Privacy Policy

Lavender Health, Inc.

Effective Date: 01-01-2026
Last Updated: 01-01-2026


1. INTRODUCTION

This Privacy Policy ("Policy") describes how Lavender Health, Inc. ("Lavender Health," "we," "us," or "our") collects, uses, discloses, stores, and protects information obtained through our revenue cycle management ("RCM") platform, website, applications, and related services (collectively, the "Services"). Our Services integrate with electronic health record ("EHR") and electronic medical record ("EMR") systems, process healthcare claims and billing data, access practice financial information, and facilitate payment processing.

We provide our Services primarily to healthcare providers, practices, clinics, hospitals, health systems, and other covered entities as defined under the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"). This Policy applies to all users of our Services, including healthcare providers ("Providers"), their staff, patients whose data may be processed through our platform, and visitors to our website.

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you are using our Services on behalf of a healthcare practice or organization, you represent that you have the authority to bind that organization to this Policy.


2. REGULATORY FRAMEWORK AND COMPLIANCE

Lavender Health is committed to compliance with all applicable federal and state privacy and security laws, including but not limited to:

(a) Health Insurance Portability and Accountability Act of 1996 (HIPAA), including the HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164), the HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164), and the HIPAA Breach Notification Rule (45 CFR Part 160 and Subpart D of Part 164).

(b) The Health Information Technology for Economic and Clinical Health Act (HITECH Act), including provisions related to breach notification, enforcement, and business associate obligations.

(c) The Gramm-Leach-Bliley Act (GLBA) to the extent applicable to the financial data we process.

(d) The Payment Card Industry Data Security Standard (PCI DSS) as applicable to payment card data processed through our payment partners.

(e) The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA/CPRA"), to the extent applicable.

(f) Other state privacy and data breach notification laws, including but not limited to laws in Texas, New York (SHIELD Act), Colorado, Connecticut, Virginia, and other states that have enacted consumer data privacy legislation.

(g) The Federal Trade Commission Act (FTC Act), Section 5, prohibiting unfair or deceptive trade practices.

(h) The Telephone Consumer Protection Act (TCPA) to the extent we engage in communications with patients or providers.

(i) The CAN-SPAM Act to the extent we send commercial electronic messages.

(j) The Children's Online Privacy Protection Act (COPPA) with respect to data of individuals under 13 years of age.

(k) 42 CFR Part 2, governing the confidentiality of substance use disorder patient records, to the extent applicable.

(l) State medical records retention and confidentiality laws applicable to the jurisdictions in which our Provider clients operate.


3. OUR ROLE UNDER HIPAA: BUSINESS ASSOCIATE

Lavender Health operates as a Business Associate under HIPAA when providing RCM and related services to Covered Entities. In this capacity:

(a) We enter into a Business Associate Agreement ("BAA") with each Covered Entity client before accessing, receiving, creating, or maintaining Protected Health Information ("PHI") on their behalf.

(b) We use and disclose PHI only as permitted or required by the applicable BAA and in compliance with HIPAA.

(c) We implement administrative, physical, and technical safeguards to protect PHI in accordance with the HIPAA Security Rule.

(d) We require all subcontractors and downstream vendors that access PHI on our behalf to enter into Business Associate Agreements with us.

(e) We report any impermissible use, disclosure, or breach of unsecured PHI to the applicable Covered Entity without unreasonable delay and in no event later than as required by applicable law and the BAA.

(f) We make our internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services ("HHS") for purposes of determining compliance.

(g) We apply the minimum necessary standard when using, disclosing, or requesting PHI, except where an exception applies under 45 CFR 164.502(b).

Our BAA with each Provider client governs the specific terms under which we handle PHI. In the event of a conflict between this Policy and a BAA, the terms of the BAA will control with respect to PHI.


4. INFORMATION WE COLLECT

4.1 Protected Health Information (PHI)

Through our integration with EHR and EMR systems and our RCM services, we may access, receive, create, maintain, or transmit the following categories of PHI:

(a) Patient demographic information, including name, date of birth, gender, address, telephone number, email address, Social Security number, and insurance member identification numbers.

(b) Clinical data, including diagnoses, diagnosis codes (ICD-10), procedure codes (CPT, HCPCS), treatment histories, lab results, medication lists, clinical notes, and referral information, to the extent necessary for billing, coding, claims submission, and revenue cycle management.

