RosettaHealth Privacy Policy

Effective Date: 08/11/2025
Last Updated: 08/11/2025

RosettaHealth, Inc. (“RosettaHealth,” “we,” “our,” or “us”) is committed to protecting the privacy and security of the information we process on behalf of our customers. We operate as a HIPAA Business Associate and provide secure, cloud-based health information exchange services.

This Privacy Policy explains how we collect, use, disclose, and protect information, including protected health information (“PHI”) and personally identifiable information (“PII”), and the choices available to our customers and other individuals.

1. Our Role Under HIPAA

RosettaHealth is not a HIPAA Covered Entity. We act solely as a Business Associate to our customers, who are covered entities or other business associates. Our handling of PHI is governed by:

  • The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations

  • Business Associate Agreements (“BAAs”) with each customer

  • Applicable state privacy and security laws

2. Information We Process

We may process the following categories of information in providing services to our customers:

  • Protected Health Information (PHI) – e.g., patient names, dates of birth, medical record numbers, diagnosis codes, and other information provided to us by customers for secure exchange.

  • Personally Identifiable Information (PII) – e.g., contact details for customer representatives or portal users.

  • Technical and Usage Data – e.g., IP addresses, API call metadata, audit logs, and system activity related to service delivery.

We do not collect PHI directly from individuals; all PHI is received from our customers in the course of providing contracted services.

3. How We Use Information

We use information solely to:

  • Deliver and support our health information exchange services

  • Facilitate secure transmission of data between authorized parties

  • Maintain audit logs, security monitoring, and compliance reporting

  • Detect, investigate, and prevent security incidents

  • Comply with legal and regulatory obligations

We do not sell PHI or PII and do not use PHI for marketing purposes.

4. How We Share Information

We may share information only as permitted by law, our BAAs, and this Privacy Policy:

  • With Authorized Parties: PHI is exchanged only with entities designated and authorized by our customers.

  • With Subcontractors: We may engage HIPAA-compliant subcontractors (e.g., cloud hosting providers) under written agreements requiring equivalent privacy and security safeguards.

  • For Legal Compliance: We may disclose information if required by law, regulation, or court order, following applicable notice requirements.

5. Security Safeguards

We maintain administrative, physical, and technical safeguards consistent with HIPAA, SOC 2, and other applicable frameworks, including:

  • Encryption of data in transit and at rest

  • Multi-factor authentication and strict access controls

  • Continuous security monitoring and vulnerability scanning

  • Regular risk assessments and compliance audits

6. Individual Rights

Because RosettaHealth does not collect PHI directly from individuals, requests to access, amend, or restrict PHI should be directed to the relevant healthcare provider or covered entity. If we receive such a request directly, we will forward it to the applicable customer.

7. Breach Notification

If a breach of unsecured PHI occurs, we will notify affected customers without unreasonable delay and in accordance with our BAAs and HIPAA requirements. Customers are responsible for notifying affected individuals as required by law.

8. Data Retention

We retain PHI and related system logs only as long as necessary to fulfill our contractual obligations and comply with legal requirements. Upon contract termination, data is returned or securely destroyed in accordance with our BAAs and Data Management Policy.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Updates will be posted on this page with a revised “Last Updated” date.

10. Contact Us

For questions about this Privacy Policy or our privacy practices, contact our Privacy Officer:

Doug Hill
Privacy Officer – RosettaHealth, Inc.
Email: privacy@rosettahealth.com