Carelytics

Privacy Policy

Effective Date: January 1, 2025  ·  Last Updated: April 28, 2026

1. Introduction and Who We Are

Carelytics Inc. ("Carelytics," "we," "us," or "our") operates the Carelytics platform — a cloud-based software-as-a-service solution designed exclusively for home health agencies (HHAs) and other home-care providers ("Covered Entities" or "Customers").

Carelytics serves as a Business Associate as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). This means we create, receive, maintain, and transmit Protected Health Information (PHI) on behalf of our Customers solely to provide our services, and we are bound by the requirements of those laws together with the terms of each Customer's signed Business Associate Agreement (BAA).

This Privacy Policy explains what information we collect, how we use and protect it, and the rights available to visitors, Customers, and end users of the Carelytics platform. This policy applies to carelytics.health and all associated subdomains.

2. Information We Collect

2.1 Protected Health Information (PHI)

On behalf of our Customers, we process PHI that may include — but is not limited to:

  • Patient names, dates of birth, addresses, phone numbers, and Social Security numbers
  • Medical record numbers, health plan beneficiary numbers, and insurance identifiers
  • Clinical assessments, diagnoses, treatment plans, and OASIS assessments
  • Skilled nursing notes, therapy notes, and other clinical documentation
  • Electronic Visit Verification (EVV) records including visit times and GPS coordinates
  • Billing records, claims data, remittance information, and payment details
  • Authorization records and payer information
  • Medication records, allergy lists, and care plans

PHI is collected and used exclusively to provide contracted services to the Customer. We do not use PHI for our own marketing, analytics, or product development, or for any purpose outside the scope of the Customer's BAA; the only exception is data that has been de-identified in accordance with 45 CFR §164.514, which is no longer PHI.

2.2 Account and Business Information

We collect information provided by Customers and their authorized users when registering for and using the platform, including:

  • Organization name, address, NPI, and Medicare/Medicaid provider numbers
  • Administrator and staff names, email addresses, and professional credentials
  • Billing and payment information for subscription fees
  • Platform configuration settings and role/permission assignments

2.3 Technical and Usage Data

When users access the platform we automatically collect:

  • IP address, browser type, operating system, and device identifiers
  • Pages visited, features used, session duration, and click paths
  • Error and performance logs (used exclusively for stability and security monitoring)
  • Authentication timestamps and session tokens

3. HIPAA Compliance and Our Role as a Business Associate

Carelytics is fully compliant with the HIPAA Privacy Rule (45 CFR Part 164, Subparts A and E), Security Rule (45 CFR Part 164, Subpart C), and Breach Notification Rule (45 CFR Part 164, Subpart D), as amended by the HITECH Act and the Omnibus Rule (2013).

Business Associate Agreement (BAA): Every Customer must execute a signed BAA with Carelytics before PHI is processed on the platform. The BAA defines the permitted uses and disclosures of PHI, safeguards Carelytics will maintain, and the obligations of both parties. Customers who have not executed a BAA may not store PHI in Carelytics.

Minimum Necessary Standard: Carelytics limits access to PHI to the minimum necessary to carry out the contracted services. Role-based access controls ensure each user sees only the information required for their function.

HITECH Accountability: Carelytics extends the same privacy and security obligations to all sub-contractors and sub-processors who access PHI, ensuring the chain of accountability required by HITECH.

4. How We Use Information

We use the information we collect for the following purposes:

  • Delivering, operating, and maintaining the Carelytics platform
  • Enabling clinical documentation, scheduling, billing, and payroll workflows
  • Processing CMS OASIS submissions, EVV data, and claims on behalf of Customers
  • Providing customer support and troubleshooting technical issues
  • Detecting, preventing, and responding to security incidents and fraud
  • Meeting legal and regulatory compliance obligations
  • Sending administrative communications (service updates, security notices, invoices)
  • Improving platform performance using aggregated, de-identified data only

We will never sell, rent, or trade PHI or personal information to any third party. We do not use PHI for advertising, marketing profiling, or any commercial purpose unrelated to the services described above.

5. How We Share Information

We share information only in the following circumstances:

  • With Customers: PHI and account data are shared with the Customer (the home health agency) whose account it belongs to, as instructed by that Customer.
  • With Sub-processors: We use a limited number of vetted, HIPAA-compliant sub-processors to support our infrastructure and operations (see Section 6). Each has a signed Business Associate Agreement or equivalent data protection addendum with us.
  • When Required by Law: We may disclose information when required by valid legal process (court order, subpoena, regulatory demand) after providing notice to the Customer where legally permitted.
  • In a Business Transfer: In the event of a merger, acquisition, or sale of all or substantially all of our assets, PHI will be transferred only to a successor who has executed a BAA with all affected Customers and meets equivalent HIPAA obligations.
  • With Your Consent: Where we have your explicit written consent to a specific disclosure.

6. Infrastructure and Sub-processors

Carelytics is deployed on Microsoft Azure (Microsoft Corporation), a HIPAA-eligible cloud platform operating under Microsoft's Business Associate Agreement. All data — including PHI — is stored and processed within Azure datacenters located in the United States.