(c) Insurance and payer information, including health plan identifiers, policy numbers, group numbers, payer names, eligibility and benefits data, prior authorization information, and explanation of benefits (EOB) records.

(d) Claims and billing data, including charge information, claim submission records, remittance advice, payment posting records, denial and appeal information, coordination of benefits data, and accounts receivable data.

(e) Encounter and visit information, including dates of service, place of service, rendering and referring provider information, facility information, and service line details.

(f) Patient financial information related to healthcare services, including patient balances, payment histories, payment plan arrangements, collections data, and patient responsibility estimates.

4.2 Practice Financial and Operational Data

In connection with our RCM services, we collect and process financial and operational data belonging to healthcare practices, including:

(a) Practice revenue data, including gross charges, net collections, adjusted collections, write-offs, contractual adjustments, and revenue by payer, provider, service line, and location.

(b) Accounts receivable data, including aging reports, days in A/R, denial rates, denial reasons, appeal outcomes, and collection rates.

(c) Payer contract and fee schedule information.

(d) Practice banking and account information necessary for payment processing and electronic funds transfer, including bank account numbers, routing numbers, and account holder information.

(e) Practice tax identification numbers (TIN) and National Provider Identifier (NPI) numbers.

(f) Staffing and operational data to the extent relevant to billing workflows, including provider credentialing information and enrollment status with payers.

(g) Financial performance metrics, key performance indicators (KPIs), and benchmarking data.

4.3 Payment and Transaction Data

Through our integration with Stripe, Inc. ("Stripe") and other payment processors, we may collect or facilitate the collection of:

(a) Patient payment card information (credit card numbers, debit card numbers, expiration dates, CVV codes), which is collected and processed directly by Stripe and is not stored on Lavender Health's systems. See Section 10 for more detail.

(b) Bank account and ACH information for electronic payments.

(c) Transaction records, including payment amounts, dates, confirmation numbers, refund records, and chargeback data.

(d) Billing contact information associated with payment methods.

4.4 User Account and Access Data

We collect information from individuals who create accounts or access our platform, including:

(a) Name, email address, phone number, and professional credentials.

(b) Username, password (stored in hashed and salted form), and multi-factor authentication credentials.

(c) Role and permission levels within the platform.

(d) IP addresses, browser type, device identifiers, operating system, and access timestamps.

(e) Audit logs of user activity within the platform, including data accessed, actions taken, records modified, and session duration.

4.5 Website and Analytics Data

When you visit our website or use our platform, we may automatically collect:

(a) IP address, browser type and version, operating system, device type, and screen resolution.

(b) Pages visited, referring URLs, time spent on pages, click patterns, and navigation paths.

(c) Cookies, pixel tags, web beacons, and similar tracking technologies. See Section 15 for our Cookie Policy.

(d) Geolocation data derived from IP address (city/state level, not precise location).

4.6 Communications Data

We collect information from communications you send to us, including:

(a) Emails, support tickets, chat messages, and phone call records (calls may be recorded for quality and training purposes with appropriate notice).

(b) Feedback, survey responses, and feature requests.

(c) Information provided during onboarding, implementation, and training sessions.


5. HOW WE USE INFORMATION

5.1 Uses of PHI

We use PHI strictly as permitted under HIPAA and the applicable BAA, including for:

(a) Treatment, Payment, and Health Care Operations (TPO) activities on behalf of the Covered Entity, including medical coding, charge capture, claims submission and follow-up, payment posting, denial management, appeals, patient billing and collections, eligibility verification, prior authorization, and other revenue cycle functions.

(b) As required by law, including responding to court orders, subpoenas, or administrative requests.

(c) As directed or authorized by the Covered Entity in accordance with the BAA.

(d) For our proper management and administration or to carry out our legal responsibilities, provided that any disclosure for this purpose is required by law or we obtain reasonable assurances from the recipient that the PHI will be held confidentially.

(e) To provide data aggregation services to the Covered Entity as permitted by the BAA.

(f) To de-identify data in accordance with 45 CFR 164.514(a)-(c), using either the Expert Determination method or the Safe Harbor method, for analytics, benchmarking, product improvement, and research purposes.

5.2 Uses of Practice Financial Data

We use practice financial and operational data to:

(a) Perform and optimize RCM services, including claims processing, denial management, and collections.

