Effective Date: September 17, 2025 | Last Updated: September 17, 2025

1. Introduction

OmniWound EMR ("we," "us," or "our") is committed to protecting the privacy and security of all information entrusted to us. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our electronic medical records platform and related services (collectively, the "Service").

This Privacy Policy applies to:

  • Healthcare Providers: Medical practices, clinicians, and administrative staff who use our EMR platform
  • Patients: Individuals whose health information is processed through our platform
  • Website Visitors: Anyone who visits our website or interacts with our marketing materials

HIPAA Compliance

OmniWound EMR is a HIPAA-covered entity and business associate. We comply with all applicable provisions of the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations, including the Privacy Rule, Security Rule, and Breach Notification Rule.

2. Information We Collect

2.1 Protected Health Information (PHI)

Through our EMR platform, we collect and process PHI on behalf of healthcare providers, including:

  • Patient Demographics: Name, address, phone number, email, date of birth, emergency contacts
  • Medical Information: Diagnoses, treatment plans, medications, allergies, medical history
  • Clinical Data: Wound assessments, progress notes, vital signs, test results
  • Insurance Information: Insurance provider details, policy numbers, coverage information
  • Billing Information: Procedure codes, diagnosis codes, billing addresses
  • Digital Images: Wound photographs, medical images (when applicable)

2.2 Healthcare Provider Information

We collect information about healthcare providers and their staff, including:

  • Account Information: Name, email address, phone number, professional credentials
  • Practice Information: Practice name, address, NPI numbers, specialty information
  • Usage Data: Login times, feature usage, system interactions
  • Billing Information: Payment methods, billing addresses, subscription details
  • Support Communications: Support tickets, email communications, phone call records

2.3 Website and Marketing Information

When you visit our website or interact with our marketing materials, we may collect:

  • Contact Information: Name, email address, phone number, practice information
  • Web Analytics: IP address, browser type, pages visited, time spent on pages
  • Form Submissions: Demo requests, newsletter signups, contact form submissions
  • Marketing Preferences: Communication preferences, marketing consent

2.4 Automatically Collected Information

Our systems automatically collect certain technical information:

  • System Logs: Access logs, error logs, security logs
  • Device Information: Device type, operating system, browser version
  • Network Information: IP addresses, connection details
  • Performance Data: System performance metrics, response times

3. How We Use Information

3.1 Healthcare Operations

We use PHI exclusively for permitted healthcare operations, including:

  • Treatment Support: Enabling healthcare providers to document, track, and manage patient care
  • Care Coordination: Facilitating communication between healthcare team members
  • Quality Improvement: Supporting quality assurance and improvement activities
  • Reporting: Generating clinical reports and analytics for healthcare providers
  • MIPS Reporting: Supporting Merit-based Incentive Payment System reporting requirements

3.2 Platform Operations

We use collected information to:

  • Provide Services: Operate and maintain the EMR platform
  • User Support: Provide customer service and technical support
  • Security: Monitor for and prevent security threats
  • System Improvements: Analyze usage patterns to improve platform functionality
  • Account Management: Manage user accounts and subscriptions

3.3 Business Operations

For business purposes, we may use non-PHI information to:

  • Marketing: Send newsletters, product updates, and promotional materials (with consent)
  • Analytics: Analyze website usage and user engagement
  • Communication: Respond to inquiries and provide information about our services
  • Legal Compliance: Meet legal and regulatory obligations

4. Information Sharing and Disclosure

4.1 PHI Sharing

We only share PHI in accordance with HIPAA regulations and your healthcare provider's instructions:

Permitted Disclosures:

  • Healthcare Providers: With other members of your healthcare team as directed by your provider
  • Treatment Purposes: To facilitate ongoing medical care and treatment
  • Healthcare Operations: For quality assurance, case management, and care coordination
  • Legal Requirements: When required by law, court order, or regulatory authority
  • Public Health: For public health activities as required by law
  • Emergency Situations: When necessary to prevent serious harm

4.2 Service Providers

We work with trusted third-party service providers who assist in operating our platform:

  • Cloud Hosting: Secure cloud infrastructure providers
  • Data Backup: Encrypted backup and disaster recovery services
  • Analytics: Website analytics and performance monitoring
  • Communication: Email delivery and customer support platforms

All service providers sign Business Associate Agreements (BAAs) and are required to maintain the same level of protection for PHI as we do.

