Privacy Policy

Effective Date: April 3, 2026 · Last Updated: April 30, 2026

Alema Health, LLC (hereinafter referred to “Alema Health”, “we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy describes how we collect, use, store, and protect information in connection with your use of the Alema Health platform and website (collectively, the “Platform”).

Alema Health operates as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and handles protected health information (PHI) strictly in accordance with our Business Associate Agreements (BAAs) with covered entity clients and applicable law. This Privacy Policy addresses both how PHI is handled on behalf of our practice clients and how we handle non-PHI information from Platform users.

1. Information We Collect

1.1 Protected Health Information (PHI)

Alema Health accesses patient PHI solely on behalf of and at the direction of our healthcare practice clients, through authorized FHIR R4 API integrations with their EHR systems and through Health Information Network feeds (such as Qualified Health Information Organizations) where applicable. The categories of PHI we access include patient demographics, diagnosis and condition codes, encounter and visit history, appointment data, hospital admission/discharge/transfer (ADT) data for transitions of care, and billing records reflecting clinical services delivered. We use this data exclusively to provide the services described in our SaaS Service Agreement and Business Associate Agreement with each practice client. We do not own, sell, or independently use patient PHI.

The types of patient data we access include:

Patient demographics (name, date of birth, contact information)
Diagnosis and condition codes (ICD-10)
Encounter and visit history
Insurance and payer information
Appointment and scheduling data
Medication information (for medication reconciliation and care coordination)
Hospital discharge data (for TCM identification)

1.2 Practice and User Account Information

When a practice registers for and uses the Platform, we collect:

Practice name, address, NPI, and tax identification number
Provider and staff names, email addresses, and roles
EHR credentials and API authorization tokens
Subscription and billing information (processed by Stripe; Alema Health does not store full payment card numbers)
Login activity, session data, and audit logs

1.3 Platform Usage Data

We automatically collect certain technical information when you use the Platform:

IP address and browser type
Pages visited and features used within the Platform
Error logs and diagnostic data (via Sentry; PHI is explicitly excluded from error logs)
Authentication events and session activity

2. How We Use Information

2.1 Patient PHI

We use patient PHI exclusively to:

Support care coordination workflows on behalf of the practice client, including Annual Wellness Visits (AWV), Transitional Care Management (TCM), no-show recovery, inactive patient reactivation, and pre-visit care preparation
Generate patient recommendations for practice staff
On Pro plan: send automated appointment scheduling SMS messages to patients with secure booking page links
On Pro plan: write appointment and intake form data back to the EHR on behalf of the practice
Generate reports and analytics for the practice’s internal use

We do not use patient PHI for advertising, marketing, research, or any purpose not authorized by the applicable BAA.

2.2 Practice and User Account Information

We use practice and user account information to:

Provide, maintain, and improve the Platform
Process subscription payments and send billing communications
Send service notifications, updates, and support communications
Enforce our Terms of Use and SaaS Service Agreement
Comply with legal obligations

2.3 Usage Data

We use technical usage data to monitor Platform performance, diagnose errors, improve features, and ensure security. This data is not linked to patient PHI.

3. How We Share Information

3.1 Subcontractors and Service Providers

We share information with third-party service providers only as necessary to deliver the Platform’s services, and only under appropriate data processing agreements or BAAs. Our current subcontractors with access to PHI or practice data are:

Amazon Web Services (AWS) — cloud infrastructure, database hosting, and email delivery. BAA executed.

Elation Health — EHR integration partner. Provides API access to patient clinical data and supports automated patient messaging on behalf of the practice. Message content is limited to scheduling and care coordination communications; no clinical PHI is included in patient-facing messages. PHI access is governed by the Elation Health API agreement.

Health Information Networks (Manifest MedEx and other Qualified Health Information Organizations) — provide hospital admission, discharge, and transfer (ADT) data feeds to support transitional care management workflows. PHI access is governed by Participation Agreements and Business Associate Agreements with each network.

