Last Updated Aug 13, 2025

Privacy Policy

This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information.

1. Introduction

PHORZEN LLC ("we," "our," or "us") is committed to protecting your privacy and the security of your information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website and use our services, including PhorzenEMR and revenue cycle management services.

This Privacy Policy applies to information collected through:

  • Our website (phorzen.com)

  • PhorzenEMR software platform

  • Revenue cycle management services

  • Customer support interactions

  • Marketing and business communications

By using our services, you agree to the collection and use of information in accordance with this Privacy Policy.

2. HIPAA Compliance

2.1 Protected Health Information (PHI)

As a provider of healthcare services and software, we handle Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA).

2.2 Business Associate Status

When you use our services for healthcare operations, we act as your Business Associate under HIPAA. Our handling of PHI is governed by:

  • Our Business Associate Agreement (BAA)

  • HIPAA Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E)

  • HIPAA Security Rule (45 CFR Part 164, Subpart C)

  • HITECH Act requirements

2.3 PHI Safeguards

We implement comprehensive administrative, physical, and technical safeguards to protect PHI, including:

  • Encryption in transit and at rest

  • Access controls and authentication

  • Audit logging and monitoring

  • Regular security assessments

  • Staff training on HIPAA compliance

  • Incident response procedures

2.4 Separation of PHI and Non-PHI

This Privacy Policy addresses both PHI and non-PHI data. Where applicable, we distinguish between:

  • PHI: Information subject to HIPAA, governed by our BAA

  • Non-PHI: General business information, governed by this Privacy Policy

3. Information We Collect

3.1 Information You Provide Directly

Registration and Account Information

  • Name and contact information (email, phone, address)

  • Professional credentials and licenses

  • Practice or organization details

  • National Provider Identifier (NPI)

  • Tax Identification Number (TIN)

  • Billing and payment information

Patient Health Information (PHI)

When you use our services, you may submit PHI including:

  • Patient demographics

  • Medical history and diagnoses

  • Treatment and medication information

  • Insurance and billing data

  • Clinical notes and documentation

  • Test results and medical images

Business and Practice Information

  • Practice management data

  • Financial and billing records

  • Staff and user information

  • Payer contracts and agreements

  • Performance metrics and analytics

Communications

  • Customer support inquiries

  • Feedback and survey responses

  • Marketing communications preferences

  • Event registrations

  • Newsletter subscriptions

3.2 Information Collected Automatically

Usage Data

  • IP addresses

  • Browser type and version

  • Operating system

  • Pages visited and time spent

  • Referring URLs

  • Access times and dates

  • Device identifiers

Cookies and Tracking Technologies

We use cookies and similar technologies to:

  • Maintain user sessions

  • Remember preferences

  • Analyze usage patterns

  • Improve user experience

  • Deliver relevant content

Types of Cookies We Use:

  • Essential Cookies: Required for service functionality

  • Analytics Cookies: Help us understand usage patterns

  • Preference Cookies: Remember your settings

  • Marketing Cookies: Deliver relevant advertisements (with consent)

You can control cookies through your browser settings. Blocking certain cookies may limit functionality.

Log Files

We automatically collect log information including:

  • IP addresses

  • Browser information

  • Page requests

  • Time stamps

  • Error messages

3.3 Information from Third Parties

We may receive information from:

  • Healthcare clearinghouses

  • Insurance payers

  • Payment processors

  • Credentialing organizations

  • Background check providers

  • Data validation services

  • Marketing partners (with consent)

4. How We Use Your Information

4.1 Use of PHI

We use PHI only as permitted by HIPAA and our BAA:

  • Treatment: Facilitate healthcare delivery and clinical workflows

  • Payment: Process claims, billing, and revenue cycle management

  • Operations: Support healthcare operations and quality improvement

4.2 Use of Non-PHI

Service Provision

  • Create and manage your account

  • Provide requested services

  • Process transactions and payments

  • Deliver customer support

  • Send service-related communications

Service Improvement

  • Analyze usage patterns and trends

  • Develop new features and functionality

  • Conduct research and analytics

  • Improve user experience

  • Test and optimize performance

Communication

  • Respond to inquiries

  • Send administrative notifications

  • Provide technical support

  • Share product updates

  • Send newsletters (with consent)

Marketing and Business Development

  • Send promotional materials (with consent)

  • Conduct market research

  • Analyze market trends

  • Develop business intelligence

  • Create de-identified benchmarking data

Legal and Compliance

  • Comply with legal obligations

  • Enforce our Terms and Conditions

  • Protect against fraud and abuse

  • Respond to legal requests

  • Protect our rights and property

4.3 De-Identified Data

We may create de-identified, aggregated data from PHI for:

  • Research and analytics

  • Industry benchmarking

  • Service improvement

  • Marketing and business purposes

  • Public health reporting

De-identified data cannot reasonably identify individuals and is not subject to HIPAA restrictions.

5. How We Share Your Information

5.1 Sharing of PHI

We share PHI only as permitted by HIPAA:

With Your Authorization

We disclose PHI based on valid patient authorizations you provide.