(b) Generate financial reports, dashboards, and analytics for the practice.

(c) Provide benchmarking data and performance insights.

(d) Process electronic fund transfers and reconcile payments.

(e) Support practice decision-making related to payer contracting, staffing, and operational efficiency.

(f) Improve and develop our Services, including training models and algorithms to enhance billing accuracy, denial prediction, and revenue optimization, using aggregated and de-identified data where appropriate.

5.3 Uses of Payment Data

We use payment and transaction data to:

(a) Process patient payments, refunds, and adjustments through Stripe.

(b) Reconcile payments against claims and patient accounts.

(c) Generate transaction reports and financial summaries.

(d) Detect and prevent fraud, chargebacks, and unauthorized transactions.

(e) Comply with PCI DSS requirements and financial reporting obligations.

5.4 Uses of Account and Analytics Data

We use user account, access, and analytics data to:

(a) Authenticate users and manage access to the platform.

(b) Maintain audit trails and support compliance with HIPAA access logging requirements.

(c) Monitor for unauthorized access, security incidents, and suspicious activity.

(d) Improve user experience, platform functionality, and service delivery.

(e) Communicate with users about their accounts, service updates, and support requests.

(f) Comply with legal obligations.


6. HOW WE DISCLOSE INFORMATION

6.1 Disclosures of PHI

We disclose PHI only as permitted or required under HIPAA and the applicable BAA:

(a) To the Covered Entity or as directed by the Covered Entity.

(b) To health plans, clearinghouses, and other payers for claims submission, eligibility verification, prior authorization, and payment processing.

(c) To subcontractors and downstream Business Associates who require access to PHI to perform services on our behalf, subject to a BAA.

(d) As required by law, including to HHS for HIPAA compliance investigations, to public health authorities, or in response to valid court orders or subpoenas.

(e) To law enforcement in limited circumstances as specified under 45 CFR 164.512(f).

(f) To avert a serious threat to health or safety as permitted under 45 CFR 164.512(j).

(g) We do not sell PHI. We do not use or disclose PHI for marketing purposes without explicit written authorization from the individual, except as permitted by HIPAA for treatment communications and certain limited exceptions.

(h) We do not use PHI for underwriting purposes.

6.2 Disclosures of Practice Financial Data

We may disclose practice financial data:

(a) To the practice and its authorized representatives.

(b) To Stripe and other payment processors as necessary to facilitate transactions.

(c) To banking institutions for electronic funds transfers.

(d) To payers as necessary for claims resolution and contract negotiation support.

(e) To professional advisors (legal, accounting, auditing) under obligations of confidentiality.

(f) As required by law or legal process.

(g) In connection with a merger, acquisition, reorganization, or sale of assets, subject to confidentiality obligations and applicable BAA requirements.

6.3 Disclosures to Third-Party Service Providers

We engage the following categories of third-party service providers who may access information in the course of providing services to us:

(a) Cloud infrastructure and hosting providers (e.g., Amazon Web Services, Google Cloud Platform, or Microsoft Azure).

(b) Payment processors (Stripe, Inc.).

(c) EHR/EMR integration partners and health information exchanges.

(d) Clearinghouses and claims processing intermediaries.

(e) Customer support and communication platforms.

(f) Analytics, monitoring, and logging services.

(g) Security, penetration testing, and vulnerability assessment vendors.

(h) Legal, accounting, and compliance advisors.

All third-party service providers that access PHI are required to enter into a Business Associate Agreement or appropriate data processing agreement with us and demonstrate adequate security safeguards.


7. EHR AND EMR INTEGRATION

7.1 How We Connect

Lavender Health integrates with EHR and EMR systems through:

(a) Standardized APIs, including HL7 FHIR (Fast Healthcare Interoperability Resources), HL7 v2.x messaging, and X12 EDI transaction sets.

(b) Direct database connections or secure file transfers where API access is not available, subject to Provider authorization.

(c) Certified third-party integration platforms and middleware.

7.2 Data Access Scope

(a) We access only the data elements necessary for the specific RCM services we are contracted to perform, consistent with the HIPAA minimum necessary standard.

(b) Data access scopes are defined during onboarding and documented in the BAA and service agreement.

(c) Providers retain full control over which data elements are made accessible to Lavender Health and may revoke or modify access at any time.

