PRIVACY POLICY

LAST UPDATED: October 20, 2024

This Privacy Policy explains how ApexEHR ("ApexEHR," "we," "us," or "our") collects, uses, and shares information about you in relation to your access and use of our Website, application, and related services (collectively the "Services"). By using our Services, you agree to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree to the terms of this Privacy Policy, please do not access or use the Services.

I. Roles

  • Where we collect personal information directly from you through the Services, ApexEHR is the "controller" under GDPR and similar laws.
  • Our Business Associate Agreements (BAAs) and Data Processing Addendums (DPAs) govern processing of your data by third parties.
  • For our clients and their employees, the terms of an existing Master Services Agreement (MSA) or Subscription Agreement may also apply.
  • This Privacy Policy applies to all users who interact with the ApexEHR Services, regardless of the method of collection (electronic, paper, or verbal).

II. Categories of Information We Collect

  • Identifiers: Name, email address, phone number, address, IP address.
  • Professional Information: Job title, specialty, license numbers, NPI number.
  • Usage Data: Information about how you use our Services, features used, and timing.
  • Devices and Communication Records: Device type, browser type, operating system, and communication logs.
  • Payment Information (for clients): Credit card information, billing address, bank account information (processed via third-party processors).
  • PHI (for clinicians/patients): All health-related information processed as part of the EHR.

III. Sources of Information

  • Directly from you: Sign-up forms, account settings, communications.
  • Cookies, SDKs, and similar tools.
  • Third-party sources: Social media, marketing partners, etc.

IV. Purposes of Use

  • Provide, maintain, and improve the Services.
  • Process transactions and handle customer support.
  • Comply with legal and regulatory requirements.
  • Product analytics, research, and development (data never sold or used for advertising).
  • Detect, prevent, and respond to fraud or security issues.
  • Communications regarding updates, system alerts, and product information.
  • Aggregate and de-identify data for statistical and research purposes.

V. Data Retention

  • Retain personal information for as long as needed to provide Services and for legal purposes.
  • PHI and client personal data are retained or deleted according to federal and state laws and contract terms.
  • Non-personal information may be retained for longer for analytics and research.

VI. Disclosures of Information

  • For processing purposes with vendors/service providers/processors.
  • Subprocessors (hosting, security, analytics, support) under DPAs or BAAs.
  • Responding to legal requests and preventing harm or liability.
  • In business transfers (mergers, acquisitions, asset sales) with continued protections.
  • With your consent or at your direction (e.g., integrations with partners).
  • PHI and personal data are never sold for advertising purposes.

VII. Cookies and Privacy Choices

  • Customizing your experience (e.g., logging in, retaining session, preference settings).
  • Opting out of marketing communications via "Unsubscribe" link or account settings.
  • Tools available for browser-level cookie management.

VIII. Do Not Track Signals and Browser Extensions

  • ApexEHR currently does not respond to "Do Not Track" browser signals.
  • Third-party browser extensions or scripts may interfere with site functionality and are not recommended.
  • Only use authenticated tools without third-party extensions that could compromise data security and access services.

IX. Children

  • We do not knowingly collect personal information from children under 13 (COPPA).
  • Services are intended for healthcare providers and their authorized adult patients/clients.

X. PHI Safeguards (HIPAA Compliance)

  • Administrative, physical, and technical safeguards.
  • Business Associate Agreements (BAAs) with all PHI-handling subprocessors.
  • Encryption (at rest and in transit).
  • Audit logging and access monitoring.
  • Workforce training and data contingency plans and testing.
  • Incident response and breach notification per HIPAA.
  • Compliance with the NIST Cybersecurity Framework (CSF) and other relevant federal/state data privacy laws.

XI. Intended for U.S. Use Only

  • ApexEHR is designed and hosted in the U.S.
  • If accessing from outside the U.S., you consent to information storage and processing in the U.S.
  • Users are responsible for local law compliance while using international hosting.

XII. Your Privacy Rights

Depending on your jurisdiction (e.g., CA, VA, EU), you may have rights including:

  • Access, portability, correction, deletion.
  • Opting out of certain processing or technologies.
  • Appeals related to requests.

Submit requests by contacting us at privacy@apexehr.com.

XIII. Third-Party Advertising, Links, and Content

  • Services may contain links or incorporate third-party content not controlled by ApexEHR.
  • ApexEHR does not guarantee third-party security or privacy.
  • Users should review third-party policies before interacting.

XIV. Changes to This Privacy Policy

  • Policy may be updated periodically.
  • "Effective Date" is updated when revisions are posted.
  • Continued use of Services constitutes acceptance of the revised Policy.

XV. Contact

Questions may be sent to:

ApexEHR LLC
1401 Lavaca Street, Austin, TX 78701
privacy@apexehr.com

© ApexEHR All Rights Reserved 2025