Auth Hero Privacy Policy

Who we serve

Auth Hero is built for California workers' comp clinics and the stakeholders they invite (patients, employers, attorneys, payers, nurse case managers). We are not an electronic medical record (EMR) and we do not provide medical care. In most cases, we act as a Business Associate to Covered Entities (e.g., clinics) under HIPAA and as a Service Provider under the California Consumer Privacy Act, as amended by the CPRA (together, "CCPA/CPRA").

California only. Auth Hero currently operates in the State of California. If you access the Services from outside the U.S., you do so at your own initiative and any data will be stored and processed in the United States.

1) Scope & Relationship to HIPAA

When we handle Protected Health Information ("PHI") on behalf of a Covered Entity (e.g., clinic), we do so pursuant to a Business Associate Agreement ("BAA"). The clinic's Notice of Privacy Practices (NPP) governs how the clinic uses and discloses PHI; this Policy explains Auth Hero's privacy practices for our platform.

PHI processed under a BAA is not subject to certain state consumer privacy rights (e.g., CCPA/CPRA) to the extent those laws exclude PHI handled under HIPAA. Where information is not PHI, CCPA/CPRA rights described below may apply.

2) Personal Information We Collect

The categories we collect depend on how you use the Services and your role (clinic staff, patient, employer, attorney, payer, etc.). Information may be collected from you, your clinic/employer/attorney/payer, or automatically via the Service.

Account & Identity

Name, contact details, role, organization, job title, user credentials, multi-factor settings.

Case & Document Data (may include PHI)

Workers' comp case identifiers; RFAs, referrals, medical notes, prior authorizations, imaging reports, progress notes, work status forms; comments, tags, and metadata; version history; who uploaded/viewed/modified documents and when.

Messaging & Tasks

Case-linked messages and attachments; task assignments, due dates, completion status; notification history.

Regulatory & Audit

Full audit trails (access logs, permission changes, exports), retention flags (e.g., legal hold), consent/authorization artifacts provided by clinics or other stakeholders.

Payment/Commercial (if applicable)

Billing contact info, business addresses, purchase history (for clinic subscriptions or workplace bundles). We do not store full card numbers—payments are processed by PCI-compliant vendors.

Device/Usage

IP address, device/browser type, app events, crash reports, session timestamps, limited diagnostic telemetry. We use only necessary cookies by default; optional analytics are opt-in.

Sensitive Personal Information

To the extent we process PHI (health information) or government IDs (when provided by a clinic or another permitted source), we protect and restrict such data per HIPAA and applicable California law.

3) Sources of Information

• You (account setup; uploads; messages; tasks)
• Your clinic or other stakeholder that invited you (e.g., a clinic adding a payer contact to a case)
• Connected channels you authorize (e.g., clinic fax/email integrations)
• Service providers (e.g., cloud hosting, OCR, identity verification)
• Automatically (security, performance, audit logging)

4) How We Use Information

We use personal information to:

• Provide & support the Services: create/manage accounts; enable case-centric document management, messaging, and tasks; generate audit logs; maintain role-based access controls.
• Comply with law & contracts: meet HIPAA and California workers' comp record-keeping requirements; honor BAAs and customer agreements.
• Security & integrity: authenticate users; prevent, detect, investigate, and respond to fraud, abuse, and security incidents; maintain logs and retention policies (HIPAA baseline 6+ years).
• Service communications: send transactional notices (e.g., access invitations, policy updates, security alerts). You cannot opt out of essential service messages.
• Improve the platform: quality assurance, troubleshooting, analytics on de-identified or aggregated data; optional product analytics are opt-in and never used for targeted ads.
• Legal hold & e-discovery (when enabled by customers): freeze case artifacts, generate export packs for lawful requests.

We do not sell or share personal information as "sale" or "sharing for cross-context behavioral advertising" are defined by CCPA/CPRA. We do not use PHI for advertising or marketing unrelated to your clinic's instructions.

