Health1st AI, Inc. (“Health1st AI,” “we,” “our,” or “us”) is committed to protecting your privacy and the security of your personal information and Protected Health Information (PHI). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (health1st.ai) and use our AI-powered healthcare workflow automation platform (the “Services”).
This policy applies to information we collect through our website, software applications, and services. It does not apply to information collected offline or through third-party sites linked from our platform.
HIPAA Notice: If you are a healthcare provider or covered entity using our Services, this Privacy Policy supplements the terms of our Business Associate Agreement (BAA). For PHI, the BAA governs our obligations under HIPAA.
2. Information We Collect
2.1 Information You Provide Directly
We collect information you provide when you:
Create an account: Name, email address, phone number, job title, organization name, professional credentials
Request a demo: Name, email, phone, organization details, areas of interest
Subscribe to our newsletter: Email address, name, preferences
Contact customer support: Communication content, attachments, support tickets
Participate in surveys or feedback: Responses, opinions, usage data
2.2 Information Collected Automatically
When you access our Services, we automatically collect:
Device information: IP address, browser type, operating system, device identifiers
Usage data: Pages viewed, features used, time spent, click patterns, navigation paths
Location data: General geographic location based on IP address (not precise location)
Cookies and tracking: Session identifiers, authentication tokens, preferences (see Section 7)
2.3 Protected Health Information (PHI)
If you are a covered entity or healthcare provider using our clinical documentation, revenue cycle, or interoperability services, we process PHI on your behalf as a Business Associate under HIPAA. This includes:
Patient clinical notes, diagnoses, treatment plans (for AI scribe services)
Medical billing records, claims data, CPT/ICD codes (for RCM services)
Patient identifiers necessary for EHR integration (for interoperability services)
Important: We only process PHI as instructed by you (the covered entity) and in accordance with our BAA. We do not use PHI for our own purposes, sell PHI, or use it for marketing without your explicit authorization.
3. How We Use Your Information
3.1 General Use of Non-PHI Data
We use information collected from website visitors and non-clinical users to:
Provide, operate, and maintain our Services
Process transactions and send related information
Respond to your inquiries and provide customer support
Send administrative information (service updates, security alerts, policy changes)
Personalize your experience and deliver relevant content
Monitor and analyze usage patterns to improve our Services
Detect, prevent, and address technical issues and security threats
Send marketing communications (with your consent, and you can opt out)
Comply with legal obligations and enforce our agreements
3.2 Use of PHI
We use and disclose PHI only as permitted by HIPAA and our BAA with you, including:
Treatment: Generating clinical documentation, suggesting medical codes, facilitating care coordination
Healthcare Operations: EHR integration, data interoperability, quality improvement analytics
As Required by Law: Responding to subpoenas, court orders, regulatory inquiries
With Your Authorization: Any other uses require your explicit written consent
3.3 AI Model Training
Our Policy on AI Training:
We DO NOT use customer PHI to train our AI models without explicit written consent. Our AI models are trained on:
Publicly available medical literature and datasets
De-identified data (properly anonymized per HIPAA Safe Harbor or Expert Determination methods)
Synthetic data generated to simulate clinical scenarios
Customer data only when explicitly authorized in writing for specific research purposes
4. How We Share Your Information
We do not sell, rent, or trade your personal information or PHI. We may share information in the following limited circumstances:
4.1 Service Providers
We engage third-party companies to perform functions on our behalf, such as:
Cloud infrastructure providers (AWS) - covered by BAA for PHI
Payment processors for billing
Email service providers for communications
Analytics platforms (Google Analytics for website only)
Customer support tools
All service providers handling PHI execute Business Associate Agreements and are contractually obligated to maintain HIPAA compliance.
4.2 Legal Requirements
We may disclose information if required by law or in response to valid legal process, including:
Subpoenas, court orders, or legal proceedings
Government or regulatory requests (e.g., HHS Office for Civil Rights)
To protect our rights, privacy, safety, or property and that of our users
4.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our website of any change in ownership or use of your information. PHI transfers remain subject to HIPAA and existing BAAs.
4.4 With Your Consent
We may share information for any other purpose with your explicit consent.
5. Data Security
We implement industry-leading security measures to protect your information:
Encryption: AES-256 encryption at rest, TLS 1.3+ in transit
Access Controls: Role-based access, multi-factor authentication, principle of least privilege
Employee Training: Mandatory security and HIPAA training, background checks
Breach Notification: In the unlikely event of a data breach affecting PHI, we will notify affected individuals and covered entities within 60 days as required by HIPAA. For non-PHI breaches, we will notify affected users without unreasonable delay in accordance with applicable state and federal laws.
6. Your Privacy Rights
6.1 HIPAA Rights (for PHI)
If you are a patient whose PHI is processed by our Services, you have the following rights under HIPAA:
Right to Access: Request a copy of your PHI
Right to Amend: Request corrections to inaccurate PHI
Right to an Accounting: Request a list of PHI disclosures
Right to Request Restrictions: Request limits on how PHI is used or disclosed
Right to Confidential Communications: Request PHI be communicated by alternative means
To exercise HIPAA rights, contact your healthcare provider (the covered entity). As a Business Associate, we support covered entities in responding to these requests.
6.2 General Privacy Rights
For non-PHI personal information, you have the right to:
Access: Request a copy of the personal information we hold about you
Correction: Request corrections to inaccurate information
Deletion: Request deletion of your personal information (subject to legal retention requirements)
Portability: Request a machine-readable copy of your data
Opt-Out: Unsubscribe from marketing communications at any time
Objection: Object to certain processing activities
To exercise these rights, email us at info@health1st.ai. We will respond within 30 days.
6.3 State-Specific Rights
Residents of certain states have additional privacy rights:
California (CCPA/CPRA): Right to know what personal information is collected, right to delete, right to opt-out of sale (note: we do not sell personal information), right to non-discrimination
Virginia (VCDPA): Right to access, correct, delete, and obtain a copy of personal data
Colorado (CPA): Similar rights to Virginia
7. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance user experience and analyze usage patterns:
Essential Cookies: Required for authentication, security, and core functionality
Analytics Cookies: Google Analytics to understand website usage (anonymized IP addresses)
Preference Cookies: Remember your settings and preferences
You can control cookies through your browser settings. Disabling cookies may limit functionality. We do not use third-party advertising cookies on our platform.
8. International Data Transfers
Health1st AI is based in the United States. All data is stored in U.S.-based AWS data centers. We do not transfer PHI outside the United States. If you access our Services from outside the U.S., your information will be transferred to, stored, and processed in the U.S. By using our Services, you consent to this transfer.
9. Children's Privacy
Our Services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will delete it. If you believe we have collected information from a child, contact us at info@health1st.ai.
10. Data Retention
We retain information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required by law:
PHI: Retained according to covered entity instructions and applicable record retention laws (typically 6-7 years)
Audit Logs: Retained for 7 years (HIPAA requirement)
Account Information: Retained while your account is active, plus 90 days after account closure
Marketing Data: Retained until you opt out or request deletion
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:
Posting the updated policy on this page with a new “Last Updated” date
Sending an email notification to registered users (for material changes)
Displaying a prominent notice on our website (for significant changes affecting PHI)
Your continued use of our Services after changes become effective constitutes acceptance of the updated Privacy Policy.
HIPAA-Specific Inquiries: If you have questions about how we handle PHI as a Business Associate, please contact our HIPAA Privacy Officer at info@health1st.ai.