Privacy Policy
Last Updated: July 3, 2026
Effective Date: July 3, 2026
sycana AI (“sycana AI,” “we,” “our,” or “us”) operates a healthcare referral automation platform (the “Platform”) and the Sycana DeID desktop application (collectively, the “Services”). This Privacy Policy describes how we collect, use, store, disclose, and protect information across three categories of users: Receiving Clinic staff, Referring Clinic staff, and Patients.
Because our Platform processes Protected Health Information (PHI), this Policy must be read alongside your organization's Business Associate Agreement (BAA) with us. In the event of a conflict between this Policy and the BAA regarding PHI, the BAA governs.
1. Our Role Under HIPAA
When your organization (the “Covered Entity”) authorises us to receive, store, or process PHI, sycana AI acts as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act. All PHI processing is governed by the executed BAA between sycana AI and your organization.
Referring Clinics that access the Platform via invitation from a Receiving Clinic are considered downstream Business Associates. Their use of PHI through the Platform is subject to the same HIPAA obligations.
2. Information We Collect
2.1 Account & Organization Information
- Clinic Staff: Name, email address, job title, role, organization name, and National Provider Identifier (NPI) where applicable.
- Billing Contacts: Name, email, and payment method details (processed by Stripe; we store only the last four digits and billing address).
- Referring Physicians: Name, NPI, fax number, clinic name, and email address — provided by the Receiving Clinic when setting up referral relationships.
2.2 Protected Health Information (PHI)
We receive and process PHI solely to provide the Services. This includes:
- Inbound referral faxes (received via our Telnyx fax infrastructure and converted to structured data).
- Patient demographics: name, date of birth, sex, address, phone number, insurance ID.
- Clinical data: diagnosis codes (ICD-10), procedure codes (CPT), medications, clinical notes, lab results, imaging reports, and prior authorisation documentation.
- Appointment data: scheduled dates, provider assignments, visit outcomes.
- Insurance and eligibility data: payer name, member ID, eligibility status, benefits information.
- Documents uploaded by clinic staff or transmitted by fax.
- Patient-provided information submitted through the Patient Portal: appointment confirmations, responses to intake forms, feedback ratings, and caregiver designations.
2.3 Platform Usage Data (Non-PHI)
- Login timestamps, session durations, and feature interaction logs.
- API request logs (endpoint, HTTP status, latency) — with PHI redacted.
- Error and diagnostic logs for debugging and uptime monitoring.
Usage data is separated from PHI at the application layer. Usage logs do not contain patient identifiers.
2.4 Cookies and Analytics
On our marketing website (sycana.com), we use Google Analytics 4 (GA4) to understand aggregate visitor behaviour. GA4 collects:
- Pages visited, referral source, and time on site.
- Browser type, operating system, and approximate geographic region.
- Anonymised session identifiers.
Analytics cookies are never placed on Platform pages that process PHI. You can opt out of GA4 tracking via the Google Analytics Opt-Out Browser Add-on.
2.5 Sycana DeID Desktop Application
The Sycana DeID application runs entirely on your local device. It does not transmit any document content or PHI to sycana AI servers. Telemetry is limited to anonymous crash reports and version check pings, which contain no document content or user data.
3. How We Use Information
3.1 Platform Service Delivery
- Ingesting and parsing inbound referral faxes into structured clinical data.
- Running AI-powered triage, urgency scoring, and clinical summarisation using Google Gemini 2.0 Flash (see Section 4 for sub-processor details).
- Routing referrals to the appropriate clinical staff based on specialty and scheduling rules.
- Enabling two-way messaging between receiving clinic staff, referring physicians, and patients.
- Writing structured appointment and referral data back to connected EHR systems via FHIR R4 APIs (Epic SMART on FHIR) or structured export (other EHR adapters).
- Sending SMS notifications to patients regarding referral status and appointment scheduling via our Telnyx SMS gateway.
- Providing patients with access to their own referral status, appointment details, and clinical messages through the Patient Portal.
- Processing insurance eligibility verification via our Stedi integration.
3.2 Platform Improvement and Security
- Detecting and responding to security incidents, fraud, and unauthorised access.
- Diagnosing and resolving platform bugs and performance issues.
- Aggregate, de-identified analytics to improve feature design.
3.3 What We Do Not Do
- We do NOT sell, rent, or barter PHI or personal data.
- We do NOT use PHI to train shared or public-facing AI models.
- We do NOT use PHI for marketing or advertising purposes.
- We do NOT transfer data outside the United States for processing.
