Privacy Policy
Effective Date: January 1, 2025 | Last Updated: February 5, 2025
1. Introduction
ACO Health Solutions ("AHS," "we," "us," or "our") is committed to protecting the privacy and security of personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard information in connection with our healthcare data analytics services, including The Pulse Platform and our CMS Qualified Registry services.
As a business associate under the Health Insurance Portability and Accountability Act (HIPAA), we maintain strict compliance with federal and state privacy regulations governing the handling of Protected Health Information (PHI).
2. Information We Collect
2.1 Protected Health Information (PHI)
In providing services to Accountable Care Organizations (ACOs), physician groups, and healthcare providers, we may receive and process PHI, which includes:
- Patient demographic information (name, date of birth, address, contact information)
- Medical record numbers and patient identifiers
- Clinical data including diagnoses, procedures, and treatment information
- Insurance and billing information
- Quality measure data for CMS reporting
2.2 Business Contact Information
We collect information from our business clients and their authorized representatives, including:
- Names and professional titles
- Business email addresses and phone numbers
- Organization names and addresses
- Account credentials for platform access
2.3 Technical Information
When you access our platforms, we may automatically collect:
- IP addresses and device identifiers
- Browser type and operating system
- Access times and pages viewed
- System activity logs for security purposes
3. How We Use Information
We use the information we collect for the following purposes:
- Healthcare Analytics: To provide quality reporting, performance analytics, and population health management services to our clients
- CMS Reporting: To submit quality measures and performance data to the Centers for Medicare & Medicaid Services on behalf of our clients
- Service Delivery: To operate, maintain, and improve The Pulse Platform and related services
- Compliance: To meet legal and regulatory requirements, including HIPAA, MIPS, and ACO program requirements
- Security: To detect, prevent, and respond to security incidents and protect against unauthorized access
- Communication: To communicate with clients about services, updates, and support
4. Information Sharing and Disclosure
We do not sell personal information or PHI. We may share information in the following circumstances:
4.1 With Healthcare Clients
We share analytics, reports, and processed data with the covered entities (healthcare providers and organizations) on whose behalf we process information.
4.2 Regulatory Submissions
We submit required quality data and reports to CMS and other regulatory bodies as authorized by our clients and required by applicable programs.
4.3 Service Providers
We may engage trusted third-party service providers who assist in delivering our services. All such providers are bound by appropriate data protection agreements and HIPAA business associate requirements where applicable.
4.4 Legal Requirements
We may disclose information when required by law, court order, or government regulation, or when necessary to protect the rights, property, or safety of AHS, our clients, or others.
5. Data Security
We implement comprehensive administrative, technical, and physical safeguards to protect information, including:
- HITRUST e1 certification, maintained for three consecutive years
- AES-256 encryption for data at rest
- TLS 1.2+ encryption for data in transit
- Multi-factor authentication for system access
- Role-based access controls
- Regular security assessments and vulnerability scanning
- 24/7 security monitoring
- Documented incident response procedures
- Workforce security training through Cyberhoot programs
6. Data Retention
We retain information for as long as necessary to fulfill the purposes for which it was collected, comply with legal and regulatory requirements, and support our clients' needs. Retention periods are determined based on:
- Contractual obligations with clients
- CMS and healthcare regulatory requirements
- HIPAA record retention requirements
- Applicable state and federal laws
When information is no longer needed, we securely dispose of it in accordance with our data destruction policies.
7. Individual Rights
We support the rights of individuals regarding their personal information as required by applicable law:
7.1 HIPAA Rights
Individuals whose PHI we process on behalf of covered entities may have rights under HIPAA, including the right to access, amend, and receive an accounting of disclosures of their PHI. These requests should be directed to the healthcare provider or organization that is the covered entity for that information.
7.2 Other Privacy Rights
Depending on your jurisdiction, you may have additional rights regarding your personal information. To exercise any applicable rights, please contact us using the information provided below.
8. Business Associate Agreements
As a business associate under HIPAA, we enter into Business Associate Agreements (BAAs) with all covered entities for whom we process PHI. These agreements establish the permitted uses and disclosures of PHI and our obligations to protect such information.
9. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. We will post the updated policy on this page with a revised effective date. We encourage you to review this policy periodically.
10. Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us:
ACO Health Solutions
Privacy Officer
Email: privacy@acohealthsolutions.com
Phone: Contact your account representative
For security-related inquiries, please contact: security@acohealthsolutions.com