Effective date: 2026-05-02. Last reviewed: 2026-05-02.
This Notice describes how Protected Health Information (PHI) about you may be used and disclosed and how you can access this information. Please review it carefully.
1. Who this Notice covers
HealthDash operates the platform that your healthcare provider, clinic, or pharmacy (the Covered Entity) uses to handle your records. HealthDash is a Business Associate of the Covered Entity. If you are looking for the specific Notice of Privacy Practices that applies to your care, ask the Covered Entity directly — they may have additional protections beyond this Notice.
2. Our pledge
We are required by law to maintain the privacy of your PHI, give you this Notice, abide by the terms of the Notice currently in effect, and notify you and the Covered Entity if your PHI is breached.
3. Uses and disclosures we make for the Covered Entity
We use and disclose PHI only as the Covered Entity directs us to, and only as permitted by HIPAA and our BAA. Typical uses:
- Treatment: storing and transmitting clinical records the Covered Entity creates while treating you.
- Payment: handling billing data, claim attachments, and insurance card images on the Covered Entity's behalf.
- Health care operations: scheduling, intake forms, and internal reporting that the Covered Entity uses to operate.
4. Uses and disclosures NOT made by us
We do not:
- Sell PHI.
- Use PHI for our own marketing.
- Use PHI to train AI models without explicit, separate consent flowing through your Covered Entity.
- Disclose PHI to third parties except (a) subprocessors under BAA, (b) as required by law, or (c) as the Covered Entity authorizes.
5. Required disclosures
We disclose PHI when required by:
- The Department of Health and Human Services to investigate HIPAA compliance.
- Court orders, subpoenas, and other lawful process — after notifying the Covered Entity unless prohibited.
6. Your rights
You have the right to:
- Inspect and copy your PHI. Submit the request to the Covered Entity; we facilitate the response on their behalf.
- Request an amendment of incorrect PHI. The same process applies.
- Request an accounting of disclosures we made.
- Request restrictions on uses or disclosures.
- Receive confidential communications by alternative means.
- Receive a paper copy of this Notice.
- File a complaint with the Covered Entity, with us, or with the Office for Civil Rights at HHS — without retaliation.
7. Breach notification
If your PHI is breached, we will notify the Covered Entity within the timeframe set in our BAA (typically 24–72 hours of discovery). The Covered Entity is responsible for notifying you. We document every suspected breach in our incident log and retain investigation reports for 6 years per §164.530(j).
8. Safeguards
We implement HIPAA Security Rule administrative, physical, and technical safeguards, including encryption-at-rest, encryption-in-transit, tamper-evident audit logging, role-based access, workforce training, incident response, and annual risk analysis. Details are in our Security Statement.
9. Subprocessors
Each subprocessor that touches PHI signs a BAA with us before any PHI flows to them. Current subprocessors are listed at /legal/subprocessors, and the Covered Entity is notified at least 30 days before any change.
10. Changes to this Notice
We may revise this Notice. The new Notice applies to all PHI we maintain. Material changes are communicated to Covered Entities, who are responsible for distributing updates to patients.
11. Contact
HealthDash Privacy Officer: [email protected]
HHS Office for Civil Rights: https://www.hhs.gov/hipaa/filing-a-complaint/