PracticeEHR Privacy Policy

Practice EHR LLC (“Practice EHR,” “we,” “us,” or “our”) provides an integrated electronic health record, practice management, claim submission, clearinghouse, revenue-cycle, patient-payment, and related administrative technology platform to healthcare providers and their practices. This Privacy Policy describes how we collect, use, share, retain, and protect information when you access our websites, applications, services, Practice Pay, and related offerings (collectively, the “Services”).

Practice Pay is a branded payment feature of the Practice EHR platform. Practice Pay is not a separate legal entity. Payment transactions made through Practice Pay are processed by third-party payment processors, including Payrix.

This Privacy Policy is supplemented by the Practice EHR Trial & Subscription Agreement, any Business Associate Agreement, any applicable order form, and any other written agreement between Practice EHR and our healthcare provider customers (collectively, the “Customer Agreements”). With respect to Protected Health Information, the Customer Agreements, HIPAA, and other applicable healthcare privacy laws control to the extent they conflict with this Privacy Policy.

No mobile information, including mobile phone numbers, opt-in data, or text-message consent records, will be sold or shared with third parties or affiliates for promotional or marketing purposes.

By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy.


1. Scope of This Policy

This Privacy Policy applies to information we collect through:

  • Our websites, including practiceehr.com and related subdomains;

  • Our web-based, desktop, and mobile applications;

  • Our application programming interfaces, APIs, clearinghouse functions, claim-submission tools, payment-processing tools, and integrations with third-party services;

  • Communications between you and Practice EHR by email, telephone, text message, online form, support ticket, chat, or other means; and

  • Any other digital or physical interactions with Practice EHR.

This Privacy Policy does not apply to third-party websites, applications, products, or services that may link to or integrate with our Services, except to the extent we process information through those integrations on behalf of our healthcare provider customers under the Customer Agreements.


2. Our Role: Business Associate, Clearinghouse, Payment Technology Provider, and Service Provider

Practice EHR provides electronic health record, practice management, claim submission, clearinghouse, revenue-cycle, patient-payment, and related administrative technology services to healthcare provider customers. Depending on the specific Service, transaction, and relationship, Practice EHR may act as a HIPAA Business Associate to a healthcare provider customer, a health care clearinghouse, a service provider or processor, a transaction intermediary, a payment technology provider, or another role permitted by applicable law.

When we process Protected Health Information, or PHI, on behalf of a healthcare provider customer, we do so under the applicable Customer Agreement and Business Associate terms. When we perform clearinghouse, claim-submission, payment, or transaction-processing functions, including processing, translating, routing, submitting, correcting, supporting, or facilitating claims, eligibility, payment, remittance, patient-payment, or other healthcare transactions, we may use and disclose PHI as necessary to perform those functions, comply with applicable law, operate and secure the Services, and fulfill our contractual obligations.

Practice EHR may submit claims and other healthcare transactions directly to payers or through third-party clearinghouses, networks, transaction processors, payers, payment processors, payment facilitators, or other healthcare transaction partners, as necessary to provide the Services. These parties may act as covered entities, business associates, subcontractors, service providers, processors, payment processors, transaction partners, or independent third parties, depending on the transaction and applicable law.

Practice EHR may also offer patient-payment and payment-management functionality through Practice Pay, a branded payment feature of the Practice EHR platform. Practice Pay may be used to support patient payments, practice payments, refunds, chargebacks, receipts, reconciliation, and related payment workflows. Payment transactions submitted through Practice Pay are processed by third-party payment processors, including Payrix, which process charges, payment credentials, payment authentication, settlement, chargebacks, refunds, fraud screening, and payment-processing compliance functions in accordance with their applicable agreements and payment-network obligations.

This Privacy Policy is not a HIPAA Notice of Privacy Practices for any healthcare provider customer. Healthcare provider customers are responsible for providing their own HIPAA Notices of Privacy Practices and for responding to patient requests regarding PHI in their designated record sets. Patients whose information is processed through the Services should direct privacy questions, requests for access, and requests for amendment of their PHI to their healthcare provider.

For our own customers, employees, website visitors, business contacts, and non-HIPAA personal information, Practice EHR is directly responsible for the practices described in this Privacy Policy.

For purposes of this Privacy Policy, references to “patient-level PHI,” “patient-specific PHI,” “individually identifiable PHI,” or “patient-specific information” mean Protected Health Information or other health information associated with a specific patient, patient record, claim, encounter, appointment, payment, or account that identifies the patient or for which there is a reasonable basis to believe the information could be used to identify the patient. These terms do not include information that has been de-identified in accordance with HIPAA or other applicable legal standards, or aggregated, contextual, category-level, practice-level, service-line-level, specialty-level, payer-level, claim-category-level, utilization-category-level, workflow-category-level, or similar information that is not reasonably capable of identifying a patient.


3. Information We Collect

3.1 Information You Provide Directly

We may collect information that you provide directly to us, including:

Account and registration information: name, email address, phone number, mailing address, username, password, role, practice name, practice address, professional credentials, NPI number, license type, specialty, and other account setup information.

Practice and professional information: practice ownership, provider information, staff information, billing information, payer enrollment information, credentialing information, tax identification information, banking-related information, and related operational information.

