HIPAA & BAA

Last updated: May 1, 2026

Alfred is operated by CorePlus World Group LLC (“Alfred”, “we”, “us”). When a covered entity uses Alfred to process protected health information (PHI), Alfred acts as a Business Associate as defined under the Health Insurance Portability and Accountability Act of 1996 and the HITECH Act. This page summarizes our security program, subprocessor list, and BAA process.

1. Scope

This document applies to PHI and electronic PHI (ePHI) that flows through Alfred — including patient names, contact information, appointment data, treatment notes, and message content stored on our infrastructure. It does not cover PHI that lives only inside your EHR or other third-party systems Alfred does not access.

2. Privacy Rule

  • We use and disclose PHI only as permitted by our BAA and as required to perform the services you request.
  • We do not sell PHI, use it for marketing, or train AI models on it.
  • Patient communications generated by Alfred (SMS, email, voice) carry the minimum necessary information to perform the requested workflow.
  • Patients can withdraw consent at any time. Once withdrawn, we stop sending automated messages within one business day.

3. Security Rule — administrative safeguards

  • Designated Security Officer responsible for the program.
  • Annual workforce HIPAA training and signed confidentiality agreements.
  • Role-based access control with least-privilege defaults.
  • Documented incident response plan with 60-day breach notification commitment.
  • Annual risk assessment with remediation tracking.

4. Security Rule — physical safeguards

  • All PHI is processed in SOC 2 Type II / ISO 27001 datacenters operated by our subprocessors.
  • Workforce devices require full-disk encryption, automatic lock, and MDM enrollment.
  • No PHI is stored on local workstations or removable media.

5. Security Rule — technical safeguards

  • Encryption in transit using TLS 1.2 or higher.
  • Encryption at rest using AES-256.
  • Database row-level security enforcing tenant isolation.
  • Audit logging of read and write access to PHI, retained for 6 years.
  • SSO and MFA available on the Growth and Scale tiers.
  • Application logs and error monitoring mask PHI before transmission.

6. Breach notification

In the event of a breach of unsecured PHI, we will notify affected covered entities without unreasonable delay and in no case later than 60 calendar days after discovery, consistent with 45 CFR § 164.410. Notification will include the nature of the breach, the types of PHI involved, the steps affected individuals should take, and the steps we are taking to investigate and mitigate.

7. Subprocessors

The following subprocessors may process PHI on our behalf, each under a signed BAA:

Subprocessor | Purpose | Location
Supabase | Database, auth, file storage | United States
Vercel | Application hosting | United States
Twilio | SMS & voice delivery | United States
Resend | Transactional email | United States
Anthropic | AI inference (zero-retention enterprise tier) | United States
Sentry | Error monitoring (PHI scrubbed) | United States
Stripe | Billing (no PHI processed) | United States

We notify customers at least 30 days before adding a new PHI-processing subprocessor, giving you the opportunity to object.

8. Patient rights

Patients may request access, amendment, an accounting of disclosures, or restrictions on use of their PHI. Such requests should be directed to the covered entity (your clinic). On request, we will support you in fulfilling these obligations within applicable timelines.

9. Termination & data return

On termination of the BAA, we will return or destroy all PHI in our possession within 30 days. Where return or destruction is infeasible, we will extend the protections of the BAA to that PHI for as long as we retain it.

10. Requesting a BAA

Customers on the Growth and Scale tiers receive a signed BAA before any PHI is processed. To request a BAA, email hello@alfred-intelligence.com with your clinic name and signing-authority contact. Countersigned copies are returned within two business days.

11. Contact

Security Officer: Jonathan Mohhebali. Email hello@alfred-intelligence.com for HIPAA-related inquiries, suspected breaches, or BAA questions.