Privacy Policy

Effective Date: February 1, 2026

Last Updated: February 1, 2026

Our Commitment to Privacy and Security

Linear Health, Inc. ("Linear Health," "we," "us," or "our") provides AI-powered referral coordination, scheduling, and patient engagement solutions to healthcare organizations across the United States. We serve federally qualified health centers (FQHCs), community health centers (CHCs), specialty practices, behavioral health organizations, and private equity-backed clinic groups.

We understand that healthcare organizations entrust us with their most sensitive operational and patient data. This Privacy Policy explains how we collect, use, protect, and share information—and reflects the rigorous standards we maintain as a healthcare technology partner.

1. Scope of This Policy

What This Policy Covers

This Privacy Policy applies to:

  • Our websites at linear.health and associated subdomains
  • Our AI-powered platform, including referral coordination, scheduling automation, care gap closure, prior authorization, and revenue cycle management capabilities
  • Communications facilitated through our platform via email, SMS, and voice AI
  • Information we collect from healthcare provider customers and their authorized personnel
  • Information processed on behalf of healthcare providers in connection with patient care coordination

What This Policy Does Not Cover

Protected Health Information (PHI): When we process PHI on behalf of Covered Entities under HIPAA, we act as a Business Associate. Such processing is governed by our Business Associate Agreement (BAA) with each customer, which takes precedence over this Privacy Policy for PHI handling.

Third-Party Services: This policy does not apply to third-party websites, EHR systems, or other services that may integrate with our platform. Each is governed by their respective privacy policies.

2. Our Role in Data Processing

Business Associate (HIPAA)

When healthcare providers use our platform to coordinate patient referrals, send appointment communications, or manage care workflows involving PHI, we operate as a Business Associate under HIPAA. In this capacity:

  • We process PHI only as permitted by our BAA and at the direction of the Covered Entity
  • We implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule
  • We do not use PHI for our own purposes except as permitted by HIPAA (e.g., de-identification for product improvement)
  • We execute a BAA with every healthcare provider customer before any PHI is processed

Data Controller

When we collect information directly for our own business purposes—such as website analytics, marketing to prospective customers, or managing customer accounts—we act as a data controller and this Privacy Policy governs such processing.

3. Information We Collect

Information from Healthcare Provider Customers

Account and Administrative Information:

  • Organization name, address, and contact information
  • Names, email addresses, phone numbers, and job titles of authorized users
  • Billing and payment information
  • Service configuration preferences and workflow settings
  • EHR system credentials and integration parameters (stored encrypted)

Operational Data:

  • Referral volumes, scheduling metrics, and workflow performance data
  • Platform usage patterns and feature adoption
  • Support tickets and communications with our team

Information Processed on Behalf of Healthcare Providers

Patient Demographics:

  • Names, dates of birth, contact information
  • Insurance information and coverage details
  • Preferred language and communication preferences

Clinical Coordination Data:

  • Referral requests and specialist assignments
  • Appointment scheduling and confirmation status
  • Care gap identification and outreach status
  • Prior authorization requests and status

Communication Records:

  • SMS messages, emails, and voice call recordings/transcripts
  • Patient responses and engagement data
  • Consent and opt-out records

Information from Website Visitors

Contact and Inquiry Information:

  • Name, email address, phone number, and organization
  • Job title and role
  • Information you provide in contact forms, demo requests, or newsletter signups

Automatically Collected Information:

  • IP address and approximate location
  • Browser type, device type, and operating system
  • Pages visited, time spent, and referral source
  • Cookies and similar tracking technologies (see Section 11)

4. How We Use Information

To Provide Our Services

  • Process and coordinate patient referrals across healthcare networks
  • Automate appointment scheduling and patient outreach via email, SMS, and voice AI
  • Identify care gaps and facilitate preventive care coordination
  • Integrate with EHR systems (Athena, Cerner, eClinicalWorks, NextGen, Healthie, and others) for bidirectional data exchange
  • Automate prior authorization submission and tracking
  • Support revenue cycle management workflows
  • Generate reports and analytics for customer operations

To Operate and Improve Our Platform

  • Monitor system performance, uptime, and reliability
  • Identify and resolve technical issues
  • Develop new features and enhance existing capabilities
  • Train and improve our AI models using de-identified or aggregated data

For Business Operations

  • Process payments and manage billing
  • Communicate with customers about their accounts and services
  • Provide customer support and respond to inquiries
  • Send marketing communications (with consent where required)

For Compliance and Legal Purposes

  • Comply with applicable laws, regulations, and legal processes
  • Enforce our agreements and protect our rights
  • Respond to lawful requests from government authorities
  • Maintain audit logs as required for HIPAA compliance

5. AI and Machine Learning Disclosure

Our AI Architecture

Linear Health uses artificial intelligence and machine learning to power our automation capabilities, including referral coordination, scheduling automation, care gap closure, prior authorization, and revenue cycle management.

