Legal

How We Protect Your Health Information

Effective Date: March 26, 2026

Last Updated: March 26, 2026

THIS STATEMENT DESCRIBES HOW CLINICTITAN, AS A BUSINESS ASSOCIATE, HANDLES PROTECTED HEALTH INFORMATION WITHIN ITS PLATFORM. PLEASE REVIEW IT CAREFULLY.

About This Notice

ClinicTitan, Inc. ("ClinicTitan") operates a multi-tenant telehealth infrastructure platform (the "Platform") on behalf of healthcare practices ("Tenant Operators"). ClinicTitan acts as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and processes protected health information ("PHI") on behalf of Tenant Operators pursuant to Business Associate Agreements.

Your Tenant Operator (the healthcare practice providing your care) is the Covered Entity responsible for the privacy of your health information. This Notice is provided to help you understand how ClinicTitan, as a Business Associate, protects your PHI within the Platform. Your Tenant Operator may also provide you with their own Notice of Privacy Practices, which governs their use and disclosure of your health information.

If there is a conflict between this Notice and your Tenant Operator's Notice of Privacy Practices, the Tenant Operator's Notice governs with respect to their clinical use and disclosure of your PHI.

Important: Under HIPAA, a Business Associate is not required to issue a Notice of Privacy Practices. This Notice is provided voluntarily by ClinicTitan as a supplement to --- and not a substitute for --- the Notice of Privacy Practices issued by your Tenant Operator (the Covered Entity). Your Tenant Operator's Notice of Privacy Practices is the governing notice for purposes of 45 CFR § 164.520, and your Tenant Operator is responsible for distributing that notice to you as required by law.

How This Notice Is Distributed

This Notice is made available to you in the following ways:

  • On the ClinicTitan website at clinictitan.com/hipaa, where it is prominently posted and accessible at all times

  • Within the Platform at the time of patient account registration, where you are asked to acknowledge receipt

  • Upon request by contacting ClinicTitan at support@clinictitan.com --- a paper or electronic copy will be provided promptly

  • Through your Tenant Operator, who may incorporate or reference this Notice alongside their own Notice of Privacy Practices

Your Tenant Operator is responsible for providing their own Notice of Privacy Practices at your first service encounter and making it available on their website, as required by 45 CFR § 164.520(c).

1. Information We Collect and Maintain

Through the Platform, the following categories of PHI may be collected and maintained on behalf of your Tenant Operator:

  • Demographic information: Name, date of birth, gender, address, phone number, email address

  • Identification records: Government-issued ID (for identity verification)

  • Medical history: Past and current medical conditions, medications, allergies, surgical history, therapy history

  • Clinical information: Intake questionnaire responses, provider consultation notes, diagnoses, treatment plans, behavioral assessments

  • Prescription information: Medication names, dosages, quantities, directions, refill information

  • Laboratory and diagnostic information: Test orders and results (when applicable)

  • Payment information: Insurance details, payment records (tokenized --- full card numbers are never stored)

  • Communication records: Messages between you and your healthcare provider

  • Consent records: Your signed consents and authorizations

2. How Your Health Information May Be Used and Disclosed

Your Tenant Operator may direct ClinicTitan to use and disclose your PHI for the following purposes. In all cases below, ClinicTitan acts under the direction of the Tenant Operator or as required by law. ClinicTitan does not independently determine when to use or disclose your PHI for these purposes.

2.1 Treatment

Your PHI may be used and disclosed to provide, coordinate, and manage your healthcare. This includes:

  • Sharing information with your treating provider through the Platform

  • Transmitting prescription information to pharmacy partners for fulfillment

  • Sending clinical information to consulting physicians or specialist networks

  • Facilitating telehealth consultations, including video visits

2.2 Payment

Your PHI may be used and disclosed for payment-related activities, including:

  • Processing payments for services rendered

  • Managing subscriptions and recurring billing

  • Issuing refunds

  • Responding to billing inquiries

2.3 Healthcare Operations

Your PHI may be used and disclosed for the Tenant Operator's healthcare operations, including:

  • Quality assessment and improvement activities

  • Reviewing competence and qualifications of healthcare professionals

  • Conducting training programs

  • Business planning, management, and general administration

  • Compliance auditing and monitoring

2.4 As Required by Law

We may use or disclose your PHI when required to do so by federal, state, or local law.

