Privacy Policy

1. Overview and HIPAA Compliance

Sematic Health (operated by ZYXW Labs, LLC) operates as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). We provide software solutions for healthcare providers to streamline healthcare workflows and administrative processes.

We are committed to protecting Protected Health Information (PHI) and maintaining the highest standards of data security and privacy in accordance with HIPAA, state privacy laws, and healthcare industry best practices.

2. Information We Collect and Process

As a healthcare technology platform, we collect and process the following types of information:

Protected Health Information (PHI)

• Patient demographics, medical record numbers, and identifiers
• Medical conditions, diagnoses, and health information
• Treatment histories and clinical data
• Clinical observations and assessment information
• Care plans and treatment documentation
• Insurance and coverage information
• Health assessments and related data
• Provider-patient relationships and care coordination information

Healthcare Provider Information

• Provider credentials and licensing information
• Practice and organization details
• User authentication data and access permissions
• Clinical workflow and platform usage data

Technical and Usage Data

• EHR integration data via secure protocols
• Authentication tokens and session data
• Platform usage analytics and performance metrics
• Audit logs and security monitoring data

3. How We Use Your Information

We use the collected information solely for legitimate healthcare operations and as authorized by our Business Associate Agreements:

Healthcare Program Administration

• Support healthcare program eligibility and management
• Facilitate care plan creation and management
• Track completion of required healthcare services
• Generate administrative documentation
• Monitor quality metrics and compliance requirements

Clinical Workflow Support

• Facilitate care coordination and team communication
• Provide clinical decision support and patient information
• Enable secure messaging and information sharing
• Support preventive care and health management

Platform Operations

• Maintain EHR integrations and data synchronization
• Ensure platform security and performance
• Provide technical support and troubleshooting
• Conduct security audits and compliance monitoring

4. EHR Integration and Data Sources

Our platform integrates with Electronic Health Record (EHR) systems using industry-standard protocols:

• Secure Integration: Standards-based integration with EHR systems
• Healthcare System Integration: Direct secure connections to healthcare platforms
• Clinical Data Access: Patient and clinical information as authorized
• Real-time Synchronization: Automated data updates and communication
• Secure Authentication: Industry-standard authentication and security

5. Data Security and Protection

We implement comprehensive security measures to protect PHI and ensure HIPAA compliance:

Technical Safeguards

• End-to-end encryption for data in transit and at rest
• Multi-factor authentication and role-based access controls
• Secure cloud infrastructure with compliance certifications
• Regular security audits and penetration testing
• Automated backup and disaster recovery systems

Administrative Safeguards

• HIPAA training for all personnel with PHI access
• Incident response and breach notification procedures
• Regular risk assessments and security policy updates
• Vendor management and Business Associate Agreements

Physical Safeguards

• Secure data centers with restricted physical access
• Workstation security and device management policies
• Secure disposal of hardware and media containing PHI

6. Data Sharing and Disclosure

We only share PHI as permitted by HIPAA and our Business Associate Agreements:

Authorized Disclosures

• Healthcare Providers: Authorized clinicians and care team members
• Covered Entities: Healthcare organizations under signed BAAs
• Business Associates: Third-party service providers with appropriate agreements
• Patients: Upon valid patient requests for their own information

Required Disclosures

• Legal authorities when required by law or court order
• Public health agencies for disease surveillance or reporting
• Healthcare oversight agencies for compliance monitoring
• Law enforcement in specific circumstances permitted by HIPAA

7. Individual Rights Under HIPAA

As a Business Associate, we support the following individual rights. Requests should be directed to your healthcare provider:

• Right of Access: Request copies of your PHI in our systems
• Right to Amend: Request corrections to inaccurate PHI
• Right to Restrict: Request limitations on PHI use or disclosure
• Right to Accounting: Receive a list of PHI disclosures
• Right to Notification: Be notified of any breaches affecting your PHI
• Right to Complain: File complaints about privacy practices

8. Data Retention and Deletion

We retain PHI only as long as necessary for legitimate business purposes and as required by law:

• Active Data: Retained while providing services to healthcare providers
• Audit Logs: Maintained for required periods as mandated by law
• Administrative Records: Retained per applicable requirements
• Secure Deletion: PHI is securely destroyed when retention periods expire
• Contract Termination: PHI returned or destroyed per BAA terms

9. Breach Notification

In the event of a security incident involving PHI, we will:

• Immediately investigate and contain the incident
• Notify affected Covered Entities within required timeframes
• Provide detailed incident reports and remediation plans
• Cooperate with Covered Entity breach notification requirements
• Implement additional safeguards to prevent future incidents

10. International Data Transfers

PHI is processed and stored within the United States. We do not transfer PHI outside the US without appropriate safeguards and authorization. Our cloud infrastructure providers maintain appropriate compliance certifications and Business Associate Agreements.

11. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated to our healthcare provider clients through our platform and via email. The effective date at the top of this policy indicates when the latest version was published.