Privacy Policy
Effective Date: January 23, 2025
Last Updated: January 23, 2025
HIPAA Notice: This Privacy Policy describes how Nuveflow Assessment Platform protects and uses health information in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and other applicable privacy laws.
1. Introduction
Nuveflow Assessment Platform ("Nuveflow," "we," "us," or "our") is committed to protecting the privacy and security of your information, especially Protected Health Information (PHI). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our mental health assessment platform.
2. Information We Collect
2.1 Protected Health Information (PHI)
As a HIPAA-covered Business Associate, we may collect and process PHI including:
- Patient demographic information (name, date of birth, contact information)
- Mental health assessment responses and scores
- Clinical notes and observations
- Treatment plans and progress notes
- Healthcare provider communications
2.2 Healthcare Provider Information
We collect information about healthcare providers using our platform:
- Name, credentials, and license information
- Practice or institution affiliation
- Contact information (email, phone number)
- Billing and payment information
- Platform usage and activity data
2.3 Technical Information
We automatically collect certain technical information:
- IP addresses and device information
- Browser type and version
- Operating system information
- Log files and usage analytics
- Cookies and similar tracking technologies
3. How We Use Information
3.1 PHI Usage
We use PHI only as permitted by HIPAA and your authorization:
- Treatment: To provide assessment tools and clinical decision support
- Payment: To process billing for our services
- Healthcare Operations: To improve our platform and ensure quality care
- Required by Law: When disclosure is mandated by applicable regulations
3.2 Provider Information Usage
We use healthcare provider information to:
- Provide and maintain our assessment platform
- Process payments and manage subscriptions
- Provide customer support and technical assistance
- Send important service updates and notifications
- Improve our services through usage analytics
3.3 Research and Development
We may use de-identified, aggregated data for research and development purposes to improve mental health assessment tools. All data used for research is stripped of identifying information in accordance with HIPAA Safe Harbor standards.
4. Information Sharing and Disclosure
4.1 PHI Disclosure
We do not sell, rent, or trade PHI. We may disclose PHI only in the following circumstances:
- To the healthcare provider who entered the information
- To authorized personnel within the healthcare provider's organization
- When required by law or court order
- To prevent serious harm to health or safety
- To our Business Associates who assist in providing services (under written agreements)
4.2 Service Providers
We may share information with third-party service providers who help us operate our platform:
- Cloud hosting and data storage providers
- Payment processing companies
- Customer support and communication tools
- Security and monitoring services
All service providers are required to maintain HIPAA compliance and sign Business Associate Agreements.
4.3 Legal Requirements
We may disclose information when required by law, including:
- Response to subpoenas or court orders
- Compliance with regulatory investigations
- Reporting of suspected abuse or neglect
- Public health emergencies
5. Data Security
5.1 Security Measures
We implement comprehensive security measures to protect your information:
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Controls: Role-based access with multi-factor authentication
- Network Security: Firewalls, intrusion detection, and monitoring
- Regular Audits: Annual security assessments and penetration testing
- Employee Training: Regular HIPAA and security awareness training
- Physical Security: Secure data centers with 24/7 monitoring
5.2 Data Breach Response
In the unlikely event of a data breach involving PHI, we will:
- Notify affected healthcare providers within 24 hours
- Provide detailed information about the breach
- Assist with required patient notifications
- Cooperate with regulatory authorities
- Take immediate steps to mitigate harm and prevent future breaches
6. Data Retention
6.1 PHI Retention
We retain PHI only as long as necessary to provide services and comply with legal requirements:
- Active accounts: Data retained while account is active
- Inactive accounts: PHI deleted after 30 days of account termination
- Legal requirements: May retain longer if required by applicable laws
- Provider request: May extend retention upon written request for clinical continuity
6.2 Secure Deletion
When PHI is deleted, we use secure deletion methods that make data unrecoverable, including cryptographic erasure and secure wiping procedures.
7. Your Rights
7.1 Patient Rights (via Healthcare Provider)
Patients have rights regarding their PHI, which must be exercised through their healthcare provider:
- Right to access their PHI
- Right to request amendments to their PHI
- Right to an accounting of disclosures
- Right to request restrictions on use and disclosure
- Right to file complaints about privacy practices
7.2 Healthcare Provider Rights
As a healthcare provider using our platform, you have the right to:
- Access your account information
- Update your profile and contact information
- Export your patient data
- Delete your account and associated data
- Receive copies of Business Associate Agreements
8. International Data Transfers
Your data is primarily stored and processed in the United States. If we transfer data internationally, we ensure appropriate safeguards are in place, including:
- Adequacy decisions by relevant authorities
- Standard contractual clauses
- Certification schemes
- Binding corporate rules
9. Cookies and Tracking Technologies
9.1 Types of Cookies
We use the following types of cookies:
- Essential Cookies: Required for platform functionality
- Performance Cookies: Help us understand how the platform is used
- Security Cookies: Help protect against fraud and maintain security
9.2 Cookie Management
You can control cookies through your browser settings. However, disabling essential cookies may affect platform functionality.
10. Children's Privacy
Our platform is designed for use by healthcare providers, not directly by children. When treating pediatric patients, healthcare providers are responsible for obtaining appropriate consent and maintaining compliance with applicable laws, including COPPA and state minor consent laws.
11. State-Specific Privacy Rights
11.1 California Privacy Rights (CCPA/CPRA)
California residents have additional rights regarding their personal information:
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt-out of sale of personal information
- Right to non-discrimination for exercising privacy rights
11.2 Other State Laws
We comply with applicable state privacy laws, including those in Virginia, Colorado, and other states with comprehensive privacy legislation.
12. Business Associate Agreements
We maintain Business Associate Agreements (BAAs) with all healthcare providers using our platform. These agreements outline our obligations regarding PHI and ensure HIPAA compliance throughout our relationship.
13. Privacy Policy Updates
We may update this Privacy Policy to reflect changes in our practices or applicable laws. Material changes will be communicated at least 30 days in advance via:
- Email notification to registered users
- Prominent notice on our platform
- Updated effective date on this page
14. Contact Information
14.1 Privacy Officer
For privacy-related questions or concerns, contact our Privacy Officer:
Nuveflow Privacy Officer
Email: [email protected]
14.2 Data Protection Officer (if applicable)
For international privacy matters:
Data Protection Officer
Email: [email protected]
14.3 Patient Rights Requests
Patients should contact their healthcare provider directly for requests regarding their PHI. Healthcare providers may contact us at [email protected] to facilitate these requests.
15. Compliance and Certifications
Nuveflow maintains the following compliance standards:
- HIPAA Business Associate compliance
- HITECH Act compliance
- State healthcare privacy law compliance
Our Commitment: Nuveflow is committed to maintaining the highest standards of privacy and security for healthcare information. We continuously review and improve our practices to ensure compliance with evolving healthcare privacy requirements.