Privacy Policy
Last updated: July 8, 2026
HIPAALINK.net, Inc. (“us”, “we”, or “our”) operates the https://www.hipaalink.net website and the HIPAA LINK web and mobile applications (collectively, the “Platform”).
This page informs you of our policies regarding the collection, use and disclosure of personal information when you use the Platform. We will not use or share your information with anyone except as described in this Privacy Policy.
By using the Platform, you agree to the collection and use of information in accordance with this policy. Unless otherwise defined in this Privacy Policy, terms used in this Privacy Policy have the same meanings as in our Terms of Service, accessible at terms-of-service.
California Residents
If you're a resident of California, please read our California Privacy Rights Addendum in conjunction with this Privacy Policy.
Our Role Under HIPAA and Business Associate Agreements
The Platform is designed for use by Health Care Providers and their clients. Where a Provider is a “covered entity” (or a business associate) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), we act as the Provider's Business Associate with respect to any Protected Health Information (“PHI”) that is processed through the Platform.
Our handling of PHI on behalf of a Provider is governed by a Business Associate Agreement (“BAA”) between us and the Provider, which controls in the event of any conflict with this Privacy Policy as to PHI. Providers who require a BAA may request one before enabling features that process PHI. Any third-party vendor that processes PHI on our behalf does so only under a BAA and only as necessary to provide the applicable service.
Information Collection and Use
While using the Platform, we may ask all users to provide us with certain personally identifiable information that can be used to contact or identify you, including:
- Data you provide when you create an account, such as your name and email address.
- Billing and subscription information when you purchase or manage a paid plan (see “Payments and Subscriptions”).
- Information you provide when you contact support or respond to communications.
We also collect certain information automatically, including Log Data, cookies, and approximate location derived from your IP address (see “Log Data,” “Cookies,” and “Approximate Location”).
If You're a Health Care Provider
If you are a Health Care Provider as defined under 42 U.S.C. §300jj (each a “Provider” and collectively, “Providers”), you warrant that your use of the Platform conforms with all applicable laws, rules and regulations.
From Providers, we collect the following additional personally identifiable information:
- First and last name
- Specialty and additional information provided by you when branding and customizing your Waiting Room, such as your National Provider Identifier (“NPI”), mobile phone number, and practice area
- Account, plan, subscription, billing, and usage information
By using the Platform, you allow us to contact you by email and, where you have provided a mobile number, by text message (SMS), regarding features, changes, maintenance, and other products that may be introduced from time to time on the Platform. In addition, if you enable notifications within the Platform (including push notifications in our mobile applications), we will send you a notification that your client is waiting in the Waiting Room.
You may also share your Personal Link with your clients. Your Personal Link can be used to securely host your client sessions.
If You're a Client (Guest)
This section only applies if you have received a unique invitation from a Provider and wish to communicate with the Provider using the Platform. Some features are not activated automatically and require your explicit authorization.
PHI and Encryption
We are committed to protecting PHI that may be exchanged through the Platform. Session media (audio and video) is encrypted in transit, and where technically feasible — such as peer-to-peer sessions — is transmitted directly between participants using end-to-end encryption. Certain sessions (for example, group sessions or sessions that must be relayed through our servers when a direct connection cannot be established) are encrypted in transit but are not end-to-end encrypted.
Except as described in this Privacy Policy (see “AI Notes” and “Fax”), we do not retain the content of your sessions. Where features such as AI Notes or Fax process PHI, that PHI is handled under a BAA and retained only as described in “Data Retention.” We do not sell PHI, and we do not use PHI for advertising.
Types of Data Processed
Name to Enter Waiting Room
A Client does not need an account or to register with us to use the Platform.
A Provider will email or text a link to a Client for entry into the Waiting Room. When a Client clicks that link, it will take the Client to the welcome screen, where the Client will be asked to enter their name and click a button to enter the Waiting Room.
Your name is only seen by the Provider and used for initial identification. There is no verification of the entry, nor any requirement that you use your full name. Your name is used only for the current session and is not stored or otherwise used by the Platform after the session.
Session Privacy
At any time while using the Platform, you may disable the audio, video, or both. Doing so may prevent effective communication between the Provider and the Client, but there may be times when you wish to disable audio or video for personal reasons.
You may also close any open session with a Provider at any time.
File Share
If a Client chooses to share files with the Provider through the Platform, that file is sent securely with end-to-end encryption and no copy is saved on our servers.
