PRIVACY POLICY
Effective Date: March 14, 2025
Transparent Health Group, LLC and its subsidiary Precision Group Administrators LLC (“Transparent Health Group,” “THG,” “we,” “us,” or “our”) are committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard your information – including Protected Health Information (PHI) – in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the System and Organization Controls 2 (SOC 2) security and privacy criteria. We implement rigorous controls to meet or exceed the requirements of HIPAA and SOC 2 in protecting your data.
By using our website or services, you acknowledge that you have read and understood this Privacy Policy. If any part of this Policy conflicts with applicable laws or regulations that provide you with greater privacy rights or protections (such as HIPAA or certain state laws), those laws will govern.
This Policy is designed to be consistent with HIPAA’s Notice of Privacy Practices requirements and other relevant privacy laws.
Scope and Purpose
Scope: This Privacy Policy applies to all information we handle through our websites, platforms, and services, including PHI and other personal data. Protected Health Information (PHI) is individually identifiable health information (such as medical records, health plan or insurance information, and any data that relates to your health status, healthcare, or payment for healthcare) that is created, received, or maintained by health care providers, health plans, or their business associates. In other words, PHI includes any health or medical information that can identify you (for example, your name with your medical history or insurance ID). This Policy also covers other personal information you provide to us (such as contact details or account information), even if it is not strictly classified as PHI.
Purpose: The purpose of this Policy is to inform you of how Transparent Health Group collects, uses, and protects your information. We are dedicated to maintaining the confidentiality, integrity, and availability of your data in accordance with HIPAA regulations and SOC 2 Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy). We maintain appropriate safeguards to protect your information and limit uses or disclosures to those allowed by law or authorized by you. By adhering to these standards, we ensure we meet our legal obligations and uphold your trust.
Information Collection and Use
Information We Collect: We collect information that you voluntarily provide to us or that is provided through your healthcare interactions. This may include:
- Identification and Contact Information: Name, address, phone number, email, date of birth, and other basic identifiers.
- Health and Medical Information (PHI): Health plan enrollment details, member IDs, medical record numbers, treatment histories, medications, diagnoses, provider and clinic information, claims and billing information, or any other health-related information you or your healthcare providers supply to us.
- Insurance and Payment Information: Health insurance carrier details, policy and group numbers, payment history, and bank or payment card information if needed for processing healthcare payments.
- Website Usage Data: If you use our online portals or mobile application, we may collect login credentials, IP address, device information, and usage data. (Note: We do not use this data for marketing or advertising; it is used only to support the functionality and security of our services.)
We collect and use PHI only as necessary to provide our services and as permitted or required by law. For example, we use your information to set up and manage your health plan accounts, enable processing of insurance claims, coordinate benefits, provide customer support, and enable related health benefits programs. These uses are considered part of healthcare “treatment, payment, and health care operations,” which are allowed under HIPAA without specific authorization. We may also use your information to communicate with you about your plan or benefits (for instance, sending explanations of benefits or answering your questions), to improve our services and website functionality, and for other purposes that you have consented to or that are disclosed to you at the time you provide the information. We will not use your PHI for any purpose not allowed by HIPAA or not described in this Policy unless we obtain your written authorization.
How We Store and Protect Data: All personal information and PHI that we collect is stored on secure systems with stringent safeguards. Your data is stored on secure servers in controlled facilities; we employ network firewalls, intrusion detection systems, and continuous monitoring to guard against unauthorized access. Access to systems containing PHI is strictly limited to authorized personnel who require it to perform their job duties, and we enforce multi-factor authentication (MFA) and robust access controls for all internal system access. With MFA in place, a compromised password alone is not enough to gain access; a second verification step is still required, which substantially reduces the risk that stolen credentials expose your sensitive data. We also train our staff on privacy and security, and we have policies in place to prevent improper use or disclosure of your information.
Cookies and Tracking: Our website may use cookies or similar technologies to enhance user experience or for essential functionality (such as maintaining your session when you log into a secure portal). We do not use these tools to collect PHI, and any analytics are only used to improve our website performance. You can adjust your browser settings to refuse cookies, but note that certain features of our site (especially secure account features) may not function properly without them.
User Rights Under HIPAA
HIPAA grants you specific rights regarding your PHI. Transparent Health Group is committed to upholding these rights and facilitating your exercise of them. Your principal rights include:
- Right to Access and Obtain a Copy: You have the right to see and get a copy of the PHI that we maintain about you, such as your health records or claims information, with limited exceptions. This includes the right to receive an electronic copy of your records if we maintain them electronically. We will provide access or copies in the format you request if readily producible, or in a mutually agreed format. We may charge a reasonable, cost-based fee as allowed by law for providing copies.
