Privacy Policy
HIPAA Notice
TrackER is a healthcare application subject to the Health Insurance Portability and Accountability Act (HIPAA). This Privacy Policy works in conjunction with your hospital's Notice of Privacy Practices. For questions about how your specific hospital uses your health information, please request their HIPAA Notice of Privacy Practices.
1. Introduction
CCB Tech (Chartiers Creek Business Holdings) ("we," "our," or "us") operates TrackER, an emergency room queue management system. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use TrackER through our web portals, kiosks, and mobile interfaces.
By using TrackER, you consent to the data practices described in this policy.
2. Information We Collect
2.1 Protected Health Information (PHI)
When you check in at a TrackER kiosk or your visit is entered by hospital staff, we collect:
| Category | Data Elements |
|---|---|
| Personal Identifiers | First name, last name, date of birth, phone number |
| Visit Information | Chief complaint, self-assessed severity, check-in time, assigned room/location |
| Clinical Status | Current visit status (e.g., "Triage Complete," "Diagnostics Ordered"), assigned provider name |
| Behavioral Assessment | STAMP threat scores, observations from clinical staff |
| Communication | SMS messages sent, portal access logs, notification delivery status, opt-in consent records with timestamps |
2.2 Technical Information
We automatically collect certain technical data when you access TrackER:
- Device Information: Browser type, operating system, device model
- Usage Data: Pages viewed, features used, time spent in portal
- IP Address: Your internet protocol address (stored in Azure Application Insights with PII filtering)
- Authentication Data: FIDO2 passkey credentials (stored as cryptographic hashes only)
- Session Data: Login times, session duration, logout events
2.3 Information from Third Parties
We may receive information from:
- Hospital EHR Systems: Via HL7/FHIR integrations, we receive patient demographics and visit data
- Microsoft Entra ID: If your hospital uses SSO, we receive your name, email, and employee ID
- Azure Communication Services: SMS delivery status, phone carrier information
3. How We Use Your Information
We use collected information for the following purposes:
| Purpose | Legal Basis (HIPAA/GDPR) |
|---|---|
| Treatment Operations: Manage your ER queue position, coordinate staff jobs, track visit progress | Treatment / Contractual Necessity |
| Patient Communication: Send SMS updates, display status on patient portal | Explicit Consent (opt-in checkbox at kiosk or verbal confirmation to staff; see SMS Opt-In & Consent policy) |
| Safety & Security: STAMP assessments, security team alerts, buddy system warnings | Healthcare Operations / Vital Interests |
| Audit & Compliance: Maintain logs of all system actions for regulatory compliance | Legal Obligation |
| System Improvement: Analyze usage patterns to improve TrackER features | Legitimate Interest (anonymized data only) |
4. How We Share Your Information
4.1 Within Your Hospital
TrackER operates on a multi-tenant architecture. Your information is visible only to authorized staff at your hospital:
- Nurses: See your queue card, status, STAMP scores, assigned room
- Support Staff: See job assignments related to your visit (transport, cleaning, etc.)
- Administrators: View aggregate analytics and audit logs (with PHI visible for compliance purposes)
- Security Team: Receive alerts for high-risk STAMP assessments
4.2 Service Providers (Business Associates)
We share information with third-party vendors who perform services on our behalf, all under HIPAA Business Associate Agreements:
| Provider | Purpose | Data Shared |
|---|---|---|
| Microsoft Azure | Cloud hosting, database storage | All TrackER data (encrypted at rest) |
| Azure Communication Services | SMS notifications, security alerts | Phone numbers, message content |
| Azure Application Insights | Performance monitoring, error tracking | Usage data (PII filtered) |
| Azure Key Vault | Secure credential storage | Encryption keys, connection strings (no PHI) |
4.3 Legal Disclosures
We may disclose your information when required by law:
- To comply with subpoenas, court orders, or legal process
- To report suspected abuse, neglect, or domestic violence as required by state law
- To public health authorities for disease outbreak tracking
- To law enforcement in response to violence or criminal activity
4.4 We Do NOT Sell Your Information
No Marketing or Sale of PHI
CCB Tech does not sell, rent, or trade your health information to third parties for marketing purposes. We do not use your data for advertising. TrackER is a clinical operations tool, not a marketing platform.
SMS-Specific: Your phone number and SMS opt-in consent are used solely for the operational message types described in our SMS Opt-In & Consent policy. We will never share your phone number with third parties for promotional or marketing purposes. No purchase is required to opt in to SMS.
