Privacy Policy

INTAKEACCESS.AI LLC (DBA: Intake Access Health Solutions) is an AI-powered healthcare platform headquartered at 181 W Valley Ave STE 245-1742, Birmingham, AL 35209. We provide a comprehensive suite of services including AI patient intake, prior authorization processing, insurance verification, telepsychiatry, telemedicine, secure messaging, e-prescribing, wound imaging AI, post-acute care (PAC) management, Medicaid claims processing, and a patient portal with multi-factor authentication.

As a healthcare technology platform, we function as a Business Associate under HIPAA with respect to the covered entity healthcare providers and facilities using our platform, and as a Covered Entity in certain direct-service contexts. All Protected Health Information (PHI) is governed by the HIPAA Privacy Rule (45 C.F.R. Parts 160 and 164) and the HITECH Act.

This Privacy Policy applies to all users of IntakeAccess.ai, including patients, healthcare providers, licensed clinicians, facility administrators, and any other individuals or entities interacting with our platform or Website at https://intakeaccess.ai.

We collect information from multiple sources across several user categories. All PHI is collected solely for lawful healthcare purposes.

Patient Data (Protected Health Information — PHI)

Provider & Facility Data

• Full name, professional credentials, National Provider Identifier (NPI) numbers
• Practice and facility information, specialty designations, licensure records
• Login credentials (hashed), multi-factor authentication data, role assignments
• Activity logs, audit trails, session data
• Billing, claims, and contract and onboarding documents

Technical & Platform Data

• IP addresses, device type, browser type and version, operating system
• Cookies, session tokens, usage analytics, and page interaction data
• Complete audit logs of all PHI access (who accessed, when, from where)
• Session data used for 15-minute automatic timeout enforcement and security monitoring

We use collected information for the following lawful purposes. PHI is used only to the minimum extent necessary (the HIPAA "Minimum Necessary Standard") for each stated purpose.

Treatment, Payment & Healthcare Operations (TPO)

• Treatment: Coordinating care between providers, facilitating telemedicine and telepsychiatry consultations, supporting e-prescribing, enabling AI clinical decision support (assistive only).
• Payment: Processing insurance claims to Medicare, Medicaid, and commercial payers; prior authorization; insurance eligibility verification; billing and accounts receivable.
• Healthcare Operations: Quality improvement, HIPAA compliance, staff training, accreditation support, platform security and audit functions.

Additional Uses

• Appointment scheduling, reminders, and follow-up communications
• Prior authorization processing and real-time insurance verification
• Post-acute care coordination (SNFs, rehab centers, home health agencies)
• Medicaid claims processing and EDI submissions
• AI-assisted wound assessment and monitoring (assistive only)
• Mental health screening tool delivery (PHQ-9, GAD-7, MDQ) and result transmission to providers
• Security monitoring, breach prevention, and incident response
• Platform improvement and aggregate analytics (de-identified data only)

For Treatment

• Treating physicians, nurse practitioners, therapists, and their clinical staff
• Facilities where you receive care (hospitals, clinics, SNFs, rehab centers, home health agencies)
• Specialists and consulting providers involved in your care

For Payment

• Medicare and Medicaid programs for claims submission and reimbursement
• Commercial insurance companies for prior authorization and claims
• Managed Care Organizations (MCOs) and Third-Party Administrators (TPAs)
• EDI clearinghouses for electronic claims processing

As Required by Law

• Court orders, subpoenas, or other lawful legal process
• HHS and Office for Civil Rights (OCR) for compliance investigations
• Public health activities (reportable conditions, disease surveillance)
• Government audits of Medicare/Medicaid programs

Disclosures Requiring Your Authorization

For any disclosure not described above — including disclosure to employers, life insurers, or for marketing — we will obtain your written authorization first. You may revoke any authorization in writing at any time.

We engage third-party service providers ("Business Associates") who may receive, create, maintain, or transmit PHI. All Business Associates must sign a Business Associate Agreement (BAA) before accessing PHI.

IntakeAccess.ai uses AI and machine learning to assist healthcare providers. All AI features are assistive tools only — designed to support, not replace, licensed clinical professionals.