Billing, subscription, and payment information: billing address, subscription information, payment method information, transaction history, invoices, receipts, payment status, and related financial information.

Practice Pay and patient-payment information: information submitted or generated when patients, practices, or users make or manage payments through Practice Pay or related payment functionality, including payer name, patient or account identifiers, invoice information, balance information, payment amount, payment date, payment status, transaction ID, refund information, chargeback information, receipt information, tokenized payment-method information, last four digits of a payment card or account where available, card brand, expiration information where available, billing address, settlement information, reconciliation information, and related payment metadata.

Customer support and communications: messages, support tickets, call notes, chat messages, feedback, survey responses, training communications, implementation communications, and other information you choose to provide.

User-generated content: information you upload, configure, submit, or generate through the Services, including custom templates, forms, notes, configuration data, workflow settings, reports, documents, attachments, and similar materials.

Marketing and event information: subscription preferences, event registrations, webinar participation, demo requests, sales communications, and similar choices.


3.2 Payment Information Processed by Third-Party Payment Processors

Practice EHR offers Practice Pay, a branded payment feature of the Practice EHR platform. Practice Pay is not a separate legal entity or separate payment processor. Payment transactions made through Practice Pay are processed by third-party payment processors, including Payrix.

Payrix and other payment processors may collect and process payment card information, bank account or ACH information, card number, CVV, expiration date, billing address, payment authentication information, fraud-screening information, transaction information, tokenized payment credentials, settlement information, chargeback information, refund information, and related payment data.

In the ordinary course, Practice EHR does not store full payment card numbers or CVV codes in its own systems. Such information is processed by the applicable third-party payment processor.

Practice EHR may receive and retain limited payment-related information from payment processors, including transaction IDs, payment tokens, card brand, last four digits, payment status, payment amount, payment date, payer information, patient or account identifiers, invoice or balance information, receipts, refund information, chargeback information, settlement information, reconciliation information, and related payment metadata.

Third-party payment processors, including Payrix, are responsible for processing charges and performing payment-processing compliance functions under their applicable agreements and payment-network obligations. Practice EHR remains responsible for its own privacy, security, HIPAA, contractual, and platform obligations as described in this Privacy Policy, the Customer Agreements, and applicable law.

Where payment information relates to healthcare services, patient accounts, patient balances, claims, or other patient-specific healthcare workflows, it may also constitute PHI and will be handled in accordance with HIPAA, the Customer Agreements, and applicable law.


3.3 Information Collected Automatically

We may automatically collect information when you access or use the Services, including:

Device and technical information: IP address, browser type and version, operating system, device identifiers, screen resolution, time zone, language settings, device type, and similar technical information.

Usage information: pages, screens, modules, and features accessed; actions taken within the Services; dates and times of access; referring URLs; session duration; clicks; navigation paths; performance data; and similar usage information.

Log, audit, and security information: login events, account activity, administrative activity, configuration changes, user actions, access attempts, security events, error logs, system logs, audit trails, and similar operational records.

Cookies and similar technologies: as described in Section 11.


3.4 Information Processed on Behalf of Healthcare Provider Customers

When healthcare provider customers and their authorized users use the Services to deliver care, manage their practices, submit claims, process payments, or perform administrative functions, the Services may process information that includes PHI. This information may include:

  • Patient demographic information;

  • Clinical information;

  • Scheduling and appointment information;

  • Insurance and eligibility information;

  • Billing, claim, coding, remittance, payment, and revenue-cycle information;

  • Patient balance and patient-payment information;

  • Documentation, attachments, forms, and records;

  • Information generated through integrations with laboratories, pharmacies, clearinghouses, e-prescribing networks, health information exchanges, payers, payment processors, and other healthcare entities; and

  • Information created, received, maintained, or transmitted through the Services on behalf of a healthcare provider customer.

PHI is processed under the direction of our healthcare provider customers and in accordance with the Customer Agreements, HIPAA, and applicable law.


3.5 Sensitive Personal Information

Some information we process may constitute “sensitive personal information,” “sensitive data,” or similar terms under certain state privacy laws. This may include health information, financial account information, government identifiers, precise geolocation if collected, account credentials, or other sensitive categories.

We use sensitive personal information only as necessary to provide, operate, secure, improve, and support the Services; comply with legal and contractual obligations; protect against fraud, abuse, and security threats; and as otherwise permitted or required by law.


3.6 Information from Third Parties

We may receive information from third parties, including:

Integration partners: laboratories, pharmacies, e-prescribing networks, clearinghouses, payers, eligibility vendors, payment networks, health information exchanges, patient-engagement tools, and other integration partners.

Payment processors: Payrix and other payment processors, payment facilitators, banks, card networks, ACH processors, fraud-prevention vendors, and related payment partners.

Public sources: publicly available sources such as professional directories, state licensing boards, the National Plan and Provider Enumeration System (NPPES), and similar sources.

Service providers and vendors: hosting providers, support vendors, analytics providers, communications providers, security vendors, AI vendors, and other service providers.

Healthcare provider customers and authorized users: information submitted by practices, providers, administrators, staff, patients, or other authorized users.


