Introduction
PatientSwaps LLC ("we," "our," "us," or "Company") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your information when you visit our website, use our services, and interact with us through various channels.
PatientSwaps is a HIPAA-compliant care facility coordination service that helps families and loved ones transition between senior care facilities. We understand that your health information is sensitive and personal, and we take our responsibilities seriously.
HIPAA Compliance Notice
PatientSwaps LLC is a covered entity under the Health Insurance Portability and Accountability Act (HIPAA). We maintain safeguards to protect your Protected Health Information (PHI) and comply with HIPAA Privacy and Security Rules.
1. Information We Collect
Information You Provide Directly
When you submit a swap intake form through our HIPAA-enabled Jotform platform, we collect:
- Resident Information: Full name, date of birth, current living situation, primary care needs, preferred timeline for transition
- Applicant Information: Full name (applicant/family contact), relationship to resident, email address, phone number
- Health & Care Details: Medical situation description, POA/MDPOA status, care requirements, preferences for facility type
- Insurance & Administrative Information: Insurance provider and policy information (when required for matching)
- Compliance Information: Documentation and notes required for HIPAA compliance
Information Collected Automatically
When you visit our website or use our services, we may automatically collect:
- Device information (browser type, IP address, operating system)
- Usage data (pages visited, time spent on site, links clicked)
- Referral source information
- General location data (city/state level, not precise GPS)
Information from Third Parties
We may receive information about you from:
- Senior care facilities referring you to our service
- Healthcare providers coordinating transitions
- Family members submitting information on your behalf
2. How We Use Your Information
We use the information we collect for the following purposes:
Service Delivery
- Matching families with appropriate senior care facilities
- Coordinating care transitions and bilateral facility swaps
- Communicating swap status, timing, and logistics with families and facilities
- Managing compliance documentation and HIPAA requirements
- Facilitating introductions with transportation partners when appropriate
Business Operations
- Processing payments through Stripe
- Sending transactional emails (swap confirmations, status updates, completion notices)
- Maintaining operational records and audit trails
- Improving our service quality and user experience
Legal & Compliance
- Fulfilling HIPAA Privacy and Security Rule requirements
- Responding to legal requests or regulatory inquiries
- Detecting and preventing fraud or misuse of our services
- Protecting the rights and safety of our users, staff, and the public
3. Legal Basis for Processing Health Information
We process Protected Health Information (PHI) under the following legal authorities:
- Explicit Consent: You provide written consent when submitting your intake form through our HIPAA-enabled Jotform
- Treatment, Payment, and Healthcare Operations (TPO): We use PHI to coordinate care transitions, manage the swap logistics, and handle related administrative tasks
- Legal Compliance: We process PHI as required by federal and state law, including HIPAA
4. How We Protect Your Information
HIPAA Safeguards
We maintain comprehensive physical, technical, and administrative safeguards to protect your PHI:
- Encryption: All PHI is transmitted using HTTPS encryption and stored in encrypted formats
- Access Controls: Only authorized personnel have access to PHI on a need-to-know basis
- Audit Controls: We maintain detailed audit logs of all PHI access and modifications
- Data Minimization: We collect and retain only the information necessary for each purpose
- Regular Risk Assessments: We conduct periodic security assessments and vulnerability testing
- Business Associate Agreements (BAAs): All third-party vendors who access PHI have signed BAAs and meet HIPAA requirements
Non-HIPAA Data Protection
For non-health-related information, we implement industry-standard security practices including TLS (SSL) certificates, secure server infrastructure, and regular security monitoring.
5. How We Share Your Information
Information Sharing with Business Associates
We share your information with third-party service providers who have signed Business Associate Agreements (BAAs) and meet HIPAA requirements:
| Service Provider | Purpose | BAA Status |
|---|---|---|
| Jotform (HIPAA-enabled) | Intake form collection and storage | ✓ Signed |
| Google Workspace | Secure PHI database and email communication | ✓ Signed |
| Paubox | Encrypted email for sensitive communications | ✓ Signed |
| Airtable | De-identified operational data only (no PHI) | Not applicable |
| Make.com | Automation workflows with de-identified data only (no PHI) | Not applicable |
Information Sharing with Facilities & Partners
- With Facilities: We share only the information necessary to facilitate the swap, such as resident name, care needs, and transfer timing. Facilities have their own HIPAA obligations as covered entities or business associates.
- With Transportation Partners: When connecting families with transportation providers, we share only de-identified details (swap ID, facility address, date/time, general care category). Patient names and specific medical conditions are NOT shared with transportation partners unless the family explicitly authorizes it.
- With Family Members: We facilitate communication between families and facilities to ensure coordinated care transitions.
Payment Processing
Payment information is processed through Stripe, a PCI-DSS compliant payment processor. We do NOT store complete credit card numbers. Stripe does not receive PHI or patient names in transaction metadata; payments are identified by de-identified order IDs only.
Information We Do NOT Share
We will never:
- Sell or rent your PHI to third parties
- Share your health information for marketing or advertising purposes
- Disclose PHI to vendors without signed BAAs
- Use your information for purposes beyond what you've explicitly authorized
Legal Requirements & Court Orders
We may disclose information when required by law, such as in response to subpoenas, court orders, or government investigations. We will notify you of such requests whenever legally permitted to do so.
