Privacy Policy

Introduction

At Noted ("we," "our," "us"), we are committed to protecting the privacy and security of your information. This Privacy Policy outlines how we collect, use, disclose, and safeguard Protected Health Information (PHI) and other data in compliance with the Health Insurance Portability and Accountability Act (HIPAA). By using our services, you agree to the terms outlined in this Privacy Policy.

Scope

This Privacy Policy applies to all users of our HIPAA-compliant software-as-a-service (SaaS) platform designed for home health care providers in the state of Florida. Our platform is accessible only to authorized personnel, such as healthcare providers, administrators, and nurses.

Data We Collect

We collect and process the following types of information:

  • Protected Health Information (PHI):
    • Patient names (entered by users).
    • Disabilities, goals, progress notes, and other health-related information.
  • User Information:
    • Names and email addresses of authorized users (e.g., Company Admins or Nurses).
  • System Data:
    • Metadata such as IP addresses, timestamps, and audit logs for security purposes.

How We Use Your Data

We use the information collected for the following purposes:

  • To provide and maintain our platform's functionality.
  • To generate billable summaries using AI-powered processing.
  • To ensure compliance with applicable laws and regulations.

De-identification Practices

Before transmitting data to third-party service providers for processing, we take the following steps to de-identify PHI:

  • Patient names are removed from structured fields.
  • Free-form text fields (e.g., nurse notes) are scanned using automated tools to redact identifiable names or other sensitive information where feasible.
  • The remaining data contains only disabilities, goals, progress updates, and other non-identifiable health-related information.

Important Note: While we make every effort to redact identifying information from free-form text fields, we cannot guarantee that all names or identifiers will be fully removed, because free-form human input varies in format and content.

Third-Party Service Providers

To deliver our services effectively, we rely on third-party providers who operate under signed Business Associate Agreements (BAAs) as required by HIPAA:

  • Hosting Provider: We use a HIPAA-compliant hosting provider for secure data storage and processing.
  • AI Service Provider: We utilize a third-party AI service to process nurse-generated notes into billable summaries. Data sent for processing is de-identified where possible and submitted securely through routes under which the provider does not retain the data.

These providers are contractually obligated to comply with HIPAA regulations and implement robust security measures to protect your data.

Data Ownership

All PHI entered into our platform remains the property of the Covered Entity (e.g., healthcare provider or organization). We act solely as a processor of this data on behalf of the Covered Entity.

Security Measures

We implement industry-standard administrative, technical, and physical safeguards to protect your data:

  • Encryption: All PHI is encrypted at rest and in transit using NIST-approved standards.
  • Access Controls: Role-based access controls ensure that users can only access data relevant to their role.
  • Audit Logs: Comprehensive logs track all access to PHI for compliance purposes.
  • Authentication: Multi-factor authentication is required for all user accounts.
  • Monitoring: Regular vulnerability assessments and penetration testing are conducted to identify and mitigate risks.

Breach Notification

In the event of a data breach involving PHI:

  • We will notify affected Covered Entities within 60 calendar days of discovering the breach.
  • Notifications will include details about the breach's nature, affected data, mitigation steps taken, and recommendations for further actions.

Cookies

Our platform uses cookies solely for session management purposes. These cookies do not track users or collect any personal information beyond what is necessary for secure access.

Data Retention

We retain PHI for a minimum of six years in compliance with HIPAA regulations unless otherwise directed by the Covered Entity or required by law.

User Rights

Authorized users have the right to:

  • Access PHI stored in our platform upon request by contacting their organization's administrator.
  • Request amendments or corrections to PHI through their organization's administrator.
  • Obtain an accounting of disclosures of their PHI as required under HIPAA.

Note: Requests related to PHI must be submitted through the Covered Entity responsible for managing patient records on our platform.

Contact Information

If you have questions about this Privacy Policy or concerns about how your information is handled, please contact us at:

Email: support@notedfl.com

We currently provide support exclusively via email.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in laws, regulations, or our practices. Significant changes will be communicated via email or platform notifications before they take effect.