Privacy Policy

Your privacy is critically important to us. This policy describes how we collect, use, and protect your information.

Last Updated: March 1, 2026
Effective Date: March 15, 2024

1. Introduction

CareSuite Inc. ("CareSuite," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our healthcare platform, website, mobile applications, and related services (collectively, the "Services").

We are a healthcare technology company that provides electronic medical records (EMR), laboratory integration, pharmacy management, and practice management solutions to healthcare providers and their patients. Our Services are designed to facilitate the secure exchange of health information between patients, healthcare providers, laboratories, pharmacies, and other healthcare entities.

Please read this Privacy Policy carefully. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by all terms of this Privacy Policy. If you do not agree to these terms, please do not access or use our Services.

Our Commitment: We take your privacy seriously. We comply with applicable privacy laws and regulations, including the Health Insurance Portability and Accountability Act (HIPAA) when handling protected health information (PHI).

2. Information We Collect

We collect several types of information from and about users of our Services, including:

2.1 Personal Information

Personal information is information that identifies, relates to, describes, or can be associated with an individual. The personal information we collect includes:

  • Contact Information: Name, email address, telephone number, and mailing address.
  • Demographic Information: Date of birth, age, gender, race, ethnicity, and marital status.
  • Identification Information: Government-issued identification numbers (such as driver's license number, passport number, or social security number) when necessary for treatment, payment, or healthcare operations.
  • Insurance Information: Health insurance policy numbers, subscriber information, and coverage details.
  • Account Credentials: Username, password, and security questions for your account.

2.2 Protected Health Information (PHI)

As a healthcare platform, we collect and process protected health information as defined by HIPAA. This may include:

  • Medical Records: Medical history, diagnoses, treatment plans, progress notes, and clinical documentation.
  • Laboratory Results: Test orders, results, and interpretations from clinical laboratories.
  • Prescription Information: Medication history, prescriptions, dosages, and pharmacy records.
  • Appointment Information: Scheduled appointments, visit history, and appointment reminders.
  • Billing Information: Medical billing codes, claims data, and payment information related to healthcare services.
  • Imaging and Reports: Radiology images, pathology slides, and other diagnostic reports.

2.3 Usage Information

When you access our Services, we automatically collect certain information about your device and how you interact with our Services:

  • Device Information: IP address, browser type, operating system, device identifiers, and mobile network information.
  • Log Data: Pages visited, time and date of access, time spent on pages, clicks, and other usage statistics.
  • Location Information: General location information based on IP address and, with your consent, precise location information from your mobile device.
  • Cookies and Similar Technologies: Information collected through cookies, web beacons, and other tracking technologies. See Section 8 for more details.

2.4 Information from Third Parties

We may receive information about you from third parties, including:

  • Healthcare Providers: Doctors, hospitals, clinics, and other healthcare entities that use our Services.
  • Laboratories and Imaging Centers: Test results and diagnostic reports.
  • Pharmacies: Prescription fulfillment and medication history.
  • Health Information Exchanges (HIEs): Shared health information through authorized exchanges.
  • Insurance Companies: Eligibility, coverage, and claims information.
  • Business Associates: Third-party service providers who perform services on our behalf.

3. How We Use Your Information

We use the information we collect for various purposes, including:

3.1 Provision of Services

  • To provide, maintain, and improve our Services.
  • To facilitate communication between patients and healthcare providers.
  • To process and manage electronic medical records.
  • To transmit laboratory orders and results.
  • To process prescriptions and manage pharmacy operations.
  • To schedule and manage appointments.
  • To process billing and insurance claims.

3.2 Treatment, Payment, and Healthcare Operations

We use protected health information for treatment, payment, and healthcare operations as permitted by HIPAA:

  • Treatment: To coordinate and manage healthcare services provided by your healthcare providers.
  • Payment: To bill and collect payment for healthcare services, process insurance claims, and manage accounts receivable.
  • Healthcare Operations: To support quality assessment, improvement activities, and business management.

3.3 Communication

  • To send appointment reminders, test results notifications, and prescription updates.
  • To respond to your inquiries and provide customer support.
  • To send administrative information, such as changes to our terms or policies.
  • To send newsletters, marketing communications, and information about our Services (you may opt out at any time).

3.4 Improvement and Development

  • To analyze usage patterns and trends to improve user experience.
  • To develop new features, products, and services.
  • To conduct research and analytics (using de-identified data when possible).
  • To monitor and evaluate the effectiveness of our Services.