For Treatment, Payment, and Operations

  • Healthcare providers involved in patient care

  • Insurance payers for claims processing

  • Clearinghouses for electronic transactions

  • Business Associates (e.g., hosting providers, analytics services)

As Required by Law

  • Public health authorities

  • Law enforcement in specific circumstances

  • Court orders and legal proceedings

  • Regulatory oversight agencies

5.2 Sharing of Non-PHI

Service Providers and Partners

We share information with trusted third parties who assist our operations:

  • Cloud hosting providers (AWS, Azure)

  • Payment processors

  • Email service providers

  • Analytics platforms

  • Customer support tools

  • Marketing platforms

All service providers are contractually obligated to protect your information.

Business Transfers

In the event of merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.

Legal Requirements

We may disclose information to:

  • Comply with legal obligations

  • Respond to lawful requests from authorities

  • Enforce our rights and Terms

  • Protect against fraud and abuse

  • Protect health and safety

With Your Consent

We may share information for purposes not described here with your explicit consent.

5.3 What We Don't Share

We do not:

  • Sell your personal information to third parties

  • Use PHI for marketing without authorization

  • Share information with unauthorized parties

  • Disclose PHI for purposes incompatible with HIPAA

6. Data Security

6.1 Security Measures

We implement industry-standard security controls:

Technical Safeguards

  • 256-bit AES encryption at rest

  • TLS 1.2+ encryption in transit

  • Multi-factor authentication (MFA)

  • Role-based access controls

  • Intrusion detection systems

  • Regular vulnerability scanning

  • Automated security monitoring

Administrative Safeguards

  • Security policies and procedures

  • Workforce training programs

  • Incident response plans

  • Regular risk assessments

  • Business continuity planning

  • Disaster recovery procedures

Physical Safeguards

  • SOC 2 Type II certified data centers

  • 24/7 physical security

  • Environmental controls

  • Secure equipment disposal

  • Access logging and monitoring

6.2 Data Backup and Recovery

  • Automated daily backups

  • Geographically redundant storage

  • Tested recovery procedures

  • 99.9% uptime commitment

  • Disaster recovery capabilities

6.3 Security Limitations

While we implement robust security measures, no system is completely secure. You acknowledge:

  • Internet transmission risks

  • Shared responsibility for security

  • Importance of strong passwords

  • Need for secure device management

6.4 Security Incident Response

In the event of a security incident:

  • We investigate promptly

  • Notify affected parties as required by law

  • Mitigate potential harm

  • Document and report to authorities

  • Implement corrective measures

HIPAA breaches are reported within 60 days per regulatory requirements.

7. Data Retention

7.1 PHI Retention

  • Active Accounts: PHI retained during active subscription

  • Post-Termination: 90-day grace period for data retrieval

  • Archive Period: 7 years minimum for compliance with healthcare regulations

  • Legal Holds: Extended retention when required

7.2 Non-PHI Retention

  • Account Data: Duration of account plus 3 years

  • Financial Records: 7 years per tax requirements

  • Communications: 2 years or as needed

  • Marketing Data: Until consent withdrawal

  • Analytics Data: Aggregated indefinitely

7.3 Data Deletion

Upon request, we will:

  • Delete or de-identify your data

  • Provide confirmation of deletion

  • Maintain records only as legally required

  • Honor state-specific deletion rights

Note: Some data may be retained in backups for limited periods per our backup policies.

8. Your Rights and Choices

8.1 Rights Under HIPAA

If you are a patient whose information we process, you have:

  • Right to Access: Request copies of your PHI

  • Right to Amend: Request corrections to inaccurate PHI

  • Right to Accounting: Receive a list of PHI disclosures

  • Right to Restrict: Request limits on use and disclosure

  • Right to Confidential Communications: Request alternative contact methods

  • Right to Notification: Be notified of breaches

Contact your healthcare provider to exercise these rights.

8.2 General Privacy Rights

Access and Portability

  • Request a copy of your information

  • Receive data in portable format

  • Transfer data to another service (where feasible)

Correction and Update

  • Correct inaccurate information

  • Update your account details

  • Complete incomplete information

Deletion

  • Request deletion of your data (subject to legal obligations)

  • Close your account

  • Withdraw consent for processing

Restriction and Objection

  • Opt out of marketing communications

  • Limit data processing

  • Object to automated decision-making

  • Restrict third-party sharing

Withdrawal of Consent

  • Revoke consent at any time

  • Unsubscribe from emails

  • Disable cookies

  • Update communication preferences

8.3 How to Exercise Your Rights

To exercise any privacy rights:

Email: privacy@phorzen.com
Mail: PHORZEN LLC Privacy Office, 5800 Piney Glade Rd, Fredericksburg, VA 22407, United States

We will respond to requests within 30 days.

8.4 State-Specific Rights

California Residents (CCPA/CPRA)

California residents have additional rights including:

  • Right to know what information is collected

  • Right to delete personal information

  • Right to opt out of sales (we don't sell data)

  • Right to non-discrimination

  • Right to correct inaccurate information

Other State Laws

Residents of Virginia, Colorado, Connecticut, Utah, and other states with privacy laws have similar rights. Contact us to exercise state-specific rights.