4. How We Use Information

We use information for the following purposes, subject to applicable law, HIPAA, and our Customer Agreements:

Provide and operate the Services: authenticate users, create and manage accounts, deliver features, process transactions, submit claims, route messages, process eligibility checks, manage remittances, support patient payments, process Practice Pay transactions, generate receipts, post payments, support refunds and chargebacks, reconcile accounts, and otherwise make the Services available.

Clearinghouse and transaction processing: process, translate, route, submit, correct, support, and facilitate claims, eligibility, remittance, payment, patient-payment, and other healthcare transactions.

Practice Pay and payment processing: provide Practice Pay, a branded payment feature of the Practice EHR platform; support patient payments, practice payments, subscription payments, refunds, chargebacks, receipts, settlements, reconciliation, fraud detection, payment posting, accounting, and related payment workflows; and transmit payment transactions to third-party payment processors, including Payrix.

Payment processor coordination: receive transaction confirmations, payment tokens, payment status, refund information, chargeback information, settlement information, reconciliation information, and related payment metadata from Payrix or other payment processors to support payment posting, accounting, reporting, customer support, fraud prevention, dispute handling, and platform operations.

Maintain, improve, and develop the Services: analyze usage patterns, troubleshoot issues, debug errors, develop new features, improve performance, evaluate workflows, test functionality, train and improve models, and enhance user experience.

Artificial intelligence, machine learning, and automation: provide, operate, secure, monitor, test, evaluate, validate, audit, improve, support, and develop artificial intelligence, machine learning, automation, analytics, rules engines, and related capabilities, as described in Section 6.

Security and fraud prevention: detect, investigate, and prevent fraud, abuse, unauthorized access, account compromise, payment fraud, security incidents, and other harmful or illegal activity.

Customer support and implementation: respond to inquiries, provide technical assistance, configure accounts, support onboarding, deliver training, troubleshoot issues, and communicate about your account.

Communications: send administrative messages, service updates, security alerts, implementation communications, payment-related notices, support communications, and, where permitted, marketing communications.

Advertising and promotions within the Services: display advertising, promotional content, sponsored content, merchandising, banners, links, and related materials within or through the Services as described in Section 7. We do not use PHI for advertising purposes.

Legal and compliance: comply with applicable laws, regulations, legal process, and enforceable governmental requests; respond to subpoenas and court orders; enforce our agreements; conduct audits; and exercise or defend legal claims.

Business operations: accounting, billing, tax, audit, corporate governance, reporting, analytics, forecasting, vendor management, payment reconciliation, and similar internal business functions.

Aggregated and de-identified analysis: create, use, disclose, license, sell, commercialize, and otherwise exploit aggregated, anonymized, and de-identified data as described in Section 5.

We do not use PHI for advertising. We do not sell PHI.


5. De-Identified and Aggregated Data

Practice EHR may de-identify information processed through the Services in accordance with HIPAA’s de-identification standards, using the Safe Harbor method, the Expert Determination method, or both. Once de-identified in accordance with applicable legal standards, the resulting information is no longer PHI under HIPAA and does not identify any individual.

As authorized by our Customer Agreements, our customers transfer and assign to Practice EHR all right, title, and interest in de-identified and aggregated information derived from data processed through the Services. We may use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, disclose, market, license, sell, commercialize, exploit, and otherwise use such de-identified and aggregated information for any lawful purpose, including without limitation:

  • Improving and developing the Services and related products;

  • Industry research, benchmarking, analytics, reporting, and forecasting;

  • Training, evaluating, testing, and improving artificial intelligence, machine learning, automation, and analytics capabilities;

  • Producing reports, dashboards, and insights for customers, partners, payers, public health authorities, life-sciences organizations, medical groups, independent practice associations, health plans, and other third parties;

  • Providing data and analytics services to medical groups, independent practice associations, health plans, payers, partners, and similar organizations; and

  • Other commercial, research, operational, product-development, or business purposes.

We may exercise these rights even if we have not previously commercialized a particular type of de-identified or aggregated information.

Before commercial use or external sharing, data is de-identified in accordance with applicable standards. We do not commercialize identifiable patient-level PHI. We do not attempt to re-identify de-identified data, and we require recipients of de-identified data, where appropriate, to agree not to re-identify the data or use it to identify any patient.

Information shared with medical groups, independent practice associations, health plans, payers, partners, public health authorities, advertisers, sponsors, agencies, analytics partners, or similar organizations may identify a practice or its owners, members, users, providers, or employees, but will not identify any patient or other individual to whom the practice provides healthcare services.

Aggregated, anonymized, and de-identified information may include, without limitation, CPT, HCPCS, ICD, diagnosis, procedure, medication, specialty, service-line, payer, claim, utilization, order, workflow, revenue-cycle, denial, billing, or payment categories, provided such information does not identify any patient and is not patient-level PHI.

Aggregated, anonymized, and de-identified information may be retained indefinitely and used as described in this Privacy Policy and the Customer Agreements.


6. Artificial Intelligence, Machine Learning, and Automation

Certain features of the Services use artificial intelligence, machine learning, automated processing, rules engines, analytics, and related technologies to support administrative, operational, coding, claims, denial-management, scheduling, documentation, revenue-cycle, payment, workflow, analytics, security, and similar functions.

