
Privacy Policy

Effective Date: March 31, 2026

1. Introduction

Welcome to AlbaMed, a healthcare management platform operated by Alba Digital Development LLC ("we," "us," or "our"). AlbaMed provides cloud-based software solutions for behavioral health organizations, including billing and operations management, clinical workflow tools, credentialing, human resources, and patient records management.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you access or use our platform at albamed.org and its associated subdomains (collectively, the "Service"). It applies to all users of the Service, including administrators, clinical staff, billing personnel, and any individual whose information is processed through our platform.

By accessing or using AlbaMed, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this policy, please do not access or use the Service.

2. Information We Collect

We collect information in several categories depending on how you interact with our Service:

Account Information

  • Full name, email address, phone number, and job title
  • Organization name, NPI numbers, and tax identification numbers
  • Login credentials (passwords are hashed and never stored in plaintext)
  • Role and permission assignments within your organization

Protected Health Information (PHI)

  • Patient demographics: name, date of birth, Social Security number, address, and contact information
  • Clinical records: diagnoses, treatment plans, progress notes, assessments, and service documentation
  • Insurance information: payer details, member IDs, group numbers, eligibility data, and claims history
  • Referral sources and related clinical coordination data

Usage Data

  • IP address, browser type, operating system, and device information
  • Pages visited, features used, timestamps, and session duration
  • Audit logs capturing user actions within the platform for compliance and security purposes

Billing and Financial Data

  • Service billing records, invoices, payment histories, and contract details
  • Employee payroll-related information such as pay rates, hours worked, and compensation records

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To provide, maintain, and improve the AlbaMed platform, including clinical documentation, billing and claims processing, credentialing, and human resources management
  • Authentication & Access Control: To verify your identity, manage user accounts, enforce role-based access controls, and maintain platform security
  • Billing & Claims Processing: To facilitate insurance eligibility verification, claims submission, payment posting, and financial reporting for your organization
  • Compliance & Auditing: To maintain audit trails, generate compliance reports, and fulfill legal and regulatory obligations under HIPAA, state healthcare regulations, and other applicable laws
  • Analytics & Improvement: To analyze aggregate, de-identified usage patterns to improve platform performance, develop new features, and enhance user experience
  • Communications: To send you service-related notices, security alerts, system updates, and support communications
  • Clinical Decision Support: To power AI-assisted clinical tools that help clinicians with documentation, risk assessment, and compliance checking, always under clinician review and supervision

4. Data Protection & Security

We implement comprehensive technical, administrative, and physical safeguards to protect your information:

Encryption

  • All Protected Health Information (PHI) is encrypted at rest with AES-256-CBC using unique encryption keys
  • All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS)
  • Database connections are encrypted in transit using TLS, authenticated with SSL/TLS certificates

Access Controls

  • Role-based access control (RBAC) ensures users can only access information necessary for their job functions
  • Granular permission sets for view, create, edit, and delete operations on each module
  • Multi-tenant architecture ensures complete data isolation between organizations
  • Comprehensive audit logging tracks all user actions, including data access, modifications, and deletions

Infrastructure Security

  • Hosted on Google Cloud Platform, which maintains SOC 1, SOC 2, SOC 3, ISO 27001, and HIPAA compliance certifications
  • Automated security patching and infrastructure monitoring
  • Regular vulnerability assessments and security reviews
  • Database backups with point-in-time recovery capabilities

Organizational Safeguards

  • Workforce training on HIPAA requirements and data handling procedures
  • Incident response procedures for potential data breaches, including notification protocols compliant with the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414)
  • Regular risk assessments as required under the HIPAA Security Rule

5. Protected Health Information (PHI)

As a Business Associate under HIPAA, we handle PHI with the highest level of care and in accordance with federal regulations:

Business Associate Agreements (BAAs)

  • We execute Business Associate Agreements with all Covered Entities (your organization) prior to processing any PHI
  • We maintain BAAs with all downstream subcontractors and third-party service providers who may access PHI on our behalf
  • Our BAAs comply with the requirements of 45 CFR 164.504(e)

Minimum Necessary Standard

  • We apply the HIPAA minimum necessary standard to all uses and disclosures of PHI
  • Our platform's role-based access controls enforce the minimum necessary principle by limiting access to only the PHI required for each user's specific job function
  • Automated systems are configured to access only the minimum data elements necessary for processing

De-Identification

  • When PHI is used for analytics, quality improvement, or product development, we de-identify the data in accordance with the HIPAA Safe Harbor method (45 CFR 164.514(b)(2))
  • De-identified data is stripped of all 18 HIPAA identifiers before use in aggregate analyses
  • We never re-identify de-identified data without explicit authorization

PHI Disposal

  • Upon termination of services or at the Covered Entity's request, PHI is securely destroyed or returned in accordance with our BAA obligations and applicable retention requirements
  • Electronic PHI disposal follows NIST SP 800-88 guidelines for media sanitization

6. Data Sharing & Third-Party Processors

We do not sell, rent, or trade your personal information or PHI to any third party. Period.

