Healthcare & Enterprise

Privacy Policy

Last updated: March 18, 2026

1. Introduction

This Privacy Policy governs the collection and use of Protected Health Information (PHI) through Echoes Clinical, our HIPAA-compliant platform for healthcare organizations. This policy supplements our standard Privacy Policy and applies to all clinical users, organizations, and their patients.

2. HIPAA Compliance

Echoes Clinical is designed to comply with:

  • HIPAA — Health Insurance Portability and Accountability Act
  • HIPAA Security Rule — Administrative, physical, and technical safeguards
  • HIPAA Privacy Rule — Standards for PHI protection
  • HITECH Act — Enforcement of HIPAA privacy and security

We have implemented a Business Associate Agreement (BAA) framework for all healthcare customers.

3. Protected Health Information (PHI)

Through Echoes Clinical, we may process the following PHI:

  • Patient identifiers (name, date of birth, medical record number)
  • Treatment notes and clinical assessments
  • Communication records between providers and patients
  • Care plan documentation
  • Appointment and scheduling data

4. Data Handling & Storage

  • Encryption at Rest: AES-256 encryption for all stored PHI
  • Encryption in Transit: TLS 1.3 for all data transmission
  • Access Controls: Role-based access control (RBAC) with audit logging
  • Data Segregation: Dedicated tenant isolation for each organization
  • U.S. Hosting: All PHI stored in HIPAA-compliant data centers within the United States

5. Use of PHI

We use PHI solely to provide the Echoes Clinical services as directed by our customers. We do not access, use, or disclose PHI except as necessary to:

  • Provide the contracted clinical services
  • Maintain and improve our platform
  • Respond to legal requests as required by law

We do not sell PHI. We do not use PHI for marketing or advertising.

6. Business Associate Agreements

We enter into BAAs with all healthcare organizations using Echoes Clinical. Each agreement establishes our obligations as a Business Associate under HIPAA, including:

  • Proper safeguards for PHI
  • Reporting of breaches
  • Subcontractor requirements
  • Data return and destruction policies

7. Patient Rights

Echoes Clinical supports the following patient rights:

  • Access: Patients may request copies of their records
  • Amendment: Patients may request corrections to their PHI
  • Accounting of Disclosures: Patients may request a record of who has accessed their PHI
  • Restriction: Patients may request restrictions on certain uses and disclosures
  • Destruction: Patients may request secure deletion where permitted

8. Security Measures

Our security posture includes:

  • Annual penetration testing by third parties
  • Continuous security monitoring
  • Employee training on HIPAA requirements
  • Incident response and breach notification procedures
  • Multi-factor authentication for administrative access

9. Breach Notification

In the event of a breach of unsecured PHI, we will:

  • Notify the covered entity within 24 hours of discovery
  • Provide detailed incident documentation
  • Cooperate fully with investigation and remediation

10. Data Retention & Destruction

PHI is retained according to the organization's data retention policies. Upon contract termination, we provide a 30-day data export period, after which data is securely destroyed in accordance with NIST guidelines.

11. Subcontractors

All subcontractors who handle PHI are bound to equivalent protections through BAAs. We maintain a current list of subcontractors, which is available upon request.

12. Audits & Compliance

Healthcare organizations may request audit reports, security documentation, and compliance certifications. We support third-party HIPAA audits with reasonable notice.

13. Contact Us

For HIPAA compliance questions or to request a BAA:

Email: hipaa@heartechoes.io