(d) We do not modify clinical records in the EHR/EMR. Our write-back capabilities, where enabled, are limited to billing-related fields (e.g., charge entries, claim statuses, payment postings) and are subject to Provider approval and audit logging.

7.3 Integration Security

(a) All data transmissions between Lavender Health and EHR/EMR systems are encrypted using TLS 1.2 or higher.

(b) API connections are authenticated using OAuth 2.0, API keys, or equivalent mechanisms.

(c) Integration credentials are stored in encrypted vaults and rotated in accordance with our security policies.

(d) All integration activity is logged and auditable.


8. REVENUE CYCLE MANAGEMENT DATA PRACTICES

8.1 Claims Data

(a) We process claims data including CMS-1500 and UB-04 claim forms, 837P and 837I electronic claim transactions, 835 electronic remittance advice, 277 claim status inquiry responses, and 271 eligibility responses.

(b) Claims data is retained for the duration necessary to complete the revenue cycle for each claim, resolve any denials or appeals, and satisfy contractual and legal retention requirements.

(c) We maintain a complete audit trail of all claim lifecycle events, including submission, acknowledgment, adjudication, payment, denial, appeal, and write-off.

8.2 Coding Data

(a) Our platform may access clinical documentation for the purpose of supporting accurate medical coding (ICD-10-CM, ICD-10-PCS, CPT, HCPCS, modifiers).

(b) Coding suggestions generated by our platform are recommendations only. Final coding responsibility rests with the Provider's qualified coding professionals.

(c) We do not engage in upcoding, unbundling, or any coding practices that would constitute fraud, waste, or abuse under the False Claims Act or Anti-Kickback Statute.

8.3 Denial and Appeals Data

(a) We collect and analyze claim denial data to identify patterns, root causes, and opportunities for recovery.

(b) Denial and appeal records are maintained for compliance, audit, and benchmarking purposes.

(c) Aggregated and de-identified denial trend data may be used to improve our Services.


9. DATA SECURITY

9.1 Administrative Safeguards

(a) Designated Privacy Officer and Security Officer responsible for HIPAA compliance.

(b) Workforce training on HIPAA, data privacy, security awareness, and phishing prevention, conducted at hire and at least annually thereafter.

(c) Background checks for all employees and contractors who access PHI or sensitive data.

(d) Documented policies and procedures for data access, use, disclosure, incident response, and disaster recovery.

(e) Regular risk assessments conducted in accordance with 45 CFR 164.308(a)(1)(ii)(A), at minimum annually and following any significant change to systems or operations.

(f) Sanctions policy for workforce members who violate privacy or security policies.

(g) Designated incident response team with documented breach response procedures.

9.2 Physical Safeguards

(a) Data is hosted in SOC 2 Type II certified data centers with physical access controls, environmental controls, and redundant infrastructure.

(b) Workstations and devices that access PHI are subject to encryption, screen lock, and remote wipe capabilities.

(c) Clean desk policies and secure disposal of physical media containing sensitive data.

9.3 Technical Safeguards

(a) Encryption of data at rest using AES-256 or equivalent, and data in transit using TLS 1.2 or higher.

(b) Multi-factor authentication (MFA) required for all platform access.

(c) Role-based access control (RBAC) enforcing the principle of least privilege.

(d) Unique user identification and authentication for all system users.

(e) Automatic session timeouts after periods of inactivity.

(f) Comprehensive audit logging of all access to PHI, including user identity, timestamp, data accessed, and action performed.

(g) Intrusion detection and prevention systems (IDS/IPS).

(h) Regular vulnerability scanning and annual third-party penetration testing.

(i) Secure software development lifecycle (SDLC) practices, including code review, static analysis, and dependency scanning.

(j) Data loss prevention (DLP) controls.

(k) Network segmentation to isolate systems processing PHI from other environments.

(l) Regular backup procedures with encrypted backups stored in geographically separate locations.

(m) Disaster recovery and business continuity plans tested at least annually.


10. PAYMENT PROCESSING AND STRIPE

10.1 Stripe Integration

(a) Lavender Health integrates with Stripe, Inc. for patient payment processing. Stripe is a PCI DSS Level 1 certified payment processor.

