RecordsFlow (“we,” “our,” “us”) provides Individual Access Services (IAS) that allow Individuals to securely access their Individually Identifiable Information (“III”). This Notice explains how we collect, use, disclose, protect, and retain III, and describes the rights available to Individuals under TEFCA.
This Notice is publicly available at: https://www.recordsflow.com/rf-privacy-and-security-notification
1. Public Availability & Updates
We keep this Notice publicly accessible and current at all times. We will:
• Conspicuously post updated versions on our website and within the RecordsFlow application.
• Notify enrolled Individuals of material changes via in app message.
• Display changes in a way that allows Individuals to easily identify what has changed.
2. How We Provide This Notice
We provide this Notice before an Individual first uses RecordsFlow IAS. It is written in plain language and available electronically.
We translate this Notice into additional languages when required. Based on our service area, we currently provide a Spanish translation.
Individuals may contact us with questions at: privacy@recordsflow.com
3. How We Access, Use, Exchange & Disclose Information
3.1 Prohibited Uses
We do not access, use, exchange, or disclose III to assert any claim against an Individual, except for the collection of fees owed.
3.2 Disclosures to Third Parties
We disclose III only to service providers who support our IAS operations:
• Amazon Web Services (AWS)
• Clear
• QHIN Partner(s)
We do not disclose III to any other vendors. We do not sell III or receive remuneration for III.
3.3 Retention Period
We retain III for 18 months unless a longer period is required by law.
3.4 Purpose of Use
We use III only for:
• Identity verification
• Facilitating access to records for Individuals and their legal counsel
3.5 De Identification
We do not de identify III.
3.6 Sensitive Categories
We may disclose III relating to reproductive health or gender affirming care only when required by a valid subpoena, warrant, or other compulsory legal demand, unless prohibited from notifying the Individual.
3.7 Notice of Law Enforcement Requests
If we receive a compulsory legal demand for III, we will notify affected Individuals within three business days unless prohibited by law.
4. Security Practices
We use commercially reasonable efforts to protect III from unauthorized access, modification, use, or destruction.
Our security practices include:
• Encryption of all III in transit and at rest using AES 256 and modern TLS protocols
• Notification to Individuals whose III is reasonably believed to have been affected by an IAS Incident
• Continuing obligations for as long as we maintain III
• Validation of QHIN partners for HITRUST compliance
• Business Associate Agreements (BAAs) with applicable business partners
5. Contact Information
Individuals may contact us with questions or privacy related complaints:
Email: privacy@recordsflow.com Toll Free Phone: [TBD] Mailing Address: [TBD]
We maintain a process for documenting privacy related complaints and our responses.
6. Consent Requirements
We obtain express written and informed consent before accessing, exchanging, using, or disclosing III, except where required by law.
Our consent process includes:
• In app “I agree” selection
• User typed name as an electronic signature
• New consent before any materially different use of III
• Internal storage of consent logs for seven years
7. Revocation of Consent
Individuals may revoke consent at any time using an in app button.
We will:
• Provide step by step revocation instructions on our website and within the application
• Honor revocation going forward (actions taken before revocation remain valid)
Revocation disables access to RecordsFlow IAS.
Website URL for revocation instructions: [TBD]
8. Individual Rights
Individuals have the right to:
• Request deletion of all III maintained by RecordsFlow, except audit logs
• Access III maintained in connection with IAS
• Export III in a machine readable encrypted PDF
• Receive notice if their III is reasonably believed to have been affected by an IAS Incident
We provide clear instructions for exercising rights and implement choices within seven business days. We are not aware of any Applicable Law that prevents us from honoring deletion requests.
9. Fees
RecordsFlow does not charge Individuals directly for IAS.
Fees are billed to our law firm client partners, who may choose to pass costs to their end users at their sole discretion.
10. Effective Date & Versioning
Effective Date: May 1, 2026 Version Format: Date stamp plus revision number (e.g., 2026 05 01 Rev1)
10 April 2026
RecordsFlow