Chat & Whiteboard
The Platform enables Providers and Clients to communicate through chat and a whiteboard during a session. Chat messages exist only in local device memory for the duration of the session and are deleted when the session concludes. We do not store chat messages on our servers, and there is no chat history or transcript.
AI Notes
If enabled by the Provider, the AI Notes feature captures session audio in order to generate a written clinical note or summary for the Provider. AI Notes is not a session-recording-and-playback feature: the Platform does not create a video recording of the session, and no session recording is made available to the Provider (or anyone else) to play back. The captured audio is used only to generate the transcript and note, is retained for up to 30 days as described in “Data Retention,” and can be deleted by the Provider at any time.
When AI Notes is active:
- Session audio is transmitted to and processed by third-party transcription and artificial-intelligence providers that act as our subprocessors and operate under a BAA, solely to produce a transcript and generated note.
- The generated note (and any transcript) is made available to the Provider and is treated as PHI under the Provider's control.
- AI Notes is used only when activated for a session. A visible indicator is shown to participants while notes are being taken.
Retention of transcripts and generated notes is described in “Data Retention.” We do not use AI Notes content to train third-party AI models, and our subprocessors are contractually restricted from doing so.
Fax
If enabled, the Platform allows Providers to send and receive faxes, which may contain PHI. To provide this feature:
- Fax documents and related metadata (such as sender, recipient, and cover-sheet information) are transmitted through a third-party fax-delivery provider that acts as our subprocessor under a BAA.
- Received faxes are stored within the Provider's clinic account, isolated to that clinic, and are automatically deleted after the retention period described in “Data Retention.”
Sharing Your Screen
The Platform lets you share all or part of your computer screen with the Provider. You will be asked to confirm that you wish to share your screen or a specific window.
There are obvious privacy considerations with screen sharing. It is up to you to ensure that no sensitive or confidential information (other than what you wish to show the Provider) is viewable during the session. For example, if you do not wish the Provider to see your email or other open windows, it is best to close those applications before sharing.
Payments and Subscriptions
If you purchase a paid plan, add-on, or credits, we and our payment/subscription processor collect and process the information necessary to complete the transaction and manage your subscription, such as your billing details, plan, trial dates, and usage/credit balances. Payment card processing is handled by our third-party payment processor; we do not store full payment card numbers on our own servers.
Referral and Promotional Programs
If you arrive at the Platform through a referral link (for example, a link containing a referral code) or use a promotional code, we record information about that referral or promotion — such as the referral or promo code and associated activity — to administer our referral and promotional programs, apply eligible benefits (such as extended trials), and measure their effectiveness.
Approximate Location
For certain features, we derive an approximate location (such as city and state/region) from your Internet Protocol (“IP”) address using a third-party IP-geolocation reference database. This is an estimate based on your IP address and does not use GPS or precise device location. It may be shown to a Provider (for example, in a session status view) to help the Provider confirm they are connecting with the intended participant.
Log Data
We may also collect information that your browser or device sends whenever you use the Platform (“Log Data”). Log Data may include your IP address, browser or device type and version, the pages or screens of the Platform you visit, the time and date of your visit, the time spent, and other statistics.
Cookies and Similar Technologies
Cookies are files with a small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. We use cookies and similar technologies to operate the Platform, remember your preferences, support referral/promotional programs, and improve the Platform for you.
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. The Help feature on most browsers explains how to accept, disable, or be notified of cookies. If you do not accept cookies, you may not be able to use some features of the Platform.
Mobile Applications and Push Notifications
We offer mobile applications for the Platform (available through the Apple App Store and Google Play). When you use a mobile application, we may collect device information such as device and operating-system type, application version, and, if you enable them, deliver push notifications. Our data-collection practices as described in this Privacy Policy apply to the mobile applications, and the disclosures we provide to the app stores are consistent with this policy.
Do Not Track Disclosure
We support Do Not Track (“DNT”). Do Not Track is a preference you can set in your web browser to inform websites that you do not want to be tracked. You can enable or disable DNT in the Preferences or Settings page of your browser.
