Privacy Policy
Last Updated: February 6, 2026
OneMed Solutions ("we", "our", or "us") is committed to protecting your privacy and the security of your personal
information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use
the OneMed CRM platform ("Service").
This policy complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HITECH Act,
and applicable state privacy laws. For users in the European Union, this policy also addresses requirements under
the General Data Protection Regulation (GDPR).
1. Notice of Privacy Practices (HIPAA)
This section serves as the Notice of Privacy Practices (NPP) required under HIPAA §164.520. It describes how medical
information about patients may be used and disclosed, and how patients can get access to this information.
1.1 Uses and Disclosures of Protected Health Information (PHI)
We may use and disclose PHI for the following purposes:
- Treatment: To provide, coordinate, or manage healthcare treatment and related services
- Payment: To process payments for healthcare services rendered
- Healthcare Operations: To support business activities including quality assessment, training, and compliance activities
- As Required by Law: When required to comply with federal, state, or local laws
- Public Health Activities: For public health surveillance or reporting as required by law
1.2 Patient Rights
Under HIPAA, patients have the following rights regarding their PHI:
- Right to Access: Request a copy of your medical records
- Right to Amend: Request corrections to your medical records
- Right to Restrict: Request restrictions on certain uses and disclosures of your PHI
- Right to Accounting: Request a list of certain disclosures made of your PHI
- Right to Confidential Communications: Request communications through alternative means or at alternative locations
- Right to a Copy of this Notice: Request a paper copy of this privacy notice at any time
1.3 Breach Notification
In the event of a breach of unsecured PHI, we will notify affected individuals in accordance with the HIPAA Breach Notification Rule (§164.400-414):
- Individual notification within 60 days of breach discovery
- Notification to the HHS Secretary as required
- Media notification if breach affects 500 or more individuals in a state
2. Information We Collect
2.1 Personal Information (Staff/Users)
- Name, email address, phone number
- Employee identification and role information
- Login credentials and authentication data
- IP address, browser type, and device information
- Activity logs and access timestamps
2.2 Protected Health Information (Patients)
- Patient demographics (name, date of birth, address, phone)
- Medical information (prescriptions, diagnoses, treatment plans)
- Insurance and billing information
- Medical device and supply records
3. How We Protect Your Information
We implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule (§164.300-318):
| Safeguard Type | Measures |
| --- | --- |
| Administrative | Security policies, employee training, risk assessments, incident response procedures |
| Physical | Secure data center facilities (AWS), workstation policies, device management |
| Technical | Encryption at rest and in transit, multi-factor authentication, audit logging, access controls, automatic session timeout |
4. Data Retention
We retain information in accordance with applicable law and business requirements:
- PHI: Retained for a minimum of 6 years after the last service date, or as required by applicable state law (whichever is longer)
- User account data: Retained for the duration of the user's employment plus 3 years
- Audit logs: Retained for a minimum of 6 years per HIPAA requirements
- Session data: Automatically purged upon session expiration
5. Data Sharing and Third Parties
We may share information with the following categories of recipients:
- Cloud Infrastructure: Amazon Web Services (AWS) — BAA in place
- Payment Processing: Authorize.net — for processing patient payments
- ERP System: Odoo — for order and inventory management
- Shipping: UPS/Shippo — for medical supply delivery
- Communications: RingCentral — for patient notifications (SMS/Fax)
All third parties with access to PHI have executed Business Associate Agreements (BAAs) as required by HIPAA.
6. GDPR Rights (EU Users)
If you are located in the European Economic Area (EEA), you have additional rights:
- Legal Basis: We process data based on legitimate interest (healthcare operations) and legal obligation (HIPAA compliance)
- Right to Erasure: You may request deletion of your personal data, subject to legal retention requirements
- Right to Portability: You may request your data in a machine-readable format
- Right to Object: You may object to processing of your personal data
- International Transfers: Data is processed in the United States. By using the Service, you consent to the transfer of data to the US
- Data Protection Officer: Contact privacy@onemedcrm.com
7. Complaints
If you believe your privacy rights have been violated, you may:
You will not be retaliated against for filing a complaint.
8. Changes to This Policy
We reserve the right to update this Privacy Policy at any time. Material changes will be communicated to users
through the Service. The "Last Updated" date at the top of this page indicates when this policy was last revised.
9. Contact Information