Foundation Models:

  • We use commercially available large language models (LLMs) accessed through Amazon Bedrock (including Anthropic Claude and other models) and Amazon SageMaker for inference
  • Models are deployed within AWS in HIPAA-eligible configurations
  • We do not use open-source models deployed on uncontrolled infrastructure

Voice AI:

  • Voice synthesis and processing powered by ElevenLabs
  • All voice AI processing configured for healthcare use cases
  • Voice data processed in accordance with HIPAA requirements

Model Training and Data Usage:

  • We do not train foundation models on customer PHI
  • We may use de-identified, aggregated data to fine-tune workflow-specific models
  • Customer data is never shared with third-party AI providers for their model training
  • All AI processing occurs within our secured AWS environment

Voice AI Specifics

Call Recording and Transcription:

  • Voice calls may be recorded for quality assurance, service delivery, and dispute resolution
  • Recordings are transcribed for documentation in customer EHR systems
  • All recordings and transcripts are encrypted at rest and in transit

Biometric Data:

  • We do not use voice data to create biometric identifiers or voiceprints
  • Voice recordings are not used for identity verification or authentication purposes
  • We comply with Illinois BIPA, Texas CUBI, and other applicable biometric privacy laws

AI Limitations and Human Oversight

  • Our AI capabilities perform administrative and coordination tasks—not clinical decision-making
  • Healthcare providers retain responsibility for clinical judgment and patient care
  • AI outputs are designed to support, not replace, human staff
  • AI may occasionally produce errors; human review is recommended for critical workflows

6. SMS, Email, and Voice Communications

A2P 10DLC Compliance

  • All SMS campaigns are registered through The Campaign Registry (TCR)
  • We maintain compliant 10DLC (10-digit long code) registration for each customer
  • Message content complies with carrier acceptable use policies
  • We support dedicated short codes for high-volume customers upon request

TCPA Compliance

  • Message frequency limits: Maximum 3 contacts per week per patient (within TCPA healthcare exemption)
  • Clear opt-out mechanisms: STOP keyword support on all SMS communications
  • Consent management: Tools to track and honor patient communication preferences
  • Do Not Call list integration available for voice outreach

CAN-SPAM Compliance

All transactional and marketing emails:

  • Include accurate sender identification
  • Contain valid physical postal addresses
  • Provide clear unsubscribe mechanisms
  • Honor opt-out requests within 10 business days

7. Information Sharing and Disclosure

With Service Providers and Subprocessors

Infrastructure and Hosting:

  • Amazon Web Services (AWS) – Cloud infrastructure, compute, storage, database, and AI/ML services
  • All AWS services configured for HIPAA eligibility with executed BAA

AI and Machine Learning:

  • Amazon Bedrock – Foundation model inference (Claude, and other LLMs)
  • Amazon SageMaker – Model inference endpoints
  • ElevenLabs – Voice AI synthesis and processing

Communication Services:

  • Twilio – SMS delivery and telephony services
  • SendGrid – Transactional email delivery
  • AWS Simple Email Service (SES) – Email delivery

All subprocessors that handle PHI have executed BAAs with Linear Health. A current list of subprocessors is available upon request.

With Healthcare Provider Customers

We share information with healthcare providers as necessary to provide our services, including:

  • Patient communication status and engagement metrics
  • Referral coordination updates and specialist responses
  • Scheduling confirmations and appointment data
  • Aggregated analytics and performance reports

Legal and Compliance Disclosures

We may disclose information when required by:

  • Lawful requests from government authorities
  • Court orders, subpoenas, or legal process
  • Law enforcement requests in emergency situations
  • Regulatory investigations or audits

No Sale of Personal Information

We do not sell personal information or PHI. We do not share personal information for cross-context behavioral advertising.

