Privacy Policy

Welcome to Care Cap Plus, LLC, a Florida Limited Liability Corporation (“Care Cap Plus”, “We”, “Us”, or “Our”).  We have developed this HIPAA Privacy Policy (the “Privacy Policy” or “Policy”) to inform you about how we will collect, process, store and/or use information, including personally identifiable information and/or Protected Health Information (as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)), which you submit, or that we collect from you through the Company’s websites (www.carecapplus.com), mobile applications, third-party API integrations, proprietary software, telephone,  email and SMS communications (the “Information”).

Please read this policy carefully to understand our policies and practices regarding your Information and how we will treat it. If you do not agree with our policies and practices, your choice is not to use our Services, including our website.

This Policy is governed by applicable state and/or federal law. By engaging with Care Cap Plus or using our website, you are accepting the practices described in this Policy and accept its terms. You also give your express permission for us to collect, process, store, and use Information in accordance with this Policy.

While the purpose of this Policy is to describe how we and our partners collect, use, and share Information about you, this Privacy Policy applies only to how we and our partners collect, use, and share Information about you with respect to the Services covered by the terms and conditions contained within the agreements between Care Cap Plus and Medical Providers and/or Company (as defined below), as well as the terms and conditions of the Servicing Agreement.

In addition, we take privacy very seriously. We share a commitment with Covered Entities to protect the privacy and confidentiality of Protected Health Information that we obtain subject to the terms of a Business Associate Agreement.

This Privacy Policy is provided to help you better understand how we use, disclose, and protect Protected Health Information in accordance with the terms of Business Associate Agreements.

Definitions

  • “Business Associate” (“BA”) means an entity that performs functions or activities on behalf of a Covered Entity when those services involve access to, or the use or disclosure of, Protected Health Information.
  • “Business Associate Agreement” (“BAA”) means a formal written contract between a BA and a Covered Entity that requires the BA to comply with specific requirements related to PHI.
  • “Covered Entity” means a health plan, healthcare provider, or healthcare clearinghouse that must comply with the HIPAA Privacy Rule.
  • “Protected Health Information” (“PHI”) means all “individually identifiable health information” that is transmitted or maintained in any form or medium by a Covered Entity. Individually identifiable health information is any information that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment, or in relation to the payment for the provision of health care services.

HIPAA Policy

Where and if applicable, the storage, processing and transmission of “individually identifiable health information” (as defined by HIPAA) is subject to laws and regulations governing the use and disclosure of health information Providers create or receive, including HIPAA, as amended from time-to-time. Care Cap Plus gains access to this protected health information only through its role as a Business Associate (as defined by HIPAA).  The use and responsibilities of both Care Cap Plus, and your Medical Provider, are outlined and governed by a Business Associate Agreement (BAA).  Under this agreement, we cannot use or disclose individually identifiable health information in a way that your Provider would otherwise not be able to. We are also required to, among other things, apply reasonable and appropriate security measures, including technical, physical and administrative safeguards, to protect the confidentiality, integrity, and availability of the individually identifiable health information we store and process on behalf of such Providers. For the purpose of this Policy, the term “Provider(s)” means any user who is a “healthcare provider” (as defined by HIPAA) or any user who is a member of such healthcare provider’s “workforce” (as defined by HIPAA).

Information You Submit or We Collect on Your Behalf:

We collect information from you when you:

  • Enter information on our Mobile App and/or the Site, such as when you register for our Services, use our Services to send a message to someone else, or complete a form;
  • Upload a document, image, or other data file on our Services;
  • Contact us via phone, email, SMS, regular mail or other means; or
  • Make a customer service request.

Identifiable information we collect about you may include your name, address, telephone number, email address, or the information you or your Medical Provider enter on or upload to our Services.

Payment Information

Depending on the Services you use, we may also collect your billing information, including a bank account, credit or debit card account information, or other forms of payment. By submitting your Payment Information, you expressly consent to the sharing of your information with third-party payment processors and other third-party services (including, but not limited to, vendors who provide fraud detection services to us and other third-parties). Further, you acknowledge and agree that both Care Cap Plus and any third-parties Care Cap Plus provides information to, may store your Payment Information for future use. The third-party payment processors that we utilize are contractually obligated to keep your Payment Information secure and confidential.

Information Provided from Your Use of Our Services or from Third-Parties:

For all web traffic, regardless of registration with us or submission of any information to Care Cap Plus, our analytics tools will automatically receive certain information about the IP address of, and the software running on, the computer, mobile phone, or tablet (each, a “Device”) you use to interact with our Services.

Device Information: When you interact with our Services, we collect information about your Device such as the URL of services your Device is requesting, the referring web pages, your IP address, Device type, operating system, browser type, application identifier, and, under certain circumstances, the location information your Device sends to us.

Cookies & Similar Technologies: We and our partners collect information about you and your Devices through cookies, web beacons, and similar technologies. A “cookie” is a small data file sent from a website and stored on your Device to identify your Device in the future and allow for an enhanced personalized user experience based on your previous activity on the website. A “session cookie” disappears after you close your web browser, or may expire after a fixed period of time. A “persistent cookie” remains after you close your web browser and may be accessed every time you use our Services. We and our partners may use both session and persistent cookies on our Services. You should consult the settings of your web browser to modify your cookie settings. Please note that if you delete or choose not to accept cookies from us, you may not be able to use certain features of our Services.

Some of our partners deploy these technologies directly on our Services. These third-parties may collect information over time about your use of our Services, as well as your online activities across other websites or online services. Some third-parties may allow you to opt-out of targeted advertising based on this information. You can find more information about these opt-outs from the Network Advertising Initiative (NAI), the Digital Advertising Alliance (DAA) and the Future of Privacy Forum.

In connection with the California Online Privacy Protection Act, we are advising you that we do not respond to browser do-not-track signals. All information on who we share your data with and your choices are discussed in this Internet Privacy Policy.

We, and our partners (which include any vendors or agents we are contracted with), automatically gather information whenever you visit, log in, or otherwise interact with our Services, including when you receive emails  from Us,  or log into the Mobile App.

Use and Disclosure of PHI

We use information collected automatically and/or submitted by you to provide you with a superior experience, and, as necessary, to administer services offered by Care Cap Plus.

We may use or disclose PHI on behalf of, or to provide services to, Covered Entities for purposes of performing our obligations under our Services Agreements to Covered Entities, provided that such use or disclosure is permitted or required by the applicable Business Associate Agreement and would not violate HIPAA, including its Privacy Rule or Security Rule as applicable to Business Associates.

We may use PHI internally for our own internal management, administration and data aggregation, but only to the extent such use of PHI is permitted or required by the applicable Business Associate Agreement and would not violate HIPAA, including its Privacy Rule or Security Rule as applicable to Business Associates.

We may disclose PHI to downstream subcontractors or agents that provide supporting services to us; however, we will require such subcontractors and agents to comply with the same terms and conditions that apply to us under the applicable Business Associate Agreement and PHI, including the implementation and maintenance of required safeguards as defined in our Risk Management Policy and Safeguards Policy.

In addition, we use your information, which may be aggregated with Information of other users of Care Cap Plus, in the following ways:

  • Provide, improve, test and monitor the functionality and effectiveness of the Site and Mobile App;
  • Respond to questions and communications;
  • Store information so you will not have to re-enter every time you wish to use the Site or Mobile App;
  • Administer and manage the Company, the Site, and Mobile App;
  • Develop and test new features;
  • Diagnose or fix technology problems;
  • Notify you about your account;
  • Provide client service and/or marketing products or services;
  • Administer, enhance, and communicate with you regarding the Company’s events, marketing, and advertising;
  • Make communications necessary to notify you regarding order confirmations, products, services, market research, requests, fraud, marketing, security, privacy, and administrative issues;
  • Use your Payment Card Information as stated in the “Payment Information” Section above;
  • Any other purpose described in this Policy; or
  • When we otherwise have your permission.

Other uses and disclosures not described in this Privacy Policy will be made only with the express written authorization from a Covered Entity or patient.

Care Cap Plus will not sell or rent any of your personal information to third-parties for their marketing purposes and only shares your personal information with third-parties as described above. Information that has been made anonymous so that it does not identify a specific user is not considered personal information and we may share aggregated, non-identifiable user information with third-parties, such as advertisers and content distributors.

Federal and state laws allow you to restrict the sharing of your personal information in certain instances such as sharing your information so that third-parties can market to you.  However, because we will not share your information in these instances, there is no need for you to opt-out from this kind of information sharing.

Revocation of Your Consent to Use and Disclose PHI

Many permitted uses and disclosures of PHI are only possible with your express patient consent.  Patient written authorization is required for any use or disclosure of PHI that is used for any reason other than patient financial consultation, collections and/or communications regarding such.

You may revoke your consent to use and disclose your PHI at any time by sending written revocation of your consent to the processing of your PHI to us at [email protected]. All PHI processed before we receive your revocation of consent will be considered legally processed with your consent. In addition, you may request that all of your PHI be removed from our systems and processes by sending written request for removal and destruction of all your data to us at [email protected]. Upon receipt of your request, we will take all steps necessary to remove all of your PHI completely and permanently unless we are unable to do so for legal, compliance, or other legitimate reasons.

Your Rights

You may request information about:

  • The purpose of our use and disclosure of your PHI;
  • The legal basis for our use and disclosure of your PHI;
  • The categories of PHI and the subject concerned;
  • Information on the type or identity of third parties to which your PHI may be disclosed and the protection provided;
  • The source of the PHI (if you didn’t provide it directly to us); and
  • How long it will be stored.

You have a right to:

  • Access your PHI;
  • Have inaccurate PHI corrected;
  • Request erasure of PHI;
  • Restrict the processing of your PHI;
  • Object to the processing of your PHI;
  • Data portability;
  • Opt out of PHI being transferred to a third party, unless there is a legal reason to do so; and
  • Opt out of direct marketing and/or communications.

To exercise your rights, you can write to our HIPAA Compliance Officer at [email protected].

Requests Regarding PHI

Requests for access to your PHI, requests to amend your PHI, or requests for an accounting of disclosures of your PHI shall be in writing to our HIPAA Compliance Officer at [email protected]. We will act on your request no later than thirty (30) calendar days after we receive your request. If we are not able to act within this timeframe, we will provide you with a written statement of the reasons for the delay and the date by which we will complete our action on your request, which date will be no more than an additional thirty (30) calendar days from the original thirty (30) days.

Access to PHI

As provided in the BAA, we will make available to Covered Entities information necessary for the Covered Entity to give individuals their rights of access, amendment, and accounting in accordance with HIPAA regulations.

Upon request, we will make our internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of a Covered Entity, available to the Covered Entity or the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with the terms of the BAA and HIPAA regulations.

Our Responsibilities

As a Business Associate, we have a number of legal responsibilities. They include the responsibility to:

  • Enter into a written BAA with Covered Entities that requires us to maintain the privacy of PHI, limit our use or disclosure of PHI to those purposes authorized by the Covered Entities, and assist Covered Entities in responding to your requests concerning your PHI;
  • Amend PHI relating to you when requested by a Covered Entity;
  • Make certain disclosures available to a Covered Entity in order for the Covered Entity to fulfill its obligation to provide you with accountings of certain disclosures;
  • Enter into a BAA with each of our subcontractors who may have access to your PHI;
  • Comply with Privacy Rule provisions, including rules governing the uses and disclosure of PHI and your rights concerning your PHI;
  • Perform a Security Rule risk analysis;
  • Implement Security Rule safeguards;
  • Train personnel concerning the HIPAA Rules;
  • Respond immediately to any security violation or breach;
  • Timely report security incidents and breaches; and
  • Maintain required documentation.

Safeguards

We use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for in the BAA. We have implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that we create, receive, maintain, or transmit on behalf of a Covered Entity. Such safeguards include:

  • Maintaining appropriate clearance procedures and providing supervision to assure that our workforce follows appropriate security procedures;
  • Providing appropriate training for our staff to assure that our staff complies with our security policies;
  • Making use of appropriate encryption when transmitting PHI over the Internet;
  • Utilizing appropriate storage, backup, disposal, and reuse procedures to protect PHI;
  • Utilizing appropriate authentication and access controls to safeguard PHI;
  • Utilizing appropriate security incident procedures and providing training to our staff sufficient to detect and analyze security incidents;
  • Maintaining a current contingency plan and emergency access plan in case of an emergency to assure that the PHI we hold on behalf of a Covered Entity is available when needed;
  • Employing session time-outs, where logging back into our Services is required, after a specified period;
  • Requiring unique user links to secured portions of our business partners; and,
  • Utilizing secure password practices, including password strength requirements and secure password reset procedures.

Although Care Cap Plus attempts to protect the personal information in its possession, no system can guarantee 100% security at all times. Accordingly, we cannot guarantee the security of information stored on or transmitted to or from our Services despite our best efforts.

Password Policy

All employees are required to use unique passwords and to update them every 90 days. Password requirements are:

  • Minimum length of 8 characters;
  • Cannot reuse any of the previous 4 passwords;
  • Cannot contain the username or user ID; and
  • Must be complex, containing at least one uppercase letter, one lowercase letter, one numeric character, and a symbol.

All passwords are created using the 1Password password generator and stored in 1Password. Windows passwords must be updated every 90 days using the same criteria.
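As an added example (not Care Cap Plus's own code), the following Python checker implements the rules stated above: minimum length, no reuse of the previous four passwords, no username or user ID in the password, the four required character classes, and 90-day expiry. The account names, sample passwords and the PBKDF2 iteration count are assumptions; only the rules and the PBKDF2-HMAC-SHA256 algorithm come from the page.

```python
"""Password-policy checks modelled on the Password Policy section above.

Constructed example: account values and PBKDF2_ITERATIONS are assumptions,
not Care Cap Plus settings. Stored history holds salted PBKDF2 digests only,
so the reuse check never needs plaintext of earlier passwords.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 8                  # "Minimum length (8)"
HISTORY_DEPTH = 4               # "Cannot reuse previous passwords (4)"
MAX_AGE = timedelta(days=90)    # "update every 90 days"
PBKDF2_ITERATIONS = 100_000     # assumed value; algorithm name is from the page


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 digest used for comparison with stored history."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_at: datetime


@dataclass
class Account:
    username: str
    user_id: str
    history: list = field(default_factory=list)   # oldest first, newest last


def complexity_errors(password: str, account: Account) -> list:
    """Return the rules the candidate violates (empty list means it passes)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for label, ident in (("username", account.username), ("user ID", account.user_id)):
        if ident and ident.lower() in lowered:      # case-insensitive substring
            errors.append(f"contains the {label}")
    if not any(c.isupper() for c in password):
        errors.append("no uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(not c.isalnum() for c in password):
        errors.append("no symbol")
    return errors


def reuses_recent(password: str, account: Account) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH passwords."""
    for rec in account.history[-HISTORY_DEPTH:]:
        # each record has its own salt, so re-derive per record; compare in constant time
        if hmac.compare_digest(derive(password, rec.salt), rec.digest):
            return True
    return False


def is_expired(account: Account, now: datetime) -> bool:
    """True when the current password is older than MAX_AGE or none is set."""
    if not account.history:
        return True
    return now - account.history[-1].set_at > MAX_AGE


def set_password(account: Account, password: str, now: datetime) -> list:
    """Apply every rule; on success append a new record and return []."""
    errors = complexity_errors(password, account)
    if reuses_recent(password, account):
        errors.append(f"reuses one of the previous {HISTORY_DEPTH} passwords")
    if errors:
        return errors
    salt = os.urandom(16)
    account.history.append(PasswordRecord(salt, derive(password, salt), now))
    return []
```

Rotating through four further compliant passwords makes the original one acceptable again, which is exactly the history window the policy describes.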

1Password is two-key password storage software. Security features include:

  • AES-GCM-256 authenticated encryption.
  • Encryption keys, initialization vectors, and nonces are all generated using cryptographically secure pseudorandom number generators.
  • PBKDF2-HMAC-SHA256 is used for key derivation.
  • Accounts are protected by a 128-bit Secret Key in combination with an account password.

1Password also provides:

  • Security Breach notification
  • Autofill to prevent phishing
  • Browser verification

Mitigation of Harm

In the event of a use or disclosure of PHI that is in violation of the requirements of the BAA, we will mitigate, to the extent practicable, any harmful effect resulting from the violation. Such mitigation will include:

  • Reporting any use or disclosure of PHI not provided for by the BAA and any security incident of which we become aware to the Covered Entity; and
  • Documenting such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosure of PHI in accordance with HIPAA.

Records

Our Services require us to retain personally identifiable and/or health information of our users (“Records”).  Care Cap Plus shall retain and store your Records as required under the terms of our various agreements, as well as required under certain federal and state laws.

Email Communications

DO NOT SEND EMAILS CONTAINING YOUR MEDICAL RECORDS TO CARE CAP PLUS.  If you want to enter additional documents into your account, update/amend your records, or otherwise enter additional information into your records, use the Portal’s secure uploading features or contact your Provider.

Non-Covered Email Communications

Certain emails and other communications from individuals who are not users of our Services are not covered by this Policy. For example, if you contact us regarding a job opening, that communication to us is not covered by this Policy even though that job opening may have been posted on our website, social media pages or elsewhere.

Third-Party Services

This Policy applies only to those Services being provided by Care Cap Plus. It does not apply to services offered by third-parties, including websites and other online services that our Services may display links to, to advertisements appearing within our Services, or on third-party websites and/or which contain advertisements for Care Cap Plus. While visiting such websites, or when you click on such links or advertisements displayed on a Care Cap Plus site or in its app, you will be visiting websites or interactive services operated by third-parties, who may have their own information collection practices and may also collect information through the use of their own analytics tools. We do not have control over how any third-party collects or uses information, so you should review their privacy policies to learn of their practices.

Changes to this Policy

The Company reserves the right to modify or amend this Policy at any time, but should it be necessary to do so, will notify you of any material changes to this Policy by email and/or by posting such changes at the Site or by other acceptable means. All amended terms will automatically take effect thirty (30) days after we provide such notice, or on a date that we specify in the notice. Each version of the Policy is identified at the top of the page by its effective date. Your continued use of the Site after changes have been posted constitutes your acceptance of the Policy as amended. If you do not agree to the changes, please do not use the Site or the Mobile App.  Because this Policy can change at any time, we encourage you to reread it periodically to see if there have been any changes, amendments, or updates. If you object to the changes or any terms within this Policy or the User Agreements, you should discontinue using our Services. Your continued use of our Services following the effective date means that you have consented to the Policy, as amended, changed, or updated.

Viewing and Updating Your Information

Our Services aim to provide you with access to the information you submit and the means to update it within our Services consistent with applicable law. This can be accomplished by logging into our Services and updating that information, or contacting a customer support representative, although please be advised of the important limitations described below. Under certain circumstances, we may ask you to verify your identity before your request is processed.

Underage Users

Our Services are not intended for use by any persons under the age of 18.  Care Cap Plus does not solicit or collect information from or about children under the age of 18, except in cases where they are the subject matter or contained in the documentation of a user over the age of 18.  Care Cap Plus does not solicit or market its services to children under the age of 18.  Care Cap Plus encourages all parents and guardians to talk to their children about online safety and privacy and to monitor their children’s use of the internet and mobile applications.  If you suspect someone, including your child, may be an underage user of our services, please contact us as provided below.

General Data Protection Regulation (GDPR)

Care Cap Plus understands that some patients accessing their records may be citizens of the European Union and therefore their health records may fall under the jurisdiction of the GDPR.  If any European Union citizen wishes to exercise their data rights, including, but not limited to, the rights of data portability, the right of erasure (aka the right to be forgotten), and/or the right to object to the processing of personal data or automated decision making, these patients should contact [email protected].  European Union users expressly acknowledge that the creation of an account constitutes acceptance of this Privacy Policy, as does ongoing usage of this account.

Complaints

Any user may file a complaint with Care Cap Plus for any reason (including without limitation, a belief that Care Cap Plus may be in violation of any government regulation) by email at [email protected] or by phone at (800) 264-2274.  All complaints received shall be reviewed by the appropriate Care Cap Plus staff (which in some circumstances may be Care Cap Plus’ Privacy Officer, corporate counsel or other member of senior management).

Additionally, HIPAA permits any person who believes that a Covered Entity and/or Business Associate is not complying with the privacy law to file a complaint with the Secretary of the Department of Health and Human Services.  Nothing in this privacy policy should be construed or interpreted to discourage any person from filing such a complaint.

Changes to Our Privacy Policy

From time to time we may change or update our Privacy Policy. We reserve the right to make changes or updates at any time. If we make material changes to the way we process your PHI, we will provide you notice via our services or by other communication channels.

How to Contact Us

If you have any questions regarding this Privacy Policy, please contact:

Attention: Chief Operating Officer
Email: [email protected]
Telephone: (800) 264-2274

Revised: April 5, 2023