Privacy Policy
Navix Health Inc.
Effective Date 01/01/2025
1. Introduction and Scope
Navix Health Inc. ("Navix Health," "we," "us," or "our") provides electronic medical records, customer relationship management, and revenue cycle management software and services exclusively to behavioral health treatment facilities, including residential treatment centers, detox facilities, partial hospitalization and intensive outpatient programs, and outpatient mental health, addiction, and eating disorder treatment centers (collectively, "Covered Entities" or "Facilities").
This Privacy Policy describes how we collect, use, disclose, and protect information in connection with our website (navixhealth.com), our software platform, and related services (collectively, the "Services"). This Policy applies to: (a) representatives of Facilities who register for, access, or use our Services; and (b) information about patients and clients of Facilities that is processed through our platform.
As a Business Associate under the Health Insurance Portability and Accountability Act ("HIPAA"), we are bound by the terms of our Business Associate Agreements with Covered Entities and by applicable federal and state privacy laws, including 42 CFR Part 2 governing the confidentiality of substance use disorder patient records.
2. Information We Collect
2.1 Facility Account Information
When a Facility registers for our Services, we collect: business name and contact information; names, email addresses, and phone numbers of authorized users; billing and payment information; and information necessary to configure and deliver our Services.
2.2 Protected Health Information
Through the provision of our Services to Facilities, we process Protected Health Information ("PHI") as defined under HIPAA, including patient and client health records, treatment information, diagnoses, assessments, clinical notes, insurance information, and other individually identifiable health information. We process PHI solely as a Business Associate on behalf of Covered Entities and in accordance with our Business Associate Agreements.
2.3 Substance Use Disorder Records
Our platform processes records related to substance use disorder treatment that are subject to the heightened protections of 42 CFR Part 2. These records receive additional safeguards as described in Section 10 of this Policy.
2.4 Usage and Technical Information
We automatically collect information about how users interact with our Services, including: IP addresses, browser type, device information, pages visited, features used, and timestamps. We use cookies and similar technologies as described in Section 7.
3. How We Use Information
3.1 Service Delivery
We use information to: provide, maintain, and improve our Services; process transactions and send related notices; respond to customer service requests; and fulfill our obligations under Business Associate Agreements.
3.2 Product Development and Improvement
We use information to analyze usage patterns, identify areas for improvement, develop new features, and enhance the functionality and user experience of our Services. This includes analysis of aggregated and de-identified data as described in Sections 4 and 5.
4. Artificial Intelligence and Machine Learning
We use artificial intelligence ("AI") and machine learning ("ML") technologies to improve our products and services and to provide advanced functionality to Facilities. This section describes how we develop, train, and deploy AI/ML features.
4.1 AI/ML Features
Our AI/ML capabilities include, but are not limited to: automated form completion and data extraction from clinical documents; clinical documentation assistance and suggestions; analytics, reporting, and decision support tools; quality improvement and outcome analysis; compliance monitoring and auditing assistance; and pattern recognition for operational efficiency.
4.2 Training Data and Model Development
To develop and improve AI/ML features, we process information in the following ways:
(a) De-Identified Data. We use De-Identified Information (as defined in Section 5) to train, develop, test, and improve our AI/ML models. Because De-Identified Information does not identify any individual, it is not subject to the restrictions applicable to PHI under HIPAA or this Privacy Policy. Our use of De-Identified Information for AI/ML purposes does not require additional authorization from Facilities or patients.
(b) Aggregated Data. We aggregate information across multiple Facilities in de-identified form to identify patterns, develop benchmarks, train models on diverse data sets, and generate insights. This Aggregated Data cannot be used to identify any individual patient or specific Facility and may be used for any lawful purpose.
(c) Facility-Specific Processing. With appropriate authorization under our Business Associate Agreement, we process Facility data to provide AI-powered features within that Facility's account (such as form auto-completion based on the Facility's own records). This processing occurs under the terms of our Business Associate Agreement and does not involve sharing identifiable data with other Facilities.