8. Data Security

Technical Safeguards

  • AES-256 encryption for data at rest
  • TLS 1.2+ encryption for data in transit
  • Single-tenant database architecture (customer data never commingled)
  • Network isolation via AWS VPC and security groups
  • Web application firewall (WAF) and DDoS protection
  • Regular vulnerability scanning and penetration testing

Administrative Safeguards

  • Annual HIPAA training for all employees
  • Background checks for employees with access to PHI
  • Role-based access control with principle of least privilege
  • Documented security policies and procedures
  • Regular security awareness training

Physical Safeguards

  • AWS data centers with SOC 2 certification
  • Physical access controls and 24/7 monitoring
  • No customer PHI stored on employee devices

Incident Response

  • Documented incident response plan
  • 24/7 security monitoring and alerting
  • Breach notification within timeframes required by HIPAA and state law
  • Post-incident review and remediation

9. Data Retention

Retention Periods

Customer Data and PHI:

  • Retained for the duration of the customer relationship
  • Deleted within 60 days of contract termination (unless retention required by law or BAA)
  • Customers may request earlier deletion with appropriate notice

Audit Logs:

  • Retained for 6 years as required by HIPAA
  • Longer retention available upon request

Voice Recordings:

  • Default retention of 90 days
  • Configurable retention periods per customer requirements
  • Transcripts retained per customer EHR documentation policies

Data Deletion

  • Secure deletion using industry-standard methods
  • Deletion from primary systems and backups
  • Certification of deletion available upon request

10. Your Rights

For Healthcare Provider Customers

You have the right to:

  • Access your account data and usage reports
  • Export your data in standard formats
  • Request correction of inaccurate information
  • Request deletion of your data (subject to legal retention requirements)
  • Receive notification of material changes to this policy

For Patients

Patient rights regarding PHI are primarily exercised through the healthcare provider. Patients should contact their healthcare provider for:

  • Access to their health records
  • Requests to amend health information
  • Accounting of disclosures
  • Communication preference updates

Patients may also contact us directly at privacy@linear.health for:

  • Questions about our data practices
  • Opting out of SMS or voice communications (STOP keyword also works)
  • Complaints about privacy practices

State-Specific Rights

Residents of certain states (California, Virginia, Colorado, Connecticut, Utah) may have additional rights:

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt out of sale/sharing (we do not sell personal information)
  • Right to non-discrimination for exercising privacy rights

11. Cookies and Tracking

Cookies We Use

Essential Cookies:

  • Session management and authentication
  • Security and fraud prevention
  • Load balancing and performance

Analytics Cookies:

  • Website usage analytics (e.g., Google Analytics)
  • Feature adoption and user experience analysis

Marketing Cookies:

  • Campaign attribution and effectiveness
  • Advertising pixel tracking (with consent where required)

Managing Cookies

  • Browser settings can be used to block or delete cookies
  • Some features may not function properly without essential cookies
  • Do Not Track signals are honored where technically feasible

12. Third-Party Links

Our website and services may contain links to third-party websites or integrate with third-party services (e.g., EHR systems). We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you use.

13. Children's Privacy

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children under 18 except when processing information on behalf of healthcare providers in connection with pediatric patient care, in which case such processing is governed by our BAA and HIPAA requirements.

If you believe we have inadvertently collected personal information from a child under 18 outside of a healthcare context, please contact us immediately at privacy@linear.health.

14. International Users

Linear Health is based in the United States, and our services are designed for US healthcare organizations. All data is processed and stored in the United States.

If you access our website or services from outside the United States:

  • Your information will be transferred to and processed in the United States
  • US data protection laws may differ from those in your jurisdiction
  • By using our services, you consent to such transfer and processing

We do not specifically target users in the European Economic Area, United Kingdom, or other international jurisdictions, and we do not process PHI for non-US healthcare providers.

15. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors.

Notification of Changes:

  • Material changes will be communicated via email to customer administrators
  • The "Last Updated" date will be revised
  • For significant changes affecting PHI handling, we will provide at least 30 days' notice

Continued Use: Your continued use of our services after changes become effective constitutes acceptance of the updated policy.

16. Contact Information

General Privacy Inquiries

Email: privacy@linear.health
Mail: Linear Health, Inc., 1606 Headway Circle, Austin, TX 78754

Security Concerns

Email: security@linear.health
Responsible Disclosure: We welcome reports of security vulnerabilities. Please contact security@linear.health with details.

HIPAA and Compliance

Email: compliance@linear.health
For BAA requests and compliance documentation

Customer Support

Email: support@linear.health
For operational and technical support

17. Compliance Certifications and Frameworks

Current Certifications

Certification     Status       Scope
HIPAA             Compliant    Full platform
SOC 2 Type II     Certified    Security, availability, confidentiality
BAA Execution     Standard     All healthcare customers

Frameworks We Align With

  • NIST Cybersecurity Framework
  • HITRUST CSF (alignment, certification planned)
  • OWASP Top 10 (secure development practices)

Security Documentation Available Upon Request

  • SOC 2 Type II Report
  • Penetration Test Executive Summary
  • HIPAA Risk Assessment Summary
  • Business Associate Agreement template
  • Subprocessor list
  • Data Processing Addendum

© 2026 Linear Health, Inc. All rights reserved.