under 13 years of age. We do not knowingly collect information from children under 13.

13 AI-Assisted Document Processing

IntakeFlow uses AI to extract data from uploaded documents (face sheets, referral forms, intake documents). When you upload a document:

  • The document is processed by a HIPAA-compliant AI service covered under our Business Associate Agreement
  • Extracted data is used solely to auto-fill agreement fields within your IntakeFlow account
  • We do not use uploaded documents or extracted data to train AI models
  • Our AI provider does not use data sent through our API to train their models
  • You are responsible for verifying all AI-extracted data before use

14 Virginia Consumer Data Protection Act (VCDPA)

Sigla LLC is a Virginia limited liability company. If you are a Virginia resident, you have the following rights under the VCDPA:

  • Right to confirm whether we are processing your personal data and to access that data
  • Right to correct inaccuracies in your personal data
  • Right to delete personal data you have provided or we have obtained
  • Right to obtain a portable copy of your personal data
  • Right to opt out of the processing of personal data for targeted advertising, sale of personal data, or profiling

We do not sell personal data, process personal data for targeted advertising, or engage in profiling that produces legal or similarly significant effects. To exercise your rights, contact us at contact@intakeflow.cc. We will respond within 45 days as required by law.

15 Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes by posting the updated policy on our website and updating the "Last updated" date. Continued use of IntakeFlow after changes constitutes acceptance of the revised policy.

16 Contact Us

For questions about this Privacy Policy or our data practices:

Sigla LLC

8401 Mayland Dr, Ste A

Richmond, VA 23294

United States

Email: contact@intakeflow.cc

Website: siglallc.com