Guidelines for Compliant Use of Subflow

Last updated 8 days ago

Subflow provides secure infrastructure, configurable safeguards, and compliance-supporting functionality, but how the platform is configured and used day to day is your organization's responsibility. This page outlines the seven guidelines you should follow to maintain compliant, secure patient engagement.

Patient consent

You must obtain and document appropriate patient consent before sending SMS messages, emails, automated outreach, or any other electronic communication through Subflow.

Consent requirements include:

  • Consent for healthcare communications

  • Consent for automated text messaging where applicable

  • Clear opt-in and opt-out processes for all communication channels

Patients must always have the ability to revoke communication consent at any time.

Sensitive information in SMS messages

Standard SMS messaging is not fully encrypted. Avoid including highly sensitive protected health information (PHI) within text message content wherever possible.

Best practice includes:

  • Directing patients to Secure Chat for detailed clinical information

  • Avoiding diagnoses, treatment details, or sensitive clinical information in standard SMS messages

For guidance on using Secure Chat in Subflow, see [When to Use Secure Chat].

User access configuration

Your organization is responsible for ensuring that users only have access to the information necessary for their role. In Subflow, Teams control which staff members can see which patient records.

Access management recommendations include:

  • Assigning users to Teams that reflect their role and patient caseload

  • Reviewing user access regularly to confirm it remains appropriate

  • Immediately removing access for staff members who leave or change roles

Workflow oversight

You are responsible for monitoring and responding to patient communications, tasks, assessments, and escalations generated within Subflow. Automated workflows do not replace human oversight; your team must be assigned to review and act on what the platform surfaces.

Your team should establish:

  • Clear ownership for each active workflow

  • Escalation procedures for high-priority patient responses

  • Response time expectations for patient-submitted Forms and Tasks

  • A monitoring schedule for incoming patient information

Staff training

All staff members using Subflow must receive training appropriate to their role before accessing patient records or sending communications.

Training should cover:

  • Health Insurance Portability and Accountability Act (HIPAA) and privacy requirements

  • Secure handling of PHI

  • Appropriate messaging practices within Subflow

  • Your organization's internal communication policies

State and organizational requirements

Healthcare privacy and communication requirements vary by state, specialty, payer contract, and organizational policy. Subflow provides the tools to support compliance, but you are responsible for confirming that your specific use of the platform meets all applicable requirements.

This includes reviewing:

  • State-specific regulations on patient messaging and consent

  • Payer or contract requirements that affect communication practices

  • Your organization's internal compliance and privacy policies

Security incident reporting

Any suspected unauthorized access, communication issue, or security incident involving Subflow must be reported promptly. Delayed reporting increases risk for patients and your organization.

When a security concern arises:

  • Report internally to your organization's compliance team immediately

  • Contact Subflow support as appropriate at support@subflow.com

  • Document the incident and any actions taken

Shared responsibility model

Subflow provides the infrastructure, security controls, and compliance-supporting features. Your organization is responsible for how those features are configured and used. Following the guidelines above is the operational side of that responsibility.

For additional carrier-level guidance, Subflow uses Telnyx as its messaging carrier. Telnyx maintains its own compliance and support resources at the Telnyx Help Center.