3.5 Security and Compliance

  • To protect the security and integrity of our Services.
  • To detect, prevent, and respond to fraud, security incidents, and unauthorized access.
  • To comply with legal obligations and enforce our terms of service.
  • To maintain audit trails and access logs as required by HIPAA and other regulations.

4. Information Sharing and Disclosure

We may share your information in the following circumstances:

4.1 With Your Consent

We will share your information with third parties when you have provided explicit consent. For example, if you choose to share your medical records with another healthcare provider not already on our platform, we will facilitate that transfer with your authorization.

4.2 With Healthcare Providers and Entities

To facilitate healthcare services, we share information with:

  • Healthcare Providers: Doctors, nurses, and other healthcare professionals involved in your care.
  • Laboratories: To process test orders and receive results.
  • Pharmacies: To fulfill prescriptions and provide medication management.
  • Insurance Companies: For eligibility verification, claims processing, and payment.
  • Health Information Exchanges: To facilitate comprehensive health information sharing with your authorization.

4.3 With Business Associates

We engage third-party service providers who perform functions on our behalf, such as:

  • Cloud hosting and data storage providers.
  • Analytics and performance monitoring services.
  • Customer support and communication platforms.
  • Billing and payment processing services.
  • Security and fraud prevention services.

All business associates are contractually obligated to protect your information and comply with HIPAA requirements.

4.4 As Required by Law

We may disclose your information when required by law, such as:

  • In response to a court order, subpoena, or other legal process.
  • To comply with government reporting requirements.
  • To law enforcement or regulatory authorities when necessary to protect our rights or the safety of others.
  • To report information as required by public health authorities.

4.5 In Case of Business Transfers

If we are involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice of any change in ownership or use of your information.

4.6 With De-Identified Information

We may de-identify your information so that it can no longer be reasonably associated with you and use or disclose it for research, analytics, and other purposes.

4.7 We Do Not Sell Your Information

CareSuite does not sell, rent, or trade your personal information or protected health information to third parties for their marketing purposes.

5. Data Security

We implement comprehensive security measures to protect your information:

5.1 Technical Safeguards

  • Encryption: All data is encrypted in transit using the TLS 1.3 protocol and at rest using AES-256 encryption.
  • Access Controls: Role-based access controls ensure that only authorized personnel can access your information.
  • Authentication: Multi-factor authentication (MFA) is required for all healthcare provider accounts.
  • Audit Logs: Comprehensive logging of all access and activities within the system.
  • Firewalls and Intrusion Detection: Advanced network security measures to prevent unauthorized access.

5.2 Administrative Safeguards

  • HIPAA Training: All employees complete regular HIPAA and security awareness training.
  • Background Checks: We conduct background checks on all employees with access to PHI.
  • Business Associate Agreements: We maintain agreements with all vendors who handle PHI.
  • Security Policies: We maintain comprehensive security policies and procedures.

5.3 Physical Safeguards

  • Data Centers: Our data centers feature 24/7 security, biometric access controls, and video surveillance.
  • Redundancy: Geographic redundancy ensures data availability even in case of disaster.
  • Backup and Recovery: Regular backups and tested disaster recovery procedures.

5.4 Breach Notification

In the unlikely event of a data breach affecting your information, we will notify you and relevant authorities as required by law. We maintain cyber liability insurance and incident response procedures to respond promptly to any security incidents.

6. HIPAA Compliance

CareSuite is committed to full compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

6.1 Our Role

CareSuite acts as a Business Associate to covered entities (healthcare providers, hospitals, clinics) and as a Covered Entity when providing certain services directly. We comply with applicable HIPAA Privacy, Security, and Breach Notification Rules.

6.2 Permitted Uses and Disclosures

We only use and disclose protected health information as permitted by HIPAA for treatment, payment, healthcare operations, and as otherwise authorized by you.

6.3 Minimum Necessary Standard

We adhere to the minimum necessary standard, limiting access to PHI to only what is necessary to accomplish the intended purpose.

6.4 Individual Rights

We support your HIPAA rights, including the right to:

  • Access, inspect, and obtain copies of your PHI.
  • Request amendments to your PHI.
  • Receive an accounting of disclosures of your PHI.
  • Request restrictions on uses and disclosures of your PHI.
  • Request confidential communications.
  • Receive notice of privacy practices.

