HIPAA-aligned infrastructure. BAA available on request. No PHI sold or shared.
We align with HIPAA's three safeguard categories. Items marked In progress are actively being addressed — not claimed as complete.
Healthcare providers are covered entities under HIPAA. As their messaging vendor, we are a Business Associate and we take that designation seriously.
Contact: security@surgeoncaseflow.com — we respond within one business day.
All SMS from CaseFlow is transactional — appointment reminders, pre-op checklists, post-op check-ins. We do not send marketing or promotional messages under any circumstances.
Opt-in language is displayed at appointment booking — patients explicitly agree to receive case-related SMS. Consent records are stored and timestamped.
Every outbound message supports standard keywords: STOP to unsubscribe, HELP for assistance. Opt-out requests are processed immediately and the contact is flagged to prevent further outreach.
All STOP/HELP replies are logged with timestamp. We maintain a suppression list so opt-outs are never re-messaged, even across practice switches.
We send pre-op reminders, post-op check-ins, appointment notifications, and cancellation updates. No marketing, promotional, or advertising messages are ever sent.
Patient data is scoped to what the product needs to function. We do not collect or store sensitive identifiers that aren't operationally necessary.
Patient records are retained for 3 years after last activity or practice subscription end, whichever comes first. After that window, records are permanently deleted unless a longer retention obligation applies.
Patients or practices can request immediate deletion of all patient data at any time. Requests are processed within 72 hours. Confirmation is sent to the requesting contact.
CaseFlow does not sell, rent, or share patient data with any third party for any purpose — advertising, research, or otherwise. Data is used exclusively to deliver the messaging service you've contracted for.
We use a small, focused set of vendors. Each has a BAA or equivalent data protection agreement in place.
The federal No Surprises Act (effective January 1, 2022) requires practices to provide uninsured and self-pay patients with a written Good Faith Estimate (GFE) at least 3 business days before any scheduled service. Violations carry OIG penalties up to $10,000 per incident. CaseFlow automates compliance so nothing slips through.
When a self-pay or uninsured patient is scheduled, CaseFlow automatically generates a GFE with itemized line items — surgeon fee, facility fee, anesthesia, implants, and post-op visits. No manual entry required.
Three business days before surgery, the patient receives a bilingual (EN/ES) SMS link to their personalized GFE portal. They review itemized costs and acknowledge receipt — creating a timestamped compliance record.
All GFE records are retained for 6 years per CMS guidance, with audit trail covering delivery channel, delivery timestamp, and patient acknowledgment. Export quarterly compliance reports for auditors at any time.
If a final bill exceeds the GFE by more than $400, the case is automatically flagged. Staff manage the dispute workflow through the dashboard — filing, IDR assignment, and resolution are all tracked with status badges.
Buyers respect honesty more than badges. Here's what we're actively working toward.
We're in the early stages of SOC 2 Type II certification. Target audit completion: Q1 2027. We'll publish the report when available.
Higher-order healthcare security certification. Currently in planning phase — not yet in active remediation. Target: 2027–2028.
Annual external penetration testing scheduled — first engagement in progress. Results will be reviewed internally and addressed. Bug bounty program under evaluation for 2027.
Multi-factor authentication rollout is in progress. Target completion: Q3 2026.
Certifications and audit reports will be published to this page as they're completed. If you need formal documentation for your compliance review, contact us.
Opioid prescribing is one of the highest-liability surfaces for surgical practices. CaseFlow enforces evidence-based controls at every step of the post-operative discharge workflow.
Every PDMP query is logged with timestamp, querying provider, patient state, and result severity — exportable for DEA and state board reviews.
50-state compliance config drives required-field enforcement, query frequency requirements, and naloxone mandate thresholds. Multi-state practices get correct rules per patient location automatically.
Naloxone co-prescription is auto-flagged when CDC thresholds, state mandates (CA, VT, RI, OH), benzodiazepine co-prescribing, prior overdose history, or age ≥65 apply. The discharge checklist is hard-blocked until the flag is acknowledged.
Every prescription is scored against CDC 2022 thresholds (50 MME/day caution, 90 MME/day high risk) with color-coded alerts for staff and surgeon-level scorecards.
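The flagging and scoring rules just described, written out as an added example (not CaseFlow's code). The 50 and 90 MME/day thresholds are the ones quoted above; the conversion factors are standard CDC values for four drugs; the state-mandate table is a constructed placeholder, not the real statutory thresholds.

```python
from dataclasses import dataclass

# CDC 2022 dosage thresholds quoted on the page (MME/day).
CDC_CAUTION_MME = 50
CDC_HIGH_RISK_MME = 90

# Morphine-milligram-equivalent factors per mg (CDC table values for these
# four drugs); validate against the current CDC table before clinical use.
MME_FACTOR = {"morphine": 1.0, "oxycodone": 1.5, "hydrocodone": 1.0, "codeine": 0.15}

# Constructed placeholder: the states the page lists as having naloxone mandates,
# mapped to the MME/day at which the mandate applies. Real statutory thresholds
# differ per state and must come from the 50-state compliance config.
STATE_NALOXONE_MME = {"CA": 50, "VT": 50, "RI": 50, "OH": 50}

@dataclass(frozen=True)
class Rx:
    drug: str
    mg_per_dose: float
    doses_per_day: float

@dataclass(frozen=True)
class Patient:
    age: int
    state: str
    benzo_coprescribed: bool = False
    prior_overdose: bool = False

def daily_mme(rxs):
    """Total MME/day across all opioid prescriptions; an unknown drug raises KeyError."""
    return sum(rx.mg_per_dose * rx.doses_per_day * MME_FACTOR[rx.drug] for rx in rxs)

def risk_tier(mme):
    """Color-code tier: 'low' below 50, 'caution' at 50-89, 'high' at 90 and above."""
    if mme >= CDC_HIGH_RISK_MME:
        return "high"
    return "caution" if mme >= CDC_CAUTION_MME else "low"

def naloxone_flags(patient, rxs):
    """Every reason naloxone co-prescription is flagged; an empty list means no flag."""
    mme = daily_mme(rxs)
    flags = []
    if mme >= CDC_CAUTION_MME:
        flags.append("cdc_threshold")
    if patient.state in STATE_NALOXONE_MME and mme >= STATE_NALOXONE_MME[patient.state]:
        flags.append(f"state_mandate:{patient.state}")
    if patient.benzo_coprescribed:
        flags.append("benzo_coprescribing")
    if patient.prior_overdose:
        flags.append("prior_overdose")
    if patient.age >= 65:
        flags.append("age_ge_65")
    return flags

def discharge_blocked(flags, acknowledged):
    """Hard block: any open flag holds the discharge checklist until acknowledged."""
    return bool(flags) and not acknowledged
```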
Day 1/3/5/7/10/14 SMS taper cadence in English & Spanish with dose reduction targets, pain coping tips, and a refill request link. Pulls directly from the prescribed taper schedule.
Built with a clean adapter interface so real state PDMP APIs (Bamboo Health, Appriss) can replace the mock stub without code changes throughout the app. Query audit survives adapter swaps.
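An added example (not CaseFlow's code) of the adapter layout described above and the audit fields listed under PDMP logging: the audit record is written by the wrapping service, not by the adapter, so replacing the mock with a real backend cannot skip it, and a backend failure is still logged. `PdmpResult`, `MockPdmp` and the canned results are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Protocol

@dataclass(frozen=True)
class PdmpResult:
    active_opioid_rx: int
    severity: str  # "none" | "caution" | "high"

class PdmpAdapter(Protocol):
    """Interface every PDMP backend implements; the app only depends on this."""
    name: str
    def query(self, patient_id: str, state: str) -> PdmpResult: ...

class MockPdmp:
    """Stub backend; returns constructed canned results keyed by patient id."""
    name = "mock"
    def __init__(self, canned):
        self._canned = canned
    def query(self, patient_id, state):
        return self._canned.get(patient_id, PdmpResult(0, "none"))

@dataclass(frozen=True)
class AuditRecord:
    timestamp: str       # UTC ISO-8601
    provider_id: str     # querying provider
    patient_state: str   # state whose PDMP was queried, no patient identifier
    severity: str        # result severity, or "error" if the backend failed
    adapter: str         # which backend answered, useful across swaps

class PdmpQueryService:
    """Wraps any PdmpAdapter; the audit write lives here, outside the adapter."""
    def __init__(self, adapter, audit_log):
        self._adapter = adapter
        self._audit = audit_log
    def query(self, provider_id, patient_id, state):
        severity = "error"
        try:
            result = self._adapter.query(patient_id, state)
            severity = result.severity
            return result
        finally:  # runs on success and on exception alike
            self._audit.append(AuditRecord(
                datetime.now(timezone.utc).isoformat(), provider_id,
                state, severity, self._adapter.name))

class FailingPdmp:
    """Backend that always errors, to show the audit record survives failures."""
    name = "failing"
    def query(self, patient_id, state):
        raise ConnectionError("PDMP unreachable")
```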
Patients submit pain level, current dose, and reason via a token-gated bilingual portal (/refill/:token).
Requests auto-route to the nurse queue as a hard escalation when an MME increase is requested, the refill threshold is reached, or pain level is ≥ 8 — before any approval action is possible.
For compliance questions, BAA requests, or security concerns — reach out directly.
security@surgeoncaseflow.com
We respond within one business day. For urgent matters, include "URGENT" in the subject line.