- Right to Request Amendment: If you believe that any PHI we have about you is incorrect or incomplete, you have the right to request that we correct or update the information. For example, if your date of birth or medical history is recorded incorrectly in our records, you can ask us to amend it. We will review your request and either make the requested amendment or inform you in writing of the denial and the reason (such as if we determine the records are accurate as is).
- Right to an Accounting of Disclosures: You have the right to request a list (an “accounting”) of certain disclosures of your PHI that we have made, excluding disclosures for treatment, payment, and health care operations and certain other disclosures exempted under HIPAA. This accounting will include the date of each disclosure, who it was disclosed to, and the purpose, for a period of up to six years prior to your request, as required by HIPAA.
- Right to Request Restrictions: You have the right to ask us to restrict the use or disclosure of your PHI for treatment, payment, or health care operations. You can also request a restriction on disclosures to family members or others involved in your care. While we will consider any reasonable request, please note we are not always required to agree to a requested restriction except in specific situations (for example, if you paid for a service out-of-pocket in full and request that we not disclose that service information to your health plan, we must comply with that restriction). If we do agree to a restriction, we will abide by it except in emergencies or as required by law.
- Right to Request Confidential Communications: You have the right to request that we contact you by alternative means or at alternative locations. For instance, you may request that we send communications to a P.O. box instead of your home address, or contact you via email instead of phone. We will accommodate reasonable requests when possible.
- Right to Complain without Retaliation: If you believe your privacy rights have been violated, you have the right to file a complaint. You can file a complaint directly with us (see Contact Information below), and/or you may file a complaint with the U.S. Department of Health and Human Services’ Office for Civil Rights (HHS OCR). We will provide you with the contact information for HHS OCR upon request. We will not retaliate against you for filing a complaint. Filing a complaint will not affect the quality of services you receive from us.
To exercise any of these rights, please contact us using the information in the Contact Information section at the end of this Policy. We may need to verify your identity and ask that your request be in writing. We will respond to your request within the timeframes required by law (generally 30 days for access requests, with possible extension, and as promptly as possible for other requests).
Third-Party Data Sharing and Disclosures
We do not sell your personal information or PHI to third parties. We only share your information with others in the ways described here, and only as permitted or required by law. The circumstances under which we may disclose PHI to third parties include:
- Business Associates & Service Providers: We may share PHI with third-party companies or contractors who perform services on our behalf and require access to PHI to carry out those services – for example, data storage providers, cloud hosting services, claims processors, analytics or IT support vendors, mailing or communication service providers, etc. These third parties are known as Business Associates under HIPAA. In every case, we execute Business Associate Agreements (BAAs) with these service providers to ensure they are obligated to safeguard your PHI to the same standards we follow. Our business associates are required to use your information only for the purposes we specify and to implement appropriate security measures. They cannot use or disclose your PHI for their own independent purposes.
- Healthcare Partners and Payment Purposes: We may disclose PHI to other authorized parties as needed for your care and services. For example, we might share relevant PHI with your doctors, clinics, laboratories, pharmacies, or other healthcare providers to facilitate treatment or care coordination. We may also share necessary PHI with your health insurance plan or other payors to manage benefits, obtain payment for services, or resolve billing inquiries. These uses and disclosures for treatment and payment are permitted by HIPAA.
- Healthcare Operations: We may use and disclose PHI as needed for our internal operations and those of other covered entities with which you have a relationship, as allowed by HIPAA. This can include quality improvement activities, fraud detection, administrative activities, customer service, and other operational purposes. For instance, we might share limited information with auditors or accrediting agencies to help ensure we are meeting compliance standards.
- Legal Requirements and Public Safety: We may disclose PHI to third parties if required to do so by law or if certain authorized public health or safety purposes apply. For example, we might disclose PHI in response to a court order, subpoena, or lawful request by regulatory authorities. We may also share PHI with government agencies for reporting communicable diseases, adverse drug events, or for mandatory health oversight audits or inspections. If necessary, we may disclose PHI to law enforcement officials in specific scenarios (such as to locate a missing person or report a crime on our premises, in accordance with HIPAA rules). Additionally, we could share PHI to avert a serious threat to health or safety – for instance, to help prevent a serious and imminent harm to you, another person, or the public (in such cases, the disclosure would only be to someone able to help prevent the threat). All such disclosures will be done strictly in line with HIPAA’s Privacy Rule and other applicable laws, ensuring only the minimum necessary information is shared.
- With Your Authorization: For any purposes outside of those permitted by HIPAA or described above, we will obtain your explicit written authorization before using or disclosing your PHI. For example, most uses of your PHI for marketing purposes, or any sale of PHI, would require your prior authorization under HIPAA. If you provide an authorization, you may revoke it at any time (in writing), and we will stop the future use/disclosure of your PHI for that purpose. Revoking an authorization will not affect any use or disclosure that already occurred in reliance on the authorization.