We may share information only in the following limited circumstances:

Service Providers (Subcontractors)

  • Google Cloud Platform: Cloud infrastructure, hosting, storage, and database services. Google maintains HIPAA compliance and executes a BAA with us.
  • Stedi, Inc.: Insurance eligibility verification and EDI transaction processing. Stedi processes limited insurance-related data elements necessary for eligibility checks.
  • All subcontractors are bound by Business Associate Agreements and are required to implement appropriate safeguards for any PHI they process.

Legal Obligations

  • We may disclose information if required by law, regulation, subpoena, court order, or other governmental request
  • We may disclose information to comply with HIPAA's permitted uses and disclosures as outlined in 45 CFR 164.512
  • We will notify you of any such disclosure to the extent permitted by law

Business Transfers

  • In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy commitments described in this policy and applicable BAA terms

With Your Consent

  • We may share information for any purpose with your explicit, informed consent

7. Data Retention

We retain different categories of data for different periods based on legal requirements and business necessity:

  • Protected Health Information: Retained for a minimum of six (6) years from the date of creation or the date when it was last in effect, as required by HIPAA (45 CFR 164.530(j)). State laws may require longer retention periods, in which case the longer period applies.
  • Account Information: Retained for the duration of your organization's active subscription, plus three (3) years following termination for legal and compliance purposes.
  • Audit Logs: Retained for a minimum of six (6) years to comply with HIPAA audit trail requirements.
  • Usage Data: Aggregated and de-identified usage data may be retained indefinitely for analytics purposes. Personally identifiable usage data is retained for no more than two (2) years.
  • Billing Records: Retained for seven (7) years in accordance with IRS record-keeping requirements and applicable state regulations.

Deletion Process: When data reaches the end of its retention period or upon a valid deletion request, we securely destroy the data using industry-standard methods. For electronic records, this includes cryptographic erasure or overwriting. You will receive confirmation once the deletion process is complete.

8. Your Rights

Depending on your jurisdiction and role, you may have the following rights regarding your information:

For All Users:

  • Access: You may request a copy of the personal information we hold about you.
  • Correction: You may request that we correct inaccurate or incomplete personal information.
  • Deletion: You may request deletion of your personal information, subject to legal retention requirements and our obligations under applicable BAAs.
  • Portability: You may request your data in a structured, commonly used, machine-readable format.
  • Opt-Out: You may opt out of non-essential communications at any time. Note that you cannot opt out of service-critical communications (such as security alerts and billing notices).

For Patients (via Covered Entity):

  • Patients' HIPAA rights, including the right to access, amend, and receive an accounting of disclosures of their PHI, are exercised through the Covered Entity (your healthcare organization), not directly through AlbaMed.
  • We will cooperate with Covered Entities to fulfill patient rights requests in accordance with HIPAA requirements and our BAA obligations.

To exercise any of these rights, contact us at support@albadigitaldevelopment.com. We will respond to verified requests within thirty (30) days.

9. Cookies & Tracking Technologies

AlbaMed uses a limited set of cookies and similar technologies to operate the platform:

  • Essential Session Cookies: Required for authentication, session management, and CSRF protection. These cookies are strictly necessary for the platform to function and cannot be disabled.
  • Security Cookies: Used to detect and prevent fraudulent activity, brute-force attacks, and unauthorized access attempts.
  • Preference Cookies: Store your interface preferences such as timezone, language, and display settings to provide a consistent user experience.

We do not use third-party advertising trackers, social media pixels, or cross-site tracking cookies. We do not participate in ad networks or sell browsing data.

If we implement analytics tools in the future, they will use de-identified, aggregate data only and this policy will be updated accordingly.

10. Children's Privacy

AlbaMed is a professional healthcare management platform designed for use by authorized personnel within behavioral health organizations. The platform is not intended for use by individuals under the age of eighteen (18).

We do not knowingly collect personal information directly from minors. If PHI of minor patients is processed through AlbaMed, it is entered and managed by authorized clinical staff within a Covered Entity, subject to the applicable BAA and all HIPAA protections for minors' health information.

If you believe that personal information of a minor has been submitted to AlbaMed without proper authorization, please contact us immediately at support@albadigitaldevelopment.com and we will take steps to delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

  • We will update the "Effective Date" at the top of this page.
  • For material changes that affect how we handle PHI or significantly alter your rights, we will provide prominent notice through the platform (such as a banner notification upon login) at least thirty (30) days before the changes take effect.
  • For material changes, we will also notify organization administrators via email.
  • Continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, your personal information, or our data practices, please contact us:

  • Email: support@albadigitaldevelopment.com
  • Company: Alba Digital Development LLC
  • Website: albamed.org

For HIPAA-related inquiries, privacy complaints, or to report a potential data breach, please email us at the address above with the subject line "HIPAA Privacy Inquiry" and we will respond within five (5) business days.

If you believe your privacy rights have been violated, you also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) at hhs.gov/hipaa/filing-a-complaint.

© 2026 AlbaMed. All rights reserved.