These features may be developed by Practice EHR, by our affiliates, or by third-party service providers, including AI service providers operating under Business Associate Agreements or other appropriate contractual terms where PHI is involved.

Practice EHR may use information processed through the Services, including PHI where permitted by HIPAA, our Customer Agreements, and applicable law, to provide, operate, secure, monitor, test, evaluate, validate, audit, improve, and support artificial intelligence, machine learning, automation, analytics, rules engines, and related capabilities used in or through the Services.

We use PHI for AI model training, model development, model improvement, evaluation, validation, and related purposes only to the extent permitted by HIPAA, the applicable Customer Agreements, Business Associate terms, and applicable law. Where required by law or contract, or where we determine appropriate, we use aggregated or de-identified information for these purposes.

AI and automation features are intended to support administrative and operational workflows and are not intended to provide medical advice, diagnose patients, determine treatment, or replace the professional judgment of healthcare providers. Practice EHR is not a clinical decision-maker.

Some AI or automation features may generate recommendations for human review. Other features may be configured by a healthcare provider customer or its authorized users to initiate, perform, or complete administrative or operational actions automatically, including claim-related, coding-related, denial-management, scheduling, documentation, payment-related, revenue-cycle, or workflow actions.

Certain automation features may be optional and may require enablement, configuration, or activation by the healthcare provider customer or its authorized users before use. Customers are responsible for determining whether and how to enable such features, configuring applicable settings, supervising outputs and actions, and maintaining appropriate policies and procedures for their use.

Healthcare provider customers and their authorized users are responsible for configuring, reviewing, supervising, validating, and using AI and automation features appropriately and in accordance with applicable law, professional obligations, payer requirements, payment-network requirements, and their own policies.

We do not use PHI to target advertising. AI service providers that receive PHI are subject to Business Associate Agreements or other appropriate contractual terms and are contractually prohibited from using Practice EHR PHI to train their own unrelated or general-purpose models or for their own unrelated purposes, except as expressly permitted by the applicable Business Associate Agreement, Customer Agreement, or applicable law.

We may retain prompts, inputs, outputs, model responses, user feedback, corrections, audit logs, evaluation data, embeddings, performance data, and related AI usage and performance information for the purposes described in this Privacy Policy, including providing, securing, auditing, improving, and developing the Services, subject to HIPAA, our Customer Agreements, and applicable law.

To the extent any automated processing produces legal or similarly significant effects under applicable privacy law, eligible individuals may have the right to request human review, contest the decision, or exercise other rights as provided by applicable law.


7. Advertising and Promotional Content

As permitted by our Customer Agreements, Practice EHR may display advertising, promotional content, sponsored content, merchandising, banners, links, product information, service information, or other promotional materials within or through the Services. Advertising may be shown to authorized users of the Services, including providers, administrators, staff, and other users.

Advertising may be based on contextual, account-level, practice-level, geographic, specialty, product, campaign, workflow, service-line, procedure-category, diagnosis-category, medication-category, payer-category, claim-category, utilization-category, revenue-cycle-category, denial-category, billing-category, or other non-patient-specific information.

Advertising may also be based on aggregated or de-identified information, including aggregated or de-identified CPT, HCPCS, ICD, diagnosis, procedure, medication, specialty, service-line, payer, claim, utilization, order, workflow, revenue-cycle, denial, billing, or payment categories, where such information is not patient-level PHI and is not reasonably capable of identifying any patient.

We do not use patient-level PHI, patient identity, patient-specific diagnosis, patient-specific treatment, patient-specific medication, patient-specific claim, patient-specific CPT, HCPCS, or ICD code, patient-specific encounter, patient-specific appointment, patient chart content, patient-payment information, patient-balance information, or other patient-specific information to target or personalize advertising.

We may provide advertisers, sponsors, agencies, and advertising partners with ad delivery and performance information, which may include campaign information, impressions, clicks, whether an ad was clicked, user or account identifiers, user role or type, practice identity, practice specialty, geographic region, contextual placement information, workflow category, service-line category, and aggregated or de-identified clinical, coding, claim, payer, medication, diagnosis, procedure, utilization, revenue-cycle, denial, billing, or payment categories, provided that such information does not identify any patient and is not patient-level PHI.

We do not provide advertisers with patient identity, patient-level PHI, clinical chart content, patient-specific diagnosis, patient-specific treatment, patient-specific medication, patient-specific claim details, patient-specific CPT, HCPCS, or ICD codes, patient-specific encounter information, patient-specific appointment information, payment-card information, patient-payment information, patient-balance information, or patient-specific context.

Aggregated or de-identified clinical, coding, claim, diagnosis, medication, procedure, payer, specialty, service-line, utilization, revenue-cycle, denial, billing, payment, or workflow information may be used or disclosed as described in this Privacy Policy and the Customer Agreements.

Advertising or sponsored content may be labeled or otherwise presented as promotional content. Practice EHR does not endorse, and the display of advertising does not constitute an endorsement of, any advertised product, service, manufacturer, vendor, advertiser, or third party. Use of any advertised product or service is at the user’s or customer’s sole risk and is governed by the applicable third party’s terms.

You may have choices regarding marketing communications and certain types of advertising, as described in Section 16.


8. How We Share Information

We share information only as described below and subject to applicable law, HIPAA, and our Customer Agreements.