In all cases, we adhere to HIPAA’s “minimum necessary” rule, which means we make reasonable efforts to disclose only the minimum amount of PHI needed for the purpose of the disclosure. We also evaluate all third-party data sharing for compliance with privacy and security requirements. If a third party does not meet our standards or fails to safeguard information as required, we will restrict information sharing and take appropriate action to address the issue.
Data Security Measures and Breach Procedures
Protecting your information is one of our highest priorities. Transparent Health Group maintains a comprehensive information security program with administrative, technical, and physical safeguards designed to protect against unauthorized access or disclosure of your data (in accordance with HIPAA’s Security Rule and SOC 2 criteria). Here are some key security measures we have in place:
- Encryption: All PHI and sensitive data are encrypted in transit (for example, using TLS, the successor to SSL, when data is transmitted over the internet). Encryption is designed to make your information unreadable to anyone who intercepts it without the decryption key. We also encrypt data backups and employ encrypted channels for internal data transfers, adding an extra layer of protection for your information.
- Access Controls & Multi-Factor Authentication: We limit access to PHI strictly to those employees or agents who need it to perform their job functions (principle of least privilege). Each authorized user is assigned unique access credentials, and we use multi-factor authentication (MFA) for accessing any systems that contain PHI. This means users must provide multiple forms of verification (for example, a password plus a one-time code or biometric factor) before accessing sensitive data, greatly reducing the risk of unauthorized access. We also implement role-based access control and promptly revoke access when a workforce member leaves or no longer requires it.
- Secure Infrastructure and Monitoring: Our IT infrastructure is designed with robust security controls. We host data in secure environments that meet high industry standards (such as data centers covered by SOC 2 audit reports or HITRUST certification) with strong physical security, environmental controls, and 24/7 surveillance. We use firewalls, anti-malware protection, and intrusion detection/prevention systems to guard our network. All access to PHI is logged and monitored – we maintain detailed audit logs of who accessed what data and when. We regularly review these logs to detect any unauthorized activities and have automated alerts for suspicious access patterns. Our security team conducts periodic risk assessments and vulnerability scans to verify the effectiveness of our controls.
- Backup and Disaster Recovery: We perform regular, secure backups of PHI to prevent data loss. Backups are encrypted and stored in secure, geographically dispersed locations. We maintain disaster recovery (DR) capabilities across multiple regions to ensure that our services and data can be restored in the event of a natural disaster, major outage, or other emergency. This multi-region approach means your data remains available and protected even if one data center experiences an issue. We have a formal Disaster Recovery Plan and Business Continuity Plan, which we test periodically, so that we can quickly recover critical systems and data while maintaining compliance and security.
- Continuous Improvement and Training: We continuously update and refine our security measures in light of new threats and technologies. Our staff receive regular training on privacy, security practices, recognizing phishing attempts, and their responsibilities under HIPAA. We have internal policies covering device security, password management, and handling of PHI. All employees must sign confidentiality agreements and understand the seriousness of protecting PHI. We also have strict sanctions in place for any violations of our privacy and security policies.
- Vendor Management: As noted, any third-party vendor (Business Associate) with access to PHI is required to implement equivalent security measures. We conduct due diligence on our vendors’ security postures and require evidence of their compliance (such as SOC 2 audit reports or HITRUST certification, where applicable). We only partner with vendors who commit to protecting PHI in accordance with HIPAA and our own standards, and we monitor their compliance on an ongoing basis.
- Data Retention and Disposal: We retain your PHI only for as long as is necessary to fulfill the purposes for which it was collected, or as required by applicable laws and regulations. For example, certain regulations may obligate us to keep records for a minimum period (such as at least six years for certain HIPAA-related documentation), or state laws might require retaining medical billing records for a certain number of years. We have a data retention schedule that meets these requirements. When PHI is no longer needed and deletion is permissible, we will securely destroy it in a manner that renders it unreadable (such as using secure shredding for paper or certified wiping for electronic media) or we will de-identify the data in compliance with HIPAA standards.
- Incident Response and Breach Notification: Despite all our precautions, no system can be 100% secure. In the event of a security incident or data breach involving PHI, we have a detailed incident response plan to investigate, mitigate, and resolve the situation as quickly as possible. Our plan includes steps to contain the incident, assess the scope of data involved, remediate the vulnerability, and communicate with affected parties. Breach Notification: If a breach of unsecured PHI occurs, we will notify you without unreasonable delay and in no case later than 60 calendar days after discovery of the breach, as HIPAA requires. Under the HIPAA Breach Notification Rule, we are required to inform affected individuals as well as regulators (the HHS Office for Civil Rights), and in certain cases the media (when a breach affects more than 500 residents of a state or jurisdiction), of breaches of unsecured PHI. We will provide notices in accordance with HIPAA’s requirements, which will include a description of the breach, the types of information involved, steps you should take to protect yourself, what we are doing to address the breach, and our contact information for further questions. Notifications will be provided in writing (by mail or email, as appropriate), and if contact information is insufficient, we will use substitute means such as a posting on our website or notice to major media outlets, consistent with legal requirements. We also will notify any affected partners (such as a covered entity if we are acting as a business associate on their behalf) so that they can fulfill any additional obligations.