2.5 Public Health Activities

We may disclose your PHI for public health activities, including:

  • Preventing or controlling disease, injury, or disability

  • Reporting births, deaths, and disease as required by law

  • Reporting adverse events and product defects to the FDA

  • Notifying individuals of potential exposure to a communicable disease

2.6 Health Oversight Activities

We may disclose your PHI to a health oversight agency for authorized activities including audits, investigations, inspections, and licensure actions.

2.7 Judicial and Administrative Proceedings

We may disclose your PHI in response to an order of a court or administrative tribunal, limited to the PHI expressly authorized by that order. We may also disclose PHI in response to a subpoena, discovery request, or other lawful process that is not accompanied by such an order, but only if we receive satisfactory assurances that reasonable efforts were made to notify you of the request or to secure a qualified protective order, as required by 45 CFR § 164.512(e).

2.8 Abuse, Neglect, or Domestic Violence

We may disclose your PHI to a government authority authorized by law to receive reports of abuse, neglect, or domestic violence, as permitted or required by 45 CFR § 164.512(c). If you are a minor, we may be required to report suspected child abuse or neglect to the appropriate state child protective services agency.

2.9 Law Enforcement

We may disclose your PHI to law enforcement officials under limited circumstances as permitted by 45 CFR § 164.512(f), including pursuant to a court order, warrant, or grand jury subpoena; to identify or locate a suspect, fugitive, material witness, or missing person; in response to a law enforcement request about a victim of a crime (with the victim's agreement or under limited exceptions); to report certain types of wounds, injuries, or crimes occurring on the premises; or to alert law enforcement to a death that may have resulted from criminal conduct.

2.10 To Avert a Serious Threat to Health or Safety

We may use and disclose your PHI when necessary to prevent or lessen a serious and imminent threat to your health or safety or the health or safety of the public or another person, as permitted by 45 CFR § 164.512(j). Any disclosure will be made to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.

2.11 Research

We may use or disclose your PHI for research purposes, subject to approval by an institutional review board (IRB) or privacy board that has reviewed the research proposal and established protocols to ensure the privacy of your information, or when the researcher provides adequate written assurance that the PHI is necessary for the research and will be used only for the research purpose described, as permitted by 45 CFR § 164.512(i).

2.12 Organ and Tissue Donation

We may disclose your PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation, as permitted by 45 CFR § 164.512(h).

2.13 Workers' Compensation

We may disclose your PHI as authorized by and to the extent necessary to comply with workers' compensation laws or other similar programs established by law, as permitted by 45 CFR § 164.512(l).

2.14 Specialized Government Functions

We may disclose your PHI for specialized government functions as permitted by 45 CFR § 164.512(k), including military and veterans' activities, national security and intelligence activities, protective services for the President and others, medical suitability determinations for the Department of State, and correctional institution functions related to the provision of healthcare.

2.15 Decedents

We may disclose PHI of a deceased individual to a coroner, medical examiner, or funeral director as authorized by law and as permitted by 45 CFR § 164.512(g). We may also disclose PHI to a family member or other person who was involved in the decedent's care or payment prior to death, unless doing so is inconsistent with any prior expressed preference of the decedent that is known to us.