AI Features That Process PHI

• AI Patient Intake: Voice-enabled forms and 50+ specialty templates process patient data to populate clinical records, reviewed and confirmed by the treating provider.
• Wound Imaging AI: Photographs and measurements are processed to assist with wound staging, sizing, and progression tracking. AI outputs are preliminary assessments only.
• Prior Authorization AI: Clinical data is analyzed to predict prior auth outcomes and generate supporting documentation. Predictions are not guarantees of approval.
• Mental Health Assessments: PHQ-9, GAD-7, and MDQ responses are scored and flagged. Clinical interpretation is the sole responsibility of the treating clinician.
• AI Clinical Decision Support: All suggestions are advisory only and require provider review before any clinical action.

SMS Program Details

• Program Name: IntakeAccess.ai Healthcare Communications
• Message Frequency: Up to 4 messages per month (appointment reminders, intake links, confirmations, care notifications)
• Message & Data Rates: May apply depending on your carrier plan
• Supported Carriers: AT&T, T-Mobile, Verizon, Sprint, Boost, Cricket, MetroPCS, U.S. Cellular, and most major U.S. carriers
• Support Line: Text HELP or call 205-855-4545

Opt-In / Opt-Out

Opt in during patient intake, by texting START, or via portal registration. Text STOP at any time to unsubscribe immediately. Opt-out requests are logged in our HIPAA-compliant audit system.

IntakeAccess.ai implements a multi-layered security framework in accordance with the HIPAA Security Rule (45 C.F.R. §§ 164.302–164.318).

Technical Safeguards

• Encryption at Rest: AES-256 encryption for all PHI stored in Firestore/Firebase
• Encryption in Transit: TLS 1.3 for all data transmitted between clients and servers
• Multi-Factor Authentication (MFA): Required for all provider, facility, and administrator accounts
• Role-Based Access Controls (RBAC): Least-privilege access enforcement
• Automatic Session Timeouts: All sessions terminate after 15 minutes of inactivity
• Patient Portal 2FA: Two-factor authentication required for all patient portal access
• Audit Logging: Every PHI access event logged with user identity, timestamp, IP address, and action type

Administrative & Physical Safeguards

• Designated HIPAA Security Officer for oversight and compliance
• Annual workforce HIPAA training and security awareness programs
• Regular risk assessments and risk management procedures
• BAAs with all subcontractors prior to PHI access
• HIPAA-compliant cloud infrastructure (Google Cloud/Firebase, AWS)
• 24/7 security monitoring and incident response capabilities
• Annual penetration testing and third-party risk assessments

Upon expiration, PHI is permanently deleted or de-identified per the HIPAA Safe Harbor or Expert Determination standard. Data export requests are fulfilled within 30 days of request.

As a patient whose PHI is processed through IntakeAccess.ai, you have the following rights under the HIPAA Privacy Rule. Contact your healthcare provider or use Section 20 to exercise these rights.

Right of Access (45 C.F.R. § 164.524)

Inspect and obtain a copy of your PHI within 30 days of request. Electronic copies provided at no or reasonable cost-based fee.

Right to Amend (45 C.F.R. § 164.526)

Request amendment to PHI you believe is inaccurate or incomplete. We will act within 60 days.

Right to Accounting of Disclosures (45 C.F.R. § 164.528)

Request a list of disclosures of your PHI made in the prior six years, excluding TPO disclosures and those you authorized.

Right to Request Restrictions (45 C.F.R. § 164.522)

Request restrictions on certain uses and disclosures. We must restrict disclosure to a health plan for services you paid out-of-pocket in full.

Right to Confidential Communications

Request communication by alternative means or at an alternative location. We will accommodate reasonable requests.

Right to File a Complaint

File a complaint with IntakeAccess.ai (Section 20) or with HHS OCR at www.hhs.gov/ocr or 1-800-368-1019. We will not retaliate against you.

IntakeAccess.ai maintains a documented Breach Notification Policy in compliance with the HIPAA Breach Notification Rule (45 C.F.R. §§ 164.400–414) and the HITECH Act.