Transparent Health Group continuously evaluates and upgrades its security practices to adapt to new threats and to incorporate best practices. We align our security program with recognized frameworks (including SOC 2 and the HIPAA Security Rule specifications) to maintain a high level of protection for your data. By taking these steps, we strive to prevent any unauthorized access or disclosures and to promptly address any issues that arise, keeping your trust and maintaining the confidentiality of your health information.
State-Specific Privacy Laws
In addition to federal HIPAA requirements, we recognize that various U.S. states have enacted their own privacy and security laws governing personal information, including health data. We are committed to compliance with all applicable state laws that provide additional protections or rights beyond HIPAA. The HIPAA Privacy Rule generally acts as a floor of protection – meaning that state laws which are more stringent (i.e., provide greater privacy protection or give individuals greater rights with respect to their health information) are not preempted by HIPAA and will remain in force. In other words, if a state law imposes stricter standards or offers you more rights than federal law, we will follow the more protective state law.
Some examples of state-specific protections and how we address them include:
- California Residents: If you are a California resident, you may have rights under laws such as the California Consumer Privacy Act (CCPA) or the California Confidentiality of Medical Information Act (CMIA). Health information that is protected by HIPAA or CMIA is generally exempt from CCPA, but to the extent CCPA applies (for example, for certain personal information we collect that is not PHI), California residents have the right to know about the personal information collected, used, or disclosed, and may have the right to request deletion or opt-out of certain data sharing. Transparent Health Group will provide California residents with any required privacy notices and honor all valid consumer rights requests in accordance with California law. We also comply with CMIA, which governs the confidentiality of medical information in California, ensuring that we obtain any necessary authorizations before releasing medical information except as permitted by law.
- Florida, Texas, New York, and Other States: We comply with state laws such as the Florida Information Protection Act (FIPA), the Texas Medical Records Privacy Act (TMRPA), New York state privacy laws, and others as applicable. For instance, if a state law grants a longer time period for patients to file privacy complaints, or requires faster breach notification, or mandates specific consent for certain disclosures (such as HIV/AIDS status, mental health records, or genetic information), we will adhere to those requirements. We stay informed of the changing state privacy law landscape to ensure ongoing compliance.
- State Data Breach Notification Laws: In addition to HIPAA’s breach notification requirements, almost all states have their own laws requiring notification to individuals in the event of certain security breaches involving personal information. We comply with these state laws, which may include notifying individuals of breaches of certain categories of personal information (even if not classified as PHI) or notifying state regulators/attorneys general in certain cases. Where a state law has a shorter notification deadline or additional content requirements for the notice, we will follow the stricter standard to ensure compliance and transparency.
Please note that this is not an exhaustive list of all state laws we follow, but is intended to illustrate our commitment to state-specific compliance. If you have any questions about state-specific privacy rights, you can contact us for more information. Also, if you are located in a state or jurisdiction that grants you additional privacy rights by law, we will work with you to ensure those rights are respected. Our overarching principle is that we will always strive to protect your information to the highest applicable standard, whether that standard is set by federal or state law.
Contact Information
If you have any questions or concerns about this Privacy Policy or our privacy practices, or if you wish to exercise your rights or file a complaint, please contact our Privacy Officer. We are here to address your inquiries and will respond promptly.
Privacy Officer – Transparent Health Group, LLC
414 Drexel Pl
Swarthmore, PA 19081
Email: privacy@transparenthg.com
Phone: (877) 571-8950
You may also direct general customer service inquiries to us at (646) 367-1750, but for specific privacy-related matters, please reach out to our Privacy Officer through the contact information above to ensure your issue is handled confidentially and by the appropriate staff.
If we need to provide you with notices regarding your information (for example, breach notification or material changes to this Privacy Policy), we may contact you at the most recent email or mailing address you have provided us, or through prominent postings on our website when appropriate.
Your trust is important to us. Transparent Health Group is dedicated to maintaining the privacy and security of your health information. We will continue to update our privacy and security practices as needed to ensure compliance with the law and to meet the evolving standards of data protection. We encourage you to review this Privacy Policy periodically for any updates. If we make significant changes to our privacy practices, we will notify you in accordance with legal requirements (such as by posting the updated policy with a new effective date and/or contacting you directly).
By using our services or providing your information, you acknowledge that you have been informed about how your information may be used and disclosed as described in this Policy. We appreciate the opportunity to serve you and remain committed to safeguarding your personal health information.