5) Disclosures of Information

We disclose personal information only as described below:

• Your Clinic/Organization & Case Stakeholders: Access is role-based and invite-only; clinics control who may view/upload/act on a case.
• Service Providers / Subprocessors: Cloud hosting (e.g., U.S.-based infrastructure), secure fax/email gateways, OCR, error monitoring, support tools, authentication/MFA, backup/DR, and (opt-in) analytics. We bind them by contract to use information only to perform services for Auth Hero and to implement appropriate safeguards. A current list is available upon request.
• Legal & Compliance: To comply with law, regulation, subpoena, or court order; to protect rights, safety, and property; to enforce our agreements or investigate security issues.
• Corporate Events: In connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality and continued protection of the data.
• De-identified/Aggregated Data: We may use and share de-identified or aggregated information for analytics, benchmarking, or product improvement. We commit not to re-identify such data.

We do not disclose PHI to third parties for their independent marketing and do not permit vendors to use PHI for advertising.

6) Cookies & Tracking

Essential cookies support login, security, and core features.

Optional analytics (e.g., product usage to improve UX) are off by default and enabled only with user or customer admin consent.

We do not use cross-site tracking for behavioral advertising.

Most browsers let you control cookies; blocking essential cookies may impair functionality. Our Services do not respond to "Do Not Track" signals.

7) Data Security

We implement administrative, technical, and physical safeguards aligned to HIPAA and industry practices, including (without limitation):

• Encryption in transit and at rest;
• Role-based access controls and least-privilege;
• Logging, monitoring, and intrusion detection;
• Secure development practices and vulnerability management;
• Business continuity and disaster recovery.

No system is perfectly secure; we maintain an incident response program and will provide breach notifications as required by law and our BAAs.

8) Data Retention

We retain personal information as needed to provide the Services, meet HIPAA's 6-year minimum (or longer if required by law or the customer's retention policy), resolve disputes, and enforce agreements. Where feasible, we de-identify or delete data that is no longer required. If deletion is not immediately feasible (e.g., backups), we securely store and isolate it until deletion is possible.

9) Children

The Services are not intended for individuals under 18. If we learn we have collected personal information from someone under 18, we will delete it consistent with law.

10) Your Privacy Rights (California)

If your information is PHI processed under HIPAA on behalf of a clinic, your clinic's Notice of Privacy Practices governs your rights, and the requests should generally be directed to the clinic.

For non-PHI personal information subject to CCPA/CPRA, California residents may have the right to:

• Know/Access the categories and specific pieces of personal information we collected about you;
• Correct inaccurate personal information;
• Delete personal information (subject to exceptions, including HIPAA and legal retention);
• Opt out of "sale" or "sharing" for cross-context behavioral advertising (we do not sell or share personal information for such advertising);
• Limit use of Sensitive Personal Information (we use sensitive data only for permitted, necessary purposes such as providing the Services and complying with law).

How to submit a request: Email privacy@authhero.com or use the in-app privacy request form (when available). We will verify your identity and respond within the timelines required by California law. You may designate an authorized agent to submit a request on your behalf, subject to verification. We will not discriminate against you for exercising your rights.

11) Role Clarification: Business Associate & Service Provider

For clinic-provided data (including PHI), Auth Hero acts as a Business Associate under HIPAA and a Service Provider under CCPA/CPRA. We process such data solely to provide the Services and as permitted by our agreements and applicable law.

For Auth Hero's own operations (e.g., our marketing site contact forms), Auth Hero may act as a business in limited contexts; we still do not sell/share personal information for cross-context ads.

12) Third-Party Links & Features

Our Services may include links to third-party sites or services (e.g., secure file delivery, video calls) that are not controlled by Auth Hero. Their privacy practices govern those properties. Review their policies before sharing information.

13) Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will update the "Effective Date" and provide additional notice as appropriate (e.g., in-product banner or email to admins). Your continued use of the Services after an update indicates acceptance.

14) Contact Us

If you are a patient or stakeholder invited by a clinic, you may also contact your clinic regarding PHI rights under HIPAA.

Summary of Key Commitments

• We are not an EMR and do not provide medical care.
• We act as a Business Associate for PHI, with BAAs in place.
• We do not sell or share personal information for cross-context behavioral advertising.
• HIPAA-aligned audit logging and 6+ year retention; strong security controls.
• California-only operations; U.S. data hosting.
• Clear California privacy rights for non-PHI data; HIPAA rights via your clinic for PHI.

Versions

Privacy Policy v1 (current)