Privacy Policy

Effective Date: October 4, 2025

This Privacy Policy describes how ClinicFlowVA (“the Company,” “we,” “us,” or “our”) collects, uses, and discloses information in connection with the healthcare-focused virtual assistant and administrative services we provide. We are committed to protecting the privacy of our clients, their patients (where applicable), and the data entrusted to us. We adhere to HIPAA standards and best practices for securing Protected Health Information (PHI).

1. Information We Collect

In the course of providing our services, we may collect information that falls into the following categories:

• Client Information: This includes business and personal contact details such as name, title, practice/clinic name, mailing address, email address, and phone number, used primarily for contractual and billing purposes.
• Patient-Related Information (Protected Health Information – PHI): When performing Services like scheduling, billing support, prior authorization assistance, or clinical documentation (scribing), we process PHI strictly as a **Business Associate** of the Client and only to the extent necessary to perform the Services defined in our agreements.
• Project-Specific Data: This includes necessary access credentials (e.g., for EHRs/EMRs or practice management systems), API keys, custom system configurations, and workflow documentation required to complete the engagement. This data is handled as highly confidential.
• Usage Data: We collect technical and performance metrics, system logs, and error reports related to the delivery of our services to maintain, troubleshoot, and improve system performance and reliability.
• Website Anonymous Information: We gather non-identifying, aggregated website analytics (such as visit timestamps, pages visited, and traffic sources). This data is used solely for statistical tracking, performance measurement, and website improvement and cannot be used to identify any individual.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Service Delivery: To successfully provide, maintain, and continually improve our specialized healthcare administrative and virtual assistant Services, including all functions specified in our Service Agreements.
• Communication: To manage your projects, provide important service updates, respond promptly to inquiries, and facilitate seamless onboarding and training for our Virtual Assistants.
• Billing and Administration: To manage client accounts, process payments, prepare and issue invoices, and maintain legally required accurate business records.
• Security & Compliance: To proactively protect against unauthorized access, investigate and respond to potential security incidents, enforce our agreements (including Business Associate Agreements – BAAs), and maintain strict compliance with all applicable healthcare privacy and security laws, including HIPAA.

3. How We Share Your Information

We do not sell, rent, or trade your personal or business information. We may disclose your information only in the following limited circumstances:

• With Your Consent: We share information with third parties only when we have received your explicit, written consent to do so.
• Service Providers: We may share data with vetted third-party service providers (e.g., secure cloud hosting, encrypted communication platforms, payment processors). These providers are contractually bound (and required to sign **BAAs** where PHI is involved) to protect the information and use it exclusively for the services for which they were engaged.
• Legal Requirements: We will disclose information if required by law, regulation, or mandatory legal process (such as a valid subpoena, court order, or government request).

4. Data Security and HIPAA Compliance

• Compliance Framework: ClinicFlowVA operates as a **Business Associate** under HIPAA, obligating us to safeguard all Protected Health Information (PHI) we process on behalf of our Covered Entity Clients.

We implement robust technical, administrative, and physical security measures to protect all information, especially PHI, from unauthorized access, use, alteration, or disclosure. Our security framework includes:

• Strict access controls and authorization protocols.
• Use of industry-standard encrypted communications.
• Mandatory and ongoing HIPAA training for all Virtual Assistants and personnel.
• Enforcement of confidentiality and Non-Disclosure Agreements (NDAs) with all staff members.

While we use commercially acceptable means to protect your data, no system is entirely risk-free. We cannot guarantee absolute security of data transmitted over the internet or stored electronically; however, we continuously strive to implement and update our security protocols.

5. Data Retention

We retain personal and project-related information only as long as is strictly necessary to fulfill the purposes described in this Privacy Policy, provide the contracted Services, and comply with our mandatory legal, regulatory, and contractual obligations. When retention is no longer necessary, we securely dispose of or anonymize the information in line with established data retention and security policies.

6. Your Privacy Rights

Depending on your jurisdiction and the nature of the information we hold, you may have rights concerning your personal information, including:

• Right to Access: The right to request a copy of the personal information we maintain about you.
• Right to Rectification: The right to request that we correct inaccurate or incomplete information.
• Right to Erasure: The right to request the deletion of your personal information, subject to overriding legal and contractual retention obligations (e.g., records related to financial or regulatory compliance).

To inquire about or exercise these rights, please contact us using the information provided below. We will handle all requests in accordance with applicable laws and regulations.

7. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy as required by changes in our business practices or legal obligations. When we make material changes, we will post the revised policy on our website with a new and clearly indicated Effective Date. We encourage you to review this Privacy Policy periodically to stay informed.

8. Contact Us

If you have any questions, concerns, or comments about this Privacy Policy, our compliance practices, or our handling of your information, please contact us at:

Website: www.clinicflowva.com