Privacy Policy
Last Updated: December 2025
1. Introduction
Scale Health Forward ("we," "our," or "us") is committed to protecting your privacy and the privacy of protected health information (PHI). We implement security practices aligned with the Health Insurance Portability and Accountability Act (HIPAA) and other applicable privacy laws. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services.
2. HIPAA-Aligned Security Practices
Scale Health Forward is committed to implementing security practices aligned with HIPAA requirements. We understand the critical importance of protecting patient health information and have implemented safeguards designed to align with HIPAA's Privacy, Security, and Breach Notification Rules. However, we recommend that customers consult with their compliance teams to ensure our services meet their specific requirements.
2.1 Business Associate Agreements (BAA)
As a Business Associate under HIPAA, we enter into Business Associate Agreements (BAAs) with covered entities and other business associates who use our services. These agreements ensure that we handle protected health information (PHI) in accordance with HIPAA requirements.
2.2 Administrative Safeguards
- Designated security officer responsible for HIPAA compliance
- Workforce training on HIPAA requirements and privacy practices
- Access controls limiting PHI access to authorized personnel only
- Regular risk assessments and security audits
- Incident response procedures for potential breaches
2.3 Physical Safeguards
- Secure facilities with controlled access
- Workstation security measures
- Device and media controls
2.4 Technical Safeguards
- End-to-end encryption for data in transit and at rest
- Access controls and authentication mechanisms
- Audit logs and monitoring systems
- Data integrity controls
- Transmission security measures
3. Information We Collect
3.1 Protected Health Information (PHI)
When you use our services as a healthcare provider or billing organization, we may collect and process PHI, including but not limited to:
- Patient demographic information
- Medical record numbers
- Diagnosis and treatment information
- Billing and claims information
- Other information necessary for providing our services
3.2 Non-PHI Information
We may also collect non-PHI information, including:
- Account registration information (name, email, organization)
- Usage data and analytics
- Technical information (IP address, browser type, device information)
- Cookies and similar tracking technologies
4. How We Use Information
We use the information we collect to:
- Provide, maintain, and improve our services
- Process claims and handle denials
- Generate context-aware patient documentation
- Comply with legal and regulatory obligations
- Respond to your inquiries and provide customer support
- Send important service-related communications
- Detect and prevent fraud or abuse
We do not use PHI for marketing purposes without your explicit authorization.
5. How We Share Information
We may share information in the following circumstances:
- With Your Authorization: We may share PHI as authorized by you or as necessary to provide our services
- Business Associates: We may share PHI with third-party service providers who are bound by BAAs and HIPAA requirements
- Legal Requirements: We may disclose information when required by law, court order, or regulatory authority
- Business Transfers: In the event of a merger, acquisition, or sale, information may be transferred as part of that transaction
We do not sell PHI or use it for marketing purposes without authorization.
6. Data Security
We implement industry-standard security measures to protect information, including:
- Encryption of data in transit using TLS/SSL protocols
- Encryption of data at rest using strong encryption algorithms
- Regular security assessments and penetration testing
- Access controls and authentication requirements
- Network security and monitoring
- Regular backups and disaster recovery procedures
While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to maintaining the highest standards.
7. Data Retention
We retain PHI in accordance with HIPAA requirements and as necessary to provide our services. We retain information for as long as:
- Necessary to fulfill the purposes outlined in this policy
- Required by law, regulation, or contractual obligations
- Necessary to resolve disputes and enforce agreements
Upon termination of service or request, we will securely dispose of or return PHI in accordance with HIPAA requirements and our BAA.
8. Your Rights
Under HIPAA and applicable privacy laws, you have certain rights regarding your PHI, including:
- Right to Access: Request access to your PHI
- Right to Amendment: Request corrections to your PHI
- Right to Accounting: Request an accounting of disclosures
- Right to Restriction: Request restrictions on use or disclosure
- Right to Confidential Communications: Request alternative communication methods
- Right to Complain: File a complaint with us or the Department of Health and Human Services
To exercise these rights, please contact us using the information provided below.
9. Breach Notification
In the event of a breach of unsecured PHI, we will:
- Notify affected individuals without unreasonable delay, and in no case later than 60 days after discovery
- Notify the Secretary of Health and Human Services as required by HIPAA
- Notify media outlets if the breach affects more than 500 residents of a state or jurisdiction
- Provide detailed information about the breach and steps being taken to address it
10. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience on our website. You can control cookie preferences through your browser settings. Note that disabling cookies may affect website functionality.
11. Children's Privacy
Our services are not intended for individuals under the age of 18. We do not knowingly collect information from children. If you believe we have inadvertently collected information from a child, please contact us immediately.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last Updated" date. We encourage you to review this policy periodically.
13. Contact Us
If you have questions or concerns, or wish to exercise your rights regarding this Privacy Policy or our HIPAA compliance practices, please contact us:
Contact: contact@scalehealthfwd.com
Website: scalehealthfwd.com
For HIPAA-related complaints, you may also contact the U.S. Department of Health and Human Services Office for Civil Rights.