Healthcare Privacy Notice
Last updated: July 3, 2026
1. Scope of This Notice
This Healthcare Privacy Notice describes how Swipe Savvy, Inc. ("Swipe Savvy," "we," "us," or "our") handles Protected Health Information ("PHI"), electronic PHI ("ePHI"), and consumer health data in connection with Savvy Health and our related healthcare, EHR, practice management, billing, claims, laboratory, e-prescribing, telehealth, patient portal, messaging, and analytics services (the "Healthcare Services").
It supplements our general Privacy Policy. Where the two differ with respect to PHI, this Healthcare Privacy Notice and the applicable Business Associate Agreement control. Our Healthcare Services are offered in the United States only.
2. Our Role as a Business Associate
When a healthcare provider, health plan, clearinghouse, or other HIPAA-regulated customer (each a "Covered Entity" or upstream "Business Associate") uses the Healthcare Services, Swipe Savvy acts as a Business Associate and processes PHI on that customer's behalf. The customer is the covered entity or controller of the PHI; Swipe Savvy processes PHI only as permitted by the applicable Business Associate Agreement ("BAA"), our Healthcare Terms, the underlying services agreement, the customer's lawful instructions, and applicable law.
Swipe Savvy is a health information technology provider. We do not provide medical, clinical, pharmacy, laboratory, or other licensed professional services, and we do not form a provider-patient relationship. See our Healthcare Terms for details.
3. Consumer Health Data
Some information we process is not PHI under HIPAA but is nonetheless health-related — for example, consumer-entered wellness data, retail health-product purchase data, biometric or wearable data, or health-related location data ("Consumer Health Data"). We handle Consumer Health Data under the underlying agreement, our Privacy Policy, and applicable state consumer-health-data, biometric, genetic, reproductive-health, minor-confidentiality, and breach-notification laws.
4. We Do Not Sell PHI or Consumer Health Data
We do not sell PHI, and we do not use PHI for marketing in a manner prohibited by HIPAA. We do not receive remuneration in exchange for PHI except as permitted by HIPAA and the applicable agreement. We do not sell Consumer Health Data except as expressly permitted by applicable law and the applicable agreement.
5. De-Identified and Aggregated Data
Subject to the applicable BAA and applicable law, we may de-identify PHI in accordance with 45 CFR 164.514. De-identified and aggregated data is not PHI and may be used for analytics, benchmarking, product improvement, security, operations, quality, research, and development.
We do not use PHI to train generalized, foundation, or third-party AI models. We require AI vendors and AI-related subcontractors that process PHI to agree in writing not to use PHI to train models and not to retain PHI except as necessary to provide the contracted service or as otherwise permitted by the BAA.
6. Subprocessors and Offshore Support
We use subprocessors — including cloud hosting, AI/LLM, SMS, email, clearinghouse, fax, payment, transcription, laboratory-integration, and support vendors — to provide the Healthcare Services. We require subprocessors that create, receive, maintain, or transmit PHI on our behalf to enter into written agreements with privacy, security, and BAA flow-down obligations. Our current list of material PHI-handling subprocessors is available on our Subprocessors page.
We may use trained support, engineering, and technical personnel located outside the United States, including in the Philippines, to access data for support, maintenance, troubleshooting, implementation, and security purposes, subject to confidentiality obligations, minimum-necessary restrictions, access controls, logging, and training. Unless otherwise agreed in a signed order form, production PHI is hosted in the United States, though remote access from outside the United States may occur.
7. Security Safeguards
We maintain commercially reasonable administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of the data we process, including safeguards applicable to ePHI under the HIPAA Security Rule. These include access controls, audit controls, transmission security, encryption or equivalent protections where reasonable and appropriate, authentication, logging, workforce controls, incident response, and vendor controls.
We do not represent that we have completed SOC 2, HITRUST, ISO 27001, or any other specific third-party certification unless expressly stated in a signed writing issued by Swipe Savvy.
8. Substance Use Disorder Records (42 CFR Part 2)
Certain records may be subject to the federal confidentiality rules for substance-use-disorder records at 42 CFR Part 2 ("Part 2 Records"). Where our customer submits Part 2 Records and we are aware of them, we process such records only as permitted by Part 2, HIPAA, the applicable BAA, the customer's lawful instructions, and applicable law. We do not use or disclose Part 2 Records in any civil, criminal, administrative, legislative, law-enforcement, or other proceeding against a patient except as permitted by Part 2, written patient consent, or a valid court order. Customers are responsible for identifying, tagging, and restricting Part 2 Records and for obtaining required patient consents.
9. State Health-Privacy Rights (California & Washington)
Depending on where you live, you may have rights over your health-related information under state law. Individuals in California (including under the California Consumer Privacy Act, as amended, and the Confidentiality of Medical Information Act) and in Washington (including under the Washington My Health My Data Act) may have rights to access, correct, delete, or restrict the use of certain health-related data, and to withdraw consent, subject to applicable exceptions.
Because Swipe Savvy typically processes PHI as a Business Associate on behalf of a healthcare provider or plan, individuals should generally direct requests concerning their medical records to their provider or plan (the covered entity). We will support our customers in responding to those requests as required by the applicable BAA and law. For Consumer Health Data that we handle outside a BAA, you may contact us using the details below.
10. Contact Us
For questions about this Healthcare Privacy Notice or our handling of health-related data, contact:
- Privacy Inquiries: privacy@swipesavvy.com
- Mail: Swipe Savvy, Inc. — Attn: Legal / Privacy / Security, 250 N. Orange Ave., Ste. 1250, Orlando, FL 32801
With a copy of privacy, security, breach, HIPAA, and BAA notices to our outside counsel: Paul Lee, Esq., OlenderFeldman LLP, plee@olenderfeldman.com, (908) 964-2464.
This Notice is governed by the laws of the State of Florida, without regard to conflict-of-law rules, unless a signed order form states otherwise.