Privacy Policy

Effective Date: April 3, 2026 · Last Updated: April 3, 2026

Alema Health, LLC (hereinafter referred to “Alema Health”, “we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy describes how we collect, use, store, and protect information in connection with your use of the Alema Health platform and website (collectively, the “Platform”).

Alema Health operates as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and handles protected health information (PHI) strictly in accordance with our Business Associate Agreements (BAAs) with covered entity clients and applicable law. This Privacy Policy addresses both how PHI is handled on behalf of our practice clients and how we handle non-PHI information from Platform users.

1. Information We Collect

1.1 Protected Health Information (PHI)

Alema Health accesses patient PHI solely on behalf of and at the direction of our healthcare practice clients, through authorized FHIR R4 API integrations with their EHR systems. This PHI includes patient demographics, diagnosis codes, encounter data, appointment information, and billing records. We use this data exclusively to provide the services described in our SaaS Service Agreement and BAA with each practice client. We do not own, sell, or independently use patient PHI.

The types of patient data we access include:

Patient demographics (name, date of birth, contact information)
Diagnosis and condition codes (ICD-10)
Encounter and visit history
Insurance and payer information
Appointment and scheduling data
Medication information (for APCM care plans and medication adherence tracking)
Hospital discharge data (for TCM identification)

1.2 Practice and User Account Information

When a practice registers for and uses the Platform, we collect:

Practice name, address, NPI, and tax identification number
Provider and staff names, email addresses, and roles
EHR credentials and API authorization tokens
Subscription and billing information (processed by Stripe; Alema Health does not store full payment card numbers)
Login activity, session data, and audit logs

1.3 Platform Usage Data

We automatically collect certain technical information when you use the Platform:

IP address and browser type
Pages visited and features used within the Platform
Error logs and diagnostic data (via Sentry; PHI is explicitly excluded from error logs)
Authentication events and session activity

1.4 Payer Contract Data (VBC Command Center)

When practices upload payer contracts to the VBC Command Center for AI parsing, the contract text is processed through Amazon Bedrock (Claude 3 Haiku) under our existing AWS Business Associate Addendum.

2. How We Use Information

2.1 Patient PHI

We use patient PHI exclusively to:

Identify missed revenue opportunities (AWV, TCM, CCM, APCM, HCC, undercoding, denial risk) on behalf of the practice client
Match patient panel data against HEDIS quality measures for VBC performance tracking
Generate patient recommendations for practice staff
On Pro plan: send automated appointment scheduling SMS messages to patients via the EHR’s native messaging API
On Pro plan: write appointment and intake form data back to the EHR on behalf of the practice
Generate reports and analytics for the practice’s internal use

We do not use patient PHI for advertising, marketing, research, or any purpose not authorized by the applicable BAA.

2.2 Practice and User Account Information

We use practice and user account information to:

Provide, maintain, and improve the Platform
Process subscription payments and send billing communications
Send service notifications, updates, and support communications
Enforce our Terms of Use and SaaS Service Agreement
Comply with legal obligations

2.3 Usage Data

We use technical usage data to monitor Platform performance, diagnose errors, improve features, and ensure security. This data is not linked to patient PHI.

3. How We Share Information

3.1 Subcontractors and Service Providers

We share information with third-party service providers only as necessary to deliver the Platform’s services, and only under appropriate data processing agreements or BAAs. Our current subcontractors with access to PHI or practice data are:

Amazon Web Services (AWS) — cloud infrastructure, database hosting, and email delivery. BAA executed.

athenahealth — EHR data source and write-back partner. EHR integration for patient data access and, on Pro plan, automated patient messaging through athenahealth’s native messaging API. Message content limited to scheduling links; no clinical PHI included in messages. PHI access is governed by the athenahealth API contract.

Amazon Bedrock (Anthropic Claude 3 Haiku) — AI-powered undercoding detection, APCM care plan generation, and VBC contract parsing. Operated within the AWS infrastructure under the existing AWS Business Associate Addendum. PHI is de-identified before transmission to AI models.

Stripe — payment processing. No PHI transmitted. Stripe handles payment card data under PCI DSS compliance.

Sentry — application error monitoring. PHI explicitly excluded from error logs.

Please be advised that this list of subcontractors may be modified and/or expanded in the future.

3.2 Legal Requirements

We may disclose information if required to do so by law or in response to valid legal process, including subpoenas, court orders, or government investigations. We will notify the affected practice client of any such request to the extent permitted by law.

3.3 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of Alema Health’s assets, practice and user data may be transferred to the successor entity. We will notify affected clients and require the successor to honor existing BAAs and privacy commitments.

3.4 No Sale of Data

Alema Health does not sell, rent, or trade patient PHI, practice data, or user information to any third party for any purpose. We do not use patient data for advertising or marketing.

4. Data Security

Alema Health implements administrative, physical, and technical safeguards appropriate to the sensitivity of the information we handle.

While we implement strong security measures, no system is completely secure. In the event of a data breach involving PHI, we will notify affected practice clients in accordance with our BAA and applicable law.

5. Data Retention

We retain patient PHI and practice data for the duration of the active service agreement. Upon termination of a BAA:

PHI will be returned to the practice or securely destroyed within thirty (30) days
Practice account data will be retained for 90 days to allow for transition, then deleted
Billing and financial records are retained for seven (7) years as required by law
HIPAA compliance documentation is retained for six (6) years
De-identified aggregate analytics data may be retained indefinitely

6. Your Rights

6.1 Practice Client Rights

Practice clients have the right to:

Access and review the PHI and practice data we hold on their behalf
Request correction of inaccurate data
Revoke API access to their EHR at any time through their EHR settings
Request deletion of their data upon termination of the service agreement
Receive a copy of our BAA and this Privacy Policy

6.2 Patient Rights

Alema Health is a Business Associate and does not have a direct relationship with patients. Patient rights under HIPAA (access, amendment, accounting of disclosures, restrictions, and confidential communications) are administered by the Covered Entity (the practice). If a patient contacts Alema Health directly, we will promptly forward the request to the applicable practice client.

6.3 California Privacy Rights

To the extent the California Consumer Privacy Act (CCPA) applies to any information Alema Health collects, California residents may have additional rights regarding their personal information. PHI subject to HIPAA is exempt from CCPA. For non-PHI personal information of California residents, you may contact us to exercise applicable CCPA rights. We do not sell personal information.

7. Cookies and Tracking

The Platform uses session cookies and local storage to maintain authentication state and user preferences. We do not use third-party advertising cookies or cross-site tracking technologies. Analytics data is collected for internal Platform improvement purposes only and is not shared with advertising networks.

8. Children’s Privacy

The Platform is not directed to individuals under the age of 18, and we do not knowingly collect personal information from minors outside of PHI accessed through our EHR integration on behalf of practice clients (which may include pediatric patients). Such PHI is handled exclusively in accordance with our BAA and HIPAA requirements.

9. Links to Other Websites

The Platform may contain links to external websites. We are not responsible for the privacy practices or content of those sites. We encourage you to review the privacy policies of any third-party websites you visit.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify practice clients of material changes by email and by posting the updated policy on the Platform. The “Last Updated” date at the top of this policy indicates when it was most recently revised. Your continued use of the Platform after any changes constitutes your acceptance of the updated Privacy Policy.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

HIPAA Privacy & Security Officer

Alema Health, LLC

Email: info@alemahealth.com

Website: www.alemahealth.com

For HIPAA-related inquiries from practice clients, please reference your Business Associate Agreement and contact us at the email above. We will respond within five (5) business days.