9. Children's Privacy

Our services are not directed to individuals under 18. We do not knowingly collect personal information from children. While our systems may contain pediatric patient data submitted by healthcare providers, we process such data only under HIPAA and at the provider's direction.

If you believe we have inadvertently collected information from a child, contact us immediately at privacy@phorzen.com.

10. International Data Transfers

10.1 Data Location

Our servers are primarily located in the United States. By using our services, you consent to transfer of your information to the United States.

10.2 International Users

If you access our services from outside the United States:

  • Your information will be transferred to and processed in the United States

  • U.S. privacy laws may differ from your country's laws

  • We implement appropriate safeguards for international transfers

  • We comply with applicable cross-border transfer requirements

10.3 European Economic Area (EEA)

For EEA residents, we rely on:

  • Standard Contractual Clauses (SCCs)

  • Adequacy decisions

  • Your explicit consent

  • Necessity for contract performance

11. Marketing Communications

11.1 Email Marketing

We may send promotional emails about:

  • New products and features

  • Industry news and insights

  • Educational content

  • Special offers and events

11.2 Opt-Out

You can opt out of marketing emails by:

  • Clicking "unsubscribe" in any email

  • Updating preferences in your account

  • Contacting privacy@phorzen.com

You cannot opt out of transactional or service-related communications.

11.3 Phone and SMS

We do not send promotional calls or texts without explicit consent. You may opt out at any time.

12. Cookies and Tracking

12.1 Cookie Management

Control cookies through:

  • Browser settings

  • Our cookie banner

  • Account preferences

  • Third-party opt-out tools

12.2 Do Not Track

We currently do not respond to "Do Not Track" signals but respect browser privacy settings.

12.3 Third-Party Analytics

We use analytics services including:

  • Google Analytics (with IP anonymization)

  • Mixpanel

  • Hotjar (session recording with PHI exclusions)

These services have their own privacy policies.

13. Changes to This Privacy Policy

13.1 Updates

We may update this Privacy Policy to reflect:

  • Changes in our practices

  • Legal or regulatory requirements

  • New features or services

  • User feedback

13.2 Notification

Material changes will be communicated via:

  • Email notification to account holders

  • Prominent website notice

  • In-app notifications

  • Updated "Last Modified" date

13.3 Acceptance

Continued use after changes constitutes acceptance. For material changes affecting PHI, we will obtain consent as required by HIPAA.

14. Third-Party Links and Services

Our website and services may contain links to third-party websites. We are not responsible for the privacy practices of external sites. We encourage you to read their privacy policies before providing information.

Integrated third-party services (e.g., payment processors) have separate privacy policies. We select partners who maintain appropriate privacy and security standards.

15. Business Transitions

In the event of:

  • Merger or acquisition

  • Asset sale

  • Bankruptcy proceedings

  • Business restructuring

Your information may be transferred. We will:

  • Notify you before transfer

  • Ensure receiving party honors this Privacy Policy

  • Provide opt-out options where feasible

  • Maintain HIPAA protections for PHI

16. Questions and Complaints

16.1 Contact Us

For privacy questions or concerns:

Email: privacy@phorzen.com
Mail: PHORZEN LLC Privacy Office
5800 Piney Glade Rd
Fredericksburg, VA 22407
United States

16.2 HIPAA Complaints

To file a HIPAA complaint:

  • Contact our Privacy Officer at privacy@phorzen.com

  • File with the U.S. Department of Health and Human Services Office for Civil Rights

16.3 State Privacy Rights

California residents: Contact us at privacy@phorzen.com

Other states: Reference your state's Attorney General or consumer protection office

16.4 Response Time

We respond to privacy inquiries within:

  • 30 days for general inquiries

  • 60 days for HIPAA access requests

  • As required by applicable state laws

17. Data Protection Officer

For GDPR or European privacy matters:

Data Protection Officer
Email: dpo@phorzen.com
PHORZEN LLC
5800 Piney Glade Rd
Fredericksburg, VA 22407
United States

18. Legal Basis for Processing (EEA)

For EEA residents, we process data based on:

  • Consent: You have given clear consent

  • Contract: Processing is necessary for our contract with you

  • Legal Obligation: Processing is required by law

  • Legitimate Interests: Processing is necessary for our legitimate business interests

You have the right to withdraw consent and object to processing.

19. Automated Decision Making

We do not use fully automated decision-making that produces legal or similarly significant effects. Any automated processing (e.g., fraud detection) includes human review.

20. Accessibility

This Privacy Policy is available in accessible formats. Contact privacy@phorzen.com for alternative formats.

Last Updated: January 18, 2026

Effective Date: January 18, 2026

By using our services, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.

Contact Information

PHORZEN LLC
Email: privacy@phorzen.com
Legal: legal@phorzen.com
Support: support@phorzen.com
Address: 5800 Piney Glade Rd, Fredericksburg, VA 22407, United States

Privacy Officer: [To be designated]
Data Protection Officer: [To be designated] (for EEA matters)

For HIPAA-related concerns, contact your healthcare provider or our Privacy Officer.

Start making your practice grow with Phorzen

Join a growing community of healthcare professionals who trust us with their practices.
