Privacy Policy
Last updated: July 1, 2026. This Privacy Policy explains how PatientTrac Corp. (“PatientTrac,” “we,” “our,” or “us”) collects, uses, discloses, and safeguards information through the PatientTrac website, public forms, support channels, and hosted clinical applications.
PatientTrac is a clinical software company. When we maintain protected health information (“PHI”) for a health care provider, health plan, or another HIPAA-regulated customer, we generally act as a business associate and handle PHI according to our customer agreement, Business Associate Agreement (“BAA”), and applicable law.
Scope of this policy
This policy applies to information collected through patienttrac.com, PatientTrac public forms, product demonstrations, sales and support communications, and PatientTrac-hosted services. It does not replace the privacy practices of a physician practice, hospital, surgery center, clinic, health plan, or other customer that uses PatientTrac.
Information we collect
- Website and inquiry information: name, organization, role, email, phone, message content, product interests, and demo or BAA request details.
- Account and administrative information: user profile, organization, role, authentication status, MFA/TOTP status, configuration settings, and audit-relevant events.
- Customer clinical data: patient, encounter, documentation, intake, billing, messaging, recovery, and related clinical records processed on behalf of customers.
- Technical and security data: IP address, device/browser data, logs, session events, access timestamps, error diagnostics, and security telemetry.
- Support information: troubleshooting data, support tickets, configuration details, and limited record examples when provided by authorized customer personnel.
How we use information
- Provide, secure, maintain, and improve PatientTrac services.
- Authenticate users, enforce role-based access, support multi-tenant isolation, and preserve audit trails.
- Respond to sales, support, legal, privacy, security, and BAA requests.
- Operate revenue-cycle, documentation, interoperability, intake, monitoring, messaging, and related workflows on behalf of customers.
- Detect, prevent, investigate, and remediate security events, unauthorized access, fraud, and misuse.
- Comply with legal obligations and enforce contracts.
PHI and HIPAA-regulated data
When PatientTrac processes PHI for a HIPAA-regulated customer, our permitted uses and disclosures are governed by the applicable BAA and service agreement. We do not use PHI for unrelated marketing. We do not sell PHI. We support customer-directed workflows such as access, amendment, accounting of disclosures, ROI, C-CDA, EHI export, audit reporting, and clinical documentation only as permitted by the customer agreement and applicable law.
AI features and clinical review
PatientTrac AI features are designed as clinician-assistive tools. AI outputs may include drafts, summaries, flags, suggestions, red-flag prompts, or educational support for review by authorized users. AI features do not replace professional judgment, do not independently diagnose or prescribe, and should not be treated as a final clinical decision.
PatientTrac’s AI integrations are designed to run server-side so API keys are not exposed in the browser.
Security safeguards
PatientTrac is designed around concrete security mechanisms, including organization-level multi-tenant isolation, Row-Level Security, role-based access, TOTP multi-factor authentication, server-side keys, audit logging, and hash-chained PHI audit events where applicable. No security program can guarantee absolute security, but PatientTrac uses administrative, technical, and operational safeguards intended to protect confidentiality, integrity, and availability.
Retention and deletion
We retain information for as long as reasonably necessary to provide services, comply with legal or contractual obligations, resolve disputes, enforce agreements, preserve audit integrity, and support customer data-export or termination obligations. PHI retention and return/destruction obligations are handled under the applicable customer agreement and BAA.
Choices and requests
Website visitors may contact us to update contact information, opt out of non-transactional communications, or ask privacy questions. Patients seeking access to medical records should contact their provider or health plan directly. PatientTrac will assist customers with rights requests when required by an applicable BAA or service agreement.
Contact
Privacy and legal inquiries may be directed to privacy@patienttrac.com or PatientTrac Corp., United States. BAA requests should be submitted through the Request a BAA page.