Privacy Policy

2. Information We Collect

2.1 Information You Provide Directly

• Account Registration: Full name, email, phone organization name, business address, professional credentials, username, password, billing information, job title
• Service Usage: Data you upload (documents, patient records, claims), correspondence, support communications, feedback
• Healthcare Information: Protected Health Information (PHI) under HIPAA, patient demographics, medical history, insurance information, lab results, health assessments
• SMS and Contact: Phone numbers for SMS opt-in, contact preferences, message delivery confirmations

2.2 Information Collected Automatically

• Technology Data: IP address, device type, browser, pages visited, clickstream data, search queries, geographic location, device identifiers
• Cookies & Technologies: Session/persistent cookies, web beacons, pixels, tracking technologies, local storage

2.3 Information from Third Parties

We may receive information from your employer, healthcare providers, insurance companies, Business Associates, third-party service providers, public records and RingCentral (for integrated services).

3. Legal Basis for Processing

HIPAA and Healthcare Data

If you use our Services to process Protected Health Information (PHI), we process such information as a Business Associate under HIPAA and the HITECH Act. A separate Business Associate Agreement (BAA) is required and will govern the handling of PHI.

California Consumer Privacy Act (CCPA/CPRA)

For California residents, we process personal information based on: explicit consent, contractual necessity, legal compliance obligations, legitimate business interests and consumer's vital interests.

General Data Protection Regulation (GDPR)

For European residents, we process personal data under GDPR based on: consent, contract performance, legal obligation, vital interests, legitimate interests and public task.

SMS and Messaging Services

For SMS services, we process personal information based on your express opt-in consent, contractual necessity and legal compliance .

4. How We Use Your Information

5. How We Share Your Information

• Service Providers: Third-party vendors (cloud storage, payment processors, analytics, IT support, healthcare technology partners, Business Associates). All are contractually obligated to maintain confidentiality.
• Healthcare Providers: With your authorization, we may share with healthcare providers, insurance companies, employer benefits administrators and other covered entities under HIPAA.
• Legal Requirements: Disclosure when required by law, court orders, government requests, breach notifications, public health emergencies.
• Business Transfers: Information may be transferred in connection with mergers, acquisitions, bankruptcy or asset sales.
• Aggregate/De-Identified Data: We may share aggregated or de-identified data that cannot identify you for research, marketing and analytics without restriction.

6. Data Retention

We retain information for as long as necessary to provide Services, maintain accurate records, comply with legal obligations, resolve disputes and enforce agreements.

7. Your Privacy Rights and Choices

California Residents (CCPA/CPRA)

• Right to Know: Request what personal information we collect, use and disclose
• Right to Delete: Request deletion of personal information
• Right to Correct: Request correction of inaccurate information
• Right to Opt-Out: Opt out of sale or sharing of personal information
• Right to Limit: Limit use of sensitive personal information
• Right to Portability: Request data in a portable format

To exercise these rights, contact: support@rsbhealthcare.com with subject line "CCPA Request". Response within 45 days (may be extended 45 days for complex requests).

EU Residents (GDPR)

• Right of Access: Obtain confirmation and request a copy of your data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your data
• Right to Restrict Processing: Limit how we process your data
• Right to Data Portability: Receive data in a structured, commonly used format
• Right to Object: Object to processing based on legitimate interests or direct marketing
• Right to Appeal: Lodge a complaint with your local data protection authority

To exercise these rights, contact: support@rsbhealthcare.com with subject line "GDPR Data Subject Request".

8. Healthcare-Specific Privacy Provisions

HIPAA Compliance

Business Associate Agreement Required: If you use our Services to process PHI, a separate BAA must be executed specifying permitted uses, safeguarding requirements, breach notification procedures and termination provisions.

Safeguards:

• Encryption of PHI in transit and at rest
• Access controls and authentication
• Audit controls and logging
• Integrity verification
• Regular security risk assessments

HITECH Act Compliance

We comply with the HITECH Act, including minimum necessary standards, breach notification requirements (60-day notification), security rule compliance, accounting of disclosures and individual authorization requirements.

State Privacy Laws

We comply with applicable state healthcare privacy laws, including state medical records laws, mental health parity rules, substance abuse treatment privacy, genetic privacy laws and biometric privacy regulations.

9. RingCentral Services and Account Data Protection

Phone Number and Contact Information Protection

Phone numbers and contact information collected for SMS or messaging purposes are NOT shared, sold, rented or licensed to any third party. These data are used exclusively by RSB Healthcare Consulting LLC to provide our services and by RingCentral solely to deliver these services on our behalf.

We do NOT use purchased contact lists, lead lists or data from third-party brokers for SMS messaging. All phone numbers in our database come exclusively from user opt-in consent.

RingCentral Account Data Handling

• Data Security: Encryption and access controls
• No Third-Party Disclosure: Account data NOT disclosed without explicit written consent
• Limited Use: Used only for providing our specific services
• Data Integrity: We do NOT modify or alter account data content
• Security Standards: Measures at least as protective as RingCentral's
• Regulatory Compliance: Compliance with all privacy laws

SMS Message Types and Frequency

Message Standards: All SMS messages include clear sender identification (RSB Healthcare Consulting LLC), opt-out instructions (reply STOP), contact information and "Message and data rates may apply" notice.

Campaign Registry Compliance: We are registered with The Campaign Registry (TCR) and maintain full compliance with all TCR requirements for SMS messaging.

SMS and Contact Data Retention

• SMS Opt-In Data: Retained for 3 years after last contact or until account deletion, whichever comes first
• SMS Message Records: Retained for legal compliance (7 years) and customer service (1 year)
• User Request: Users can request deletion of phone number and SMS history anytime by contacting support@rsbhealthcare.com or replying STOP. Deletion completed within 30 days.
• After Opt-Out: Number added to do-not-contact list; no further messages from any campaigns

SMS Text Messaging Terms

10. Data Security

Security Measures

Data Breach Notification

In the event of a breach of unsecured PHI or personal information, we will: investigate immediately, notify affected individuals without unreasonable delay (within 60 days for HIPAA), notify relevant regulatory bodies as required and provide credit monitoring services if applicable.