(b) When patients submit payment card information (credit card numbers, debit card numbers, expiration dates, CVV/CVC codes) through our platform, this data is transmitted directly to Stripe via Stripe's client-side libraries (Stripe.js and Stripe Elements) and is never transmitted to, processed by, or stored on Lavender Health's servers.

(c) Lavender Health receives from Stripe only tokenized references to payment methods, transaction confirmations, and limited card details (last four digits, card brand, expiration date) necessary for record-keeping and reconciliation.

(d) Lavender Health does not store full payment card numbers, CVV/CVC codes, or magnetic stripe data on its systems at any time.

10.2 PCI DSS Compliance

(a) By using Stripe as our payment processor and not storing, processing, or transmitting cardholder data on our systems, Lavender Health maintains PCI DSS compliance through SAQ A or SAQ A-EP eligibility, as applicable.

(b) We conduct annual PCI DSS self-assessment and maintain documentation of our compliance status.

(c) Our integration with Stripe follows Stripe's integration security best practices, including use of HTTPS, Content Security Policy headers, and Subresource Integrity checks.

10.3 Stripe's Privacy Practices

(a) Stripe's collection, use, and disclosure of payment data is governed by Stripe's own Privacy Policy, available at https://stripe.com/privacy.

(b) Stripe acts as an independent data controller with respect to certain data it collects in connection with payment processing.

(c) We encourage users and patients to review Stripe's Privacy Policy for information about how Stripe handles payment data.

10.4 ACH and Bank Transfers

(a) For ACH payments and electronic fund transfers, bank account and routing information may be collected through Stripe's bank account verification process.

(b) This information is subject to the same security protections described in this section and is handled by Stripe in accordance with NACHA operating rules and applicable banking regulations.


11. DATA RETENTION AND DESTRUCTION

11.1 Retention Periods

We retain different categories of data for the following periods:

(a) PHI: As specified in the applicable BAA, or if not specified, for a minimum of six (6) years from the date of creation or the date when the data was last in effect, whichever is later, consistent with HIPAA requirements under 45 CFR 164.530(j). Specific state laws may require longer retention periods, and we comply with the most stringent applicable requirement.

(b) Claims and billing records: Minimum of seven (7) years from the date of service or final claim resolution, whichever is later, consistent with CMS and state Medicaid record retention requirements.

(c) Practice financial data: For the duration of the service relationship plus seven (7) years, or as otherwise required by applicable tax, accounting, or regulatory requirements.

(d) Payment transaction records: Seven (7) years from the date of the transaction, consistent with IRS record retention requirements and state law.

(e) User account data: For the duration of the account's active status plus three (3) years following account closure or termination.

(f) Audit logs: Minimum of six (6) years, consistent with HIPAA requirements.

(g) Website analytics data: Thirteen (13) months from the date of collection, consistent with industry practice.

11.2 Data Destruction

(a) Upon expiration of the applicable retention period, or upon termination of a service agreement (subject to required retention periods), data is securely destroyed using methods consistent with NIST SP 800-88 (Guidelines for Media Sanitization).

(b) Electronic data is destroyed through cryptographic erasure, secure overwrite, or physical destruction of storage media.

(c) Destruction is documented, and certificates of destruction are available upon request.

(d) Where return of PHI to the Covered Entity is feasible upon termination of the BAA, we will return or destroy PHI as directed by the Covered Entity, retaining only what is necessary for our continued legal obligations.


12. INDIVIDUAL RIGHTS

12.1 Rights Under HIPAA

Patients whose PHI we process on behalf of Covered Entities have the following rights under HIPAA. Because Lavender Health operates as a Business Associate, these requests should generally be directed to the Covered Entity (the patient's healthcare provider). However, we will assist Covered Entities in fulfilling these rights as required by our BAA:

(a) Right to Access: Individuals have the right to inspect and obtain a copy of their PHI maintained in a designated record set, subject to limited exceptions under 45 CFR 164.524.

(b) Right to Amendment: Individuals have the right to request amendment of their PHI if they believe it is inaccurate or incomplete, subject to 45 CFR 164.526.

(c) Right to an Accounting of Disclosures: Individuals have the right to receive an accounting of certain disclosures of their PHI made by us or on our behalf, covering the six (6) years prior to the request, subject to 45 CFR 164.528.

(d) Right to Request Restrictions: Individuals may request restrictions on certain uses and disclosures of their PHI, subject to 45 CFR 164.522.