7. Your Rights and Choices

Depending on your jurisdiction, you may have certain rights regarding your personal information:

7.1 Access and Portability

You have the right to request access to the personal information we maintain about you and to receive it in a portable format. To request access, please contact us using the information in Section 13.

7.2 Correction

You have the right to request correction of inaccurate or incomplete personal information. Healthcare providers may have additional obligations under HIPAA to maintain accurate medical records.

7.3 Deletion

You have the right to request deletion of your personal information. However, we may retain certain information as required or permitted by law, including for healthcare records retention requirements.

7.4 Opt-Out of Marketing

You may opt out of receiving marketing communications from us by following the unsubscribe instructions in those communications or contacting us directly.

7.5 Cookies and Tracking

You can manage cookie preferences through your browser settings. See Section 8 for more information.

7.6 California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA). These include the right to know what personal information we collect, the right to delete personal information, and the right to opt out of the sale of personal information (we do not sell personal information).

7.7 How to Exercise Your Rights

To exercise any of these rights, please submit a request to:

  • Email: privacy@caresuite.com
  • Phone: 1-800-555-0123
  • Mail: CareSuite Privacy Officer, 123 Healthcare Blvd, Suite 100, San Francisco, CA 94105

We will verify your identity before processing your request. We will respond within the timeframe required by applicable law.

8. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience and collect usage information.

8.1 What Are Cookies

Cookies are small text files stored on your device when you visit a website. They help us remember your preferences and understand how you use our Services.

8.2 Types of Cookies We Use

  • Essential Cookies: Required for the operation of our Services. They enable core functionality such as security, authentication, and network management.
  • Functional Cookies: Remember your preferences and choices to provide enhanced, personalized features.
  • Analytics Cookies: Help us understand how visitors interact with our Services by collecting and reporting information anonymously.
  • Session Cookies: Temporary cookies that expire when you close your browser.
  • Persistent Cookies: Remain on your device until they expire or you delete them.

8.3 Third-Party Analytics

We use analytics services such as Google Analytics to help analyze how users use our Services. These providers may use cookies and similar technologies to collect information about your use of our Services.

8.4 Your Cookie Choices

You can manage cookies through your browser settings. Most browsers allow you to refuse or accept cookies. However, please note that disabling essential cookies may affect the functionality of our Services.

9. Children's Privacy

Our Services are not directed to children under 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.

For children's health information that is part of a medical record, we comply with applicable laws regarding parental access and consent. Parents or legal guardians may exercise rights on behalf of their minor children as permitted by law.

10. International Data Transfers

CareSuite is based in the United States. Your information may be transferred to, stored, and processed in the United States and other countries where we operate.

If you are accessing our Services from outside the United States, please be aware that your information may be transferred to and maintained on computers located outside of your jurisdiction where privacy laws may differ. By using our Services, you consent to the transfer of your information to the United States.

For transfers from the European Economic Area (EEA) to the United States, we rely on Standard Contractual Clauses approved by the European Commission and other appropriate transfer mechanisms.

11. Data Retention

We retain your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

11.1 Medical Records

We retain medical records in accordance with applicable state and federal laws. Typically, medical records must be retained for a minimum of 6-10 years depending on jurisdiction and type of record.

11.2 Account Information

We retain account information until you close your account or request deletion, subject to legal retention requirements.

11.3 Backup and Archival

Even after account closure, some information may remain in backup systems for a limited period and be retained as required by law.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, and other factors. We will notify you of material changes by posting the updated policy on our website with an updated effective date.

We encourage you to review this Privacy Policy periodically. Your continued use of our Services after any changes indicates your acceptance of the updated policy.

13. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Email: privacy@caresuite.com

Phone: 1-800-555-0123

Fax: 1-888-555-0123

Mail: CareSuite Privacy Officer
123 Healthcare Boulevard, Suite 100
San Francisco, CA 94105
United States

HIPAA Privacy Officer

For HIPAA-related concerns, you may contact our HIPAA Privacy Officer directly:

Jane Doe, JD, CIPP/US
HIPAA Privacy Officer
Email: hipaa@caresuite.com
Phone: 1-800-555-0124

Complaints

If you believe we have violated your privacy rights, you have the right to file a complaint with us or with the appropriate supervisory authority. We will not retaliate against you for filing a complaint.

To file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights, visit www.hhs.gov/ocr or call 1-800-368-1019.

Governing Law: This Privacy Policy shall be governed by and construed in accordance with the laws of the State of California and applicable U.S. federal law, without regard to its conflict of law provisions.