Privacy Policy

1. Scope

THIS PRIVACY POLICY APPLIES TO THE PHI THAT WE PROCESS ON BEHALF OF HEALTHCARE FACILITIES (COVERED ENTITIES) THROUGH OUR WEB-BASED SOFTWARE, WHICH INCLUDES SCANNING, PROCESSING AND TRANSCRIBING OF MEDICAL RECORDS AND OTHER MEDICAL DATA UPLOADED BY THESE FACILITIES. OUR SERVICES ARE PROVIDED AS A BUSINESS ASSOCIATE TO COVERED ENTITIES, AND WE HANDLE PHI SOLELY TO PROVIDE SCANNING, PROCESSING AND TRANSCRIBING SERVICES, WITHOUT STORING, RETAINING, OR DISCLOSING IT BEYOND THE SCOPE OF OUR AGREEMENT.

2. Information We Collect

Conduit collects and processes PHI as necessary to provide our services. PHI is provided solely from health care providers using Conduit services. Conduit does not collect any PHI for any purposes other than providing our services, and Conduit does not store this information once processing is complete. The PHI we may process includes, but is not limited to:

• •Patient Names
• •Dates of Birth
• •Medical History
• •Diagnosis and treatment information
• •Other related health information

3. Protected Health Information (PHI)

Conduit processes PHI on behalf of post-acute and other healthcare providers solely to provide the services described in our Business Associate Agreements (BAAs). PHI is processed under strict confidentiality and security protocols, as required by HIPAA.

4. How Conduit Uses Your Information

Conduit uses the collected data for various purposes, including but not limited to:

• •Providing the services requested by health care providers.
• •Ensuring that medical records and other PHI are returned to the health care provider in a secure manner.
• •Compliance with legal obligations.

5. Legal Basis for Processing Personal Data

Conduit may process PHI based on:

• •Consent: You have given your consent for processing PHI for one or more specific purposes.
• •Performance of a Contract: Processing is necessary for the performance of an agreement with you and/or for any pre-contractual obligations thereof.
• •Legal Obligations: Processing is necessary for compliance with a legal obligation to which Conduit is subject.
• •Legitimate Interests: Processing is necessary for the purposes of the legitimate interests pursued by Conduit or a third party, except where such interests are overridden by your fundamental rights and freedoms.

6. Retention of PHI

Conduit may retain PHI only as necessary to perform the services agreed upon under the Subscription Agreement. We implement appropriate safeguards to ensure that PHI is protected both at rest and in transit. Additionally, PHI provided to third parties will only be shared with those adhering to zero-data retention policies, strictly for the purpose of fulfilling services for the Covered Entity.

7. HIPAA Compliance

As a Business Associate, we have entered into BAAs with all healthcare providers that use our services. These agreements govern the use, protection, and disclosure of PHI in accordance with HIPAA. Our obligations include:

• •Implementing appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI.
• •Reporting any breaches or unauthorized disclosures of PHI to the healthcare provider in accordance with the HIPAA Breach Notification Rule.
• •Ensuring that any subcontractors or third parties who may access PHI agree to the same restrictions and conditions that apply to us.

8. Security of Your Information

We take the security of PHI seriously. To protect PHI, we use:

• •Encryption: All PHI is encrypted both in transit and during processing to prevent unauthorized access.
• •Access Controls: Only authorized personnel with a legitimate need for access are allowed to handle PHI.
• •Audit Controls: We maintain logs and audit trails of system access to monitor for unauthorized use of PHI.

9. Breach Notification

In the unlikely event of a breach involving PHI, we will notify the healthcare provider (Covered Entity) without unreasonable delay, but no later than 60 days after the discovery of the breach, in accordance with the HIPAA Breach Notification Rule. The healthcare provider is then responsible for notifying affected individuals.

10. Your HIPAA Rights

Because we act solely as a Business Associate, we do not manage patient rights under HIPAA. If you are a patient and wish to exercise your HIPAA rights, such as accessing your medical records or requesting amendments, you should contact your healthcare provider directly.

11. Cookies and Tracking Technology

The Conduit website may use cookies and similar tracking technologies to enhance the user experience such as remembering preferences or analyzing website traffic. However, this does not involve the processing of PHI or other sensitive information related to healthcare services. The cookies we use may collect information such as IP addresses or device information, but this data is anonymized and does not identify any specific individual or patient.

12. Third-Party Disclosure

We do not share PHI with any third parties except as necessary to perform our services or as required by law. Any third parties with whom we may share PHI for service purposes are required to protect the information with the same level of security and confidentiality.

13. De-identification of Data

Conduit does not de-identify PHI as part of our standard services. If requested by a Covered Entity, we will comply with HIPAA's de-identification standards and ensure that all personally identifiable information is removed from the records before use or disclosure.

14. Children's Privacy

Our service does not address anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13. If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us so that we will be able to take the necessary actions.

15. Compliance with Data Privacy Laws

Conduit is committed to complying with applicable data privacy laws, including state-level regulations such as the California Consumer Privacy Act (CCPA), in addition to federal laws such as HIPAA and HITECH. If you are a resident of California or another jurisdiction with specific data protection laws, you may have additional rights regarding your personal information.

16. SMS / Text Messaging Notifications

Conduit offers an optional SMS (text message) notification program that alerts facility staff when a new patient referral arrives. Participation is voluntary and limited to authenticated Conduit users who choose to enable it. When you opt in by providing your mobile phone number and enabling text notifications, Conduit uses your number solely to deliver these transactional alerts. Conduit does not share, sell, rent, or disclose your mobile phone number, SMS opt-in, or consent data to any third party, and this information is never used or shared for promotional purposes. Messages are transactional only and contain no patient health information. You may opt out at any time by replying STOP to any message or by disabling text notifications in your Conduit settings. Message and data rates may apply. For full details, see our SMS Terms.

• •View the Conduit SMS Terms

17. Changes to This Privacy Policy

Conduit may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top. You are advised to review this Privacy Policy periodically for any changes.

18. Contact Us

If you have any questions about this Privacy Policy, please contact us:

• •By email: support@conduithealth.io
• •By visiting: www.conduithealth.io/contact