Privacy Policy
One Care Portal LLC
Effective Date: February 27, 2026
This Privacy Policy describes how One Care Portal LLC ("Provider," "we," "our") collects, uses, discloses, and protects information in connection with the OneCarePortal platform (the "Platform"). This Privacy Policy applies to all users of the Platform and is incorporated by reference into the Master Services Agreement between Provider and Client.
1. Information We Collect
In the course of providing the Platform, we collect and process the following categories of information:
- Participant Health Information. Protected Health Information ("PHI") submitted by Client, including names, Medicaid ID numbers, diagnoses, service records, care plans, and billing data. This information is governed by the Business Associate Agreement between Provider and Client.
- Account Information. Names, email addresses, phone numbers, job titles, and roles of Client's authorized users.
- Usage Data. Log data including IP addresses, browser type, device information, pages accessed, features used, and timestamps, collected for security, troubleshooting, and Platform improvement purposes.
- Cookies and Tracking Technologies. The Platform may use essential cookies necessary for functionality, such as session management and authentication. We do not use advertising cookies or third-party tracking pixels. Analytics cookies, if used, are limited to aggregated usage patterns and do not track individual users across websites.
2. How We Use Information
We use the information collected solely to:
- Deliver, operate, and maintain the Platform and Services contracted for by Client
- Respond to Client support requests and troubleshoot technical issues
- Comply with applicable legal obligations, including HIPAA and state healthcare regulations
- Improve Platform security, performance, and reliability
- Provide AI-assisted features where enabled by Client (subject to the limitations described in Section 3 below)
We do not sell, rent, or trade Client Data or PHI. We do not use Client Data for marketing, advertising, or any purpose unrelated to providing the Services.
3. AI-Enabled Features and Data Processing
The Platform may include AI-assisted features under a signed Business Associate Agreement. These features are designed to minimize PHI exposure.
Free-text inputs submitted by authorized users into AI-enabled fields may be transmitted to OpenAI for processing. OpenAI Enterprise does not use customer data for model training and operates under enterprise-grade data handling and deletion policies.
We maintain reasonable safeguards to limit unnecessary PHI transmission to AI subprocessors. Client is responsible for training its users on appropriate use of AI-enabled features.
4. Data Security
We implement industry-standard safeguards to protect Client Data:
- All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption
- Access to PHI is restricted on a least-privilege basis to authorized technical personnel only
- Data is hosted on HIPAA-compliant infrastructure (Atlantic.net, AWS, Google Cloud) under signed Business Associate Agreements with each hosting provider
- We conduct periodic security risk assessments and maintain audit logs of all PHI access
- We maintain security practices consistent with industry-recognized frameworks, including NIST SP 800-53 standards
5. Data Retention
We retain Client Data for the duration of the Master Services Agreement. Following termination, Client Data is retained for thirty (30) days to allow for data export, after which it is securely deleted or destroyed in accordance with HIPAA standards.
System access logs and audit records are retained for a minimum of six (6) years in accordance with HIPAA requirements. Backup copies may be retained in encrypted form for up to ninety (90) days following termination for disaster recovery purposes, after which they are securely destroyed.
6. Disclosure to Third Parties
We will not disclose Client Data to any third party except:
- To subcontractors and subprocessors necessary to provide the Services, each bound by appropriate confidentiality obligations and Business Associate Agreements
- To AI subprocessors as described in Section 3 above
- As required by applicable law, court order, subpoena, or regulatory requirement
- With Client's prior written consent
7. Individual Rights
HIPAA Rights. Individuals whose PHI is processed through the Platform have rights under HIPAA, including the right to access, amend, and receive an accounting of disclosures of their PHI. These rights are exercised through the Covered Entity (Client), not directly through Provider. We will cooperate with Client to fulfill such requests in accordance with the Business Associate Agreement.
State Privacy Law Rights. To the extent that applicable state privacy laws grant individuals rights regarding their personal information, we will assist Client in responding to verifiable requests, including:
- Right to Know / Access - The right to know what personal information is collected and to request a copy
- Right to Delete - The right to request deletion of personal information, subject to legal retention requirements
- Right to Correct - The right to request correction of inaccurate personal information
- Right to Opt Out - The right to opt out of the sale or sharing of personal information. We do not sell or share personal information, so this right is satisfied by default
To exercise any rights related to personal information processed through the Platform, individuals should contact their healthcare provider (the Client). Clients may submit requests on behalf of individuals using the contact information below.
8. Data Breach Notification
In the event of a Breach of Unsecured PHI (as defined under HIPAA), we will notify the affected Client without unreasonable delay and in no event later than seventy-two (72) hours following discovery, in accordance with the Business Associate Agreement.
We will cooperate with Client in investigating the Breach, mitigating its effects, and fulfilling notification obligations to affected individuals and regulatory authorities as required by HIPAA and applicable state breach notification laws.
9. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify Client of material changes at least thirty (30) days prior to the effective date by sending notice to the email address associated with Client's account. Continued use of the Platform after the effective date constitutes acceptance of the updated Privacy Policy.
10. Contact
Questions, concerns, or requests related to this Privacy Policy should be directed to:
One Care Portal LLC
Attention: Ram Bastola
Email: support@onecareportal.com