Privacy Policy
1. Introduction
This Privacy Policy describes how Aurelianware and its Cloud Health Office platform ("we," "us," or "our") collect, use, disclose, and protect information when you use our HIPAA-compliant EDI integration services ("Services").
Cloud Health Office is designed specifically for healthcare organizations and processes Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations.
2. Information We Collect
2.1 Customer Account Information
When you create an account or purchase our Services, we collect:
- Organization name and contact information
- Administrator names and email addresses
- Billing information and payment details
- Azure subscription and tenant information
- Technical configuration preferences
2.2 Protected Health Information (PHI)
As a Business Associate under HIPAA, we process PHI on behalf of our Covered Entity customers, including:
- Patient/Member identifiers (name, date of birth, member ID)
- Provider information (NPI, names, addresses)
- Clinical information (diagnosis codes, procedure codes, dates of service)
- Claim and prior authorization data
- Attachment contents (medical records, supporting documentation)
2.3 Usage Data
We automatically collect certain information about how you interact with our Services:
- API call logs (without PHI content)
- Feature usage patterns
- Performance and error metrics
- Session duration and frequency
2.4 Technical Data
- IP addresses (for security and access control)
- Browser type and version
- Device information
- Azure resource identifiers
3. How We Use Information
3.1 Service Delivery
- Provision and operate the Cloud Health Office platform
- Process EDI transactions (X12 275, 277, 278, 837)
- Provide FHIR R4 API services
- Maintain and improve service performance
- Provide customer support
3.2 HIPAA-Regulated Uses
PHI is processed solely for:
- Treatment, Payment, and Healthcare Operations (TPO) activities as directed by Covered Entities
- Compliance with legal and regulatory requirements
- Purposes authorized by the applicable Business Associate Agreement (BAA)
3.3 Analytics and Improvement
We use aggregated, de-identified data to analyze usage patterns, develop new features, benchmark performance, and conduct research and development.
3.4 Communications
We may use your contact information to send service notifications and product updates, respond to support requests, and send marketing communications (with consent).
4. Information Sharing and Disclosure
4.1 No Sale of PHI
We do not sell, rent, or trade Protected Health Information under any circumstances.
4.2 Service Providers and Subcontractors
We may share information with trusted service providers who assist in operating our Services. All subcontractors processing PHI are bound by Business Associate Agreements.
4.3 Legal Requirements
We may disclose information when required by law, including HIPAA-permitted disclosures, government audit requests, or court orders.
4.4 Business Transfers
In the event of a merger, acquisition, or asset sale, customer information may be transferred to the acquiring entity, subject to continued compliance with this Privacy Policy and applicable BAAs.
5. HIPAA Compliance
5.1 Business Associate Agreement
Before processing any PHI, we execute a Business Associate Agreement (BAA) with each Covered Entity customer that specifies permitted uses and disclosures of PHI, safeguards for PHI protection, breach notification requirements, subcontractor requirements, and termination and data return/destruction procedures.
5.2 Administrative Safeguards
- Designated HIPAA Privacy and Security Officers
- Workforce training on HIPAA requirements
- Policies and procedures for PHI handling
- Sanctions for policy violations
5.3 Physical Safeguards
- Azure datacenter security (SOC 2 Type II certified)
- Facility access controls
- Workstation security policies
- Device and media controls
5.4 Technical Safeguards
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Access controls and authentication
- Audit logging and monitoring
- Automatic session termination
- Emergency access procedures
5.5 Breach Notification
- We notify affected Covered Entities within 24 hours of discovery
- We cooperate in breach investigation and mitigation
- We maintain breach documentation for 6 years
- We report to HHS as required by the Breach Notification Rule
6. Data Retention
6.1 PHI Retention
PHI is retained in accordance with customer data retention policies, applicable BAA requirements, and the HIPAA minimum 6-year retention period for compliance documentation. Claims data and EDI transaction archives are retained for 7 years (configurable from 1 to 10 years).
6.2 Account Information
Customer account information is retained during active subscription and for 7 years after termination for compliance and audit records.
6.3 Application and Audit Logs
- Application logs: 365 days (performance metrics, error logs, operational data)
- Audit logs: 7 years (access logs, PHI disclosure tracking, security events)
- Log sanitization: Control characters are stripped to mitigate log forging; PHI redaction is applied within PHI-aware logging components
6.4 Data Deletion
Upon termination of services, PHI is securely deleted within 90 days (or returned per BAA within 60 days if requested). Backups are purged according to retention schedules (maximum 90 days). Audit logs are retained 7 years for compliance. De-identified, aggregated data may be retained indefinitely.
7. Data Security
7.1 Security Measures
- Microsoft Azure SOC 2 Type II certified infrastructure
- Premium Key Vault with HSM-backed encryption keys
- Private endpoints for network isolation
- Role-Based Access Control (RBAC)
- Multi-factor authentication
- Regular security assessments and penetration testing
7.2 Security Certifications
- HIPAA compliance attestation
- SOC 2 Type II certification (via Azure)
- ISO 27001 certification (via Azure)
7.3 Incident Response
We maintain a 24/7 incident response program including incident classification and escalation, forensic investigation capabilities, communication protocols for customers, and post-incident analysis and remediation.