4.3 AI/ML Safeguards
We implement the following safeguards for AI/ML processing: all training data undergoes de-identification before use in model training; we maintain technical and organizational measures to prevent re-identification; AI/ML models are designed to output predictions and suggestions, not to reproduce training data; we conduct regular audits of AI/ML systems for accuracy, bias, and privacy compliance; and Facilities retain control over whether to enable AI-powered features in their accounts.
5. De-Identification of Health Information
"De-Identified Information" means health information that has been processed to remove identifiers such that the information does not identify an individual and there is no reasonable basis to believe the information can be used to identify an individual.
5.1 De-Identification Methods
We de-identify health information using methods consistent with HIPAA's Safe Harbor standard (45 CFR 164.514(b)(2)), which requires removal of the following categories of identifiers: names; geographic subdivisions smaller than a state; dates directly related to an individual (except year) including birth date, admission date, discharge date, and date of death; telephone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers; device identifiers and serial numbers; web URLs; IP addresses; biometric identifiers; full-face photographs and comparable images; and any other unique identifying number, characteristic, or code.
Additionally, we do not have actual knowledge that the remaining information could be used, alone or in combination with other information, to identify an individual.
5.2 Use of De-Identified Information
De-Identified Information is not Protected Health Information under HIPAA and may be used for any lawful purpose, including: AI/ML model training and development; product research and improvement; benchmarking and analytics; academic research and publication (in aggregated form); and industry reporting.
5.3 Re-Identification Prohibition
We do not attempt to re-identify De-Identified Information, and we contractually prohibit any third parties who receive De-Identified Information from us from attempting re-identification.
6. Data Retention
6.1 Active Accounts
We retain information for as long as a Facility's account is active and as needed to provide Services. Facilities may request deletion of specific records in accordance with applicable law and our Business Associate Agreement.
6.2 Upon Termination
Upon termination of Services: we will retain data for a transition period as specified in our service agreement (typically 25 years) to facilitate migration to a new provider; after the transition period, we will securely delete or return PHI as directed by the Facility and in accordance with our Business Associate Agreement; we may retain De-Identified Information and Aggregated Data indefinitely for the purposes described in this Policy; and we will retain records as required by applicable law, including for audit, compliance, and legal purposes.
6.3 Backup and Archival Copies
Backup copies of data may persist in our systems for a reasonable period following deletion requests due to technical limitations of backup systems. Such backup data is protected by the same security measures as active data and is permanently deleted in accordance with our backup retention schedule.
7. Cookies and Tracking Technologies
We use cookies and similar technologies to recognize your browser, maintain session state, remember preferences, and analyze how our Services are used. You may disable cookies through your browser settings, though this may affect functionality. We may use third-party analytics services to help understand usage patterns; these service providers are contractually prohibited from using collected information for their own purposes.
8. SMS Communications
We may use your provided mobile number to send transactional SMS messages related to your account activities, such as appointment reminders, confirmations, and schedule updates. These messages are sent only to users who have opted in to receive SMS notifications.
Message frequency will vary based on your interactions with our Services. Standard message and data rates may apply.
You can opt out of receiving SMS messages at any time by replying "STOP" to any message or by adjusting your notification preferences in your account settings. For assistance, reply "HELP" to any message or contact our support team at support@navixhealth.com.
We utilize third-party service providers to facilitate the delivery of SMS messages. These providers are contractually obligated to protect your information and use it solely for the purpose of delivering SMS communications on our behalf.
9. Information Sharing and Disclosure
9.1 No Sale of Information
We do not sell, rent, or trade personally identifiable information or Protected Health Information to third parties for their marketing purposes. Our use of De-Identified Information and Aggregated Data for internal product improvement purposes, including AI/ML model training, does not constitute a sale under applicable law because such data does not identify any individual.