(e) Right to Confidential Communications: Individuals may request that communications regarding their PHI be made by alternative means or at alternative locations, subject to 45 CFR 164.522(b).

(f) Right to Receive Notice of a Breach: Individuals have the right to receive notification if their unsecured PHI is breached, in accordance with the HIPAA Breach Notification Rule.

(g) Right to a Copy of the Notice of Privacy Practices: This right applies to the Covered Entity's Notice of Privacy Practices. Lavender Health's processing of PHI is covered under the Covered Entity's Notice.

12.2 Rights Under State Consumer Privacy Laws (CCPA/CPRA and Similar)

To the extent that state consumer privacy laws such as the CCPA/CPRA apply to information we collect that is not PHI governed by HIPAA (which is generally exempt from CCPA/CPRA), individuals may have the following rights:

(a) Right to Know: The right to know what personal information we collect, use, disclose, and sell (we do not sell personal information).

(b) Right to Delete: The right to request deletion of personal information we have collected, subject to certain exceptions.

(c) Right to Correct: The right to request correction of inaccurate personal information.

(d) Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising.

(e) Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

(f) Right to Limit Use of Sensitive Personal Information: Where applicable, the right to limit our use of sensitive personal information to purposes authorized by the CCPA/CPRA.

To exercise any of these rights, please contact us using the information in Section 21. We will respond to verified requests within the timeframes required by applicable law (45 days under CCPA/CPRA, with extensions as permitted).


13. BREACH NOTIFICATION

13.1 HIPAA Breach Notification

In the event of a breach of unsecured PHI, as defined under 45 CFR 164.402:

(a) We will notify the affected Covered Entity without unreasonable delay and in no event later than sixty (60) calendar days from the date of discovery of the breach, or sooner if required by the applicable BAA.

(b) Our notification will include, to the extent known: the nature and extent of the PHI involved, a description of the breach, the date of the breach and date of discovery, a description of what we are doing to investigate and mitigate the breach, and contact information for further inquiries.

(c) We will cooperate with the Covered Entity in providing any required notifications to affected individuals, the Secretary of HHS, and, where applicable, the media, in accordance with 45 CFR 164.404, 164.406, and 164.408.

(d) We maintain an internal breach log documenting all incidents, investigations, and outcomes.

13.2 State Breach Notification

(a) We comply with all applicable state data breach notification laws, which may require notification in shorter timeframes than HIPAA (for example, certain states require notification within 30 or 45 days).

(b) Where state law imposes requirements in addition to HIPAA, we comply with the most protective standard.


14. SUBSTANCE USE DISORDER RECORDS (42 CFR PART 2)

(a) To the extent that our Services involve the processing of patient records relating to substance use disorder treatment from a federally assisted program, such records are subject to the heightened protections of 42 CFR Part 2.

(b) We will not redisclose Part 2 records except as expressly authorized by patient consent that meets the requirements of 42 CFR Part 2 or as otherwise permitted under the regulation.

(c) We process Part 2 records only in accordance with specific written consent from the patient or as permitted under applicable regulatory exceptions.

(d) Note: Federal regulations and recent legislative updates (e.g., CARES Act Section 3221 amendments) may modify Part 2 requirements. We monitor and comply with the most current applicable version of the regulation.


15. COOKIES AND TRACKING TECHNOLOGIES

15.1 Types of Cookies

Our website and platform use the following categories of cookies:

(a) Strictly Necessary Cookies: Required for the operation of our platform, including authentication, session management, and security. These cannot be disabled.

(b) Functional Cookies: Enable personalized features such as language preferences and saved settings.

(c) Analytics Cookies: Help us understand how users interact with our platform to improve functionality and user experience. We use tools such as Google Analytics (with IP anonymization enabled).

(d) We do not use advertising or third-party tracking cookies for targeted advertising purposes.

15.2 Managing Cookies

You can manage cookie preferences through your browser settings or through our cookie consent management tool (where provided). Disabling certain cookies may affect the functionality of our platform.

15.3 Do Not Track

Our platform responds to "Do Not Track" browser signals. When a Do Not Track signal is detected, we disable non-essential analytics tracking.


16. CHILDREN'S PRIVACY

(a) Our Services are not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13 except as PHI processed on behalf of a Covered Entity for treatment, payment, or health care operations purposes.

