HIPAA Compliant

Privacy Policy

Your privacy and data security are our top priorities

Last updated: December 10, 2024 | Effective: December 10, 2024

Privacy Policy Summary

  • We are fully HIPAA compliant and sign BAAs with all covered entities
  • All data is encrypted at rest (AES-256) and in transit (TLS 1.3)
  • We never sell your personal information or PHI to third parties
  • You retain full ownership of all patient data and medical records
  • You can export or delete your data at any time (subject to legal requirements)

1. Introduction

ClinicalRIS is a product of Claridad Health Solutions ("Claridad", "we", "our", or "us"). Claridad is committed to protecting your privacy and the confidentiality of Protected Health Information (PHI). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our radiology information system platform ("Service").

This policy applies to all users of ClinicalRIS, including healthcare providers, imaging centers, radiologists, technologists, billing staff, referring physicians, and patients whose information may be processed through our platform.

By using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Service.

2. Information We Collect

2.1 Account and Professional Information

  • Full name, email address, phone number, and mailing address
  • Professional credentials, medical licenses, and NPI numbers
  • Organizational affiliations and role information
  • Account login credentials and authentication data
  • Billing information, including credit card or bank account details
  • Communication preferences and settings

2.2 Protected Health Information (PHI)

As a healthcare technology platform, we process PHI on behalf of covered entities. This may include:

  • Patient demographics (name, date of birth, gender, address, contact information)
  • Medical record numbers and patient identifiers
  • DICOM medical images (X-rays, CT scans, MRIs, ultrasounds, etc.)
  • Radiology reports and diagnostic findings
  • Clinical notes, orders, and referral information
  • Insurance and billing information related to patient care
  • Appointment and scheduling data

2.3 Technical and Usage Information

  • IP addresses and device identifiers
  • Browser type, operating system, and device information
  • Pages visited, features used, and time spent on the platform
  • Error logs and performance data
  • DICOM network connection logs (AE titles, IP addresses, ports)

2.4 Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience:

  • Essential Cookies: Required for authentication, security, and platform functionality. These cannot be disabled.
  • Functional Cookies: Remember your preferences, settings, and customizations for an improved user experience.
  • Analytics Cookies: Help us understand how users interact with our Service to improve functionality and features.

You can manage your cookie preferences at any time through our cookie consent banner or by contacting us. Disabling non-essential cookies will not affect your ability to use critical Service features.

3. HIPAA Compliance

ClinicalRIS is designed to comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and its implementing regulations.

3.1 Business Associate Agreements

We execute Business Associate Agreements (BAAs) with all covered entities before processing any PHI. Our BAA outlines our obligations to protect PHI and report any breaches.

3.2 Administrative Safeguards

  • Designated Privacy and Security Officers
  • Comprehensive workforce training on HIPAA requirements
  • Written policies and procedures for PHI handling
  • Regular risk assessments and security evaluations
  • Incident response and breach notification procedures
  • Sanction policy for workforce violations of these policies

3.3 Physical Safeguards

  • SOC 2 Type II certified data centers
  • 24/7 physical security and surveillance
  • Biometric access controls and visitor logging
  • Environmental controls (fire suppression, climate control)
  • Secure media disposal procedures

3.4 Technical Safeguards

  • Unique user identification and authentication
  • Role-based access control (minimum necessary standard)
  • Automatic session termination after inactivity
  • Comprehensive audit logging of all PHI access
  • Encryption of all data at rest and in transit
  • Integrity controls and validation mechanisms

3.5 Breach Notification

In the event of a breach of unsecured PHI, we will notify affected covered entities within 24 hours of discovery, enabling them to fulfill their notification obligations under the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414).

4. How We Use Your Information

4.1 Service Delivery

  • Providing access to the radiology information system
  • Processing and storing DICOM medical images
  • Generating and distributing radiology reports
  • Managing patient worklists and scheduling
  • Facilitating HL7/FHIR interoperability with other systems
  • Sending critical findings notifications
  • Processing claims and managing billing

4.2 Operations and Support

  • Providing technical support and customer service
  • Monitoring system performance and availability
  • Troubleshooting issues and debugging
  • Conducting security monitoring and threat detection
  • Performing backups and disaster recovery

4.3 Improvement and Analytics

  • Analyzing usage patterns to improve the Service
  • Developing new features and functionality
  • Generating de-identified aggregate statistics (never using PHI)

4.4 Legal and Compliance

  • Complying with legal obligations and court orders
  • Responding to lawful requests from authorities
  • Enforcing our Terms of Service
  • Protecting our rights and property

5. Information Sharing and Disclosure

We never sell your personal information or PHI to third parties for marketing or advertising purposes.