Notification Timelines

• Individual Notification: Affected individuals notified within 60 days of discovery via first-class mail (or email if authorized). Notice includes: description of breach, types of PHI involved, protective steps, and our response measures.
• HHS Notification: Breaches affecting 500+ individuals reported to HHS simultaneously with individual notification. Smaller breaches logged and reported to HHS annually.
• Media Notification: Breaches affecting 500+ residents of a state reported to prominent media in that state within 60 days.
• Covered Entity Notification: Where acting as Business Associate, the relevant Covered Entity is notified within 60 days of discovery.

Information qualifying as PHI under HIPAA is exempt from CCPA/CPRA to the extent maintained as PHI. The rights below apply to non-PHI personal information collected by IntakeAccess.ai.

• Right to Know: Categories and specific pieces of personal information collected, sources, purposes, and third-party disclosures.
• Right to Delete: Request deletion of personal information, subject to legal retention requirements.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising.
• Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA right.

Submit verifiable requests to privacy@intakeaccess.ai with subject line "California Privacy Rights Request." Responses within 45 days (extendable to 90 with notice).

IntakeAccess.ai does not knowingly collect personal information from children under 13 except as part of a healthcare relationship where a parent or legal guardian has provided verifiable consent. All applicable HIPAA, COPPA, and state minor patient privacy laws apply.

Certain state laws allow providers to maintain confidentiality of sensitive health information (reproductive health, mental health, substance use) even from parents or guardians. Our platform supports these legal frameworks.

Our Website uses cookies and similar technologies. See our separate Cookie Policy for full details. In summary:

• Strictly Necessary Cookies: Required for platform authentication, session management, and security including 2FA and MFA.
• Analytics Cookies: Used on public pages only to understand Website usage. Never linked to PHI.
• No Advertising Cookies: No advertising or behavioral tracking cookies within authenticated provider or patient sessions.

PHI is never stored in cookies. Session tokens are encrypted, time-limited, and invalidated upon logout or 15-minute timeout.

Beyond Business Associates (Section 5), our platform may link to third-party services. We are not responsible for the privacy practices of third-party websites not operating under a BAA with us. All third-party integrations involving PHI require an executed BAA before any PHI access is permitted.

IntakeAccess.ai is operated in the United States. All PHI is stored and processed in HIPAA-compliant U.S.-based data centers and is not transferred outside the United States. For GDPR rights for EEA residents, see our GDPR/CCPA Addendum.

Mental health information — including PHQ-9, GAD-7, and MDQ results, telepsychiatry session notes, crisis assessments, and substance use disorder treatment records (42 C.F.R. Part 2 where applicable) — receives heightened protection. Mental health PHI will not be disclosed without explicit authorization except as required for emergency treatment, imminent safety threats, or applicable law.

IntakeAccess.ai processes Medicare and Medicaid beneficiary data in accordance with CMS data use requirements and applicable CMS program integrity requirements. Medicare and Medicaid identifiers are treated as PHI and receive all applicable HIPAA protections. Providers are responsible for ensuring all claims are accurate, medically necessary, and compliant with CMS billing guidelines.

IntakeAccess.ai reserves the right to amend this Privacy Policy at any time. Material changes will be communicated by posting a prominent notice on the Website, updating the "Last Updated" date, and where feasible, notifying registered users by email. A paper copy of this Notice of Privacy Practices is available upon request.

INTAKEACCESS.AI LLC

• Legal Name: INTAKEACCESS.AI LLC
• DBA: Intake Access Health Solutions
• Address: 181 W Valley Ave STE 245-1742, Birmingham, AL 35209
• Platform: https://intakeaccess.ai
• Privacy Email: privacy@intakeaccess.ai
• Compliance Email: compliance@intakeaccess.ai
• Legal Email: legal@intakeaccess.ai
• Support Line: 205-855-4545

Filing a Complaint with HHS

• Website: www.hhs.gov/ocr
• Phone: 1-800-368-1019 (TDD: 1-800-537-7697)
• Mail: Centralized Case Management Operations, 200 Independence Ave., S.W., Room 509F HHH Bldg., Washington, D.C. 20201