Amazon Bedrock (Anthropic Claude 3 Haiku) — AI-powered patient outreach copy generation and engine logic optimization. Operated within the AWS infrastructure under the existing AWS Business Associate Addendum. PHI is de-identified before transmission to AI models.

Stripe — payment processing. No PHI transmitted. Stripe handles payment card data under PCI DSS compliance.

Sentry — application error monitoring. PHI explicitly excluded from error logs.

Please be advised that this list of subcontractors may be modified and/or expanded in the future.

3.2 Legal Requirements

We may disclose information if required to do so by law or in response to valid legal process, including subpoenas, court orders, or government investigations. We will notify the affected practice client of any such request to the extent permitted by law.

3.3 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of Alema Health’s assets, practice and user data may be transferred to the successor entity. We will notify affected clients and require the successor to honor existing BAAs and privacy commitments.

3.4 No Sale of Data

Alema Health does not sell, rent, or trade patient PHI, practice data, or user information to any third party for any purpose. We do not use patient data for advertising or marketing. Mobile phone numbers collected for SMS communications are never shared with third parties or affiliates for marketing or promotional purposes.

4. Data Security

Alema Health implements administrative, physical, and technical safeguards appropriate to the sensitivity of the information we handle.

While we implement strong security measures, no system is completely secure. In the event of a data breach involving PHI, we will notify affected practice clients in accordance with our BAA and applicable law.

5. Data Retention

We retain patient PHI and practice data for the duration of the active service agreement. Upon termination of a BAA:

PHI will be returned to the practice or securely destroyed within thirty (30) days
Practice account data will be retained for 90 days to allow for transition, then deleted
Billing and financial records are retained for seven (7) years as required by law
HIPAA compliance documentation is retained for six (6) years
De-identified aggregate analytics data may be retained indefinitely

6. Your Rights

6.1 Practice Client Rights

Practice clients have the right to:

Access and review the PHI and practice data we hold on their behalf
Request correction of inaccurate data
Revoke API access to their EHR at any time through their EHR settings
Request deletion of their data upon termination of the service agreement
Receive a copy of our BAA and this Privacy Policy

6.2 Patient Rights

Alema Health is a Business Associate and does not have a direct relationship with patients. Patient rights under HIPAA (access, amendment, accounting of disclosures, restrictions, and confidential communications) are administered by the Covered Entity (the practice). If a patient contacts Alema Health directly, we will promptly forward the request to the applicable practice client.

6.3 California Privacy Rights

To the extent the California Consumer Privacy Act (CCPA) applies to any information Alema Health collects, California residents may have additional rights regarding their personal information. PHI subject to HIPAA is exempt from CCPA. For non-PHI personal information of California residents, you may contact us to exercise applicable CCPA rights. We do not sell personal information.

7. Cookies and Tracking

The Platform uses session cookies and local storage to maintain authentication state and user preferences. We do not use third-party advertising cookies or cross-site tracking technologies. Analytics data is collected for internal Platform improvement purposes only and is not shared with advertising networks.

8. Children’s Privacy

The Platform is not directed to individuals under the age of 18, and we do not knowingly collect personal information from minors outside of PHI accessed through our EHR integration on behalf of practice clients (which may include pediatric patients). Such PHI is handled exclusively in accordance with our BAA and HIPAA requirements.

9. Links to Other Websites

The Platform may contain links to external websites. We are not responsible for the privacy practices or content of those sites. We encourage you to review the privacy policies of any third-party websites you visit.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify practice clients of material changes by email and by posting the updated policy on the Platform. The “Last Updated” date at the top of this policy indicates when it was most recently revised. Your continued use of the Platform after any changes constitutes your acceptance of the updated Privacy Policy.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

HIPAA Privacy & Security Officer

Alema Health, LLC

Email: info@alemahealth.com

Website: www.alemahealth.com

For HIPAA-related inquiries from practice clients, please reference your Business Associate Agreement and contact us at the email above. We will respond within five (5) business days.