5.1 Authorized Disclosures

We may share information in the following circumstances:

  • With your organization: Sharing data with authorized users within your healthcare organization
  • Service providers: Third-party vendors who help us operate the Service (under strict contractual obligations)
  • Healthcare operations: As permitted under HIPAA for treatment, payment, and healthcare operations
  • Legal requirements: When required by law, subpoena, or court order
  • Business transfers: In connection with a merger, acquisition, or sale of assets

5.2 Third-Party Service Providers

We work with carefully selected service providers who may process data on our behalf:

  • Cloud infrastructure: Data hosting and storage
  • Payment processors: Subscription billing (PCI-DSS compliant)
  • Email services: Transactional and notification emails
  • Analytics: Usage analytics (no PHI is shared)

All third-party providers are bound by confidentiality agreements and, where applicable, Business Associate Agreements.

6. Data Security

6.1 Encryption

  • Data at rest: AES-256 encryption for all stored data
  • Data in transit: TLS 1.3 for all network communications
  • DICOM transfers: DICOM TLS encryption supported
  • Backups: Encrypted backup storage with separate key management

6.2 Access Control

  • Multi-factor authentication (MFA) support
  • Role-based access control with granular permissions
  • IP whitelisting and geofencing options
  • Session management and automatic timeout
  • Password complexity requirements and rotation policies

6.3 Monitoring and Auditing

  • Real-time security monitoring and alerting
  • Intrusion detection and prevention systems
  • Comprehensive audit logs retained for 7+ years
  • Regular vulnerability scanning and penetration testing
  • Annual third-party security assessments

6.4 Disaster Recovery

  • Geographically redundant data storage
  • Automated daily backups with point-in-time recovery
  • Recovery Point Objective (RPO): 1 hour
  • Recovery Time Objective (RTO): 4 hours
  • Regular disaster recovery testing

7. Data Retention

We retain information for as long as necessary to provide our services and comply with legal obligations:

  • Medical records and images: Minimum 7 years, or longer as required by state law (some states require 10+ years, pediatric records until age 21+)
  • Audit logs: 7 years minimum
  • Account information: Duration of account plus 3 years
  • Billing records: 7 years for tax and accounting purposes
  • Backup data: 90 days rolling retention

Upon account termination, we provide 90 days to export your data. After this period, data is securely deleted according to our data destruction procedures.

8. Your Rights

8.1 General Rights

  • Access: Request a copy of your personal information
  • Correction: Request correction of inaccurate information
  • Deletion: Request deletion of your data (subject to legal retention requirements)
  • Portability: Export your data in standard formats
  • Opt-out: Unsubscribe from marketing communications
  • Restriction: Request limitation of processing in certain circumstances

8.2 HIPAA Rights (for PHI)

If your PHI is processed through our platform, you have rights under HIPAA including:

  • Right to access your medical records
  • Right to request amendments to your records
  • Right to an accounting of disclosures
  • Right to request restrictions on certain uses
  • Right to receive confidential communications
  • Right to receive breach notifications

Note: These requests should typically be directed to your healthcare provider (the covered entity), who will coordinate with us as needed.

10. International Data Transfers

ClinicalRIS primarily stores and processes data in the United States. If you access our Service from outside the U.S., your information may be transferred to and processed in the U.S., where data protection laws may differ from those in your jurisdiction.

For customers requiring data residency within specific regions, please contact us to discuss available options.

11. Children's Privacy

ClinicalRIS is designed for use by healthcare professionals and is not directed at children under 13. We do not knowingly collect personal information from children under 13 for account registration. However, our platform may process pediatric patient health information as part of legitimate healthcare operations, which is handled in accordance with HIPAA and applicable state laws regarding minors' health records.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify you via email at least 30 days before changes take effect
  • Provide a summary of changes in our notification
  • Obtain consent where required by law

We encourage you to review this Privacy Policy periodically for any changes.

13. Contact Us

If you have questions about this Privacy Policy, want to exercise your rights, or have concerns about our data practices, please contact us:

Privacy Officer

Email: privacy@clinicalris.com
Phone: +233 20 3580 372
Response time: Within 30 days

Mailing Address

Claridad Health Solutions
Attn: Privacy Officer
P.O. Box CT4835 Cantonment
Accra, Ghana

Report a Security Concern

To report a potential security vulnerability or data breach:
Email: security@clinicalris.com
24/7 Hotline: +44 73 1203 3824