8. Your Rights
8.1 HIPAA Individual Rights
As a Business Associate, we support Covered Entities in fulfilling individual rights including the right to access PHI, request amendment, accounting of disclosures, request restrictions, and confidential communications. Individuals should contact their Covered Entity (health plan/provider) to exercise these rights.
8.2 Customer Rights
- Access your account information
- Update or correct your information
- Request data export in standard formats
- Close your account (subject to retention requirements)
- Opt out of marketing communications
8.3 California Privacy Rights (CCPA/CPRA)
California residents have additional rights:
- Right to Know — what personal information is collected, used, shared, and sold
- Right to Delete — delete personal information (subject to legal exceptions)
- Right to Opt-Out — opt out of sale or sharing (we do not sell or share personal information)
- Right to Correct — correct inaccurate personal information
- Right to Limit Use — limit use and disclosure of sensitive personal information
- Right to Non-Discrimination — no discriminatory treatment for exercising rights
To exercise these rights, email privacy@cloudhealthoffice.com with the subject "CCPA/CPRA Request". We respond to verified requests within 45 days.
9. Children's Privacy
Our Services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. PHI of minors is processed solely as directed by Covered Entities in accordance with applicable law.
10. International Data Transfers and GDPR
10.1 Data Location
By default, customer data is processed and stored in the Azure region selected during deployment (United States regions). Data does not leave the selected geographic region unless explicitly configured by the customer.
10.2 European Union and GDPR
Legal Basis for Processing:
- Contractual necessity — processing to perform contractual obligations
- Legitimate interests — fraud prevention, security
- Legal compliance — HIPAA, tax laws
- Consent — marketing communications
EU Resident Rights: right of access, rectification, erasure, restriction of processing, data portability, right to object, and right not to be subject to automated decision-making.
Data Protection Officer: dpo@cloudhealthoffice.com
10.3 Cross-Border Transfers
If data transfer outside the United States is necessary, we utilize Standard Contractual Clauses (SCCs) approved by the European Commission, implement additional safeguards per the Schrems II decision, and comply with applicable data localization requirements.
10.4 UK GDPR
For UK-based customers, we comply with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018. The same rights and protections apply as described above.
11. Cookies and Tracking Technologies
11.1 Use of Cookies
Essential Cookies (always active): authentication and session management, security and fraud prevention, load balancing.
Analytics Cookies (opt-in): website usage analytics, feature usage tracking, performance monitoring. We use Plausible Analytics, a privacy-focused, GDPR-compliant analytics tool that does not use cookies and does not track individuals.
Marketing Cookies (opt-in): campaign attribution.
11.2 Cookie Management
You can control cookie preferences through your browser settings or our cookie consent banner on first visit.
11.3 Do Not Track (DNT)
We honor Do Not Track (DNT) browser signals for analytics and marketing cookies. Essential cookies remain active to ensure service functionality.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on our website at cloudhealthoffice.com/legal/privacy-policy with the updated effective date. Material changes will be communicated to customers via email at least 30 days before the effective date.
Your continued use of the Services after changes become effective constitutes acceptance of the updated Policy.
13. Contact Information
| Role | Contact |
|---|---|
| Privacy Office | privacy@cloudhealthoffice.com |
| HIPAA Privacy Officer | hipaa-privacy@cloudhealthoffice.com |
| HIPAA Security Officer | hipaa-security@cloudhealthoffice.com |
| Data Protection Officer (GDPR) | dpo@cloudhealthoffice.com |
| General Support | support@cloudhealthoffice.com |
Appendix A: Summary of PHI Handling
| Category | Data Elements | Use | Retention |
|---|---|---|---|
| Member Data | Name, DOB, Member ID | EDI processing | Per BAA |
| Provider Data | NPI, Name, Address | EDI processing | Per BAA |
| Clinical Data | Dx/CPT codes, DOS | EDI processing | Per BAA |
| Claim Data | Claim #, Status | EDI processing | 7 years |
| Attachments | Medical records | 275 processing | 7 years |
Appendix B: Third-Party Service Providers (Subprocessors)
| Provider | Service | BAA | Certification | Data Location |
|---|---|---|---|---|
| Microsoft Azure | Cloud Infrastructure | Yes | SOC 2, ISO 27001, HIPAA | United States |
| Application Insights | Monitoring | Yes | SOC 2 (via Azure) | United States |
| Service Bus | Messaging | Yes | SOC 2 (via Azure) | United States |
| Stripe, Inc. | Payment Processing | No | PCI DSS Level 1 | United States |
| SendGrid (Twilio) | Transactional Email | Yes | SOC 2 Type II | United States |
We will notify customers of any additions or changes to subprocessors with at least 30 days' advance notice. Customers may object to new subprocessors within 15 days by contacting privacy@cloudhealthoffice.com.