Privacy Policy

Last updated: April 10, 2026

1. Introduction

ImagineFlow is operated by Marcum Holding Group LLC ("we," "us," or "our"). ImagineFlow is an AI-powered dispatch and workflow management platform for mobile diagnostic imaging companies, available at imagineflowhealth.com. This Privacy Policy describes how we collect, use, disclose, and protect information — including Protected Health Information (PHI) — when you use our platform and services.

By accessing or using ImagineFlow, you agree to this Privacy Policy. If you do not agree, do not use the platform.

2. HIPAA Compliance

ImagineFlow is designed to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act. We act as a Business Associate to our customers (Covered Entities). We enter into a Business Associate Agreement (BAA) with each customer prior to processing any PHI.

Key safeguards include:

  • All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Row-Level Security (RLS) ensuring users only access their own organization's data
  • Medical images served exclusively via short-lived signed URLs (60-second expiry)
  • Comprehensive audit logging of all PHI access events
  • Two-factor authentication (TOTP) available for all accounts
  • Automatic session timeout after 45 minutes of inactivity
  • Role-based access control across 7 distinct user roles

3. Information We Collect

3.1 Account Information

When you create an account, we collect your name, email address, phone number, role, and organization affiliation. This information is used for authentication, authorization, and platform communication.

3.2 Protected Health Information (PHI)

On behalf of our customers, we process PHI including: patient names, dates of birth, sex, room numbers, clinical notes, imaging orders, diagnostic reports, radiology reports, insurance information, and diagnosis codes (ICD-10). We do not store Social Security Numbers, full addresses, or other direct identifiers beyond what is necessary for imaging order management.

3.3 DICOM Images

Medical images received via DICOM C-STORE are stored in encrypted private storage buckets. Images are never publicly accessible. Access requires authenticated signed URLs that expire after 60 seconds.

3.4 Location Data

With user consent, we collect GPS location data from technologist devices (every 30 seconds during active duty) and from CalAmp vehicle tracking devices. Location data is used for dispatch optimization, geofencing, and mileage calculation. Location tracking stops when a technologist goes off duty.

3.5 Usage Data

We collect standard usage data including pages visited, features used, browser type, and device information. This data is used to improve the platform and diagnose technical issues.

4. How We Use Information

  • Dispatch technologists to facilities and manage imaging orders
  • Serve DICOM Modality Worklist entries to imaging equipment
  • Match incoming DICOM images to orders via accession numbers
  • Generate billing claims with CPT/ICD codes
  • Provide AI-powered features (dispatch suggestions, billing code recommendations, ETA predictions, demand forecasting)
  • Send notifications (push, SMS, email) related to order status
  • Maintain audit trails for HIPAA compliance
  • Integrate with EHR systems (e.g., PointClickCare) for order intake and result delivery

5. Third-Party Services

We use the following third-party services to operate the platform:

  • Supabase — database hosting, authentication, and file storage (hosted on AWS infrastructure; BAA available on Pro plan)
  • Amazon Web Services (AWS) — underlying cloud infrastructure for Supabase; data encrypted at rest and in transit
  • OpenAI — AI-powered text extraction, billing code suggestions, dispatch optimization, and demand forecasting (BAA available; PHI processing governed by OpenAI's HIPAA-eligible API)
  • Resend — transactional email delivery for notifications and system alerts (no PHI included in email content)
  • Twilio — SMS notifications to technologists (optional, BAA available)
  • PointClickCare (PCC) — EHR integration for nursing home order intake and result delivery (per-facility authorization; data exchanged via secure FHIR APIs)
  • CalAmp — vehicle GPS tracking and fleet telematics (no PHI transmitted)
  • Sentry — error monitoring and performance tracking (PHI is automatically scrubbed from error reports before transmission; no PHI is stored in Sentry)
  • Vercel — frontend hosting and anonymous usage analytics (no PHI transmitted)

We maintain BAAs with all third-party services that process PHI. We do not sell, rent, or trade any personal information or PHI to third parties.

6. Data Retention

We retain PHI and medical records for a minimum of 6 years per HIPAA requirements, or longer if required by applicable state regulations. Audit logs are retained for a minimum of 6 years per HIPAA requirements. Upon termination of the customer relationship, data is retained for the remaining regulatory period and then securely destroyed. Customers may request data export at any time, and deletion is available subject to regulatory retention requirements.

7. Data Security

We implement administrative, physical, and technical safeguards to protect information, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access control (RBAC) across 7 distinct user roles ensuring least-privilege access
  • Multi-factor authentication (TOTP) available for all accounts
  • Comprehensive audit logging of all PHI access events
  • Row-Level Security (RLS) at the database layer
  • Rate limiting on all API endpoints
  • Input validation and sanitization on all user inputs
  • Regular security audits and code reviews
  • Service role key isolation (never exposed to browser)
  • Signed URL access for medical images (60-second expiry)
  • Automatic session timeout after 45 minutes of inactivity

8. Breach Notification

In the event of a breach of unsecured PHI, we will notify affected Covered Entities without unreasonable delay and no later than 60 days after discovery of the breach, as required by the HITECH Act. We will cooperate with Covered Entities in fulfilling their breach notification obligations to affected individuals and the Department of Health and Human Services.

9. Your Rights

Depending on your role and applicable law, you may have the right to:

  • Access your account information
  • Request correction of inaccurate data
  • Request an accounting of PHI disclosures
  • Request data export in a portable format
  • Request account deletion (subject to regulatory retention requirements)

Patient rights regarding their PHI are managed through the Covered Entity (our customer). Patients should contact their healthcare provider for PHI access requests.

10. Cookies

We use essential cookies for authentication session management and theme preferences. We do not use third-party advertising or tracking cookies. Our service worker caches application shells for offline functionality — this does not involve tracking.

11. Children's Privacy

ImagineFlow is a business-to-business platform for healthcare professionals. We do not knowingly collect personal information from children under 13. The platform may process pediatric patient PHI as part of imaging orders — this is governed by the BAA with the Covered Entity.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or in-app notification. The "Last updated" date at the top of this page indicates the most recent revision.

13. No Sale of Data

We do not sell, rent, trade, or otherwise disclose personal information or PHI to third parties for marketing, advertising, or any commercial purpose unrelated to the services described in this Privacy Policy.

14. Contact

For privacy-related questions, HIPAA inquiries, or data requests, contact:

Marcum Holding Group LLC
ImagineFlow Privacy & Security Officer
Email: nick@imagineflowhealth.com
Website: imagineflowhealth.com

For urgent security concerns or to report a potential data breach, contact the Security Officer directly at nick@imagineflowhealth.com.