8.1 With Healthcare Provider Customers

Information processed on behalf of a healthcare provider customer is accessible to that customer and its authorized users, subject to customer configuration, user permissions, and applicable law.

8.2 With Service Providers and Subcontractors

We engage vendors, contractors, hosting providers, payment processors, analytics providers, communications providers, security providers, AI providers, support providers, and other service providers who perform services on our behalf.

We require these parties by contract to protect information consistent with applicable law. With respect to PHI, we require Business Associate Agreements where required.

8.3 With Payers, Clearinghouses, Transaction Networks, and Claims Partners

We may disclose information, including PHI, to health plans, payers, third-party clearinghouses, electronic data interchange vendors, eligibility vendors, payment networks, remittance vendors, claims-processing partners, revenue-cycle partners, and other transaction partners as necessary to submit, route, process, correct, adjudicate, reconcile, audit, or support claims, eligibility, payment, remittance, and related healthcare transactions and Services.

Where required, these parties are subject to Business Associate Agreements or other appropriate contractual protections.

8.4 With Payment Processors and Practice Pay Partners

Practice EHR provides Practice Pay, a branded payment feature of the Practice EHR platform. Payment transactions made through Practice Pay are processed by third-party payment processors, including Payrix.

We may disclose information to Payrix and other payment processors, payment facilitators, banks, card networks, ACH processors, fraud-prevention vendors, payment-security vendors, and related partners as necessary to provide Practice Pay and related payment functionality.

Information disclosed for payment processing may include payer information, patient or account identifiers, invoice information, balance information, payment amount, payment status, transaction data, payment tokens, billing address, refund information, chargeback information, settlement information, fraud-prevention information, reconciliation information, and related payment metadata.

Payrix and other payment processors process charges and perform payment-processing compliance functions under their applicable agreements and payment-network obligations. Practice EHR does not store full payment card numbers or CVV codes in its own systems in the ordinary course.

We do not sell identifiable patient-payment information, payment-card information, bank account information, or mobile information. We do not disclose individually identifiable PHI or identifiable patient-payment details to advertisers for advertising purposes. Nothing in this Section limits our rights to use, disclose, license, sell, commercialize, or otherwise exploit aggregated, anonymized, or de-identified information as described in Section 5, including de-identified or aggregated payment, billing, revenue-cycle, denial, payer, utilization, or workflow categories.

8.5 With Integration Partners

When you or your practice uses an integration, including e-prescribing networks, laboratories, pharmacies, clearinghouses, payment networks, patient-engagement platforms, health information exchanges, or other third-party integrations, we share information with those partners as necessary to deliver the requested functionality.

8.6 With Advertising Partners

We may provide advertisers, sponsors, agencies, and advertising partners with ad delivery and performance information as described in Section 7. This may include campaign information, impressions, clicks, click status, user or account identifiers, user role or type, practice identity, practice specialty, geographic region, contextual placement information, workflow category, service-line category, and aggregated or de-identified clinical, coding, claim, payer, medication, diagnosis, procedure, utilization, revenue-cycle, denial, billing, payment, or workflow categories.

We do not provide advertisers with patient identity, patient-level PHI, patient-payment details, clinical chart content, patient-specific diagnosis, patient-specific treatment, patient-specific medication, patient-specific claim details, patient-specific CPT, HCPCS, or ICD codes, patient-specific encounter information, patient-specific appointment information, patient-balance details, payment-card data, or patient-specific context.

8.7 For Legal, Compliance, and Safety Reasons

We may disclose information when we believe in good faith that disclosure is required or permitted by law, including in response to subpoenas, court orders, civil investigative demands, government requests, law-enforcement requests, regulatory inquiries, audits, or other legal process.

We may also disclose information to enforce our agreements, protect our rights, protect the rights or safety of our customers or users, prevent fraud or abuse, investigate security incidents, or protect the integrity of the Services.

8.8 In Connection with a Business Transaction

We may disclose or transfer information in connection with a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, due diligence process, corporate transaction, or similar event.

8.9 With Your Direction or Consent

We may share information when you, your practice, or another authorized party directs us to do so or consents to the disclosure.

8.10 Aggregated and De-Identified Information

We may use, disclose, license, sell, commercialize, and otherwise exploit aggregated, anonymized, and de-identified information as described in Section 5.

We do not sell PHI. We do not use or disclose PHI for cross-context behavioral advertising. Certain advertising-related information about business users, accounts, practices, ad impressions, ad clicks, ad performance, contextual placement, workflow categories, service-line categories, and aggregated or de-identified clinical, coding, claim, payer, medication, diagnosis, procedure, utilization, revenue-cycle, denial, billing, payment, or workflow categories may be disclosed to advertising partners as described in Section 7.

De-identified information that is no longer PHI or personal information under applicable law may be used, disclosed, licensed, sold, commercialized, or otherwise exploited as described in Section 5.

No mobile information, including mobile phone numbers, opt-in data, or text-message consent records, will be sold or shared with third parties or affiliates for promotional or marketing purposes.


