Supa Health

Privacy Policy

Protecting your privacy and healthcare data is our top priority

Last updated: December 2024

1. Introduction

This Privacy Policy describes how Supanote Inc. ("we," "our," or "us") collects, uses, and protects your information when you use our RCM Billing Automation platform for behavioral health providers. We are committed to maintaining the highest standards of privacy and security, particularly when handling protected health information (PHI) as required under HIPAA and other applicable healthcare regulations.

2. Information We Collect

2.1 Personal Information

We collect personal information that you voluntarily provide to us when you:

  • Register for an account
  • Use our billing automation services
  • Contact us for support
  • Subscribe to our newsletter
  • Participate in surveys or feedback forms

2.2 Protected Health Information (PHI)

As a Business Associate under HIPAA, we may process PHI on behalf of covered entities. This includes:

  • Patient demographic information
  • Insurance information
  • Treatment codes and billing information
  • Medical record numbers
  • Claims and payment data

2.3 Technical Information

We automatically collect certain technical information when you use our platform:

  • IP addresses and device identifiers
  • Browser type and version
  • Operating system information
  • Usage patterns and activity logs
  • Performance and diagnostic data

3. How We Use Your Information

3.1 Service Provision

We use your information to:

  • Provide and maintain our billing automation services
  • Process insurance claims and billing transactions
  • Generate reports and analytics
  • Provide customer support and technical assistance
  • Ensure platform security and prevent fraud

3.2 Communication

We may use your contact information to:

  • Send service-related notifications
  • Provide important updates about our platform
  • Respond to your inquiries and support requests
  • Send marketing communications (with your consent)

3.3 Legal and Compliance

We may use your information to:

  • Comply with legal obligations and regulatory requirements
  • Protect our rights and prevent fraud
  • Respond to law enforcement requests
  • Maintain audit trails as required by healthcare regulations

4. HIPAA Compliance

4.1 Business Associate Agreement

When processing PHI on behalf of covered entities, we enter into Business Associate Agreements (BAAs) that establish our responsibilities under HIPAA. We commit to:

  • Use and disclose PHI only as permitted by the BAA
  • Implement appropriate safeguards to protect PHI
  • Report any unauthorized access or disclosure of PHI
  • Return or destroy PHI upon termination of services

4.2 Minimum Necessary Standard

We adhere to the HIPAA minimum necessary standard, limiting access to and use of PHI to the minimum amount necessary to accomplish the intended purpose.

4.3 Individual Rights

We support covered entities in fulfilling individual rights under HIPAA, including:

  • Right to access PHI
  • Right to request amendments
  • Right to request restrictions
  • Right to an accounting of disclosures

5. Data Security

5.1 Security Measures

We implement comprehensive security measures to protect your information:

  • End-to-end encryption for data in transit and at rest
  • Multi-factor authentication and access controls
  • Regular security audits and penetration testing
  • Employee training on privacy and security practices
  • Incident response and breach notification procedures

5.2 Data Centers

Our data is hosted in SOC 2 Type II certified data centers with:

  • 24/7 physical security monitoring
  • Redundant power and network infrastructure
  • Environmental controls and fire suppression
  • Regular backup and disaster recovery testing

6. Information Sharing

6.1 Authorized Disclosures

We may share your information only in the following circumstances:

  • With your explicit consent
  • As directed by covered entities for treatment, payment, or healthcare operations
  • To comply with legal obligations
  • With trusted service providers bound by confidentiality agreements
  • In case of merger, acquisition, or sale of assets (with appropriate protections)

6.2 Third-Party Service Providers

We work with carefully vetted third-party service providers who:

  • Sign Business Associate Agreements when handling PHI
  • Undergo regular security assessments
  • Adhere to our privacy and security standards
  • Process data only as directed by us

7. Data Retention

We retain your information for as long as necessary to:

  • Provide our services and support your account
  • Comply with legal and regulatory requirements
  • Resolve disputes and enforce our agreements
  • Meet healthcare record retention requirements (typically 6-7 years)

Upon termination of services, we will return or securely destroy PHI as specified in our Business Associate Agreement, unless retention is required by law.

8. Your Rights and Choices

8.1 Access and Control

You have the right to:

  • Access and review your personal information
  • Request corrections to inaccurate information
  • Request deletion of your personal information (subject to legal requirements)
  • Opt out of marketing communications
  • Request a copy of your data in a portable format

8.2 Communication Preferences

You can manage your communication preferences by:

  • Updating your account settings
  • Using unsubscribe links in our emails
  • Contacting our support team

9. International Transfers

Your information may be transferred to and processed in countries other than your own. When we transfer personal information internationally, we ensure adequate protection through:

  • Standard contractual clauses approved by relevant authorities
  • Adequacy decisions by competent authorities
  • Binding corporate rules or other approved mechanisms
  • Your explicit consent where required

10. Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete such information promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. When we make material changes, we will:

  • Notify you via email or through our platform
  • Post the updated policy on our website
  • Update the "Last updated" date
  • Obtain your consent where required by law

12. Contact Information

If you have questions about this Privacy Policy or our privacy practices, please contact us:

Privacy Officer

Supanote Inc.
Email: privacy@supanote.com
Phone: 1-800-SUPANOTE
Address: [Company Address]

HIPAA Compliance Officer

Email: hipaa@supanote.com
Phone: 1-800-SUPANOTE ext. 2
For breach notifications and HIPAA-related inquiries

13. Breach Notification

In the event of a security incident involving PHI, we will:

  • Notify affected covered entities within 60 days of discovery
  • Provide detailed information about the incident
  • Describe the steps taken to investigate and mitigate the breach
  • Implement additional safeguards to prevent future incidents
  • Cooperate with covered entities in their notification obligations to individuals and HHS

© 2024 Supa Health, Inc. All rights reserved.