6. Cookies & Tracking Technologies
Our website may use cookies and similar tracking technologies to:
- Remember your preferences and login information
- Analyze site traffic and user behavior
- Improve our website performance
- Prevent fraud and enhance security
Most cookies are "session cookies" that expire when you close your browser. We do not use cookies to track health information or make healthcare decisions.
Third-Party Analytics: We use Google Analytics to understand how visitors use our site. You can opt out of Google Analytics tracking by visiting Google's opt-out page.
7. Third-Party Services & External Links
Our website and communications may contain links to third-party services and websites. This Privacy Policy does not apply to external websites, and we are not responsible for their privacy practices. Please review the privacy policies of any third-party sites before providing your information.
Key Third-Party Services
- Jotform: HIPAA-compliant form platform with signed BAA
- Google Workspace: Cloud services with signed BAA covering Gmail, Drive, and Sheets
- Stripe: Payment processing (no PHI transmitted)
- Cloudflare: Website hosting and DNS services (no PHI)
8. Data Retention
We retain information for as long as necessary to provide our services and comply with legal obligations:
- Intake & PHI Data: Retained for 7 years after service completion to comply with HIPAA audit and legal retention requirements
- Payment Records: Retained as required by financial and tax regulations (typically 3-7 years)
- Audit Logs: Retained for a minimum of 6 years per HIPAA requirements
- Website Analytics: Retained for up to 14 months, then aggregated and anonymized
Upon request, we will securely dispose of your information when it is no longer needed, subject to legal retention requirements.
9. Your Privacy Rights & Choices
HIPAA Privacy Rights
Under HIPAA, you have the right to:
- Access Your Records: Request a copy of your PHI at any time
- Request Amendments: Ask us to correct inaccurate or incomplete information
- Request Restrictions: Ask us to limit how we use or disclose your PHI (though we may not be able to grant all requests)
- Request Confidential Communications: Ask that we communicate with you using a specific method or address
- Request an Accounting: Receive a detailed accounting of all disclosures of your PHI
- Revoke Consent: Withdraw your authorization for us to use or disclose your PHI (though we may continue to use previously disclosed information as required by law)
California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how we use it
- Delete personal information we have collected (subject to certain exceptions)
- Opt out of the "sale" of your personal information (we do not sell PHI)
- Non-discrimination: We will not discriminate against you for exercising your rights
Colorado Privacy Rights (CPA)
If you are a Colorado resident, you have the right to:
- Access, correct, and delete personal information we collect
- Opt out of targeted advertising and certain data uses
How to Exercise Your Rights
To exercise any of these rights, please contact us using the information in Section 12 below. We will respond to your request within 30 days (60 days for complex requests) or as required by applicable law.
10. Children's Privacy
PatientSwaps' services are designed for adults (age 18+) or authorized guardians managing care decisions for elderly or incapacitated individuals. We do not knowingly collect personal information from children under 13.
If we become aware that we have collected information from a child under 13, we will delete that information and notify the parent or guardian. Parents who believe their child has provided information to PatientSwaps should contact us immediately.
11. HIPAA Notice of Privacy Practices
This Privacy Policy is a summary of your privacy rights. PatientSwaps maintains a comprehensive Notice of Privacy Practices (NPP) that provides detailed information about your HIPAA rights. You may request a copy of our full NPP by contacting us at hello@patientswaps.com.
Key points from our Notice of Privacy Practices:
- We maintain strict confidentiality of your health information
- We use and disclose your PHI only as permitted by HIPAA and this policy
- You have the right to access, amend, and request restrictions on your health information
- You have the right to request an accounting of disclosures
- You may file a complaint with the U.S. Department of Health & Human Services (HHS) Office for Civil Rights if you believe your privacy rights have been violated
12. How to Contact Us
Privacy Questions or Concerns?
If you have questions about this Privacy Policy, your privacy rights, or how we handle your information, please contact us:
Email: hello@patientswaps.com
Mailing Address:
PatientSwaps LLC
Colorado, USA
We will respond to privacy inquiries within 10 business days.
File a Complaint
If you believe we have violated your privacy rights under HIPAA, you may file a complaint with:
- PatientSwaps Privacy Officer: hello@patientswaps.com
- U.S. Department of Health & Human Services (HHS) Office for Civil Rights: https://www.hhs.gov/hipaa/filing-a-complaint/index.html
You will not be retaliated against for filing a complaint.
13. Privacy Policy Changes
PatientSwaps may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on our website and updating the "Last Updated" date at the top of this page.
Your continued use of PatientSwaps services after changes become effective constitutes your acceptance of the updated Privacy Policy. We encourage you to review this page periodically to stay informed about how we protect your information.
14. Additional Notices
State-Specific Disclosures
Colorado: PatientSwaps is based in Colorado and complies with Colorado's consumer privacy laws, including the Colorado Privacy Act (CPA).
California: If you are a California resident, we comply with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
Data Processing & International Transfer
All information is processed and stored within the United States. PatientSwaps does not transfer PHI internationally.
Accessibility
This Privacy Policy is available in alternative formats upon request. Please contact hello@patientswaps.com to request a different format.
LEGAL NOTICE: This Privacy Policy is a template and should be reviewed by qualified legal counsel specializing in HIPAA, healthcare privacy, and state consumer privacy laws before final publication. Ensure all provisions comply with federal regulations and the specific laws of states where PatientSwaps operates. Updates may be needed as business practices evolve or regulations change.