9. Google API Services User Data

If you connect a Google account or use features that rely on Google API Services, our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We use Google user data only to provide or improve user-facing features that are prominent in the Services;

  • We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users;

  • We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising;

  • We do not allow humans to read Google user data unless we have obtained the user’s affirmative agreement to view specific messages or files, it is necessary for security purposes, it is necessary to comply with applicable law, or it is necessary for internal operations and the data has been aggregated or anonymized; and

  • We maintain appropriate technical and organizational safeguards to protect Google user data.


10. Data Security and Breach Notification

We maintain administrative, technical, and physical safeguards designed to protect information against unauthorized access, disclosure, alteration, and destruction. These safeguards include encryption of data in transit and at rest, role-based access controls, multi-factor authentication for privileged access, audit logging, network and application security monitoring, vulnerability management, personnel training, backup and recovery practices, and security incident response processes.

With respect to PHI, we maintain safeguards consistent with the HIPAA Security Rule.

With respect to payment information, Practice EHR offers Practice Pay as a branded payment feature of the Practice EHR platform. Payment transactions made through Practice Pay are processed by third-party payment processors, including Payrix. We rely on Payrix and other applicable payment processors to process charges, payment credentials, payment authentication, settlement, chargebacks, refunds, fraud screening, and payment-processing compliance functions in accordance with their applicable agreements and payment-network obligations. We maintain safeguards designed to protect payment-related information in our possession, such as transaction IDs, payment status, payment tokens, receipts, refund information, chargeback information, settlement information, reconciliation information, and related metadata.

In the event of a breach of unsecured PHI, we will notify the affected healthcare provider customer without unreasonable delay and in no case more than thirty (30) calendar days after discovery, in accordance with HIPAA and our Customer Agreements.

For information not subject to HIPAA, including certain payment information, business-contact information, website information, or other personal information, we will notify affected individuals, customers, regulators, payment partners, card networks, or applicable authorities as required by law, contract, or applicable payment-network rules.

Despite these safeguards, no method of transmission or storage is completely secure.


11. Cookies, Tracking Technologies, Logs, and Security Telemetry

We use cookies, logs, pixels where permitted, local storage, analytics tools, audit logs, device identifiers, and similar technologies to operate the Services, authenticate users, maintain sessions, remember preferences, secure accounts, detect fraud or abuse, monitor performance, troubleshoot issues, improve functionality, support compliance, and protect the integrity of the Services.

Information collected through these technologies may include IP address, device identifiers, browser type, operating system, user or account identifiers, practice identifiers, role or permission level, session information, feature usage, pages or screens accessed, actions taken, dates and times of access, event metadata, performance data, security events, and similar technical or operational information.

We do not knowingly use third-party advertising or tracking technologies in a manner that discloses PHI to advertising or tracking vendors unless permitted by HIPAA, the applicable Customer Agreements, a valid Business Associate Agreement where required, or another legally valid permission.

We do not use patient-level PHI collected through authenticated Service pages, patient workflows, claims workflows, clinical workflows, patient-payment workflows, Practice Pay workflows, or mobile application features for advertising or cross-context behavioral advertising.

We may use internal or service-provider analytics, logging, monitoring, and security tools to monitor, secure, debug, improve, and operate the Services, provided that PHI is handled in accordance with HIPAA, our Customer Agreements, and applicable law.

You can control cookies through your browser settings. Disabling cookies may affect the functionality of the Services.


12. SMS and Mobile Communications

If you provide a mobile phone number, we may use it to send service-related messages, security alerts, payment-related messages, account notices, operational messages, and, where you have consented, other communications. Message and data rates may apply.

You may opt out of non-essential or marketing text messages by replying STOP, QUIT, END, CANCEL, UNSUBSCRIBE, REVOKE, or OPT OUT. You may reply HELP for assistance. We will honor opt-out requests as required by law.

Consent to marketing text messages is not a condition of purchasing or using the Services.

No mobile information, including phone numbers, opt-in data, and consent records, will be shared with or sold to third parties or affiliates for promotional or marketing purposes. Mobile information may be shared with service providers solely for the purpose of delivering messages, maintaining messaging systems, supporting compliance, preventing fraud or abuse, and providing related services on our behalf.


13. Payment Processing and Practice Pay

Practice EHR may provide patient-payment and payment-management functionality through Practice Pay, a branded payment feature of the Practice EHR platform. Practice Pay is not a separate legal entity or independent payment processor.

Practice Pay may allow healthcare provider customers, patients, authorized users, and other payers to make or manage payments, including patient balances, copayments, deductibles, invoices, subscriptions, service fees, refunds, chargebacks, and other transactions.

Payment transactions made through Practice Pay are processed by third-party payment processors, including Payrix. Payrix and other payment processors may process payment card information, bank account or ACH information, card number, CVV, expiration date, billing address, payment authentication information, tokenized payment credentials, transaction information, fraud-screening information, device information, settlement information, refund information, chargeback information, and related payment data.

Practice EHR does not store full payment card numbers or CVV codes in its own systems in the ordinary course. Practice EHR may receive limited payment-related information, including transaction ID, payment token, card brand, last four digits, payment status, payment amount, payment date, payer name, patient or account identifier, invoice or balance information, receipt information, refund information, chargeback information, settlement information, reconciliation information, and related metadata.