Key infrastructure components and their roles:

Service               Provider                                 Purpose
Cloud Hosting         Microsoft Azure                          Application servers, databases, file storage
Database              Azure PostgreSQL                         Encrypted relational data storage (PHI)
Blob Storage          Azure Blob Storage                       Documents, clinical exports, signatures
Error Monitoring      Sentry (Business)                        Application error tracking (PHI scrubbed before transmission)
Transactional Email   Microsoft Azure Communication Services   System notifications, password resets

All sub-processors are subject to appropriate BAAs or Data Processing Agreements. PHI is never transmitted to sub-processors beyond what is necessary to deliver the services.

7. Security Safeguards

Carelytics implements comprehensive administrative, physical, and technical safeguards required by the HIPAA Security Rule, including:

  • Encryption in transit: All data transmitted between users and Carelytics is encrypted using TLS 1.2 or higher.
  • Encryption at rest: PHI stored in databases and file storage is encrypted at rest using AES-256.
  • Access controls: Role-based access control (RBAC) ensures each user accesses only the minimum PHI necessary for their role.
  • Multi-tenant isolation: Each Customer's data is logically isolated so no Customer can access another's records.
  • Audit logging: All access to and changes made to PHI are logged with user identity, timestamp, and IP address.
  • Automatic session timeout: Inactive sessions are automatically terminated to prevent unauthorized access.
  • Unique user identification: Every user account requires unique credentials. Shared logins are prohibited.
  • Password security: Passwords are hashed using industry-standard algorithms and are never stored in plaintext.
  • Workforce training: All Carelytics personnel with access to PHI complete HIPAA training annually.

Despite our robust safeguards, no method of electronic transmission or storage is 100% secure. We continuously monitor for threats and update our security practices in response to evolving risks.

8. Breach Notification

In the event of a breach of unsecured PHI, Carelytics will comply with the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) and HITECH Act requirements:

  • Notice to Covered Entities: We will notify the affected Customer without unreasonable delay and no later than 60 days after discovering the breach, providing the information required by 45 CFR §164.410.
  • Notice to Patients: The Customer (Covered Entity) is responsible for providing timely breach notification to affected individuals and, where required, to the Secretary of Health and Human Services.
  • Media Notice: For breaches affecting 500 or more residents of a state or jurisdiction, the Customer is responsible for notifying prominent media outlets in that state.
  • HHS Reporting: The Customer is responsible for reporting breaches to the HHS Office for Civil Rights as required by law.

Carelytics maintains a written breach response plan and conducts regular testing of incident response procedures. To report a suspected security incident, contact hi@carelytic.ai.

9. Data Retention and Deletion

PHI stored in Carelytics is retained in accordance with:

  • Applicable federal regulations: Medicare conditions of participation require home health agencies to retain clinical records for 5 years from the date of service (or 3 years after the death of a patient, whichever is longer).
  • State law: Where state law requires longer retention periods, those periods govern.
  • Customer instructions: Customers may request deletion of their data upon termination of the service agreement, subject to mandatory retention periods described above.

Upon termination of service: Within 30 days of a written request following contract termination, Carelytics will provide the Customer with a complete export of their data in a portable format (JSON/CSV). Once the Customer confirms receipt of the export, or 90 days after termination, whichever comes first, Carelytics will securely destroy all Customer PHI, unless retention is required by law.

Backups are purged on a rolling basis consistent with the above retention schedules. Audit logs (which contain access metadata but are stripped of PHI content) may be retained longer for security and compliance purposes.

10. Cookies and Tracking Technologies

Carelytics uses only essential, functional cookies required to operate the platform. We do not use advertising cookies, third-party tracking pixels, or behavioral analytics cookies.

Cookie      Purpose                                        Type
sessionid   Maintains authenticated session state          Essential
csrftoken   Protects against cross-site request forgery    Essential (Security)

11. Patient Rights Under HIPAA

If you are a patient whose PHI is processed through Carelytics, your rights regarding your health information are held and enforced by the home health agency (Covered Entity) that provides your care — not by Carelytics directly. To exercise any of the following rights, please contact your home health agency directly:

  • Right to access: Obtain a copy of your health records (45 CFR §164.524)
  • Right to amend: Request corrections to your health information (45 CFR §164.526)
  • Right to accounting of disclosures: Receive a list of disclosures of your PHI (45 CFR §164.528)
  • Right to restrict: Request restrictions on certain uses and disclosures (45 CFR §164.522)
  • Right to confidential communications: Request that communications reach you in a specific way
  • Right to notice: Receive the agency's Notice of Privacy Practices
  • Right to file a complaint: Submit a complaint to the HHS Office for Civil Rights at hhs.gov/ocr

Carelytics will cooperate with verified requests from Covered Entities acting on behalf of patients for access, amendment, or accounting of disclosures.

12. Children's Privacy

The Carelytics platform is a business-to-business service designed for use by healthcare organizations and their licensed, professional staff. We do not knowingly collect personal information from individuals under the age of 13. Clinical records of pediatric patients are processed exclusively at the direction of the treating agency, in accordance with applicable HIPAA and COPPA requirements.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other business reasons. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Notify Customer administrators via email or an in-platform notice at least 30 days before the change takes effect
  • Where required by HIPAA, obtain Customer consent before implementing changes that would materially alter PHI handling under any existing BAA

14. Contact Us

For questions about this Privacy Policy, to report a suspected breach, or to make a HIPAA-related request, please contact:

Carelytics Inc. — Privacy / HIPAA Compliance Officer

Email: hi@carelytic.ai

Security Incidents: hi@carelytic.ai

General Support: hi@carelytic.ai

carelytics.health