Praxia Health LLC ("Praxia," "we," "us," or "our") respects your privacy and is committed to protecting the information shared with us by clients, prospective clients, and visitors to our website. This Privacy Policy explains what information we collect, how we use it, and the choices you have. This policy applies to information collected through our website, communications, and the provision of our services. Protected Health Information (PHI) handled on behalf of clients is governed primarily by the executed Business Associate Agreement and applicable HIPAA regulations, as described in Section 3 below.
1. Information We Collect
We collect only the information necessary to operate, deliver, and improve our services. This includes:
- Contact information: name, email address, phone number, mailing address, and role at your practice, collected when you inquire about our services, schedule a consultation, or sign an agreement.
- Practice information: practice name, specialty, provider details, NPI and tax identifiers, payer mix, EHR or practice management systems in use, and operational details necessary to scope and deliver services.
- Account & billing information: billing contact, billing address, and payment method details (payment card data is processed by our PCI-compliant payment processor; Praxia does not store full card numbers).
- Communications: records of emails, support requests, scheduled calls, and meeting notes related to your engagement.
- Usage data: anonymized website analytics such as pages visited, referral source, browser type, device type, and approximate geographic region. This data is aggregated and does not include PHI.
- Protected Health Information (PHI): when handling PHI on behalf of clients, we collect only the minimum necessary information required to perform the contracted service, in accordance with the BAA and HIPAA's minimum necessary standard.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Service delivery: performing the back-office operations contracted in your service agreement, including intake, verification, billing, claims, and reporting.
- Communication: responding to inquiries, coordinating scheduled work, providing service updates, and sending invoices and account notices.
- Service improvement: analyzing aggregated, de-identified usage and operational data to improve workflows, training, and service quality.
- Compliance and legal obligations: meeting our obligations under HIPAA, the HITECH Act, state privacy laws, and other applicable regulations.
- Security and fraud prevention: detecting, investigating, and preventing unauthorized access, fraudulent activity, or misuse of our services.
We do not sell, rent, or trade personal information or PHI. We do not use PHI for marketing.
3. HIPAA & Protected Health Information
Praxia acts as a Business Associate (as defined by HIPAA) when handling PHI on behalf of healthcare provider clients ("Covered Entities"). A signed Business Associate Agreement (BAA) is executed prior to the exchange of any PHI and governs:
- The permitted and required uses and disclosures of PHI
- Our obligation to safeguard PHI using administrative, physical, and technical safeguards as required by the HIPAA Security Rule
- Breach notification procedures and timelines consistent with the HITECH Act
- Return or destruction of PHI upon termination of the engagement
- Limits on subcontracting and the requirement that any subcontractor handling PHI enter into a written agreement containing the same restrictions
PHI is never sold, used for advertising, or shared with parties outside of the permitted uses defined in the BAA and HIPAA.
4. Data Security
We maintain reasonable and appropriate administrative, physical, and technical safeguards designed to protect the information entrusted to us. These include:
- Encryption of data in transit (TLS 1.2 or higher) and at rest where technically feasible
- Role-based access controls and the principle of least privilege for all personnel
- Multi-factor authentication on all systems used to handle client information or PHI
- Workforce training on HIPAA, security awareness, and incident response
- Vendor due diligence and signed BAAs with all subcontractors that may handle PHI
- Routine review of access logs, security configurations, and risk assessments
No system is perfectly secure. In the event of a confirmed breach of unsecured PHI, we will notify affected Covered Entities in accordance with HIPAA's breach notification requirements.
5. Third-Party Services
Praxia partners only with vendors that meet our HIPAA and security requirements. Key third parties used in service delivery include:
- Google Workspace — email, file storage, and collaboration, operated under an executed Business Associate Agreement with Google.
- Zoom for Healthcare — secure video meetings for client consultations and case review, operated under Zoom's HIPAA-compliant configuration and BAA.
- Payment processor — a PCI-DSS compliant processor handles credit card and ACH payments; Praxia does not store full payment card data.
- EHR and practice management systems — when contracted, Praxia accesses Client-owned systems under the Client's user accounts and the executed BAA.
We use only HIPAA-compliant vendors for any workflow that may touch PHI, and we maintain BAAs with each such vendor.
6. Your Rights
Depending on your role and applicable law, you may have the following rights regarding personal information we hold:
- Access: request a copy of the personal information we hold about you.
- Correction: request correction of information that is inaccurate or incomplete.
- Deletion: request deletion of personal information, subject to legal and contractual record-retention obligations.
- Restriction or objection: request that we restrict certain processing or object to specific uses where permitted by law.
- Withdrawal of consent: where processing is based on consent, withdraw that consent at any time without affecting prior lawful processing.
Patient rights with respect to PHI (including access, amendment, accounting of disclosures, and restrictions) are exercised through the Covered Entity that holds the patient relationship. Praxia, as a Business Associate, will assist Covered Entities in responding to such requests as required by HIPAA and the BAA.
To exercise any of these rights, contact us at privacy@praxiahealth.co. We will respond within the timeframes required by applicable law.
7. Cookies & Analytics
Our website uses a minimal set of cookies and similar technologies. We use only privacy-respecting analytics to understand aggregate website traffic and improve content. The data collected does not include PHI and is not used to build advertising profiles. Specifically:
- We do not run third-party advertising or remarketing pixels on pages that collect personal information.
- We do not place tracking technologies on any workflow that may transmit PHI.
- You may control or block cookies through your browser settings; doing so may affect basic functionality such as form submission.
8. Contact
If you have questions about this Privacy Policy or our practices, or wish to exercise any of your rights, please contact:
Praxia Health LLC
Privacy Officer
Email: privacy@praxiahealth.co
If you are a patient with a concern about the handling of your health information, please first contact your healthcare provider. Praxia will support providers in addressing patient requests and complaints in accordance with HIPAA.