Privacy Policy

1. Introduction

Caretable ("we," "us," or "our") is committed to protecting the privacy and security of your personal information and any Protected Health Information (PHI) processed through our platform. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our referral exchange platform.

2. Information We Collect

2.1 Account Information

• Full name and email address
• Role (Provider or Referrer)
• Business name and license number (Providers)
• Service area and services offered (Providers)

2.2 Referral Information (May Contain PHI)

• Client first name and last initial
• Service needed and urgency level
• Client location (city and state)
• Referral descriptions and notes
• Chat messages between Providers and Referrers

2.3 Usage Information

• Login timestamps and session duration
• Actions performed on the platform (audit logs)
• Browser type and device information

3. How We Use Your Information

• Facilitate referrals: Connect Referrers with appropriate Providers based on service needs and location.
• Platform communication: Enable secure messaging between Referrers and Providers regarding active referrals.
• Account management: Maintain your profile, preferences, and service listings.
• Security and compliance: Maintain audit logs, detect unauthorized access, and ensure HIPAA compliance.
• Platform improvement: Analyze anonymized, aggregate usage data to improve the platform experience.
• Notifications: Send referral status updates, new message alerts, and important platform announcements.

4. HIPAA-Specific Data Handling

4.1 Technical Safeguards

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
• Encryption at rest: Database contents, including PHI, are encrypted at rest using AES-256 encryption.
• Access controls: Role-based access control (RBAC) ensures users only access data relevant to their role. Row-level security policies enforce data isolation.
• Automatic session timeout: Sessions automatically expire after 15 minutes of inactivity to prevent unauthorized access.
• Audit logging: All access to PHI is automatically logged, including the user, action, timestamp, and affected record.

4.2 AI Processing Safeguards

• PHI redaction: Before any data is sent to AI services for features like reply suggestions or analytics insights, all personally identifiable information is automatically stripped, including client names, phone numbers, email addresses, Social Security numbers, and dates of birth.
• No PHI storage by AI: AI service providers do not store or retain any data sent for processing.
• AI instructions: AI models are explicitly instructed never to include, repeat, or request PHI in their responses.

4.3 Administrative Safeguards

• Business Associate Agreements: Caretable maintains BAAs with all third-party service providers that may access PHI.
• Workforce training: All Caretable personnel with access to PHI receive HIPAA compliance training.
• Incident response: We maintain a documented incident response plan for potential data breaches.
• Risk assessments: Regular security risk assessments are conducted to identify and mitigate potential vulnerabilities.

5. Data Sharing and Disclosure

We do not sell your personal information or PHI. We may share information only in the following circumstances:

• Referral facilitation: Referral details are shared with Providers who accept a referral, and acceptance details are shared with the originating Referrer.
• Service providers: We use third-party infrastructure providers (hosting, database, email) under BAAs that prohibit them from using PHI for any purpose other than providing the contracted service.
• Legal compliance: We may disclose information if required by law, subpoena, or regulatory investigation.
• Breach notification: In the event of a data breach involving PHI, we will notify affected individuals and the U.S. Department of Health and Human Services as required by the HIPAA Breach Notification Rule.

6. Data Retention

• PHI and audit logs: Retained for a minimum of six (6) years from the date of creation, as required by HIPAA.
• Account information: Retained for the duration of your account plus six (6) years after account closure.
• Usage data: Anonymized usage data may be retained indefinitely for analytics purposes.

7. Your Rights

• Access: You may request a copy of the personal information and PHI we hold about you.
• Correction: You may request correction of inaccurate personal information.
• Accounting of disclosures: You may request an accounting of disclosures of your PHI as required by HIPAA.
• Restriction requests: You may request restrictions on certain uses and disclosures of your PHI.
• Communication preferences: You may unsubscribe from non-essential email communications at any time.

To exercise any of these rights, contact us at info@caretable.com.

8. Cookies and Tracking

Caretable uses essential cookies for authentication and session management only. We do not use third-party advertising cookies or cross-site tracking technologies. Session cookies are automatically cleared when your session expires or you log out.

9. Children's Privacy

Caretable is intended for use by social service professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on the platform at least 30 days before the changes take effect. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

11. Contact Us

For privacy-related inquiries or to exercise your rights under HIPAA, contact our Privacy Officer at info@caretable.com.