Privacy Policy

Last Updated: January 1, 2025

1. Introduction

Heim Health, Inc. ("Heim Health," "we," "our," or "us"), headquartered at 500 Boylston Street, Suite 1000, Boston, MA 02116, is committed to protecting the privacy and security of personal information, including protected health information, that we collect, process, and maintain in connection with our digital health platform and related services. This Privacy Policy describes how we collect, use, share, and protect your information when you interact with our website, products, and services.

We operate as both a healthcare technology company and, in many of our service relationships, as a Business Associate to covered healthcare entities as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations. This Privacy Policy applies to the information we collect through our website at heimxhealth.org, our digital health platform applications, and all associated services. It does not supersede the terms of any Business Associate Agreement between Heim Health and a covered entity partner, nor does it limit the privacy rights available to patients under applicable federal and state law.

By using our website or services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described in this policy, please do not use our website or services.

2. Information We Collect

We collect different categories of information depending on your relationship with us and how you interact with our services.

2.1 Information You Provide Directly

When you contact us through our website, request a product demonstration, create an account on our platform, or communicate with our team, we may collect: your name and job title; business or organizational affiliation; professional contact information including email address and telephone number; information about your organization's care delivery operations and technology environment; payment and billing information for services; and any other information you choose to provide in communications with us.

2.2 Protected Health Information

When Heim Health provides services to covered entity customers — health systems, physician practices, accountable care organizations, and other healthcare providers — we process protected health information ("PHI") as a Business Associate. PHI includes individually identifiable health information relating to a patient's past, present, or future physical or mental health conditions, the provision of healthcare, or payment for healthcare services. Our collection, use, and disclosure of PHI is governed by our executed Business Associate Agreements with covered entity customers and by HIPAA. We do not collect PHI directly from individual patients through our public website.

2.3 Automatically Collected Information

When you visit our website, we automatically collect certain technical information through cookies, web beacons, and similar tracking technologies. This includes: Internet Protocol (IP) address; browser type, version, and language settings; operating system and device type; pages visited on our website, including date and time of access; referring website addresses; and session duration and interaction patterns. We use this information to analyze website performance, improve user experience, and understand how visitors engage with our content. Please see our Cookie Policy for detailed information about the cookies and tracking technologies we use.

2.4 Information from Third Parties

We may receive information about you from third-party sources, including business partners, analytics providers, and marketing platforms, consistent with applicable law and their respective privacy policies. We may combine this information with information we collect directly to improve our services and communications.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery and Operations

We use contact and organizational information to respond to inquiries, provide product demonstrations, process service agreements, deliver our digital health platform services to customers, provide technical support and customer success services, process payments and manage billing, and communicate with customers and partners about service updates, maintenance, and changes.

3.2 Product Development and Improvement

We use aggregated, de-identified operational data to analyze platform performance, identify usability improvements, develop new features and services, conduct research and quality improvement activities, and generate insights about digital health program effectiveness. We do not use individually identifiable PHI for product development purposes without the explicit authorization required under HIPAA and our Business Associate Agreements.

3.3 Marketing and Communications

We may use professional contact information to send you information about our products, services, industry insights, events, and company news that we believe may be of interest to you. All marketing communications include an unsubscribe mechanism, and you may opt out of marketing communications at any time by following the unsubscribe instructions in the communication or by contacting us at privacy@heimxhealth.org. Opting out of marketing communications does not affect our ability to send you transactional or service-related communications.

3.4 Legal and Compliance

We use and disclose information as necessary to comply with applicable laws and regulations, respond to legal process including subpoenas and court orders, protect our legal rights and the rights of our customers and users, investigate potential violations of our terms of service or policies, and prevent fraud and ensure the security of our systems and data.

3.5 Analytics and Website Improvement

We use automatically collected website usage data to analyze traffic patterns, measure the effectiveness of our content and marketing activities, and improve the design and functionality of our website. This analysis helps us understand what information is most useful to our visitors and how to better serve the healthcare organizations that rely on our resources.

4. How We Share Your Information

We do not sell personal information to third parties. We may share your information in the following limited circumstances:

4.1 Service Providers

We engage trusted third-party service providers to help us deliver our services and operate our business. These providers may include cloud infrastructure providers, customer relationship management software vendors, email delivery services, analytics platforms, payment processors, and security and compliance monitoring services. We require all service providers that handle personal data on our behalf to execute appropriate data processing agreements, maintain appropriate security safeguards, and use the data only for the specific purposes for which it was disclosed. Service providers that handle PHI on our behalf execute Business Associate Agreements as required by HIPAA.

4.2 Business Transfers

In the event of a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred to the acquiring entity as part of that transaction. We will notify you of any material change in how your personal information is handled in connection with such a transaction and will provide you with an opportunity to opt out where required by applicable law.

4.3 Legal Requirements

We may disclose your information if we believe disclosure is necessary to comply with applicable law or legal process, respond to lawful requests from government authorities, protect the rights and safety of Heim Health, our customers, or the public, or investigate, prevent, or take action regarding illegal activities, suspected fraud, or threats to physical safety.