Service Providers and Subprocessors
We use third-party service providers to help us operate and provide the Platform. These providers act on our behalf, have access only to the information necessary to perform their specific tasks, and are restricted from using it for any other purpose. Any provider that processes PHI does so only under a BAA. The categories of providers we use include:
- Cloud hosting and infrastructure (application hosting, storage, and databases)
- Real-time communications and telephony (video/audio session delivery, media relay, and SMS/text messaging)
- Transcription and artificial-intelligence services (for the AI Notes feature)
- Fax delivery (for the Fax feature)
- Payment and subscription processing
- IP-geolocation reference data (for approximate location)
- Email delivery and notifications
We do not transmit PHI to any third party except subprocessors engaged under a BAA to provide the features described above.
Communications
We may use your contact information to send you newsletters, marketing or promotional materials, and other information that may be of interest to you. You may opt out of receiving any or all of these communications by following the unsubscribe link or instructions in any email we send, or by contacting us. We will still send you transactional or service-related messages necessary to operate your account.
Data Retention
We retain personal information for as long as necessary to provide the Platform and for legitimate business or legal purposes:
- Account information is retained while your account is active and for a reasonable period afterward, unless a longer period is required by law.
- Received faxes are retained for approximately 90 days and then automatically and permanently deleted.
- AI Notes recordings, transcripts, and generated notes are retained for up to 30 days and are then automatically deleted. The Provider may delete them at any time.
- Log Data is retained for a limited period for security and operational purposes.
- Session media, chat, whiteboard content, and shared files are not retained after the session ends, except as expressly described in this Privacy Policy.
Where we act as a Business Associate, retention and deletion of PHI are governed by the applicable BAA.
Your Rights and Choices
Subject to applicable law and to our obligations as a Business Associate, you may request to access, correct, or delete personal information we hold about you, and you may opt out of marketing communications. Requests concerning PHI held on behalf of a Provider will generally be directed to the applicable Provider (the covered entity). To make a request, please contact us using the information below. California residents should also review our California Privacy Rights Addendum.
Compliance with Laws
We will disclose your personal information where required to do so by law or subpoena, or if we believe such action is necessary to comply with the law and the reasonable requests of law enforcement, or to protect the security or integrity of the Platform.
Breach Notification
We maintain administrative, technical, and physical safeguards designed to protect personal information and PHI. In the event of a breach of unsecured PHI, we will notify the affected Provider (as covered entity) without unreasonable delay and in accordance with the HIPAA Breach Notification Rule and the applicable BAA, so that required notifications can be made.
Business Transactions
If HIPAALINK.net, Inc. is involved in a merger, acquisition, or asset sale, your personal information may be transferred as a business asset. In such cases, we will provide notice before your personal information is transferred and/or becomes subject to a different Privacy Policy.
Security
The security of your personal information is important to us, and we strive to implement and maintain reasonable, commercially acceptable security procedures and practices appropriate to the nature of the information we store, in order to protect it from unauthorized access, destruction, use, modification, or disclosure.
However, please be aware that no method of transmission over the internet, or method of electronic storage, is 100% secure, and we are unable to guarantee the absolute security of the personal information we have collected from you.
International Transfer
Your information, including personal information, may be transferred to — and maintained on — computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction. If you are located outside the United States and choose to provide information to us, please note that we transfer the information, including personal information, to the United States and process it there.
Your consent to this Privacy Policy, followed by your submission of such information, represents your agreement to that transfer.
Links to Other Websites
The Platform may contain links to other sites that are not operated by us. If you click a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services.
Children's Privacy
Account holders must be 18 or older. The Platform is not directed to children under 13, and we do not knowingly collect personally identifiable information from children under 13 without verified parental consent. A Client who joins a session at the invitation of a Provider may be a minor receiving care under the authority and responsibility of that Provider (and their parent or guardian); in that context, any information is processed on behalf of the Provider.
If you are a parent or guardian and you learn that your child has provided us with personal information, please contact us. If we become aware that we have collected personal information from a child under 13 without verification of parental consent, we will take steps to remove that information from our servers.
Changes to this Privacy Policy
This Privacy Policy is effective as of the “Last updated” date above and will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on this page.
We reserve the right to update or change our Privacy Policy at any time, and you should check this Privacy Policy periodically. Your continued use of the Platform after we post any modifications to the Privacy Policy on this page will constitute your acknowledgment of the modifications and your consent to abide by and be bound by the modified Privacy Policy.
If we make any material changes to this Privacy Policy, we will notify you either through the email address you have provided us or by placing a prominent notice on our website.
Contact Us
If you have any questions about this Privacy Policy, please contact us at privacy@hipaalink.net.