Privacy Policy
Atlen Relay LLC ("Atlen," "we," "us," or "our") operates Atlen Relay, a healthcare referral coordination platform available at atlenrelay.com. This Privacy Policy explains how we collect, use, share, and protect information when you use our platform, including information about you and information about patients you submit through the platform.
We take privacy seriously. We comply with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the HITECH Act; the 21st Century Cures Act's information-blocking rule; and applicable U.S. state privacy laws.
1. Who we are and how to contact us
Atlen Relay LLC is a Mississippi limited liability company. For privacy questions, requests for access or deletion, or to file a complaint, contact us at:
- Email: [email protected]
- Subject line: "Privacy Request"
2. Who this policy applies to
This policy applies to two types of people:
- Providers — licensed healthcare professionals and their staff who use Atlen Relay to send and receive patient referrals.
- Patients — individuals whose health information is transmitted through the platform by their treating providers, and patients who use our platform to look up the status of a referral.
3. Information we collect
From providers
- Name, professional credentials (MD, DO, NPI, etc.), specialty, and license information
- Email address, phone number, fax number, and practice address
- Account credentials (password is hashed; we never store it in plaintext)
- Stripe payment method information (handled directly by Stripe; we store only a token reference and the last four digits)
- Usage data — referrals sent, received, accepted, declined, and completed
About patients (Protected Health Information)
- Name, date of birth, contact information
- Insurance plan, member ID, plan type
- Diagnosis codes (ICD-10), CPT codes, and reason for referral
- Letters of medical necessity and clinical notes submitted by the referring provider
- Consult notes returned by the receiving specialist
- Appointment scheduling information
Patients do not create accounts on Atlen Relay. Patient information is submitted by their treating provider and is treated as Protected Health Information ("PHI") under HIPAA.
Automatically collected
- IP address, browser type, device type, and access timestamps
- Pages viewed and actions taken on the platform
- Cookies necessary for authentication and session management
4. How we use information
- To operate the referral platform — routing referrals between providers, sending notification emails, faxes, and SMS, and tracking referral status.
- To verify provider identity — checking NPI numbers against the federal NPPES registry.
- To bill providers — charging the per-accepted-referral fee using Stripe.
- To improve the platform — analyzing usage trends in aggregated, de-identified form.
- To comply with legal obligations — responding to subpoenas, government requests, and other lawful demands.
We do not sell or rent personal information or PHI to anyone, ever. We do not use PHI for advertising or marketing.
5. How we share information
With other providers (the core service)
When a referring provider sends a referral, we transmit the relevant patient information to the receiving provider designated by the referring provider. This is the core function of the platform and is performed under the authority of the treating providers and HIPAA's "treatment, payment, and operations" permitted disclosures.
With service providers ("subprocessors")
We use the following third-party services to operate the platform. Where they handle PHI on our behalf, we have entered into HIPAA Business Associate Agreements ("BAAs") or are in the process of doing so:
| Subprocessor | Purpose | Data category |
|---|---|---|
| Supabase | Database, authentication, file storage | All platform data, including PHI |
| DigitalOcean | Server hosting | All platform data, including PHI |
| Cloudflare | DNS, CDN, DDoS protection, secure tunnel | Network-layer metadata only |
| Resend | Outbound email notifications | Provider email addresses, referral metadata |
| fax.plus (Alohi) | HIPAA-tier outbound fax transmission | Referral PDFs to receiving providers and insurers |
| Stripe Identity | Government-ID + selfie + liveness verification at provider sign-up | Provider photo ID, selfie, and verification result; not patient PHI |
| Twilio | SMS notifications and automated voice calls | Provider and patient phone numbers, brief notification text |
| Stripe | Provider payment processing | Provider billing information; no patient data |
| Google Workspace | Internal company email and document storage | Internal communications |
For legal reasons
We may disclose information when required by law, subpoena, court order, or to protect the safety and rights of patients, providers, or the public.
With your consent
We may share information with your explicit consent for purposes you specifically authorize.
6. HIPAA notice for patients
Treatment-disclosure framework
Most disclosures Atlen Relay routes are provider-to-provider for treatment purposes. Under 45 CFR §164.506, treatment disclosures do not require separate patient authorization, and the "minimum necessary" rule does not apply to such disclosures. We process these referrals at the direction of your treating provider and consistent with HIPAA's treatment exception.
