
Privacy Policy

This Privacy Policy describes how Hoss Care (“Company,” “we,” “us,” or “our”) collects, uses, discloses, retains, and protects personal information and Protected Health Information when you visit our website, use our platform, or interact with our services.

Effective Date: May 1, 2026 · Last Updated: May 9, 2026

1. Scope

This Privacy Policy applies to all individuals who:

  • Visit our website at hosscare.com or any associated subdomains
  • Create an account or use our platform services
  • Are patients or members whose Protected Health Information (PHI) is processed by Hoss Care on behalf of healthcare providers and health plans (Covered Entities)
  • Contact us for information, support, or sales inquiries
  • Attend our events, webinars, or receive marketing communications

For PHI specifically, the terms of the Business Associate Agreement (BAA) between Hoss Care and the applicable Covered Entity govern. Where there is a conflict between this Privacy Policy and a BAA, the BAA controls with respect to PHI.

2. Definitions

  • Personal Information — Information that identifies, relates to, describes, or could reasonably be linked to a particular individual, including but not limited to name, email address, IP address, device identifiers, and professional credentials.
  • Protected Health Information (PHI) — Individually identifiable health information transmitted or maintained in any form, as defined in 45 CFR § 160.103.
  • De-identified Information — Health information that does not identify an individual and for which there is no reasonable basis to believe it can identify an individual, per 45 CFR § 164.514.
  • Service Data — Data generated through use of our platform, including usage logs, feature interactions, and system performance metrics.
  • Covered Entity — A healthcare provider, health plan, or healthcare clearinghouse subject to HIPAA.

3. Information We Collect

3.1 Information You Provide Directly

  • Account Information — Name, email address, phone number, job title, organization name, and professional credentials
  • Payment Information — Billing address and payment card details (processed by PCI DSS compliant payment processors; we do not store full card numbers)
  • Communications — Contents of messages, support tickets, feedback forms, and survey responses
  • PHI — Patient demographic information, clinical data, diagnoses, treatment plans, vitals, medication lists, and other health information entered into or processed by our platform on behalf of Covered Entities

3.2 Information Collected Automatically

  • Device Information — Browser type, operating system, device identifiers, screen resolution, and language preferences
  • Usage Data — Pages visited, features used, clickstream data, session duration, and referring URLs
  • Log Data — IP address, access times, error logs, and request/response metadata
  • Location Data — Approximate geographic location derived from IP address (we do not collect precise GPS location)

3.3 Information from Third Parties

  • EHR/EMR systems via authorized integrations (HL7 FHIR, API connections)
  • Identity verification services for credentialing purposes
  • Business intelligence and analytics providers (aggregated, non-PHI data only)

4. Legal Bases for Processing

We process personal information under the following legal bases:

  • Contractual Necessity — To perform our obligations under service agreements, BAAs, and platform terms
  • Legal Obligation — To comply with HIPAA, HITECH, state breach notification laws, tax obligations, and other applicable regulations
  • Legitimate Interest — To operate, secure, and improve our services; to prevent fraud; to conduct analytics on de-identified data
  • Consent — For marketing communications, optional cookies/tracking, and any use beyond what is authorized by law or contract (you may withdraw consent at any time)

5. How We Use Information

  • Service Delivery — Provide, operate, and maintain our remote patient monitoring, chronic care management, and clinical workflow platform
  • Account Management — Create and manage user accounts, authenticate users, and process transactions
  • PHI Processing — Process PHI solely as authorized by the applicable BAA and HIPAA, for treatment, payment, and healthcare operations of the Covered Entity
  • Communications — Send transactional notifications, system alerts, security notices, and support responses
  • Product Improvement — Analyze usage patterns (using de-identified/aggregated data only) to improve platform features and user experience
  • Security and Compliance — Detect, investigate, and prevent fraudulent, unauthorized, or illegal activity; maintain audit trails required by HIPAA
  • Legal Compliance — Fulfill legal obligations, respond to lawful requests, and establish/exercise/defend legal claims
  • Marketing — With consent, send promotional communications about our services (never using PHI)

6. Protected Health Information (PHI) Handling

PHI is subject to heightened protections under HIPAA and is handled separately from general personal information:

  • PHI is used and disclosed only as permitted by HIPAA and the applicable BAA
  • We apply the Minimum Necessary Standard (45 CFR § 164.502(b)) to all PHI access
  • PHI is never used for marketing, sold to third parties, or shared with advertisers
  • Access to PHI is restricted to authorized workforce members with a legitimate need
  • All PHI access is logged in immutable audit trails retained for a minimum of six (6) years
  • PHI is encrypted at rest (AES-256) and in transit (TLS 1.3)
  • De-identification of PHI for analytics follows 45 CFR § 164.514 Safe Harbor or Expert Determination methods
  • Upon BAA termination, PHI is returned or destroyed per 45 CFR § 164.504(e)(2)(ii)(J)

For detailed information about our HIPAA compliance program, see our HIPAA Compliance page.

7. Sharing and Disclosure

We do not sell personal information or PHI. We may share information in the following limited circumstances:

  • With Covered Entities — PHI is disclosed to and at the direction of the Covered Entity that controls it, as specified in the BAA
  • Service Providers (Subprocessors) — We engage subcontractors who process data on our behalf under written agreements that impose equivalent privacy and security obligations. All subprocessors with PHI access have executed BAAs with us.
  • Legal Requirements — When required by applicable law, regulation, legal process, or governmental request (e.g., court orders, subpoenas, regulatory audits)
  • Safety and Rights Protection — To protect the rights, property, or safety of Hoss Care, our users, or the public, including to detect or prevent fraud or security threats
  • Business Transfers — In connection with a merger, acquisition, reorganization, or sale of assets, with appropriate notice and protections (any successor will be bound by the same PHI obligations)
  • With Consent — When you explicitly authorize a disclosure

We do not:

  • Sell personal information or PHI
  • Share PHI with advertisers or marketing partners
  • Use PHI for purposes unrelated to treatment, payment, or healthcare operations without authorization
  • Disclose PHI in response to subpoenas without ensuring HIPAA-compliant procedures are followed (45 CFR § 164.512(e))

8. International Data Transfers

Hoss Care processes and stores data in the United States. All PHI is stored exclusively within the continental United States in data centers covered by SOC 2 Type II attestation reports. If you access our services from outside the United States, your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using our services, you consent to such transfer. We implement appropriate safeguards (including encryption, access controls, and contractual protections) to ensure your data receives adequate protection regardless of where it is processed.

9. Data Retention

We retain information only as long as necessary for the purposes described in this policy or as required by law:

  • PHI — Retained per the BAA terms or, absent specific terms, for six (6) years from creation or last effective date, matching the documentation retention period in 45 CFR § 164.530(j). Upon termination, PHI is returned or destroyed with written certification.
  • Account Information — Retained for the duration of the account relationship plus three (3) years following termination for legal and audit purposes
  • Transaction Records — Seven (7) years per tax and financial regulations
  • Audit Logs (PHI Access) — Minimum six (6) years per HIPAA requirements
  • Marketing Data — Until you unsubscribe or withdraw consent, plus thirty (30) days for processing
  • Website Analytics — Twenty-six (26) months in aggregated/anonymized form
  • Security Logs — One (1) year minimum for forensic purposes

When retention periods expire, data is securely deleted using NIST SP 800-88 compliant methods (cryptographic erasure, overwriting, or physical destruction as appropriate).

10. Security Measures

We implement comprehensive technical, administrative, and physical safeguards to protect your information:

  • AES-256 encryption at rest for all stored data; TLS 1.3 encryption for all data in transit
  • Multi-factor authentication (MFA) required for all platform access
  • Role-based access control (RBAC) with least-privilege enforcement
  • Automatic session timeout after 15 minutes of inactivity
  • 24/7 security operations monitoring with automated threat detection
  • Annual SOC 2 Type II audit and third-party penetration testing
  • Continuous vulnerability scanning with defined remediation SLAs
  • Intrusion detection/prevention systems (IDS/IPS)
  • Web application firewall (WAF) protection
  • DDoS mitigation
  • Secure software development lifecycle (SSDLC) with code review and static analysis
  • Workforce security awareness training at hire and annually
  • Background checks for all employees with system access

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. If you become aware of a potential security issue, please contact us immediately at security@hosscare.com.

11. Your Rights

11.1 HIPAA Rights (for PHI)

If your PHI is processed by Hoss Care on behalf of a Covered Entity, you have the following rights under HIPAA (exercised through your healthcare provider):

  • Right to access your PHI (45 CFR § 164.524)
  • Right to request amendment of PHI (45 CFR § 164.526)
  • Right to an accounting of disclosures (45 CFR § 164.528)
  • Right to request restrictions on uses and disclosures (45 CFR § 164.522(a))
  • Right to request confidential communications (45 CFR § 164.522(b))
  • Right to receive a copy of the Notice of Privacy Practices from your Covered Entity
  • Right to be notified of a breach of your unsecured PHI (45 CFR § 164.404)

To exercise HIPAA rights, contact your healthcare provider directly. We will cooperate with Covered Entities to fulfill these requests within required timeframes.

11.2 General Privacy Rights

For personal information not subject to HIPAA, you may:

  • Access — Request a copy of the personal information we hold about you
  • Correction — Request correction of inaccurate or incomplete information
  • Deletion — Request deletion of your personal information (subject to legal retention requirements)
  • Portability — Request your data in a structured, machine-readable format
  • Opt-Out — Unsubscribe from marketing communications at any time via the link in our emails or by contacting us
  • Withdrawal of Consent — Withdraw previously given consent for specific processing activities

To exercise these rights, email privacy@hosscare.com. We will respond within thirty (30) days. We will not discriminate against you for exercising your privacy rights.

12. Cookies and Tracking Technologies

Our website uses cookies and similar technologies. No cookies or tracking technologies are used within the authenticated platform in connection with PHI.

Types of Cookies We Use:

  • Strictly Necessary — Required for site functionality, security, and authentication. Cannot be disabled.
  • Performance/Analytics — Help us understand how visitors interact with our public website (pages visited, time on site). Collected in aggregate form.
  • Functional — Remember your preferences (language, region) to enhance your experience.
  • Marketing — Used with your consent to deliver relevant advertisements on third-party platforms. You can opt out at any time.

Managing Cookies:

  • You can configure your browser to refuse all or some cookies
  • You can delete cookies that have already been stored
  • Disabling necessary cookies may affect site functionality
  • Opt out of Google Analytics: tools.google.com/dlpage/gaoptout

13. Children's Privacy (COPPA)

Our website and public-facing services are not directed at children under the age of thirteen (13). We do not knowingly collect personal information from children under 13 through our website or marketing channels. If we learn that we have inadvertently collected such information, we will promptly delete it. Note: Our platform may process PHI of minors on behalf of Covered Entities as part of healthcare operations; such processing is governed by HIPAA and the applicable BAA, not COPPA.

14. Do Not Track Signals

We honor Do Not Track (DNT) signals transmitted by your browser (the DNT: 1 request header). When we detect a DNT signal, we disable non-essential tracking cookies and analytics for that session. Additionally, we treat the Global Privacy Control (GPC) signal (the Sec-GPC: 1 request header) as a valid opt-out of the sale/sharing of personal information under applicable state laws.
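The following is an added example, not Hoss Care's code, showing how a web server can apply the rule above per request: strictly necessary cookies are always permitted, optional categories require banner consent, and a DNT: 1 header removes analytics and marketing while a Sec-GPC: 1 header removes marketing (sale/sharing), regardless of any earlier consent. The category names, the function names and the sample headers are assumptions chosen for illustration; the header names and the literal value "1" follow the W3C Tracking Preference Expression and the Global Privacy Control specification.

```python
"""Added example: honouring DNT and GPC signals when deciding which cookie
categories a request may set. Not Hoss Care's code; names are illustrative."""

from dataclasses import dataclass

STRICTLY_NECESSARY = "strictly_necessary"
# Optional categories that only run with banner consent (assumed names).
CONSENT_CATEGORIES = {"analytics", "functional", "marketing"}

# Which optional categories each browser signal suppresses, mirroring the
# policy text: DNT turns off tracking cookies and analytics; GPC is an
# opt-out of sale/sharing, i.e. third-party marketing/advertising.
SIGNAL_SUPPRESSES = {
    "dnt": {"analytics", "marketing"},
    "sec-gpc": {"marketing"},
}


@dataclass(frozen=True)
class TrackingDecision:
    allowed: frozenset          # cookie categories that may be set
    honoured_signals: tuple     # which privacy signals were present


def _header(headers, name):
    """Case-insensitive header lookup; returns the stripped value or None."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip()
    return None


def decide_tracking(headers, consent):
    """Return the cookie categories permitted for this request.

    headers: mapping of HTTP request header names to values.
    consent: iterable of optional categories the visitor accepted in the
             cookie banner; unknown category names are ignored.
    """
    allowed = {STRICTLY_NECESSARY} | (set(consent) & CONSENT_CATEGORIES)
    honoured = []
    for signal, suppressed in SIGNAL_SUPPRESSES.items():
        # Both DNT and Sec-GPC are defined as the literal value "1" when set;
        # "0" or an absent header means no preference was expressed.
        if _header(headers, signal) == "1":
            allowed -= suppressed
            honoured.append(signal)
    return TrackingDecision(frozenset(allowed), tuple(honoured))


if __name__ == "__main__":
    # Constructed sample request: visitor accepted everything in the banner,
    # but the browser sends both signals, so only strictly necessary and
    # functional cookies survive.
    sample_headers = {"Host": "hosscare.com", "DNT": "1", "Sec-GPC": "1"}
    decision = decide_tracking(sample_headers, ["analytics", "functional", "marketing"])
    print(sorted(decision.allowed), decision.honoured_signals)
```

The signals are applied after consent rather than before it, so a consent cookie recorded on an earlier visit cannot override a signal the browser is sending now; a deployment would also log the honoured signals alongside the opt-out record that state laws require.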

15. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know — You may request the categories and specific pieces of personal information collected, the sources of collection, the business purpose, and the categories of third parties with whom information is shared.
  • Right to Delete — You may request deletion of your personal information, subject to permitted exceptions (legal obligation, security, completing transactions).
  • Right to Correct — You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing — We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
  • Right to Limit Use of Sensitive Personal Information — You may limit our use of sensitive personal information to purposes necessary to provide our services.
  • Non-Discrimination — We will not discriminate against you for exercising your CCPA/CPRA rights.

HIPAA Exemption: PHI collected and processed pursuant to HIPAA is exempt from CCPA/CPRA (Cal. Civ. Code § 1798.145(c)(1)(A)). This section applies only to personal information not governed by HIPAA.

To submit a request, email privacy@hosscare.com or call +1 (917) 748-3246. We will verify your identity before processing requests. You may designate an authorized agent to make requests on your behalf with proper verification.

16. Other State Privacy Laws

We comply with applicable state privacy laws including, but not limited to, the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and other state laws as they become effective. Residents of these states may have similar rights to access, correct, delete, and opt out of certain processing. Please contact us at the information below to exercise your state-specific rights. As with CCPA, PHI governed by HIPAA is generally exempt from these state privacy laws.

17. Third-Party Links and Services

Our website and platform may contain links to third-party websites, plugins, or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policy of every site you visit. Links to third-party sites do not constitute endorsement of their content or practices.

18. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will: (a) update the “Last Updated” date at the top of this page, (b) provide at least thirty (30) days' advance notice via email to registered users or a prominent notice on our website, and (c) where required by law, obtain your consent. Your continued use of our services after the effective date of changes constitutes acceptance of the updated policy. We encourage you to review this page periodically.

19. Contact Information

If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about how your information is handled:

Privacy Officer / Data Protection Contact

Email: privacy@hosscare.com

Phone: +1 (917) 748-3246

Security Concerns

Email: security@hosscare.com

General Inquiries

Email: info@hosscare.com