4.4 Aggregated and De-identified Data

We may share aggregated, de-identified data that does not identify you or any individual for industry research, academic research, benchmarking, and publication purposes. We take appropriate technical and administrative measures to ensure that de-identified data cannot reasonably be re-identified.

5. Data Retention

We retain personal information for as long as necessary to fulfill the purposes for which it was collected, to comply with our legal and contractual obligations, to resolve disputes, and to enforce our agreements. The specific retention period varies depending on the type of information and the context in which it was collected. When information is no longer needed for these purposes, we securely delete or anonymize it in accordance with our data retention policies.

For PHI processed under Business Associate Agreements, retention and destruction obligations are governed by the applicable BAA and HIPAA requirements. Covered entity customers retain control over PHI data retention decisions for their patient populations.

6. Data Security

We implement technical, administrative, and physical safeguards designed to protect your information against unauthorized access, loss, alteration, or destruction. Our security program includes AES-256 encryption for data at rest, TLS 1.2 or higher encryption for all data in transit, role-based access controls that follow the principle of minimum necessary access, multi-factor authentication for all systems containing personal data or PHI, comprehensive audit logging of access and modification events, regular third-party penetration testing and vulnerability assessments, and annual SOC 2 Type II audits conducted by independent certified public accountants.

Despite these safeguards, no security measure is infallible, and no transmission of data over the internet can be guaranteed to be completely secure. We will notify you promptly of any breach of your personal information as required by applicable law.

7. Your Privacy Rights

Depending on your location and applicable law, you may have rights regarding your personal information. These may include:

  • Right to Access: The right to request access to the personal information we hold about you and to receive a copy of that information in a portable format.
  • Right to Correction: The right to request correction of inaccurate or incomplete personal information we hold about you.
  • Right to Deletion: The right to request deletion of your personal information, subject to certain exceptions including legal retention obligations and contractual commitments.
  • Right to Object: The right to object to certain processing activities, including direct marketing communications.
  • Right to Restriction: The right to request that we restrict the processing of your personal information in certain circumstances.
  • Right to Data Portability: The right to receive your personal information in a structured, commonly used, machine-readable format for transfer to another organization.
  • Right to Withdraw Consent: Where processing is based on consent, the right to withdraw consent at any time without affecting the lawfulness of processing conducted prior to withdrawal.

To exercise any of these rights, please contact our Privacy Officer at privacy@heimxhealth.org or by mail at: Heim Health Privacy Officer, 500 Boylston Street, Suite 1000, Boston, MA 02116. We will respond to your request within 30 days, or within the timeframe required by applicable law. We may need to verify your identity before processing your request.

For rights related to PHI in the context of healthcare services delivered by our covered entity customers, you should contact the relevant healthcare provider directly, as they serve as the covered entity responsible for your health information.

8. HIPAA Rights for Patients

Patients whose PHI is processed by Heim Health through our Business Associate relationship with covered entity healthcare providers have specific rights under HIPAA. These include the right to access your PHI, request corrections, receive an accounting of disclosures, request restrictions on certain uses and disclosures, and receive notice of privacy practices. To exercise these rights regarding health information in the context of your healthcare, please contact the healthcare provider with whom you have your care relationship. Heim Health will cooperate with covered entity customers to facilitate patients' exercise of their HIPAA rights in connection with PHI we process on their behalf.

9. Children's Privacy

Our website and professional services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18 through our website. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information as promptly as possible. If you believe we may have collected information from a child under 18, please contact us immediately at privacy@heimxhealth.org.

10. Third-Party Links and Services

Our website may contain links to third-party websites, applications, or services that are not operated or controlled by Heim Health. This Privacy Policy does not apply to third-party websites or services. We encourage you to review the privacy policies of any third-party websites you visit. The inclusion of a link to a third-party website does not constitute endorsement of that website's privacy practices or data handling.

11. California Privacy Rights

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). These include the right to know what personal information we have collected, the right to know whether your personal information has been sold or disclosed and to whom, the right to opt out of the sale of your personal information (we do not sell personal information), the right to deletion of your personal information, and the right to non-discrimination for exercising your privacy rights. To submit a California privacy rights request, contact us at privacy@heimxhealth.org or call us at the number provided on our contact page.

12. International Data Transfers

Heim Health is based in the United States and our services are primarily designed for organizations operating in the U.S. healthcare market. If you interact with our services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where our servers are located and our central operations are managed. By using our services, you consent to the transfer of your information to the United States in accordance with this Privacy Policy.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last Updated" date at the top of this policy and, where appropriate, provide additional notice such as an email notification to our registered users or a notice on our website. We encourage you to review this Privacy Policy periodically to stay informed about how we collect, use, and protect your information. Your continued use of our website or services after the posting of changes constitutes your acceptance of those changes.

14. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our privacy practices, please contact us:

Heim Health Privacy Officer
Heim Health, Inc.
500 Boylston Street, Suite 1000
Boston, MA 02116
Email: privacy@heimxhealth.org

We take privacy concerns seriously and will respond to your inquiry promptly. If you are not satisfied with our response, you may have the right to lodge a complaint with a data protection authority or appropriate regulatory body in your jurisdiction.

© 2025 Heim Health. All rights reserved.