4.3 Legal Disclosures

We may disclose information when required by law, including:

  • Legal Process: In response to subpoenas, court orders, or legal proceedings
  • Regulatory Compliance: To comply with healthcare regulations and oversight
  • Law Enforcement: When required for law enforcement purposes under applicable law
  • National Security: When required for national security purposes

5. Data Security and Protection

We implement comprehensive security measures to protect all information in our custody:

5.1 Technical Safeguards

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access controls and multi-factor authentication
  • Network Security: Firewalls, intrusion detection, and network monitoring
  • Regular Updates: Timely security patches and system updates
  • Audit Logging: Comprehensive logging of all system access and activities

5.2 Physical Safeguards

  • Data Centers: SOC 2 Type II certified data centers with 24/7 security
  • Access Control: Restricted physical access to servers and equipment
  • Environmental Controls: Climate control, fire suppression, and power backup systems
  • Asset Management: Secure disposal and destruction of hardware

5.3 Administrative Safeguards

  • Security Training: Regular security awareness training for all employees
  • Incident Response: Comprehensive security incident response procedures
  • Risk Assessment: Regular security risk assessments and vulnerability testing
  • Vendor Management: Due diligence and ongoing monitoring of third-party vendors
  • Business Associate Agreements: Contractual protections with all service providers

Security Incident Notification

In the event of a security incident that may affect PHI, we will notify affected healthcare providers within 60 days as required by HIPAA, and assist them in meeting their patient notification obligations.

6. Your Rights and Choices

6.1 Patient Rights (PHI)

As a patient, you have the following rights regarding your PHI:

  • Access: Right to access and obtain copies of your health information
  • Amendment: Right to request amendments to your health information
  • Restriction: Right to request restrictions on how your PHI is used or disclosed
  • Accounting: Right to receive an accounting of disclosures of your PHI
  • Confidential Communication: Right to request confidential communications
  • Complaint: Right to file a complaint about privacy practices

Note: These requests must be made to your healthcare provider, not directly to OmniWound EMR.

6.2 Healthcare Provider Rights

As a healthcare provider using our platform, you have rights regarding your account information:

  • Access: Access and update your account information
  • Data Portability: Export your data in standard formats
  • Account Deletion: Request deletion of your account and associated data
  • Marketing Opt-out: Unsubscribe from marketing communications

6.3 Website Visitor Rights

Website visitors have the following choices:

  • Marketing Communications: Opt-out of marketing emails at any time
  • Analytics: Use browser settings to limit tracking
  • Contact: Contact us to request information about data we have collected

7. Data Retention and Deletion

7.1 PHI Retention

PHI retention is governed by:

  • Healthcare Provider Instructions: We retain PHI as instructed by healthcare providers
  • Legal Requirements: Federal and state medical record retention laws
  • Standard Practices: Generally, medical records are retained for 6-10 years from the last patient encounter
  • Minors: Records for minors are retained until the age of majority plus applicable retention period

7.2 Account Data Retention

  • Active Accounts: Account data is retained while accounts remain active
  • Inactive Accounts: Data may be retained for up to 7 years after account closure for legal and business purposes
  • Financial Records: Billing and payment information is retained for 7 years

7.3 Website Data Retention

  • Analytics Data: Website analytics data is retained for 26 months
  • Marketing Data: Marketing contact information is retained until opt-out or 3 years of inactivity
  • Support Records: Customer support communications are retained for 3 years