3. Uses and Disclosures Requiring Your Written Authorization

Certain uses and disclosures of your PHI require your written authorization, including:

  • Marketing: Use of your PHI for marketing purposes (except for face-to-face communications and promotional gifts of nominal value)

  • Sale of PHI: Any disclosure of PHI where ClinicTitan or the Tenant Operator receives remuneration in exchange for the PHI

  • Psychotherapy notes: Use or disclosure of psychotherapy notes (if maintained)

  • Other uses: Any use or disclosure not described in this Notice

You may revoke your authorization in writing at any time, except to the extent that action has already been taken in reliance on the authorization.

4. Your Rights Regarding Your Health Information

You have the following rights with respect to your PHI. To exercise these rights, contact your Tenant Operator directly. ClinicTitan will assist your Tenant Operator in fulfilling these requests as required under our Business Associate Agreement.

4.1 Right to Access

You have the right to inspect and obtain a copy of your PHI that is maintained in a designated record set. Your request must be in writing. Your Tenant Operator may charge a reasonable, cost-based fee for providing copies.

The Tenant Operator may deny your request in limited circumstances. If your request is denied, you will be informed in writing of the reason and, where the denial is reviewable under 45 CFR § 164.524(a)(3), of your right to have the denial reviewed by a licensed healthcare professional who was not involved in the original decision.

4.2 Right to Request Amendment

You have the right to request that your PHI be amended if you believe it is incorrect or incomplete. Your request must be in writing and must provide a reason for the requested amendment. The Tenant Operator may deny your request if the PHI:

  • Was not created by the Tenant Operator or ClinicTitan

  • Is not part of the designated record set

  • Is not available for inspection (e.g., under an applicable exception)

  • Is accurate and complete

4.3 Right to an Accounting of Disclosures

You have the right to receive an accounting of certain disclosures of your PHI made in the six (6) years prior to your request (or a shorter period if you specify). This accounting does not include disclosures:

  • Made for treatment, payment, or healthcare operations

  • Made to you or authorized by you

  • Made for national security or intelligence purposes

  • Made to correctional institutions or law enforcement officials in certain circumstances

  • Made before the Privacy Rule compliance date applicable to your Tenant Operator (April 14, 2003 for most covered entities)

The first accounting in any 12-month period is free. Subsequent requests may be subject to a reasonable, cost-based fee.

4.4 Right to Request Restrictions

You have the right to request that we restrict the use or disclosure of your PHI for treatment, payment, or healthcare operations. You may also request restrictions on disclosures to individuals involved in your care or the payment for your care.

We are not required to agree to your request, except that we are required to agree to a restriction on disclosure to a health plan if: (a) the disclosure is for payment or healthcare operations and is not otherwise required by law, and (b) the PHI pertains solely to a healthcare item or service for which you have paid out of pocket in full.

4.5 Right to Request Confidential Communications

You have the right to request that we communicate with you about health matters in a certain way or at a certain location. For example, you may request that we contact you only at a particular email address or phone number. We will accommodate reasonable requests.

4.6 Right to a Copy of This Notice

You may request a paper or electronic copy of this Notice at any time by contacting us at support@clinictitan.com.

4.7 Right to Be Notified of a Breach

You have the right to be notified if there is a breach of your unsecured PHI. Notification will be provided in accordance with HIPAA breach notification requirements (45 CFR §§ 164.400--164.414), including:

  • A description of the breach and the types of information involved

  • Steps you should take to protect yourself

  • What we are doing to investigate, mitigate harm, and prevent future breaches

  • Contact information for further questions

5. Our Duties

5.1 Legal Duty

ClinicTitan is required by law and by its Business Associate Agreements to:

  • Maintain the privacy and security of your PHI, including the administrative, physical, and technical safeguards required by the HIPAA Security Rule (45 CFR Part 164, Subpart C)

  • Use and disclose your PHI only as permitted by our Business Associate Agreement with your Tenant Operator or as required by law (45 CFR § 164.502(a)(3))

  • Follow the terms of the Notice currently in effect (a Business Associate is not legally required to issue a Notice; ClinicTitan provides this one voluntarily and holds itself to its terms)

  • Notify your Tenant Operator, without unreasonable delay and in no case later than 60 calendar days after discovery, if there is a breach of your unsecured PHI (45 CFR § 164.410), so that your Tenant Operator can notify you as required by 45 CFR § 164.404

5.2 Minimum Necessary Standard

When using or disclosing PHI, or when requesting PHI from another entity, ClinicTitan makes reasonable efforts to limit the PHI used, disclosed, or requested to the minimum necessary to accomplish the intended purpose, except for disclosures for treatment purposes.

