Privacy Policy for Professional Users
(Clinicians, Healthcare Organizations & Licensed Insurance Agents)
Effective Date: April 23, 2025
Last Updated: April 23, 2025
1. Introduction & Purpose
Informed + Choice (“we,” “our,” “us”) provides the HealthLink Secure (TM) software-as-a-service platform (“Platform”) that enables authorized professionals to access and act on Medicare claims and other healthcare data. This Privacy Policy explains how we collect, use, disclose, and protect (a) Protected Health Information (“PHI”) made available through the Platform and (b) the personal information of the Platform’s professional users—licensed insurance agents, clinicians, accountable care organizations (ACOs), federally qualified health centers (FQHCs), and other healthcare entities (collectively, “Users”).
Key point: We act as a Business Associate under HIPAA. We use and disclose PHI only as permitted by our Business Associate Agreements (“BAA”) and applicable law. We do not sell or use PHI or Users’ personal information for advertising.
2. Scope
Covered Data:
PHI uploaded to, generated by, or accessed through the Platform at the direction of a Covered Entity or other authorized data source (e.g., Medicare Blue Button 2.0).
User Personal Information you provide when creating or managing your account (e.g., name, professional credentials, email, phone, organization).
Technical and Usage Data collected when you interact with the Platform (IP address, device type, audit logs, cookies, etc.).
Excluded Data:
This Policy does not cover the personal information of individual Medicare beneficiaries; that information is covered by our separate Beneficiary Privacy Policy.
3. Definitions
PHI: Individually identifiable health information protected under the U.S. Health Insurance Portability and Accountability Act of 1996 and its regulations (“HIPAA”).
Business Associate (BA): An entity that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity.
Personal Information: Data that identifies or can reasonably be linked to a User (e.g., name, email, licensing number, organization).
4. Information We Collect
4.1 Patient Data / PHI
Medicare claims and related records: Coverage, Explanation of Benefits (EOB), prescription history, provider information, and any notes Users add to a beneficiary’s record.
4.2 User Personal Information
Registration and profile data: Name, NPN/license number, specialty, organization, email, phone, mailing address.
Authentication data: Hashed passwords, multi-factor authentication tokens.
Communications: Support requests, feedback, emails.
4.3 Technical & Usage Data
Log files: IP address, browser type, timestamps, clicked features.
Device identifiers: Operating system details and device information.
Cookies and similar technologies: Used for session management, security, and optional analytics (see Section 10).
5. How We Use Information
PHI: Deliver services you request (display claims, run analytics, generate reports); provide customer support; maintain audit trails; comply with law.
User Personal Information: Create and manage your account; authenticate you; respond to inquiries; send service notices; with opt-in, send product updates; fulfill legal obligations.
Technical & Usage Data: Secure and optimize the Platform; monitor system health; detect and prevent fraud or misuse; compile aggregated, de-identified statistics to improve features.
We never use PHI or User Personal Information for targeted advertising or unrelated marketing.
6. How We Share Information
Authorized Disclosures of PHI — We share PHI only:
Role-based access: With you and other Users authorized by your organization.
Subcontractors with BAA: HIPAA-compliant cloud hosting, secure email delivery, and similar services.
Required by law: In response to a court order, subpoena, or similar legal process, with notice to the Covered Entity when permitted.
User Personal Information may be shared with trusted service providers (e.g., email service, authentication provider) solely to operate the Platform. All such providers are bound by confidentiality and may not use data for their own purposes.
No Sale of Data — We do not sell or license PHI or User Personal Information.
7. Security Measures
We have implemented administrative, technical, and physical safeguards aligned with HIPAA’s Security Rule and NIST guidelines, including:
Encryption in transit and at rest: TLS 1.2 or higher for data in transit; AES-256 for data at rest.
Role-based access controls (RBAC): Unique user IDs and scoped permissions.
Multi-factor authentication (MFA): Required for privileged accounts.
Audit logs: Recording access, queries, and data changes.
Network protections: Firewalls, intrusion detection, regular vulnerability scans.
Risk assessments and testing: Annual risk assessments and independent penetration testing.
Staff controls: Employee training and background checks; least-privilege principle.
Incident response and breach notification: Plan compliant with the HIPAA Breach Notification Rule.
8. HIPAA Compliance & Business Associate Agreements
Business Associate Agreements: We enter into a BAA with each Covered Entity or other client providing PHI.
Direct HIPAA/HITECH liability: We and our subcontractors are directly liable for safeguarding PHI and reporting breaches.
Breach notification timeline: We will notify the affected client without unreasonable delay and no later than 60 calendar days after discovery.
9. Data Segregation & Access Controls
Logical segregation: Each client’s data set is logically segregated in our multi-tenant architecture.
Authorized access: Users may access only the beneficiaries and data explicitly authorized by their organization.
Limited production access: Access to production systems is limited to vetted personnel with legitimate need.
10. Cookies & Tracking Technologies
We use strictly necessary cookies for session management and security. We may use optional analytics cookies (e.g., Google Analytics) to improve the Platform, but never to profile individual beneficiaries or sell data. Users can disable non-essential cookies via browser settings. Cookie details are provided in our separate Cookie Policy.
11. Third-Party Services & AI Integrations
Third-party tools: We may integrate tools (e.g., secure chatbots, analytics engines) to enhance functionality.
Vendor safeguards: Any vendor with access to PHI will sign a BAA and implement HIPAA-compliant safeguards.
Material integration notice: We will update this Policy and notify clients before enabling any new integration that materially expands data use or sharing.
12. Data Retention & Disposal
We retain PHI and User Personal Information for the duration of the client agreement and any legally required period.
Upon termination or at the client’s request, we will return or securely destroy PHI and confirm destruction in writing, unless retention is required by law.
Backups containing PHI are encrypted and are purged on a 30-day rolling basis.
13. User Rights & Choices
Profile Management: You may review and update your account information at any time.
Marketing Opt-Out: You may unsubscribe from promotional emails via the link in the message.
Privacy Requests: Contact us (see Section 16) to request access, correction, or deletion of your personal information, subject to legal and contractual limits.
14. Children’s Information
The Platform is not directed to children under 13 and should only be accessed by authorized professionals. We do not knowingly collect personal information from children.
15. Changes to This Policy
We may update this Policy to reflect changes in law or our practices. Material changes will be announced via email or in-app notice at least 30 days before the new terms take effect. The Effective Date and Last Updated date at the top will indicate the latest revision.
16. Contact Us
Privacy Officer – Informed + Choice
Email: [email protected]
Mail: 1034 North Madison Avenue, Pasadena, CA 91104 USA
Legal Contact — Lyndsy Rodgers
Email: [email protected]
Address: 1034 North Madison Avenue, Pasadena, CA 91104 USA
If you believe your privacy has been violated, please contact us immediately. You also have the right to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights.
© 2025 Informed + Choice. All rights reserved.
For the Medicare-registered privacy policy for beneficiaries, see Privacy Policy for Health Plan Enrollees.