Privacy Policy

Last updated: May 21, 2026

1. Introduction

CaseMgmt (“we,” “our,” or “us”) is committed to protecting the privacy of our users and the individuals whose information is managed through our platform. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you visit our website at casemgmt.io and use our case management platform.

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, phone number, company name, and billing information. This information is necessary to provide our services.

Protected Health Information (PHI)

Our platform is used to manage patient case information, which may include Protected Health Information as defined by HIPAA. We process this information solely on behalf of our customers (covered entities) and in accordance with our Business Associate Agreement (BAA).

Usage Data

We automatically collect certain information about your device and usage of our services, including IP address, browser type, operating system, pages visited, and time spent on our platform.

Cookies & Tracking Technologies

We use essential cookies required for the platform to function, including session cookies and authentication tokens. We do not use third-party advertising cookies or tracking pixels.

3. How We Use Your Information

  • To provide, maintain, and improve our case management platform
  • To process billing and subscription management
  • To send transactional emails (account confirmations, billing receipts, security alerts)
  • To send SMS messages for appointment reminders, care coordination, and video call links (with patient consent)
  • To provide customer support
  • To comply with legal obligations, including HIPAA requirements
  • To detect and prevent fraud, abuse, or security incidents
  • To generate anonymized, aggregate analytics to improve our services

4. HIPAA Compliance

CaseMgmt operates as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). We enter into a Business Associate Agreement (BAA) with each customer who uses our platform to manage Protected Health Information (PHI).

We implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule, including encryption of PHI at rest and in transit, access controls, audit logging, and workforce training.

5. Data Sharing & Subprocessors

We do not sell, rent, or trade your personal information. We share information only with the following categories of recipients:

Authorized Subprocessors

We use the following subprocessors to provide the Service. Each is bound by a Business Associate Agreement (where PHI is involved) and a Data Processing Agreement:

Subprocessor | Purpose | Data Location | BAA
Amazon Web Services (AWS) | Cloud hosting, database (RDS), storage (S3), compute (ECS) | United States (us-east-1) | Yes
Amazon Chime SDK | HIPAA-eligible video calling between case managers and patients | United States | Yes (via AWS BAA)
Deepgram | HIPAA-eligible call recording transcription | United States | Yes
Anthropic | AI summary generation from de-identified call transcripts | United States | Yes (Zero Data Retention enabled)
Stripe | Payment processing for subscription billing only (no PHI) | United States | N/A (no PHI)
Twilio | SMS delivery for appointment reminders and care coordination | United States | Yes
SRFax | Outbound fax delivery of CMS-1500 forms, invoices, and attachments | United States / Canada | Yes
Intuit (QuickBooks Online) | Optional, customer-initiated accounting sync (billing data only; no PHI) | United States | N/A (no PHI)
SMTP providers (per tenant) | Outbound email delivery (Gmail, Microsoft 365, or your provider of choice) | Per provider | Configured by tenant

We provide 30 days' notice before engaging any new subprocessor that will process PHI. The current list is also available in our Business Associate Agreement.

Other Disclosures

  • Legal compliance: When required by valid legal process (subpoena, court order, or regulatory request). We will notify the affected customer unless legally prohibited.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, with continued protection under this Policy and your BAA.
  • With your consent: When you explicitly authorize disclosure.

5a. Breach Notification

In the event of a breach of unsecured Protected Health Information, we will notify the affected customer (covered entity) without unreasonable delay and in no case later than 60 calendar days after discovery, in accordance with 45 CFR §164.410. Our notification will include the information required under §164.410(c), including the identification of each affected individual (to the extent known), the nature of the PHI involved, and the steps individuals should take to protect themselves from potential harm.

For non-PHI security incidents affecting customer accounts, we will notify the affected account holder via email within 72 hours of incident confirmation.

6. Data Security

We implement the administrative, physical, and technical safeguards required by the HIPAA Security Rule (45 CFR §164.308 through §164.312), including:

  • Application-layer AES-256 encryption of designated sensitive fields (for example, Social Security numbers), in addition to AES-256 encryption at rest on all database volumes and S3 storage
  • TLS 1.2+ for all data in transit; HSTS with preload directive on the public endpoint
  • Role-based access controls with five roles plus per-user permission overrides
  • Multi-tenant data isolation enforced at the application query layer
  • Audit logging capturing user, IP, user-agent, timestamp, and affected record for PHI access
  • Automatic session timeout after 30 minutes of inactivity, with an 8-hour maximum session (HIPAA §164.312(a)(2)(iii))
  • Single-session enforcement preventing concurrent logins from different devices
  • Rate limiting on authentication endpoints to prevent brute force
  • Mass-assignment protection on all data modification endpoints
  • Server-side HTML sanitization on outbound communications
  • File upload validation with extension blocklist and size limits
  • Server-side header injection protection on email sending
  • Regular vulnerability assessment and remediation
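The following Python is an illustrative example added to this page; it is not CaseMgmt's code and does not describe how the platform is implemented. It shows the general shape of two of the controls listed above: a server-side guard against email header injection (a CR, LF, or NUL byte in a header value lets a caller append headers such as Bcc: or start a second message), and a mass-assignment allowlist that drops client-supplied fields a user must never set. All function names, field names, and sample inputs are assumptions made up for the illustration.

```python
"""Illustrative email header-injection guard and mass-assignment allowlist.

Added example only; not CaseMgmt's code. Names and fields are assumed.
"""
import re

# Bytes that end or continue an RFC 5322 header line. Any of these inside a
# single header value can inject further headers or a second message body.
_HEADER_BREAK = re.compile(r"[\r\n\x00]")

# Deliberately simple address shape; fullmatch() means a trailing newline
# or anything after the domain is rejected rather than ignored.
_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# RFC 5322 limits a header line to 998 characters excluding CRLF.
_MAX_HEADER_LEN = 998


class HeaderInjection(ValueError):
    """Raised when a value cannot safely be placed in an email header."""


def would_inject(value: str) -> bool:
    """True if the value contains a line break or NUL (header-injection payload)."""
    return _HEADER_BREAK.search(value) is not None


def safe_header_value(value: str) -> str:
    """Return the value for use in one header line, or raise HeaderInjection."""
    if would_inject(value):
        raise HeaderInjection("CR/LF/NUL in header value")
    if len(value) > _MAX_HEADER_LEN:
        raise HeaderInjection("header value exceeds RFC 5322 line limit")
    return value.strip()


def build_message(to_addr: str, subject: str, body: str) -> dict:
    """Assemble a message, refusing input that would break header structure.

    The body is kept separate from the headers; newlines in the body are
    legitimate and are only a problem if they reach a header field.
    """
    to_addr = safe_header_value(to_addr)
    if not _ADDR.fullmatch(to_addr):
        raise HeaderInjection(f"invalid recipient address: {to_addr!r}")
    return {
        "To": to_addr,
        "Subject": safe_header_value(subject),
        "Body": body,
    }


# Fields a client is allowed to set on a case record (assumed names).
# Everything else (tenant_id, owner_id, role, created_at, ...) is server-set.
CASE_WRITABLE_FIELDS = frozenset({"title", "status", "notes"})


def filter_writable(payload: dict, allowed: frozenset = CASE_WRITABLE_FIELDS) -> dict:
    """Allowlist the fields a request may modify; silently drop the rest.

    An allowlist (rather than a blocklist of known-dangerous names) means a
    newly added privileged column is protected by default.
    """
    return {key: value for key, value in payload.items() if key in allowed}


if __name__ == "__main__":
    # Constructed sample inputs: one benign message, one with a Bcc: injection
    # attempt in the subject, and one request trying to change its tenant.
    print(build_message("nurse@example.org", "Appointment reminder", "See you Monday."))
    try:
        build_message("nurse@example.org", "Hi\r\nBcc: attacker@example.net", "x")
    except HeaderInjection as exc:
        print("rejected:", exc)
    print(filter_writable({"title": "Follow-up", "tenant_id": 99, "role": "admin"}))
```

The recipient is validated with fullmatch rather than a `^...$` anchored match because `$` in Python also matches just before a trailing newline, which would let `user@example.org\n` slip through; the same class of off-by-one is why the header check runs on the address before the address pattern does.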

7. Data Retention

We retain your account information for as long as your account is active or as needed to provide services. Patient and case data managed through the platform is retained according to your organization's retention policies and applicable regulatory requirements. Upon account termination, we will delete or de-identify your data within 90 days, unless retention is required by law.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access and receive a copy of your personal data
  • Request correction of inaccurate data
  • Request deletion of your personal data
  • Object to or restrict processing of your data
  • Data portability
  • Withdraw consent at any time

To exercise any of these rights, please contact us at privacy@casemgmt.io.

9. Children's Privacy

Our platform is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If patient records include information about minors, such data is managed by the covered entity in accordance with applicable laws.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on our website or sending an email to your registered email address. Your continued use of the platform after changes constitutes acceptance of the updated policy.

11. SMS Messaging

CaseMgmt may send SMS text messages to patients who have provided consent through a signed Medical Case Management Agreement, verbal consent documented by their case manager, or through our web portal registration process. Messages include appointment reminders, video call links, and care coordination updates. We do not send marketing or promotional messages.

Message frequency varies based on the patient's care plan (typically 1-5 messages per month). Message and data rates may apply. Patients may opt out at any time by replying STOP to any message or contacting their case manager. For help, reply HELP or email admin@casemgmt.io.

Phone numbers are stored securely and shared only with our SMS delivery provider (Twilio) for message delivery. For full details, see our SMS Consent Policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

CaseMgmt

Email: privacy@casemgmt.io

Website: casemgmt.io