Payrix and other payment processors process charges and perform payment-processing compliance functions under their applicable agreements and payment-network obligations. Practice EHR remains responsible for its own privacy, security, HIPAA, contractual, and platform obligations as described in this Privacy Policy, the Customer Agreements, and applicable law.

We use payment-related information to support Practice Pay, process payments, post payments, reconcile accounts, issue receipts, manage refunds, respond to chargebacks, detect fraud, comply with legal and payment-network obligations, support customer service, and provide, secure, improve, and audit the Services.

Where payment information relates to healthcare services, patient accounts, patient balances, claims, or other patient-specific healthcare workflows, it may constitute PHI and will be handled in accordance with HIPAA, the Customer Agreements, and applicable law.

We do not sell identifiable patient-payment information, payment-card information, bank account information, or mobile information. We do not use identifiable patient-payment information, payment-card information, bank account information, or patient-specific payment context to target advertising. Aggregated, anonymized, or de-identified payment, billing, revenue-cycle, denial, payer, utilization, or workflow categories may be used or disclosed as described in this Privacy Policy and the Customer Agreements, provided such information does not identify any patient and is not individually identifiable PHI.


14. Mobile Application Privacy

If you access the Services through our mobile application:

Account creation. Accounts cannot be created through our mobile application. To use the mobile application, you must have an existing account established through our web-based Services or by your practice administrator.

Apple App Tracking Transparency. On Apple iOS devices, if our application engages in tracking as defined by Apple, we will request your permission through Apple’s App Tracking Transparency framework before doing so. You may grant or deny this permission at any time in your device settings.

Device permissions. Our mobile application may request access to device features such as camera, microphone, photo library, biometrics, Face ID, Touch ID, files, and notifications. These permissions are used only for the specific features that require them, and you may revoke them at any time in your device settings. Revoking permissions may affect the functionality of those features.

Biometric authentication. If you use device-based biometric authentication, such as Face ID, Touch ID, fingerprint authentication, or similar features, those features are generally provided by your device or operating system. Practice EHR does not receive or store your biometric templates from those device-based authentication features in the ordinary course. If we introduce features that directly collect, create, receive, or store biometric identifiers or biometric information, such as fingerprints, voiceprints, face geometry, or similar biometric data, we will provide notice and obtain consent where required by applicable law.

Apple HealthKit. If our application integrates with Apple HealthKit, we use HealthKit data only as necessary to provide the features you have enabled and only with your explicit consent. We do not use HealthKit data for advertising or marketing purposes. We do not sell HealthKit data. We do not share HealthKit data with third parties except as necessary to provide the features you have enabled, as required by law, or with your additional explicit consent. You may revoke HealthKit access at any time in your device’s Health app settings.

Mobile analytics and diagnostics. Our mobile application may collect crash reports, diagnostic information, performance information, security information, and usage analytics to maintain, secure, troubleshoot, and improve the Services. This information is not used for PHI-based advertising.


15. Data Retention

We retain information for as long as reasonably necessary and permitted to provide, operate, secure, audit, improve, and develop the Services; support healthcare, billing, claims, clearinghouse, Practice Pay, payment-processing, patient-payment, revenue-cycle, reconciliation, refund, chargeback, settlement, and administrative workflows; comply with legal, regulatory, accounting, contractual, payer, audit, payment-network, tax, and reporting obligations; resolve disputes; enforce our agreements; maintain security and fraud-prevention records; support business continuity; and for other legitimate business purposes.

Retention periods vary depending on the type of information, the purpose for which it was collected or created, the nature of our relationship with the customer or user, applicable legal and contractual requirements, and technical, operational, backup, archival, audit, payment, and security considerations.

We may retain logs, audit trails, security records, claims records, billing records, Practice Pay records, limited payment metadata, settlement records, refund records, chargeback records, reconciliation records, remittance records, support records, AI-related records, and similar operational records as necessary for compliance, security, quality assurance, product improvement, legal defense, and business operations.

Upon termination of a Customer Agreement, PHI is returned, made available, retained, or destroyed in accordance with the applicable Customer Agreement, Business Associate terms, HIPAA, and applicable law. Where return or destruction is not feasible, we extend applicable protections to the information and limit further uses and disclosures as required by law and contract.

Aggregated, anonymized, and de-identified information may be retained and used as described in Section 5.


16. Your Rights and Choices

Depending on your jurisdiction and your relationship with Practice EHR, you may have certain rights regarding your personal information, including the right to:

  • Access the personal information we hold about you;

  • Request correction of inaccurate personal information;

  • Request deletion of personal information;

  • Restrict or object to certain processing;

  • Receive a portable copy of your personal information;

  • Withdraw consent where processing is based on consent;

  • Opt out of certain processing, including sale, sharing, targeted advertising, or profiling where applicable;

  • Request human review of automated decisions that produce legal or similarly significant effects where applicable;

  • Opt out of certain marketing communications;

  • Appeal a denial of a privacy request where applicable; and

  • Lodge a complaint with a supervisory authority.

To exercise these rights, contact us as described in Section 21. We may need to verify your identity before responding. We may also need to determine whether the information at issue is controlled by Practice EHR or by one of our healthcare provider customers.

We will respond within the timeframes required by applicable law and will not discriminate against you for exercising your rights.

