Privacy Policy
Last updated: [EFFECTIVE DATE — pending review]
DRAFT for internal review. This document is a starting point and has not been reviewed by legal counsel. Bracketed [PLACEHOLDERS] must be completed and the full text approved before it is published or relied upon.
This Privacy Policy describes how [LEGAL ENTITY NAME] (“TriageAI,” “we,” “us”) handles information processed through the TriageAI referral-triage platform (the “Service”). TriageAI is an administrative workflow tool used by specialty clinics to organize and prioritize incoming patient referrals.
1. Our role under HIPAA
TriageAI acts as a Business Associate to the healthcare providers and clinics that use the Service (each a “Covered Entity”). We process Protected Health Information (“PHI”) only on a clinic’s behalf and only as permitted by a signed Business Associate Agreement (“BAA”) between TriageAI and that clinic. If you are a patient, your rights regarding your PHI — including access, amendment, and an accounting of disclosures — are exercised through your clinic and its Notice of Privacy Practices, not directly through TriageAI.
2. Information we process
- Referral documents. The faxed or uploaded referral PDFs themselves.
- Extracted referral data. Information our pipeline extracts from those documents, which may include patient name, date of birth, contact details, insurance information, referring-provider details, and clinical information (diagnoses, symptoms, reason for referral).
- Account data. Clinic-staff names, email addresses, and role assignments used for authentication and access control.
- Operational metadata. Audit logs, timestamps, and system identifiers used for security, troubleshooting, and HIPAA accountability.
3. How we use information
We use PHI solely to provide the Service to the clinic — ingesting, classifying, prioritizing, and displaying referrals — and as otherwise permitted by the BAA. We do not sell PHI, use it for advertising, or use it to train general-purpose AI models. AI classification is performed within AWS infrastructure covered by our AWS Business Associate Addendum.
4. How we protect information
- Encryption in transit: TLS 1.2+ on all connections.
- Encryption at rest: AES-256 server-side encryption on stored documents; encrypted database storage.
- Access controls: authenticated, role-based access; clinic-level data isolation enforced on every request.
- Auditing: append-only audit logging of access to, and changes to, referral records.
- Least privilege: staff and system components receive only the access required for their function.
5. Subprocessors
We use Amazon Web Services (AWS) to host and operate the Service, including compute, storage, database, authentication, and AI inference. PHI processed through these services is covered by the AWS Business Associate Addendum. A current list of subprocessors is available to clinics on request at privacy@usetriageai.com.
6. Data retention
We retain PHI for the period required to provide the Service and to meet legal and regulatory obligations — including the six-year retention period applicable to HIPAA records — after which it is securely disposed of, unless the BAA or applicable law requires otherwise. Audit records are append-only and retained for the same period.
7. Breach notification
In the event of a breach of unsecured PHI, we will notify the affected clinic without unreasonable delay and in accordance with the HIPAA Breach Notification Rule and the terms of the applicable BAA, so the clinic can fulfill its notification obligations.
8. De-identified and aggregate data
We may create and use de-identified or aggregate data (which does not identify any individual) to operate, secure, and improve the Service, consistent with HIPAA de-identification standards and the BAA.
9. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated to clinics, and the “Last updated” date above will be revised accordingly.
10. Contact
Questions about this policy or our privacy practices may be directed to privacy@usetriageai.com. Patients should contact their clinic directly regarding their own health information.