4. Sub-Processors and Third-Party Disclosures
As a HIPAA Business Associate, we engage the following sub-processors who may access PHI in the course of providing services. Each sub-processor operates under a signed Business Associate Agreement with sycana AI:
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Google Cloud (Gemini API) | AI-powered clinical extraction, triage scoring, and summarisation of referral documents | United States |
| Amazon Web Services (AWS) | Cloud infrastructure, document storage (S3), and long-term audit log archival (Glacier) | United States |
| Telnyx | Inbound fax ingestion and patient SMS notifications | United States |
| Stripe | Payment processing for clinic subscriptions (credit card data not seen by sycana AI) | United States |
| Stedi | Insurance eligibility verification via EDI 270/271 transactions | United States |
EHR vendors (Epic, AdvancedMD, eClinicalWorks, Greenway, NextGen, Kareo, ModMed, Veradigm) receive structured referral and appointment data through their own certified APIs. Data shared with EHR vendors is directed by and under the control of the Covered Entity.
5. Data Security
- Encryption at rest: AES-256 encryption for all stored data, including PHI documents and database records.
- Encryption in transit: TLS 1.2 or higher for all API and web traffic. Fax transmissions use SRFAX/Telnyx's encrypted fax delivery.
- Access Control: Role-Based Access Control (RBAC) with 10 defined roles. PHI is redacted from views for non-clinical roles (e.g., billing staff cannot see clinical notes).
- Audit Logging: Every access, modification, or disclosure of PHI is recorded in an immutable audit log with user identity, timestamp, and action taken.
- Network Isolation: Platform services run within an isolated Virtual Private Cloud (VPC). Databases are not publicly accessible.
- Vulnerability Management: Regular penetration testing, dependency scanning, and SOC 2 Type II review cadence.
- Incident Response: A documented incident response plan with a dedicated security team and defined escalation paths.
6. Data Retention
6.1 Active Customer Data
PHI and associated referral data is retained for the duration of the active Service Agreement plus any statutory minimum retention period required under applicable state or federal law (typically 7 years for medical records).
6.2 Audit Logs
Security and access audit logs are retained for a minimum of 6 years in AWS Glacier (cold storage), consistent with HIPAA's documentation retention requirements.
6.3 Termination
Upon termination of the Service Agreement, we will — within 60 days — either securely return all Customer Data in a portable format or destroy it in accordance with the BAA, whichever the Covered Entity elects. Destruction is performed using NIST 800-88 compliant methods and confirmed in writing.
6.4 Patient Portal Data
Patient Portal accounts and associated data are retained until the Receiving Clinic terminates their subscription, after which patient data is treated as Customer Data under Section 6.3.
7. Patient Rights Under HIPAA
Patients whose data is processed through the Platform retain all rights afforded to them under HIPAA's Privacy Rule. Exercise of these rights is managed through the Covered Entity (your clinic), not directly through sycana AI. However, patients may also contact us directly and we will coordinate with your organisation within the required timeframes.
To exercise any of these rights, contact us at privacy@sycana.com or contact your clinic directly.
8. Breach Notification
In the event of a breach of unsecured PHI, sycana AI will:
- Notify the affected Covered Entity without unreasonable delay and within no more than 60 calendar days of discovery, as required by HIPAA.
- Provide sufficient information for the Covered Entity to fulfil its own notification obligations to affected individuals and the HHS Office for Civil Rights.
- Cooperate fully with any investigation and remediation efforts.
Notification of affected patients (where required) is the responsibility of the Covered Entity. sycana AI will provide all information required to complete that notification.
9. SMS Communications
We send SMS messages to patients on behalf of Receiving Clinics for appointment scheduling, reminders, and referral status updates. Message frequency depends on referral and scheduling activity. Standard message and data rates may apply.
- Patients may opt out of SMS at any time by replying STOP to any message.
- Patients may request help by replying HELP.
- SMS is sent only to numbers provided by the Covered Entity and only for clinical coordination purposes.
- SMS message content may include appointment details and referral status — which may constitute PHI. This SMS service is conducted under the BAA.
10. Minors
The Platform may process PHI related to minors when a referring or receiving clinic submits paediatric referrals. Access to a minor's Patient Portal is managed by the Covered Entity and may be linked to a parent or guardian account where appropriate. sycana AI does not knowingly collect personal information from children for any purpose other than the clinical service authorised by the Covered Entity.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified to Covered Entities via email at least 30 days before taking effect. The “Last Updated” date at the top of this page reflects the most recent revision. Continued use of the Platform after the effective date constitutes acceptance of the updated Policy.
12. Contact Us
For privacy-related questions, requests, or concerns, contact our Privacy Officer:
Email: privacy@sycana.com
Address: Privacy Officer, Sycana Health AI LLC, Little Rock, Arkansas, United States
Response time: We aim to respond to all privacy inquiries within 5 business days.