Patients: if your information was provided to Practice EHR by a healthcare provider or processed through the Services on behalf of a healthcare provider, please direct requests regarding that information to your healthcare provider, who is responsible for it under HIPAA.


17. State-Specific Privacy Disclosures

Residents of California, Colorado, Connecticut, Texas, Virginia, Utah, Washington, and other states with comprehensive privacy laws may have additional rights under those laws.

Information processed as PHI under HIPAA is generally exempt from many state consumer privacy laws. Information that has been de-identified in accordance with applicable legal standards is generally not personal information under state privacy laws, provided applicable de-identification requirements are met.

Information entered into or processed through the EHR, practice-management, clearinghouse, claims, patient, provider, revenue-cycle, Practice Pay, or payment-processing workflows is generally processed under HIPAA, the Customer Agreements, payment-network requirements, processor agreements, or other applicable legal and contractual frameworks. Information we collect outside those workflows, such as website visitor data, business contact data, sales and marketing data, security logs, device data, and certain advertising or analytics data, may be personal information subject to state privacy laws.

For information that is not subject to a HIPAA, de-identification, or other exemption, we will honor applicable state law rights.

California Residents

The categories of personal information we collect, the purposes for which we use them, and the categories of recipients with whom we share them are described in Sections 3, 4, 7, 8, 11, 13, and 15 of this Privacy Policy.

We do not sell PHI. We do not use or disclose PHI for cross-context behavioral advertising. Certain advertising-related information about business users, accounts, practices, ad impressions, ad clicks, ad performance, contextual placement, workflow categories, service-line categories, and aggregated or de-identified clinical, coding, claim, payer, medication, diagnosis, procedure, utilization, revenue-cycle, denial, billing, payment, or workflow categories may be disclosed to advertising partners as described in Section 7.

De-identified information that is no longer personal information under applicable law may be used, disclosed, licensed, sold, commercialized, or otherwise exploited as described in Section 5.

We retain personal information for the periods described in Section 15. To exercise your rights, contact us as described in Section 21.

Washington Residents

We do not intentionally collect consumer health data directly from consumers outside HIPAA-regulated, Customer-directed, or otherwise exempt workflows for the purpose of providing consumer health products or services directly to consumers. Information entered into or processed through the EHR, practice-management, clearinghouse, claims, patient, provider, revenue-cycle, Practice Pay, or payment-processing workflows is generally processed under HIPAA, the Customer Agreements, payment-network requirements, processor agreements, or other applicable legal and contractual frameworks.

Website visitors, prospects, business contacts, and users may provide business-contact information, device information, usage information, sales or marketing information, support information, or other non-HIPAA personal information. We do not intentionally use general website browsing activity to infer an individual consumer’s health status, diagnosis, treatment, or need for healthcare services.

To the extent we collect or process “consumer health data” subject to the Washington My Health My Data Act and not exempt from that Act, we will process such information in accordance with applicable law, including any applicable notice, consent, consumer-rights, security, and processor requirements.

Appeals and Authorized Agents

Where required by applicable law, you may appeal our decision regarding a privacy request. You may also use an authorized agent where permitted by law. We may require information sufficient to verify your identity, confirm the agent’s authority, and protect the security of the information at issue.


18. International Data Transfers

Practice EHR is based in the United States. We may process information in the United States and in other countries where we or our service providers operate.

By using the Services, you understand that information may be transferred to, stored in, and processed in jurisdictions outside your country of residence, which may have different data protection laws.

Where required by applicable law, we use appropriate safeguards, such as Standard Contractual Clauses or other legally recognized mechanisms, for cross-border transfers.


19. Children’s Privacy

The Services are not directed to children under 13, and we do not knowingly collect personal information directly from children under 13 through our public websites, marketing pages, or other direct-to-consumer interactions.

The Services may process information about pediatric patients on behalf of healthcare provider customers. Such information is processed under HIPAA, the Customer Agreements, and applicable law. Parents, guardians, and personal representatives seeking access to, correction of, or other rights regarding pediatric patient information should contact the applicable healthcare provider customer directly.

If you believe a child has provided personal information directly to us outside of a healthcare provider customer relationship, please contact us so we can take appropriate action.


20. Accessibility

Practice EHR is committed to making this Privacy Policy reasonably accessible. If you need this Privacy Policy in an alternative format or need assistance accessing or understanding this Privacy Policy, please contact us using the contact information below.


21. Changes and Contact

We may update this Privacy Policy from time to time. When we do, we will revise the “Last Updated” date at the top of this Privacy Policy. You are responsible for periodically reviewing this Privacy Policy. Your continued use of the Services after the updated Privacy Policy takes effect constitutes your acceptance of the updated Privacy Policy.

This Privacy Policy is governed by the laws of the State of Texas, without regard to its conflict of laws principles. Any dispute relating to this Privacy Policy is subject to the dispute resolution and venue provisions of the applicable Customer Agreement.

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:

Practice EHR LLC
Attn: Privacy Officer
5345 Towne Square Drive, Suite 125
Plano, TX 75024
Email: privacy@practiceehr.com
Phone: 469-305-7171

For HIPAA-related concerns regarding PHI processed on behalf of a healthcare provider, please contact your healthcare provider directly.

© Practice EHR LLC. All rights reserved.