Privacy Policy

Version: 2.0
Effective Date: January 1, 2024

If you are a patient of a healthcare provider that uses Charted Health, please review our Patient Consent and Data Use Agreement / Opt‑Out Form to understand how your data may be used and how to opt out of deidentified data sharing.

Introduction

Charted Health, LLC (“Charted Health,” “we,” “our,” or “us”) provides electronic medical record (EMR) and healthcare data technology services to healthcare providers and their patients. We are committed to protecting the privacy, security, and integrity of the information we process. This Global Privacy Policy explains how we collect, use, disclose, and protect personal and health-related information across all regions where we operate, including the United States, European Union, United Kingdom, Canada, and other jurisdictions with data protection laws.

This policy complements, and does not override, any Business Associate Agreement (BAA) or Data Processing Agreement (DPA) between Charted Health and healthcare providers.

Scope

This policy applies to:

  • Visitors to our website (chartedhealth.com)
  • Users of our software, platforms, and mobile applications
  • Healthcare providers and organizations using Charted Health’s products
  • Patients whose information is processed through Charted Health EMR systems

Note: Provider-specific BAAs/DPAs govern the handling of Protected Health Information (PHI) within the EMR.

Information We Collect

A. Information from Patients (via Providers)

  • Demographic and contact information (name, address, phone, email)
  • Medical history, diagnoses, prescriptions, and treatment data
  • Insurance and billing information
  • Technical and usage data from patient portals or mobile apps

Charted Health does not collect PHI directly from patients without the involvement of a healthcare provider. We process PHI strictly under our HIPAA Business Associate Agreement (BAA).

B. Information from Providers and Users

  • Business contact and account information
  • System usage and configuration data
  • Security logs and device identifiers
  • Feedback and support communications

C. Information from Website Visitors

  • Cookies and analytics data (browser type, IP address, pages visited)
  • Information submitted via forms or online communications

How We Use Information

  1. Healthcare Delivery Support: Operating the EMR system, facilitating provider workflows, and supporting patient care.
  2. Security & Compliance: Maintaining system integrity, auditing, and preventing unauthorized access.
  3. Research & Product Improvement: Using deidentified data to improve accuracy, reliability, and performance of clinical algorithms, user experience, and system features.
  4. Commercial Use of Deidentified Data: Creating and licensing deidentified datasets for lawful research, analytics, and innovation. These datasets never include identifiable PHI. Patients can opt out at any time via the Patient Data Use Agreement.
  5. Legal & Regulatory Obligations: Complying with laws, court orders, and enforcement requests.

Legal Basis for Processing (GDPR / UK GDPR)

  • Contractual necessity: To provide EMR and related services to healthcare providers.
  • Legal obligation: To comply with healthcare and data protection laws.
  • Legitimate interests: For system improvement, security, and deidentified analytics.
  • Consent: For optional communications or participation in studies, where required.

Deidentified and Aggregated Data

Charted Health deidentifies PHI in accordance with HIPAA §164.514, using Safe Harbor and/or Expert Determination methods. Once data is deidentified, it is no longer considered personal or protected information under HIPAA, CCPA/CPRA, or GDPR.

Deidentified data may be:

  • Used to improve system functionality, AI models, or analytics tools
  • Licensed or shared for research or industry benchmarking
  • Retained for lawful business or compliance purposes

Patients can opt out of deidentified data inclusion by following instructions in the Patient Consent and Data Use Agreement.

Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access and receive a copy of your data
  • Correct or update your information
  • Request deletion of your information (where applicable)
  • Restrict or object to processing
  • Withdraw consent (where processing is based on consent)
  • Opt out of deidentified data inclusion (via the Data Use Agreement)
  • Lodge a complaint with a relevant regulatory authority

To exercise these rights, contact: privacy@chartedhealth.com

Data Sharing and Transfers

We may share information with:

  • Authorized service providers and business associates (under HIPAA or contractual controls)
  • Subprocessors providing infrastructure, analytics, or support (under binding agreements)
  • Regulators or authorities as required by law

If data is transferred outside your jurisdiction (e.g., to the U.S.), Charted Health uses lawful mechanisms such as Standard Contractual Clauses (SCCs), adequacy decisions, and appropriate safeguards.

Security

Our safeguards include:

  • Encryption at rest and in transit
  • Role-based access control and multifactor authentication
  • Logging, monitoring, and security audits
  • Continuous risk assessments and incident response protocols

Data Retention

We retain identifiable data only as long as necessary for service provision, legal compliance, and contractual obligations, or as required by providers under healthcare regulations. Deidentified data may be retained indefinitely for research, analytics, and lawful business use.

Minors’ Data

Charted Health does not knowingly collect or process data directly from individuals under 13 years old. Any pediatric information processed within the EMR is managed solely under the healthcare provider’s HIPAA obligations.

Contact Information

Charted Health Privacy Office
Email: privacy@chartedhealth.com
Phone: 888-299-5524
Address: 920 S Kimball Avenue, Suite 100, Southlake, TX 76092

Policy Updates

We may update this Global Privacy Policy periodically. Any material changes will be posted on this page with a revised “Effective Date.” Continued use of our services after such updates constitutes acceptance of the revised policy.

Related Documents