7.4 Secure Deletion

When data is deleted, we ensure:

  • Secure Erasure: Data is securely overwritten and cannot be recovered
  • Backup Purging: Data is removed from all backup systems
  • Third-Party Notification: Service providers are notified to delete data
  • Certification: Deletion is documented and certified when required

8. Third-Party Services

We use the following categories of third-party services:

8.1 Essential Platform Services

  • Cloud Infrastructure: Amazon Web Services (AWS) - HIPAA-compliant hosting
  • Database Services: Encrypted database hosting and management
  • Backup Services: Automated encrypted backup solutions
  • Content Delivery: Global content delivery network for performance

8.2 Analytics and Monitoring

  • Google Analytics: Website traffic and user behavior analysis (anonymized data only)
  • System Monitoring: Platform performance and uptime monitoring
  • Security Monitoring: Security event monitoring and threat detection

8.3 Communication Services

  • FormSpree: Contact form processing and email delivery
  • Email Services: Transactional and marketing email delivery
  • Support Platform: Customer support ticket management

8.4 Business Services

  • Payment Processing: Secure payment processing for subscriptions
  • Legal Services: Legal document storage and compliance management
  • Accounting Services: Financial record keeping and reporting

Third-Party Protections

All third-party services that may access PHI are required to sign Business Associate Agreements (BAAs) and maintain HIPAA-compliant security standards. We regularly audit and monitor our service providers to ensure compliance.

9. International Users

OmniWound EMR is designed for and operates exclusively within the United States:

  • US-Only Service: Our platform is intended for healthcare providers operating in the United States
  • Data Location: All data is stored and processed within the United States
  • US Law Compliance: We comply with US federal and state privacy laws, including HIPAA
  • International Access: Access from outside the US may be limited or restricted

If you are accessing our website from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located and our central database is operated.

10. Children's Privacy

Our platform handles pediatric patient information in accordance with applicable laws:

  • Parental Consent: Pediatric patient information is collected only with appropriate parental or guardian consent
  • Age-Appropriate Handling: Special protections for minors' health information
  • Extended Retention: Pediatric records are retained until age of majority plus applicable retention period
  • Access Rights: Parents/guardians have rights to access and control their minor children's health information

Our website is not directed to children under 13, and we do not knowingly collect personal information from children under 13 through our website.

11. Policy Updates

We may update this Privacy Policy periodically to reflect changes in our practices or applicable laws:

  • Notification: We will notify healthcare providers of material changes via email and platform notifications
  • Effective Date: Changes become effective 30 days after notification unless immediate compliance is required by law
  • Website Posting: The current version is always available on our website with the effective date clearly marked
  • Continued Use: Continued use of our platform after changes become effective constitutes acceptance of the updated policy

Material Changes

Material changes include modifications to how we collect, use, or share PHI, changes to individual rights, or changes to our security practices. We will provide prominent notice of such changes.

12. Contact Information

For questions about this Privacy Policy or our privacy practices, please contact us:

Privacy Officer

Email: privacy@omniwound.com

Phone: (201) 270-9103

Mailing Address:

OmniWound EMR
Attn: Privacy Officer
1590 Anderson Ave. #18A
Fort Lee, NJ 07024

Filing Complaints

If you believe your privacy rights have been violated, you may file a complaint with:

  • OmniWound EMR: Contact our Privacy Officer using the information above
  • US Department of Health and Human Services: Office for Civil Rights (OCR)
    Website: www.hhs.gov/ocr/privacy/
    Phone: 1-800-368-1019

You will not be retaliated against for filing a complaint about our privacy practices.

Emergency Situations

For urgent privacy or security concerns, including suspected data breaches, please contact us immediately at security@omniwound.com or call (201) 270-9103.

This Privacy Policy is effective as of September 17, 2025. OmniWound EMR reserves the right to modify this policy at any time in accordance with applicable law and the procedures outlined above.