Special-record categories
Certain types of records require additional handling beyond the standard treatment-disclosure framework:
- Substance use disorder treatment records protected under 42 CFR Part 2 — separate written patient consent required, with redisclosure-prohibition language attached to the transmission.
- Psychotherapy notes — separate written patient authorization required even for treatment disclosures.
- Reproductive health care non-treatment disclosures — signed attestation required under 45 CFR §164.509; certain disclosures are flatly prohibited.
- Minor records — state-specific consent rules apply; treating provider attests to authority before transmission.
- Genetic information — additional GINA protections apply when the recipient is a health plan.
Atlen Relay provides controls at referral creation that prompt the referring provider to identify these categories and obtain the required consents before transmission.
6a. Information blocking
The 21st Century Cures Act and 45 CFR Part 171 prohibit health information networks from engaging in practices likely to interfere with the access, exchange, or use of Electronic Health Information (EHI), except as required by law or covered by an applicable exception. Atlen Relay is designed to comply:
- We do not require receiving providers to use Atlen Relay for follow-up communications.
- Our fees are cost-based and disclosed in the Terms of Service.
- We support alternative-manner delivery (email, fax, SMS, in-app dashboard).
- We document any decline-to-deliver decision with the regulatory exception relied upon.
To report a concern under the information-blocking rule, contact the ONC at healthit.gov/feedback or email us at [email protected].
7. How long we keep information
- Provider account data: Retained while the account is active. Deleted within 90 days of account closure unless we are required to retain it for legal reasons.
- Referral records (including PHI): Retained for at least seven (7) years from the date of the referral, consistent with medical record retention standards. Retained longer if a state law or contractual obligation requires it.
- Payment records: Retained for at least seven (7) years for tax and audit purposes.
- Logs: Authentication and access logs retained for at least one year for security and audit purposes.
8. Security
We implement reasonable administrative, technical, and physical safeguards designed to protect the information we hold, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256, via Supabase)
- Role-based access controls and least-privilege principles for our staff
- Multi-factor authentication on all administrative accounts
- Regular security reviews and dependency updates
- Logged audit trails for access to PHI
No system is perfectly secure. If we discover a data breach affecting your information, we will conduct a four-factor risk assessment as required by 45 CFR §164.402 and notify affected Covered Entities (and, where applicable, individuals and the U.S. Department of Health and Human Services) within the timeframes mandated by HIPAA and applicable state laws.
Under the HIPAA Security Rule, encryption is "addressable" — we have implemented NIST-consistent encryption for PHI in transit (TLS 1.2+) and at rest (AES-256 via Supabase), which creates the "secured PHI" safe harbor under HITECH.
8a. SMS and provider notifications
When you provide your phone number, you consent to receive transactional SMS messages from Atlen Relay regarding your account and active referrals. We do not send marketing SMS. SMS messages do not contain Protected Health Information beyond the minimum required to direct you to log in to view a notification. Standard message and data rates may apply. Reply STOP to unsubscribe; we record opt-out events and stop sending non-essential SMS to your number.
9. Children
The Atlen Relay platform is for use by licensed healthcare providers. Patient referrals routed through our platform may include patients of any age, including minors. We process minors' health information only at the direction of their treating providers and consistent with HIPAA.
10. State-specific rights
Residents of California, Virginia, Colorado, Connecticut, Texas, and other states with comprehensive privacy laws may have additional rights, including the right to access, correct, delete, or port their personal information, and the right to opt out of certain processing. To exercise these rights, email [email protected]. We will respond within the timeframe required by the applicable law.
11. International users
Atlen Relay is operated from the United States and is intended for use by U.S.-based healthcare providers and their patients. If you are accessing the platform from outside the United States, you understand that your information will be transferred to and processed in the United States.
12. Changes to this policy
We may update this Privacy Policy as our practices evolve or as required by law. When we make material changes, we will update the "Last updated" date and, for significant changes, notify providers via email. Continued use of Atlen Relay after a change constitutes acceptance of the updated policy.
13. Contact
Questions, concerns, or requests? Email [email protected] with the subject line "Privacy Request." We aim to respond within seven business days.
You may also file a complaint directly with the U.S. Department of Health and Human Services, Office for Civil Rights: hhs.gov/ocr/complaints.