9.2 Service Providers and Subcontractors
We may share information with third-party service providers who perform services on our behalf, such as hosting, data storage, payment processing, and customer support. These providers are bound by contractual obligations to protect information and, where applicable, are subcontractors under our Business Associate Agreements.
9.3 Legal Requirements
We may disclose information when required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. Disclosures of substance use disorder records are made only in accordance with 42 CFR Part 2, which generally requires a court order.
9.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, information may be transferred as part of that transaction. We will notify affected Facilities of any change in ownership or control and any choices they may have regarding their information.
10. Security Measures
We implement administrative, technical, and physical safeguards designed to protect information in accordance with HIPAA Security Rule requirements (45 CFR Part 164 Subpart C). These measures include: encryption of data in transit and at rest; access controls and authentication requirements; audit logging and monitoring; regular security assessments and testing; workforce training on privacy and security; incident response procedures; and business continuity and disaster recovery planning.
11. Confidentiality of Substance Use Disorder Records
11.1 Consent Requirements
Except as permitted by 42 CFR Part 2, disclosure of substance use disorder records requires written patient consent that specifies: the name of the person or organization to receive the information; the purpose of the disclosure; how much and what kind of information will be disclosed; the patient's signature and date; a statement that consent may be revoked; and the date, event, or condition upon which consent expires.
11.2 Prohibition on Re-Disclosure
Information disclosed pursuant to patient consent is accompanied by a statement that federal law prohibits recipients from making further disclosure without additional patient consent or as otherwise permitted by 42 CFR Part 2.
11.3 De-Identification Under Part 2
Information that has been de-identified in accordance with HIPAA standards such that it does not identify a patient and there is no reasonable basis to believe it could identify a patient is not subject to the restrictions of 42 CFR Part 2. Our de-identification procedures are designed to meet this standard.
12. Notice of Health Information Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOUR CLIENTS AND PATIENTS MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
12.1 Our Responsibilities
As a Business Associate, we are required to: maintain the privacy and security of PHI; provide notice of our legal duties and privacy practices; abide by the terms of our Business Associate Agreements; notify Covered Entities and the Department of Health and Human Services of breaches of unsecured PHI; and make reasonable efforts to use, disclose, and request only the minimum necessary PHI.
12.2 Permitted Uses and Disclosures
We may use and disclose PHI for: treatment, payment, and health care operations activities on behalf of Covered Entities as specified in our Business Associate Agreements; creating De-Identified Information as described in this Policy; and purposes required or permitted by law.
13. California Privacy Rights
California residents have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). However, HIPAA-covered health information processed by a covered entity or business associate is exempt from CCPA/CPRA. For personal information not covered by the HIPAA exemption, California residents have the right to: know what personal information is collected; request deletion of personal information; opt out of the sale or sharing of personal information; correct inaccurate personal information; and limit use of sensitive personal information. We do not sell personal information as defined under CCPA/CPRA. Our use of De-Identified Information does not constitute a sale because such information does not identify any individual.
14. Information About Minors
Our Services are provided to Facilities, not directly to patients or the general public. We do not knowingly collect personal information directly from individuals under 18 years of age. Facilities may use our platform to maintain records of minor patients in accordance with applicable law and with appropriate parental or guardian consent. The treatment of minor patient records is governed by HIPAA, state law, and our Business Associate Agreements.
15. Third-Party Links
Our Services may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access.
16. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to Facilities through email notification or prominent notice within the Services. Changes become effective upon posting unless otherwise specified. Continued use of our Services after changes are posted constitutes acceptance of the updated Policy.
17. Contact Information
If you have questions about this Privacy Policy or our privacy practices, please contact us at:
Navix Health Inc.
Email: support@navixhealth.com
To file a privacy complaint with the federal government, contact the Office for Civil Rights, U.S. Department of Health and Human Services at ocrcomplaint@hhs.gov or (800) 368-1019.