Privacy policy

Effective date: April 13, 2026

1. Scope; Status; Acceptance; Definitions.

This Website Privacy Policy (this “Policy”) governs the Company’s information practices for this public-facing Website. The Company may act as a HIPAA Business Associate in limited circumstances when it creates, receives, maintains, or transmits Protected Health Information (“PHI”) on behalf of a covered entity through specific, clearly designated Website features. To the extent information collected through the Website constitutes PHI, this Policy and applicable HIPAA requirements govern notwithstanding any conflicting provisions in the Terms of Service. By accessing or using the Website, you acknowledge that you have read and agree to this Policy.

  1. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations, including 45 C.F.R. Parts 160 and 164, and the HITECH Act;
  2. “Business Associate” has the meaning set forth under HIPAA and, for clarity, the Company acts as a business associate when it creates, receives, maintains, or transmits Protected Health Information on behalf of a covered entity;
  3. “Protected Health Information” or “PHI” has the meaning set forth under HIPAA;
  4. “ePHI” means PHI maintained or transmitted in electronic form;
  5. “Personal Information” means information collected through the Website that identifies or can reasonably be linked to an individual;

2. Information Collected Through the Website.

The Company may collect:

  1. Information you submit through the Website (including contact details and any information you choose to provide);
  2. Information collected automatically when you use the Website (including device and browser information, IP address, pages viewed, and approximate location derived from IP address);
  3. Information received from service providers supporting the Website. You agree not to submit PHI through general Website contact forms or other free-text fields unless the Website expressly indicates the submission method is intended for PHI and is secured for that purpose. Do not submit health or medical information through general contact forms or free-text fields.
  4. Information collected through general Website use, including cookies, analytics, and standard inquiry forms, is treated as Personal Information and not as PHI unless expressly stated otherwise.

3. HIPAA Notice; Relationship to Covered Entity Notices.

Where the Company Processes PHI as a Business Associate, the applicable covered entity’s notice of privacy practices (and not this Policy) describes permitted uses and disclosures of PHI by the covered entity and individuals’ rights with respect to PHI. This Policy describes the Company’s Website privacy practices and, to the extent the Company Processes PHI through the Website on behalf of a covered entity, the Company will handle such PHI in accordance with HIPAA and the Company’s applicable business associate obligations.

4. Permitted Uses and Disclosures; Minimum Necessary.

The Company may Process information collected through the Website to operate, maintain, secure, and improve the Website; respond to inquiries; provide support; communicate about Website functionality and security; prevent fraud and misuse; comply with law; and enforce this Policy. To the extent any information collected through the Website constitutes PHI, the Company will make uses, disclosures, and requests for PHI subject to HIPAA’s minimum necessary standard and will make reasonable efforts to ensure that access to PHI in connection with the Company’s services is limited to the minimum necessary to accomplish the intended purpose of the particular use, disclosure, or request. The Company will support and document its minimum necessary determinations consistent with reasonable recordkeeping practices and taking into account relevant privacy and security risks and the Company’s technical capabilities.

5. Cookies, Analytics, and Similar Technologies.

The Website uses cookies, pixels, SDKs, tags, scripts, and similar technologies (collectively, Tracking Technologies) to operate the Website, maintain session state, remember preferences, measure performance, detect and prevent fraud and misuse, and understand how users interact with the Website. The Company may collect, through Tracking Technologies, information such as IP address, device identifiers, browser type, operating system, referring/exit pages, pages viewed, links clicked, timestamps, approximate location derived from IP address, and other usage and diagnostic data (collectively, Usage Data). The Company will not intentionally deploy Tracking Technologies on the Website for the purpose of collecting Protected Health Information (PHI) unless the Website feature expressly indicates it is intended for PHI and is secured for that purpose. Users may control cookies through browser settings and, where available on the Website, through cookie preference tools; however, disabling certain cookies may cause portions of the Website to function improperly. Where required by applicable law, the Company will provide notice and obtain consent for non-essential cookies before placing them. The Company may use analytics providers and other vendors to support Website operations; to the extent any such vendor creates, receives, maintains, or transmits PHI on behalf of the Company in connection with the Website, the Company will require such vendor to be bound by written obligations consistent with the Company’s HIPAA business associate responsibilities.

To the extent any information collected through Tracking Technologies constitutes PHI, the Company will make uses, disclosures, and requests for such PHI subject to HIPAA’s minimum necessary standard and will make reasonable efforts to ensure access to PHI in connection with Website-related services is limited to the minimum necessary to accomplish the intended purpose of the particular use, disclosure, or request; the Company will support its minimum necessary determinations with a rational justification reflecting (i) the Company’s technical capabilities and (ii) relevant privacy and security risks, and will record and maintain documentation of such determinations consistent with reasonable recordkeeping practices and HIPAA rules.

6. Safeguards; HIPAA Compliance; Direct Liability.

Where applicable, the Company will implement and maintain administrative, technical, and physical safeguards designed to protect the privacy and security of PHI and ePHI and to prevent uses or disclosures not permitted by HIPAA. The Company acknowledges that, as a Business Associate, it may be directly liable under HIPAA and the HITECH Act and subject to civil (and, in certain cases, criminal) penalties for making uses or disclosures of PHI not authorized by HIPAA or required by law and for failing to safeguard ePHI in accordance with the HIPAA Security Rule.

7. Service Providers; Subcontractors; Flow-Down Obligations.

The Company may disclose information to vendors and service providers that support the Website (including hosting, analytics, security, and communications providers) solely to perform services for the Company. To the extent any such vendor or service provider creates, receives, maintains, or transmits PHI on behalf of the Company, the Company will ensure such subcontractor or agent agrees in writing to the same restrictions, conditions, and obligations that apply to the Company with respect to such PHI, including compliance with applicable HIPAA requirements. The Company remains responsible for such subcontractors to the extent required by law.

8. Legal Disclosures; Protection of Rights; Transfers.

The Company may disclose information (including, where applicable, PHI) as required by law or legal process, or as reasonably necessary to protect the rights, safety, and security of the Company, Website users, and others. The Company may transfer information in connection with a merger, acquisition, reorganization, financing, or sale of assets, provided that any recipient is bound to protect such information consistent with this Policy and, for PHI, consistent with HIPAA and applicable business associate obligations.

9. Retention; Return/Destruction of PHI.

The Company will retain Personal Information only as long as reasonably necessary for the purposes described in this Policy, unless a longer period is required or permitted by law. To the extent the Company receives or creates PHI through the Website on behalf of a covered entity, upon termination of the applicable relationship or as otherwise required, the Company will:

  1. retain PHI only as necessary for the Company’s proper management and administration or to carry out its legal responsibilities,
  2. return to the covered entity or, if agreed by the covered entity, destroy remaining PHI that the Company maintains in any form, and
  3. if PHI is retained, continue to use appropriate safeguards and comply with the HIPAA Security Rule with respect to ePHI to prevent use or disclosure of PHI other than as permitted, and limit any further use or disclosure of retained PHI to the purposes for which it is retained and subject to the same conditions that applied prior to termination, until such PHI is returned or destroyed when no longer needed for such purposes.

10. Changes to This Policy.

The Company may update this Policy from time to time. Changes are effective when posted on the Website unless a later effective date is stated. Continued use of the Website after posting constitutes acceptance of the updated Policy.