
Software Services Privacy Policy

Version 3.0
Effective Date: January 2025
Next Review Date: January 2026

1. Purpose

This Privacy Policy describes the data privacy and security practices that Long Tail Health Solutions, Inc. (“LTHS”) applies to information processed within its software products (“Software Services”) provided to hospital and health system customers (“Customers”). This policy governs how LTHS collects, uses, stores, and safeguards data, including Protected Health Information (“PHI”), processed on behalf of its Customers.

2. Scope

This Privacy Policy applies to all information processed within LTHS Software Services, including:

  • PHI received from Customer systems via flat files, API integrations, or manual data entry.

  • End-user information (hospital staff users) required for authentication and application access.

  • Usage data related to end-user interaction with LTHS Software Services.

This policy does not apply to patient-facing applications, as LTHS Software Services are not used directly by patients.

3. Types of Data Processed

a. Protected Health Information (PHI):
PHI is provided by Customers and processed within the Software Services to support hospital operations. PHI may include patient names, dates of birth, medical record numbers, and other identifiers as necessary for the Customer’s business purposes.

b. End-User Authentication Data:
LTHS Software Services support Single Sign-On (SSO) integration managed by Customer IT teams. LTHS does not collect or store end-user credentials. LTHS may log authenticated user identifiers (e.g., email addresses, user IDs) for security auditing and usage monitoring purposes.

c. Usage Data:
LTHS may collect metadata related to user interactions within the Software Services, such as pages visited, features accessed, and timestamps of activity. This data is used solely for operational monitoring, support, security auditing, and product improvement.

4. Data Hosting and Storage

All Customer data, including PHI, is securely hosted within the United States in Amazon Web Services (AWS) environments. LTHS implements strict access controls, encryption at rest and in transit, network segmentation, and continuous security monitoring in accordance with HIPAA and SOC 2 standards.

5. Third-Party Subprocessors

LTHS uses the following subprocessor to support specific functionality within the Software Services:

  • Microsoft Azure OpenAI Service (used exclusively for Large Language Model processing workloads). PHI is transmitted to Azure OpenAI only when explicitly required by the Customer’s configured workflows, and data handling follows the Azure HIPAA Business Associate Agreement (BAA) protections.

LTHS will notify Customers of any new subprocessors in accordance with contractual obligations.

6. Data Access and Control

All PHI and end-user data processed within LTHS Software Services remains the property of the Customer. LTHS only accesses Customer data:

  • As authorized in Customer contracts.

  • To provide, maintain, and support the Software Services.

  • To comply with legal obligations or as required by law.

We do not sell or share PHI or end-user personal data for marketing or unrelated business purposes.

7. Data Retention and Disposal

LTHS retains PHI and associated Customer data only for the duration necessary to fulfill contractual obligations, or as required by law. Upon contract termination or at Customer request, LTHS will securely delete or return Customer data in accordance with the Data Disposal Policy.

8. Security Practices

LTHS employs technical, administrative, and physical security measures to protect the confidentiality, integrity, and availability of Customer data, including:

  • AES-256 encryption at rest

  • TLS 1.2+ encryption in transit

  • Multi-factor authentication (MFA) for all LTHS personnel

  • Continuous event monitoring and logging

  • Periodic security assessments and penetration testing

9. Incident Response

LTHS maintains a documented Incident Response Policy. In the event of a suspected or confirmed data incident involving Customer data, LTHS will notify the Customer without unreasonable delay and coordinate investigation, containment, remediation, and reporting activities as specified in contractual agreements and applicable law.

10. Policy Review

This Privacy Policy is reviewed at least annually or upon significant changes to data handling practices, technology infrastructure, or applicable regulations.