5. Data Security
We implement industry-standard security measures to protect your information:
5.1 Encryption
- In Transit: All data transmitted via HTTPS/TLS 1.3
- At Rest: Azure SQL Database with Transparent Data Encryption (TDE)
- SMS Messages: End-to-end encryption via Azure Communication Services
5.2 Access Controls
- Role-Based Access: Staff see only data relevant to their role (nurses see queue, staff see jobs, etc.)
- Hospital Isolation: Each hospital's data is logically separated; no cross-hospital access
- Authentication: JWT tokens, FIDO2 passkeys, Microsoft Entra ID SSO
- Session Management: Configurable timeouts, automatic logout on inactivity
5.3 Monitoring & Auditing
- Comprehensive Audit Logs: Every data access, modification, and deletion is logged with timestamp and user attribution
- Security Monitoring: Azure Security Center alerts for suspicious activity
- Annual Penetration Testing: Third-party security audits
5.4 Data Breach Notification
In the event of a data breach affecting your PHI, we will:
- Notify your hospital within 24 hours; your hospital will then notify you as required by HIPAA (within 60 days)
- Report to the Department of Health and Human Services if ≥500 records affected
- Provide breach details, mitigation steps, and remediation timeline
6. Data Retention
We retain your information according to the following schedule:
| Data Type | Retention Period | Rationale |
|---|---|---|
| Active Visit Data | Duration of visit + 30 days | Operational need for follow-up |
| Audit Logs (Patient) | 7 years | HIPAA compliance requirement |
| Audit Logs (Admin/Staff) | 7 years | Legal compliance |
| STAMP Assessments | 7 years | Liability protection, quality improvement |
| SMS Message Logs | 90 days | Telecom compliance |
| Session/Authentication Data | 90 days | Security incident investigation |
After retention periods expire, data is permanently deleted from all systems, including backups.
7. Your Rights
7.1 Access Your Information
You have the right to request a copy of the information we have about your visit. Contact your hospital's Health Information Management (HIM) department or Privacy Officer.
7.2 Request Corrections
If you believe information in TrackER is incorrect, you may request an amendment. Note: Clinical data (STAMP scores, status changes) may require clinical staff review before amendment.
7.3 Opt-Out of SMS
Reply STOP to any TrackER SMS message to immediately unsubscribe. You may also reply HELP for support. You can re-subscribe by texting START. See our SMS Opt-In & Consent policy for complete details including message frequency, data rates, and all opt-out methods.
7.4 Request Restrictions
You may request that we restrict how we use or disclose your information. We will consider your request but are not required to agree if it would interfere with treatment.
7.5 Right to an Accounting of Disclosures
You can request a list of disclosures we've made of your information (excluding disclosures for treatment, payment, or operations). Our audit logs support this requirement.
8. Children's Privacy
TrackER is used in emergency departments that treat patients of all ages, including minors. When a parent or guardian checks in a child under 18:
- The parent/guardian provides consent for SMS notifications
- The parent/guardian's phone receives updates (not the child's)
- All HIPAA protections for minors apply
9. International Data Transfers
TrackER is hosted in Microsoft Azure data centers within the United States. If your hospital is located outside the U.S., your information will be transferred to and processed in the U.S. under applicable data protection frameworks (e.g., EU-U.S. Data Privacy Framework).
10. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we make material changes:
- We will update the "Last Updated" date at the top of this page
- Your hospital will be notified at least 30 days before changes take effect
- Hospitals may choose to notify patients via posted notices or email
Continued use of TrackER after changes constitutes acceptance of the updated policy.
11. Contact Information
For Questions About This Privacy Policy:
CCB Tech - Privacy Officer
Chartiers Creek Business Holdings
Canonsburg, PA, United States
Email: [email protected]
Phone: (Contact your hospital for local support)
For Questions About Your Specific Hospital Visit:
Contact your hospital's Privacy Officer or Health Information Management (HIM) department. Each hospital using TrackER has its own privacy practices and designated privacy contacts.
To File a Complaint:
If you believe your privacy rights have been violated, you may file a complaint:
- With your hospital: Contact their Privacy Officer or Compliance Department
- With the federal government: Office for Civil Rights (OCR), U.S. Department of Health and Human Services
You will not be retaliated against for filing a complaint.
This Privacy Policy applies to TrackER software operated by CCB Tech. Your hospital may have additional privacy practices. Please request your hospital's Notice of Privacy Practices for complete information about how your health information is used and protected.