Privacy Policy
Last updated: May 2026
1. Information We Collect
Agency & clinician account data: name, email, phone, role, credential, NPI, license details, billing identifiers from Stripe, agency configuration you enter (state, services, payers, NPI/EIN, etc.), and usage telemetry.
Patient data (PHI): when you enter or import patient information you act as a HIPAA Covered Entity and AgenciesForge acts as your Business Associate. PHI includes patient demographics, diagnosis codes (ICD-10), medication lists, session notes, claims, eligibility checks, outcome assessment scores, secure messages, and voice-dictation audio. PHI is encrypted at rest with AES-256-GCM (see section 6).
Voice-dictation audio: when a clinician taps the AI Forge mic, audio is captured in the browser via MediaRecorder, streamed in 3-second chunks to our server, and transcribed via Google Cloud Speech-to-Text under the Google Cloud BAA. Audio is not retained beyond the transcription latency window.
2. How We Use Information
To deliver and improve the platform, generate certification documents, run AI-assisted clinical/billing workflows, process payments, communicate operational updates, and maintain HIPAA security & audit trails. PHI is used only for the Treatment, Payment, and Health Care Operations purposes specified in your BAA — never for marketing, model training, or analytics.
3. Subprocessors
AgenciesForge relies on the following subprocessors. Each one either has a signed BAA covering its PHI access, offers a HIPAA-eligible service under its master agreement, or is exempt from BAA requirements (payment processors).
- Amazon Web Services, Inc. (Bedrock) — Anthropic Claude model inference for all clinical AI features. AWS BAA covers Bedrock as a HIPAA-eligible service. All Claude calls in our production code route through AWS Bedrock; we make no direct API calls to Anthropic at runtime.
- Google LLC (Firebase, Google Cloud, Speech-to-Text) — authentication, Firestore database, Cloud Run application hosting, voice transcription. Google Cloud BAA covers all four under one agreement.
- Stedi, Inc. — clearinghouse for eligibility (270/271), claims (837P/I/D), 277CA acknowledgements, and 835 ERA. Stedi BAA effective 2025-04-14.
- Resend, Inc. — transactional email delivery (appointment reminders, patient-portal magic links, system notifications). Covered by Resend's Data Processing Addendum at resend.com/legal; minimal PHI exposure (patient first name + appointment time).
- Stripe, Inc. — subscription billing and payment-method storage. No PHI; payment processors are exempt from BAA requirements per 45 C.F.R. § 164.502(e)(1)(i).
We provide HIPAA-Covered customers at least 30 days' written notice before engaging a new subprocessor that will have access to their PHI. The current subprocessor list is maintained in docs/VENDOR_RISK_REGISTER.md in our repository and reflected in the Business Associate Agreement template at docs/BAA_TEMPLATE_v1.md.
4. Protected Health Information & the BAA
Customers operating in HIPAA-regulated workflows must execute a Business Associate Agreement before transmitting Protected Health Information. The current BAA template is available on request and lives at docs/BAA_TEMPLATE_v1.md in our repository. The BAA governs PHI use, subcontractor flow-down, security controls, breach notification (within 10 business days of discovery), and the customer's rights to access, amendment, and accounting of disclosures (45 C.F.R. §§ 164.524, 164.526, 164.528).
If you submit PHI to AgenciesForge without a signed BAA in place, you may be in breach of HIPAA. We will treat any PHI received outside the BAA framework as if a BAA were in place — but we cannot retroactively grant the legal coverage required for your compliance posture.
5. Audit Logging & Data Retention
Every PHI read, write, export, and disclosure is recorded in an append-only audit log (per HIPAA § 164.312(b)). Audit entries include actor, action, IP, timestamp, and structural metadata only — never PHI body content. Audit logs are retained for at least six years per HIPAA § 164.530(j).
PHI is retained for the duration of your subscription plus six years thereafter, then deleted. You may request earlier deletion at any time by contacting privacy@agenciesforge.com — we'll honor the request within 30 days subject to legal retention obligations (e.g., active claims or audit holds).
6. Security Safeguards
- Encryption at rest: AES-256-GCM field-level encryption for sensitive PHI fields (DOB, email, phone, member ID, diagnosis codes, session-note narrative, secure-message bodies, full eligibility-271 payloads). Encryption key managed via Google Secret Manager; rotation playbook in our repository.
- Encryption in transit: TLS 1.2+ end-to-end; HSTS enabled on all customer-facing surfaces.
- Access controls: Firebase Auth with mandatory password policy, optional TOTP and/or passphrase second factor, per-agency role + capability matrix for team members.
- Audit logging: append-only audit log on every PHI access and mutation; retained for ≥6 years.
- Breach response: incident response runbook at docs/IR_RUNBOOK.md; customer notification within 10 business days of breach discovery per BAA § 5.
7. Your Rights
You may request access, correction, export (FHIR R4 Bundle), or deletion of your data at any time by contacting privacy@agenciesforge.com. PHI rights flow through the Covered Entity (the agency) as specified in your BAA.
8. Contact
Privacy questions and HIPAA inquiries: privacy@agenciesforge.com
Security incidents: security@agenciesforge.com