1. Who We Are
CliniqPro is a clinical documentation intelligence platform for home health agencies. We are a Business Associate under HIPAA and execute a BAA with every client before any Protected Health Information is processed.
2. Information We Collect
- Account information: Name, agency name, email address, role, and billing information provided during registration.
- Clinical documents: Documentation uploaded by Client users (OASIS, visit notes, evaluations, care plans) for analysis purposes. This may include PHI.
- Usage data: Session logs, feature usage, and interaction data to improve the Platform.
- Platform communications: Messages sent through the clinical chat interface.
3. How We Use Your Information
- To provide clinical documentation analysis services;
- To improve AI model accuracy and platform features;
- To generate de-identified, aggregate industry benchmarks (no agency or patient is identifiable);
- To send service notifications and billing communications;
- To comply with legal obligations including HIPAA.
4. Aggregate and De-Identified Data
CliniqPro may use de-identified, aggregated data — stripped of all information that could identify a patient or agency — to publish industry research and improve AI models. This process complies with HIPAA de-identification standards (45 CFR §164.514(b)).
De-identified aggregate data is never traceable back to any individual patient or agency. We publish this data only in aggregate form.
5. HIPAA Compliance
We operate as a HIPAA Business Associate. All PHI is processed under a signed BAA. We maintain administrative, physical, and technical safeguards as required by the HIPAA Security Rule, including encrypted storage on AWS, access controls, and audit logging.
6. Data Sharing
We do not sell, rent, or share identifiable Client Data or patient information with third parties, except:
- When required by valid legal process (court order, subpoena, or lawful administrative order) — see Section 11 for our full policy on government requests;
- With service providers operating under confidentiality obligations and, where required, Business Associate Agreements (AWS, Stripe, SendGrid);
- In de-identified aggregate form for research and benchmarking in compliance with HIPAA de-identification standards (45 CFR §164.514(b)) — see Section 4.
CliniqPro will never share your agency's identifiable data with competitors, marketing partners, data brokers, or any third party for commercial purposes.
7. Data Retention and Deletion
CliniqPro retains different categories of data for different periods based on legal requirements and operational necessity:
- Patient PHI and clinical documents: Retained for the duration of the active subscription. Upon termination, Client has 60 days to export all data. After 60 days, data is permanently deleted.
- QA flag history and resolution records: Retained for the duration of the active subscription plus the 60-day retention period.
- Clinical AI chat logs: Retained for the duration of the active subscription plus the 60-day retention period.
- Account and billing records: Retained for 7 years from the date of last transaction, as required by applicable financial recordkeeping law.
- De-identified aggregate data: May be retained indefinitely, as it contains no information traceable to any individual or agency.
- Legal hold: In the event of active litigation, government investigation, or valid legal process, relevant data may be retained beyond standard retention periods as required by law, regardless of subscription status.
Automated Execution — No Human Discretion at Time of Deletion. Data deletion pursuant to CliniqPro's retention schedule is executed automatically by CliniqPro's systems, without human intervention or individual decision-making at the time of execution. The deletion logic was designed, programmed, and documented prior to the inception of any specific client relationship, dispute, or legal proceeding, and is applied uniformly to all clients under the same conditions. The act of automated deletion pursuant to this pre-established schedule does not reflect the intentional decision, discretionary judgment, or willful conduct of CliniqPro, its founders, employees, developers, or any affiliated personnel with respect to any specific client, case, or matter. Good-faith, automated destruction of records pursuant to a consistently applied, pre-existing retention policy — executed prior to receipt of any notice of litigation, investigation, or legal hold obligation — does not constitute spoliation of evidence, destruction of evidence, or obstruction of any legal or regulatory process under applicable law.
To request deletion of your agency's data prior to the end of your subscription, contact privacy@cliniqpro.com. Deletion requests are subject to any applicable legal holds and our contractual data retention obligations.
8. Security
CliniqPro uses AWS infrastructure with encryption at rest and in transit, role-based access controls, and regular security monitoring. We maintain an incident response plan and will notify affected clients of any breach as required by HIPAA and applicable law.
9. Your Rights
Agency administrators may access, update, or request deletion of their account data at any time through the platform or by contacting us. Rights regarding patient PHI are governed by your agency's HIPAA policies and our BAA.
10. Security Incident Response
In the event of a security incident or data breach involving PHI, CliniqPro will:
- Investigate the incident and contain the breach as quickly as possible;
- Notify affected Clients as required by HIPAA's Breach Notification Rule (45 CFR §§ 164.400–414) — within 60 days of discovery of a breach affecting 500 or more individuals, or as part of annual reporting for smaller breaches;
- Notify HHS/OCR as required by HIPAA;
- Provide affected Clients with a description of the breach, the PHI involved, and recommended steps to protect themselves.
CliniqPro maintains cyber liability insurance and an incident response plan. To report a suspected security incident: security@cliniqpro.com
11. Government Requests and Legal Process
CliniqPro does not voluntarily disclose Client Data or Protected Health Information to any government agency, regulatory body, or law enforcement authority. We only disclose such information when compelled by valid legal process issued by an authority with proper jurisdiction.
When we receive a legal request for your data, we will:
- Evaluate whether the request has a valid legal basis before responding;
- Notify you before disclosing your data, where legally permitted to do so (notification may be prohibited by court order or gag order);
- Disclose only the minimum necessary information specifically required by the legal process;
- Challenge requests we believe are legally deficient, overly broad, or issued without proper authority.
What we cannot do: As a HIPAA Business Associate, CliniqPro is required to comply with valid legal process under HIPAA's disclosure provisions (45 CFR §164.512). We cannot provide absolute protection against valid court orders or lawful government requests. However, we will always act in the manner most protective of your interests within the bounds of the law.
Types of requests we have authority to receive: Judicial subpoenas, administrative subpoenas (CMS, OIG, DOJ, HHS), court orders, and law enforcement requests compliant with 45 CFR §164.512(f). We do not comply with informal requests or requests lacking proper legal authority.
For questions about a specific legal request involving your agency's data, contact: legal@cliniqpro.com