Version: 3.0
Effective Date: January 1, 2023
This notice explains how Charted Health, LLC (“Charted Health”) may use and share information derived from your healthcare provider’s use of the Charted Health electronic medical record (EMR) system. It describes Charted Health’s data practices, your rights, and your ability to opt out of the use of your deidentified data.
Purpose
Your healthcare provider uses the Charted Health EMR to manage your care. Charted Health operates as a HIPAA Business Associate and processes your Protected Health Information (PHI) solely on behalf of your provider. In addition, Charted Health may create and use deidentified data for lawful analytics, research, and product improvement purposes. This document informs you of those practices and your right to opt out.
Data Use and Disclosure Practices
Charted Health processes data in two distinct forms:
Identifiable Data (PHI)
- Used only for treatment, payment, and healthcare operations under HIPAA.
- Never sold or disclosed for marketing or commercial use.
- Protected through administrative, technical, and physical safeguards.
Deidentified or Aggregated Data
Charted Health may deidentify PHI following HIPAA’s deidentification standards (45 CFR §164.514, Safe Harbor or Expert Determination methods).
Once deidentified, data is no longer considered PHI and may be used by Charted Health to:
- Improve and calibrate algorithms, AI models, and clinical decision tools;
- Conduct analytics, benchmarking, and quality improvement;
- Support lawful research and innovation;
- License or share deidentified datasets with qualified third parties for healthcare, scientific, or technical advancement.
Charted Health will not sell or disclose identifiable PHI.
Deidentified data is governed by HIPAA, FTC, and applicable state privacy laws.
Opt-Out Rights
You may choose not to have your deidentified data included in Charted Health’s analytics, AI calibration, research, or commercial licensing programs.
To opt out: Email privacy@chartedhealth.com, or mail a written request to:
Charted Health Privacy Office
920 S Kimball Avenue, Suite 100
Southlake, TX 76092
Your opt-out request will apply to future data processing.
Deidentified data already created or used before your request cannot be withdrawn.
Opting out will not affect your care, access to services, or your provider’s use of Charted Health’s EMR system.
Legal Compliance Framework
HIPAA (Health Insurance Portability and Accountability Act)
- Deidentification follows HIPAA §164.514 standards.
- Documentation is maintained for Safe Harbor or Expert Determination methodologies.
- No reidentification is permitted except for security validation or compliance audits.
FTC Fair Information Practices
- Charted Health ensures transparency, notice, and truthful representation of data practices.
- Implements data minimization, encryption, and audit controls.
- Prohibits deceptive or misleading statements regarding data use or sale.
State Privacy Laws (CCPA/CPRA, VCDPA, CPA, etc.)
- Deidentified data is not considered “personal information” under these laws.
- Charted Health commits to preventing reidentification or unlawful use.
- Individuals retain the right to opt out of deidentified data inclusion as described in this notice.
Security and Governance
- All identifiable data is encrypted in transit and at rest.
- Access is limited to authorized personnel under confidentiality agreements.
- Regular risk assessments and third-party audits verify compliance.
- A Data Governance Committee oversees deidentification and privacy standards.
Duration and Effect
- This notice remains effective indefinitely.
- Opt-out requests take effect upon receipt and apply prospectively.
- Charted Health may continue to use or share deidentified data created before opt-out as permitted by law.
Contact Information
Charted Health Privacy Office
Email: privacy@chartedhealth.com
Phone: 888-299-5524
Address: 920 S Kimball Avenue – Suite 100, Southlake, TX 76092
You may also contact the U.S. Department of Health and Human Services, Office for Civil Rights, or the California Privacy Protection Agency (CPPA) regarding privacy concerns.
Acknowledgment
Submission of this form indicates that you wish to opt out of having your deidentified data included in Charted Health’s analytics, research, AI calibration, or commercial licensing activities.
If no form is submitted, your deidentified data may be used in accordance with this notice.