Privacy Policy & Business Associate Agreement
Effective date: June 15, 2026. Last updated: June 15, 2026.
Our Commitment
Patheown handles protected health information (PHI) on behalf of covered entities and business associates. We operate under a signed Business Associate Agreement (BAA) with every client. Your data is encrypted in transit and at rest. We never sell, share, or monetize client data. Period.
What We Collect
- CRM records, referral data, scheduling information, and automation logs required to deliver our services.
- IP address, browser type, device info, and feature usage. Used solely for security and platform improvement.
How We Use It
- To operate and maintain the Patheown CRM, marketing, and remote staffing services.
- To provide client support and respond to service requests.
- To meet legal obligations, prevent fraud, and enforce our agreements.
- We do not use PHI for advertising, profiling, or any purpose outside agreed service delivery.
Business Associate Agreement (BAA)
Under HIPAA, Patheown acts as a business associate. Every client receives and signs a BAA before any PHI is processed. Key provisions include:
- PHI is used only as specified in the BAA and only for the purposes of providing agreed services.
- We implement administrative, physical, and technical safeguards meeting or exceeding HIPAA Security Rule standards.
- Any subcontractor with PHI access is bound by equivalent protections and monitored under our compliance program.
- We notify clients without unreasonable delay if a breach of unsecured PHI is discovered, per 45 CFR 164.410.
Security Measures
- AES-256 encryption at rest. TLS 1.3 encryption in transit.
- Role-based access controls with MFA required for all admin accounts.
- Annual third-party security audits and penetration testing.
- All staff with PHI access complete HIPAA training and sign confidentiality agreements.
Data Retention & Deletion
We retain PHI only as long as necessary to fulfill the BAA and applicable legal obligations. Upon contract termination, client data is returned or securely destroyed according to the BAA terms. Backups are purged on standard retention schedules.
Your Rights
- Request copies of your data or corrections to inaccurate records.
- Ask us to limit how we use or disclose your PHI where permitted by law.
- Receive a record of certain disclosures of your PHI made by Patheown.
- File a complaint with us or the U.S. Department of HHS if you believe your privacy rights have been violated.
Company Protection & Limitation of Liability
Patheown provides its platform and services on an as-is and as-available basis. To the fullest extent permitted by law:
- We are not liable for indirect, incidental, special, consequential, or punitive damages.
- Our total liability is capped at the amount paid by the client in the twelve months preceding the claim.
- Clients agree to indemnify Patheown against claims arising from misuse of the platform or violation of applicable law by the client or its users.
- No warranty is made that the platform will be uninterrupted, error-free, or immune from unauthorized access.
Dispute Resolution & Governing Law
This Privacy Policy and the BAA are governed by the laws of the State of Georgia, without regard to conflict of law principles. Any dispute shall first be addressed through good-faith negotiation. Unresolved disputes shall be submitted to binding arbitration in Fulton County, Georgia, under the rules of the American Arbitration Association.
Contact Us
© 2026 Patheown, Inc. All rights reserved. This Privacy Policy is incorporated by reference into every client agreement and BAA. Changes to this policy are effective immediately upon posting and will be communicated to active clients.
