HIPAA Compliant | Emergency: 1-800-555-0199

Privacy Policy

How we collect, use, and protect your health information under HIPAA

Last updated: March 15, 2026

KindlyMoments Health, Inc. (“KindlyMoments,” “we,” “us,” or “our”) is committed to protecting the privacy and security of your personal information and Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HITECH Act, and applicable state privacy laws.

1. Information We Collect

1.1 Protected Health Information (PHI)

We may collect the following categories of PHI in connection with the services we provide:

  • Patient demographics (name, date of birth, address, contact information)
  • Medical history, diagnoses, and conditions
  • Vital signs and biometric data from connected monitoring devices
  • Medication information, treatment plans, and care instructions
  • Lab results and clinical notes shared by healthcare providers
  • Insurance and Medicare/Medicaid eligibility information
  • Communication records between patients, families, and care teams

1.2 Non-PHI Personal Information

  • Account registration details (email, phone, password)
  • Device and browser information for security and platform optimization
  • Usage analytics (anonymized and aggregated)
  • Cookies and similar tracking technologies (see Section 7)

2. How We Use Your PHI

We use your information for the following purposes, consistent with HIPAA's permitted uses and disclosures:

  • Treatment: Facilitating care coordination between patients, families, and healthcare providers including vital sign monitoring, medication reminders, and clinical alerts.
  • Payment: Processing insurance claims, verifying Medicare/Medicaid eligibility, and managing billing under CCM and RPM codes.
  • Healthcare Operations: Quality improvement, clinical outcome analysis, staff training, and platform optimization.
  • As Authorized: Any use you explicitly authorize through written consent.

3. Who We Share With

We never sell, rent, or trade your PHI. We may disclose your information only to:

  • Your Care Team: Healthcare providers you have authorized to participate in your care.
  • Authorized Family Members: Only those individuals to whom you have explicitly granted access via your privacy settings.
  • Business Associates (BAA Partners): Third-party vendors who require access to PHI to provide services on our behalf. All Business Associates have executed HIPAA Business Associate Agreements (BAAs) and are contractually obligated to protect your PHI.
  • As Required by Law: When required by federal, state, or local law, including public health authorities and law enforcement with valid legal process.
  • De-identified Data: Aggregated, de-identified data that cannot reasonably identify any individual may be used for research and quality improvement.

4. Your HIPAA Rights

As a patient, you have the following rights regarding your PHI:

  • Right to Access: Request and receive copies of your PHI within 30 days.
  • Right to Amend: Request corrections to inaccurate or incomplete PHI.
  • Right to an Accounting of Disclosures: Receive a list of certain disclosures made of your PHI.
  • Right to Request Restrictions: Ask us to limit how we use or disclose your PHI.
  • Right to Confidential Communications: Request that we communicate with you in a specific way or at a specific location.
  • Right to Revoke Authorization: Withdraw any prior authorization for use of your PHI.
  • Right to a Copy of This Policy: Obtain a paper or electronic copy at any time.
  • Right to File a Complaint: File a complaint with us or the U.S. Department of Health and Human Services.

5. Data Security Measures

We implement comprehensive administrative, technical, and physical safeguards:

  • 256-bit AES encryption for data at rest and TLS 1.3 for data in transit
  • Role-based access controls (RBAC) following the principle of least privilege
  • Multi-factor authentication for all user accounts
  • SOC 2 Type II certified infrastructure hosted on AWS HIPAA-eligible services
  • HITRUST CSF certified security controls
  • Continuous monitoring and intrusion detection systems
  • Regular penetration testing and vulnerability assessments
  • Comprehensive audit logging of all PHI access events
  • Automatic session timeouts and device management
  • Disaster recovery with encrypted backups across geographically separated regions

6. Data Retention

We retain your PHI for as long as required to provide services and comply with legal obligations. Medical records are retained for a minimum of six (6) years from the date of last service or as required by applicable state law, whichever is longer. Upon account deletion, PHI is securely purged within 90 days, subject to legal retention requirements.

7. Cookies and Tracking

Our platform uses strictly necessary cookies for authentication and security. We do not use advertising cookies or share browsing data with third-party advertisers. Analytics data is collected in aggregate, anonymized form only.

8. Children's Privacy

Our services are not directed to individuals under 18. PHI of minors is managed exclusively through authorized parent or guardian accounts in compliance with HIPAA and applicable state laws regarding minors' health information.

9. State-Specific & International Rights

Depending on your location, you may have additional privacy rights under laws such as the CCPA, Texas Medical Records Privacy Act, or GDPR. We comply with all applicable privacy requirements. Contact us for location-specific information.

10. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email and a prominent notice on our platform at least 30 days before taking effect.

11. Contact Our Privacy Officer

For privacy-related inquiries or to exercise your HIPAA rights:

  • Privacy Officer: KindlyMoments Health, Inc.
  • Email: privacy@kindlymoments.com
  • Phone: 1-800-555-0199 (select option 3)
  • Mail: KindlyMoments Health, Inc., Attn: Privacy Officer, 100 Healthcare Way, Suite 400, San Francisco, CA 94105

To file a complaint with the U.S. Department of Health and Human Services, visit www.hhs.gov/ocr/complaints.
