Compassly is committed to protecting the privacy and security of the individuals whose information is managed through our platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HIPAA Privacy Rule, and the HIPAA Security Rule.


1. Scope

This Privacy Policy applies to all users of Compassly, including behavioral health providers, administrative staff, and any third parties authorized to access the Compassly system. It governs all data collected, stored, or transmitted via our platform, including Protected Health Information (PHI) and Personally Identifiable Information (PII).


2. Information We Collect

Compassly may collect and process the following information:

a. Protected Health Information (PHI)

  • Medical records

  • Diagnoses and treatment plans

  • Progress notes and assessments

  • Appointment and encounter data

  • Medication and allergy details

  • Emergency contact and insurance information

b. User and Account Information

  • Names, job titles, and contact details

  • Login credentials and activity logs

  • Organization affiliation and permissions

c. System and Technical Data

  • IP address, browser type, device ID

  • Access times and audit trails

  • System usage metrics for performance and support


3. How We Use Information

We use the information to:

  • Facilitate secure access to clinical records

  • Support documentation, scheduling, billing, and compliance workflows

  • Enable HIPAA-compliant communication between authorized users

  • Improve platform features and user experience

  • Monitor, audit, and enforce system access controls

  • Comply with applicable federal and state laws


4. Safeguards and Security Measures

Compassly implements robust physical, technical, and administrative safeguards to protect PHI, including:

  • Data Encryption: All data is encrypted in transit (TLS 1.2+) and at rest using industry standards.

  • Access Control: Role-based access, user authentication, and permission management restrict access to PHI.

  • Audit Logging: Every access, change, or export of data is logged and monitored.

  • System Monitoring: Real-time threat detection and regular vulnerability scans are conducted.

  • HIPAA Training: All staff and contractors receive training on HIPAA privacy and security practices.


5. Disclosures of Information

We do not sell or lease any user or patient data. PHI may only be disclosed under the following conditions:

  • With the individual’s written authorization

  • For treatment, payment, and healthcare operations (TPO), as permitted by HIPAA

  • To business associates under a valid Business Associate Agreement (BAA)

  • As required by law (e.g., court order, public health reporting)

  • To prevent serious threats to health or safety, when legally justified


6. Patient Rights

Compassly supports healthcare organizations in upholding patients’ HIPAA rights, including:

  • The right to access and request copies of their medical records

  • The right to request amendments to inaccurate information

  • The right to receive an accounting of disclosures

  • The right to restrict or revoke authorizations, where applicable

Requests related to these rights must be directed to the covered entity that uses Compassly (your healthcare provider or organization).


7. Data Retention and Disposal

PHI is retained according to applicable legal and contractual requirements. When data is no longer needed, it is disposed of using secure, irreversible methods consistent with NIST guidelines.


8. Changes to This Policy

Compassly may update this policy from time to time to reflect legal, technical, or operational changes. You will be notified of material changes via email or within the Compassly platform.


9. Contact Us

If you have questions about this Privacy Policy or believe your information has been misused, please contact: support@compassly.me