(b) PHI of minors is processed in accordance with HIPAA and applicable state laws governing minor consent and parental access to medical records.

(c) If we become aware that we have collected personal information from a child under 13 outside the scope of HIPAA-governed activities, we will promptly delete such information.


17. DE-IDENTIFIED AND AGGREGATED DATA

(a) We may de-identify PHI in accordance with HIPAA's de-identification standards under 45 CFR 164.514. Once properly de-identified, data is no longer PHI and is not subject to HIPAA restrictions.

(b) We may use de-identified and aggregated data for: analytics and benchmarking services for our Provider clients, product development and improvement, research and publication of industry insights, and training of machine learning models to improve billing accuracy and denial prediction.

(c) We implement controls to prevent re-identification of de-identified data and do not attempt to re-identify data once it has been de-identified.

(d) Any published benchmarking data or research findings are presented only in aggregate form and do not identify any individual patient, provider, or practice.


18. CROSS-BORDER DATA TRANSFERS

(a) Lavender Health primarily operates in the United States and stores all PHI within the continental United States.

(b) We do not transfer PHI outside the United States without the express written consent of the applicable Covered Entity and, where required, the authorization of the individual whose PHI is at issue.

(c) If any service provider or subcontractor operates outside the United States, we ensure that appropriate contractual protections, security safeguards, and legal mechanisms are in place before any data transfer occurs.

(d) For non-PHI personal data, if we transfer data outside the United States, we rely on appropriate legal mechanisms such as standard contractual clauses, adequacy determinations, or other lawful transfer mechanisms.


19. AUTOMATED DECISION-MAKING AND ARTIFICIAL INTELLIGENCE

(a) Lavender Health may use automated tools, algorithms, and machine learning models to support RCM services, including coding suggestions, claim scrubbing, eligibility verification, denial prediction, and payment estimation.

(b) Automated outputs are recommendations and decision-support tools only. They do not replace human judgment. All coding, billing, and clinical decisions are subject to human review and final approval by qualified professionals.

(c) We regularly test and validate automated tools for accuracy, bias, and compliance with applicable standards.

(d) Providers may request information about the automated tools used in processing their data. Patients may request information about automated decisions that affect them through their healthcare provider.


20. CHANGES TO THIS POLICY

(a) We may update this Policy from time to time to reflect changes in our practices, regulatory requirements, or Services. Material changes will be communicated through: notice posted on our website, email notification to registered users, and in-platform notification.

(b) The "Last Updated" date at the top of this Policy indicates when the most recent revisions were made.

(c) Continued use of our Services after the effective date of changes constitutes acceptance of the updated Policy.

(d) Changes to how we handle PHI will be made in accordance with the applicable BAA and HIPAA requirements.


21. CONTACT INFORMATION

If you have questions, concerns, or requests related to this Privacy Policy, please contact us:

Lavender Health, Inc.
Attn: Privacy Officer
[INSERT ADDRESS]
[INSERT CITY, STATE, ZIP]

Email: privacy@lavenderhealth.com
Phone: [INSERT PHONE NUMBER]

For HIPAA-related complaints, you may also file a complaint with:

U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
https://www.hhs.gov/hipaa/filing-a-complaint/index.html

We will not retaliate against any individual for filing a complaint or exercising their rights under this Policy or applicable law.


22. GOVERNING LAW AND DISPUTE RESOLUTION

(a) This Policy is governed by and construed in accordance with the laws of the State of [INSERT STATE], without regard to its conflict of laws provisions, and applicable federal laws, including HIPAA.

(b) Any disputes arising under or in connection with this Policy shall be resolved in accordance with the dispute resolution provisions of the applicable service agreement.


23. SEVERABILITY

If any provision of this Policy is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect.


24. ACKNOWLEDGMENTS

By using Lavender Health's Services, you acknowledge that:

(a) You have read and understood this Privacy Policy.

(b) You consent to the collection, use, and disclosure of information as described in this Policy.

(c) If you are a Provider, you are responsible for ensuring that your patients are informed about the use of Lavender Health as a Business Associate, including through your own Notice of Privacy Practices.

(d) If you are a Provider, you represent that you have obtained any necessary patient consents or authorizations required under applicable law before transmitting patient data to Lavender Health.