5.3 De-identification

When PHI is no longer needed in an identifiable form, ClinicTitan de-identifies it in accordance with HIPAA standards (45 CFR § 164.514), using either the expert determination method or the safe harbor method described in 45 CFR § 164.514(b). Information de-identified under either method is no longer PHI under HIPAA.

6. Data Security Measures

ClinicTitan implements comprehensive security measures to protect your PHI, including:

  • Encryption at rest and in transit for all PHI

  • Per-tenant database isolation --- your Tenant Operator's data is stored in a completely separate database from other Tenant Operators

  • Per-tenant file storage isolation --- clinical documents and files are stored in separate encrypted storage

  • Role-based access controls --- only authorized users can access PHI, based on their role

  • Multi-factor authentication --- required for all staff and administrative accounts

  • Comprehensive audit logging --- every access to PHI is logged with user identity, action taken, timestamp, and other details

  • Audit log retention --- maintained for a minimum of six (6) years

  • Automated PHI redaction --- PHI is automatically excluded from application error logs and analytics

  • Payment tokenization --- credit card data is tokenized client-side and never stored on ClinicTitan servers

  • Regular risk assessments --- conducted in accordance with the HIPAA Security Rule

  • Incident response procedures --- documented procedures for responding to security incidents

  • Workforce training --- all personnel with access to PHI receive privacy and security training

7. Changes to This Notice

ClinicTitan reserves the right to change this Notice at any time. Changes will apply to PHI we already have about you as well as any information we receive in the future. The revised Notice will be posted on our website with a new effective date and will be available upon request on or after the effective date. Material changes will be communicated through your Tenant Operator. We will not materially change our privacy practices to make them less protective of PHI created or received prior to a revision without providing you with advance notice and an opportunity to object, to the extent required by applicable law.

8. Complaints

If you believe your privacy rights have been violated, you may file a complaint:

With Your Tenant Operator

Contact the Tenant Operator (healthcare practice) that provides your care directly. They are the primary entity responsible for the privacy of your health information.

With ClinicTitan

ClinicTitan, Inc.

HIPAA Privacy Officer

Email: support@clinictitan.com

Website: clinictitan.com/contact

With the U.S. Department of Health and Human Services

Office for Civil Rights

U.S. Department of Health and Human Services

200 Independence Avenue, S.W.

Washington, D.C. 20201

Phone: 1-877-696-6775

Website: hhs.gov/ocr/complaints

You will not be retaliated against for filing a complaint. Neither ClinicTitan nor your Tenant Operator may intimidate, threaten, coerce, discriminate against, or take any retaliatory action against you for filing a complaint with any of the above entities, for exercising your rights under HIPAA, or for participating in any process under HIPAA, in accordance with 45 CFR § 160.316.

Time limit for complaints to HHS: Complaints to the Office for Civil Rights generally must be filed within 180 days of when you knew or should have known that the act or omission giving rise to the complaint occurred, unless the Secretary of HHS waives this time limit for good cause shown (45 CFR § 160.306(b)).

9. Contact Information

ClinicTitan, Inc.

HIPAA Privacy Officer

12900 Metcalf Avenue, Suite 140

Overland Park, KS 66213

Email: support@clinictitan.com

Website: clinictitan.com/contact

For questions about how your specific Tenant Operator uses your health information, please contact your Tenant Operator directly. Your Tenant Operator's contact information is available through the Platform or from the materials provided to you when you enrolled in their practice.