Guardian Health Privacy Policy
Effective date: January 1, 2025
Protecting personal health information is foundational to Guardian Health. This policy explains our commitments and the safeguards we implement to earn and keep your trust.
1. Introduction
Guardian Health is a product of Hearth and Alloy Inc. ("Guardian Health," "we," "us," or "our"). We provide a secure platform that connects healthcare organizations to electronic health record (EHR) systems. This Privacy Policy describes how we handle personal information, including protected health information (PHI), when you use our services, visit our websites, or otherwise interact with us. This policy is designed to meet the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and applicable state privacy laws.
2. Information We Collect
We collect and process information in order to deliver the Guardian Health services. Information includes:
• Account and business details such as names, titles, email addresses, and billing information provided during onboarding.
• Protected health information transmitted from EHR partners, including patient demographics, encounter details, clinical notes, and document references, solely for the purpose of providing our services.
• Technical and usage data such as IP addresses, device identifiers, logs, and analytics about how our platform is accessed, to improve performance and security.
• Support communications and feedback provided to our customer operations team.
3. How We Use Information
Guardian Health uses personal information to provide and improve the platform, authenticate users, process transactions, provision customer accounts, comply with legal obligations, detect and investigate security events, and communicate with you about updates or support. We do not sell PHI or use it for marketing purposes without authorization.
4. Legal Basis and Business Associate Relationship
We act as a Business Associate to Covered Entities and other HIPAA regulated customers. We use and disclose PHI only as permitted under our Business Associate Agreements (BAAs), as required by law, or as otherwise authorized by you. All subcontractors that interact with PHI are required to sign BAAs and implement equivalent safeguards.
5. Data Security and Safeguards
Guardian Health maintains administrative, technical, and physical safeguards that align with HIPAA Security Rule requirements. Measures include role-based access controls with multi-factor authentication, encryption in transit (TLS 1.3) and at rest (AES-256), continuous monitoring, vulnerability management, secure software development practices, and documented incident response procedures. Access to PHI is limited to authorized personnel based on the principle of least privilege.
6. Data Retention and Destruction
We retain PHI and audit logs for a minimum of seven (7) years unless a longer period is required by law or contract. Data is securely destroyed or returned at the end of the retention period using NIST 800-88 compliant procedures. Customers may request earlier deletion or export subject to contractual obligations.
7. Third-Party Services
Guardian Health relies on select sub-processors, including Microsoft Azure for hosting, Azure Key Vault for secrets management, and Stripe for billing. Each third party has executed a Business Associate Agreement with us and maintains compliance certifications appropriate for handling PHI. A current list of sub-processors is available upon request.
8. Individual Rights
Patients whose PHI we process have rights under HIPAA and applicable state laws. Guardian Health assists Covered Entities with:
• Requests for access, amendment, or accounting of disclosures of PHI.
• Responding to restrictions or confidential communications requests.
• Providing electronic copies of PHI in designated record set formats.
Please direct requests through your healthcare provider or contact us so we can coordinate with the appropriate Covered Entity.
9. Breach Notification
We maintain an incident response program that includes 24/7 security monitoring. If we discover a breach of unsecured PHI, we will notify affected Covered Entities without unreasonable delay and no later than sixty (60) calendar days after discovery, unless a shorter period is required by contract. Notifications include the nature of the incident, types of information involved, mitigation steps taken, and measures individuals should take.
10. International Data Transfers
Guardian Health stores PHI in data centers located in the United States. When personal data is accessed outside the United States for support purposes, we implement safeguards consistent with applicable data transfer mechanisms.
11. Children’s Privacy
Guardian Health does not provide services directly to minors. Any PHI for individuals under 18 years of age is processed only on behalf of Covered Entities in accordance with HIPAA.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material updates, we will post the revised policy on this page, update the "Effective date" below, and provide additional notice as required by law or contract.
13. Contact Us
If you have any questions or complaints about this Privacy Policy or our privacy practices, please contact:
Guardian Health Privacy Office
Hearth and Alloy Inc.
[Physical mailing address]
Email: privacy@guardianhealth.dev
Phone: +1 (615) 555-0100
Need a signed copy?
Enterprise customers can request an executed Privacy Policy by emailing legal@guardianhealth.dev.