Privacy Policy | TrackER by CCB Tech

HIPAA Notice

TrackER is a healthcare application subject to the Health Insurance Portability and Accountability Act (HIPAA). This Privacy Policy works in conjunction with your hospital's Notice of Privacy Practices. For questions about how your specific hospital uses your health information, please request their HIPAA Notice of Privacy Practices.

1. Introduction

CCB Tech (Chartiers Creek Business Holdings) ("we," "our," or "us") operates TrackER, an emergency room queue management system. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use TrackER through our web portals, kiosks, and mobile interfaces.

By using TrackER, you consent to the data practices described in this policy.

2. Information We Collect

2.1 Protected Health Information (PHI)

When you check in at a TrackER kiosk or your visit is entered by hospital staff, we collect:

Category	Data Elements
Personal Identifiers	First name, last name, date of birth, phone number
Visit Information	Chief complaint, self-assessed severity, check-in time, assigned room/location
Clinical Status	Current visit status (e.g., "Triage Complete," "Diagnostics Ordered"), assigned provider name
Behavioral Assessment	STAMP threat scores, observations from clinical staff
Communication	SMS messages sent, portal access logs, notification delivery status, opt-in consent records with timestamps

2.2 Technical Information

We automatically collect certain technical data when you access TrackER:

Device Information: Browser type, operating system, device model
Usage Data: Pages viewed, features used, time spent in portal
IP Address: Your internet protocol address (stored in Azure Application Insights with PII filtering)
Authentication Data: FIDO2 passkey credentials (stored as cryptographic hashes only)
Session Data: Login times, session duration, logout events

2.3 Information from Third Parties

We may receive information from:

Hospital EHR Systems: Via HL7/FHIR integrations, we receive patient demographics and visit data
Microsoft Entra ID: If your hospital uses SSO, we receive your name, email, and employee ID
Azure Communication Services: SMS delivery status, phone carrier information

3. How We Use Your Information

We use collected information for the following purposes:

Purpose	Legal Basis (HIPAA/GDPR)
Treatment Operations: Manage your ER queue position, coordinate staff jobs, track visit progress	Treatment / Contractual Necessity
Patient Communication: Send SMS updates, display status on patient portal	Explicit Consent (opt-in checkbox at kiosk or verbal confirmation to staff; see SMS Opt-In & Consent)
Safety & Security: STAMP assessments, security team alerts, buddy system warnings	Healthcare Operations / Vital Interests
Audit & Compliance: Maintain logs of all system actions for regulatory compliance	Legal Obligation
System Improvement: Analyze usage patterns to improve TrackER features	Legitimate Interest (anonymized data only)

4. How We Share Your Information

4.1 Within Your Hospital

TrackER operates on a multi-tenant architecture. Your information is visible only to authorized staff at your hospital:

Nurses: See your queue card, status, STAMP scores, assigned room
Support Staff: See job assignments related to your visit (transport, cleaning, etc.)
Administrators: View aggregate analytics and audit logs (with PHI visible for compliance purposes)
Security Team: Receive alerts for high-risk STAMP assessments

4.2 Service Providers (Business Associates)

We share information with third-party vendors who perform services on our behalf, all under HIPAA Business Associate Agreements:

Provider	Purpose	Data Shared
Microsoft Azure	Cloud hosting, database storage	All TrackER data (encrypted at rest)
Azure Communication Services	SMS notifications, security alerts	Phone numbers, message content
Azure Application Insights	Performance monitoring, error tracking	Usage data (PII filtered)
Azure Key Vault	Secure credential storage	Encryption keys, connection strings (no PHI)

4.3 Legal Disclosures

We may disclose your information when required by law:

To comply with subpoenas, court orders, or legal process
To report suspected abuse, neglect, or domestic violence as required by state law
To public health authorities for disease outbreak tracking
To law enforcement in response to violence or criminal activity

4.4 We Do NOT Sell Your Information

No Marketing or Sale of PHI

CCB Tech does not sell, rent, or trade your health information to third parties for marketing purposes. We do not use your data for advertising. TrackER is a clinical operations tool, not a marketing platform.

SMS-Specific: Your phone number and SMS opt-in consent are used solely for the operational message types described in our SMS Opt-In & Consent page. We will never share your phone number with third parties for promotional or marketing purposes. No purchase is required to opt in to SMS.

5. Data Security

We implement industry-standard security measures to protect your information:

5.1 Encryption

In Transit: All data transmitted via HTTPS/TLS 1.3
At Rest: Azure SQL Database with Transparent Data Encryption (TDE)
SMS Messages: End-to-end encryption via Azure Communication Services

5.2 Access Controls

Role-Based Access: Staff see only data relevant to their role (nurses see queue, staff see jobs, etc.)
Hospital Isolation: Each hospital's data is logically separated; no cross-hospital access
Authentication: JWT tokens, FIDO2 passkeys, Microsoft Entra ID SSO
Session Management: Configurable timeouts, automatic logout on inactivity

5.3 Monitoring & Auditing

Comprehensive Audit Logs: Every data access, modification, and deletion is logged with timestamp and user attribution
Security Monitoring: Azure Security Center alerts for suspicious activity
Annual Penetration Testing: Third-party security audits

5.4 Data Breach Notification

In the event of a data breach affecting your PHI, we will:

Notify your hospital within 24 hours
Your hospital will notify you as required by HIPAA (within 60 days)
Report to the Department of Health and Human Services if ≥500 records affected
Provide breach details, mitigation steps, and remediation timeline

6. Data Retention

We retain your information according to the following schedule:

Data Type	Retention Period	Rationale
Active Visit Data	Duration of visit + 30 days	Operational need for follow-up
Audit Logs (Patient)	7 years	HIPAA compliance requirement
Audit Logs (Admin/Staff)	7 years	Legal compliance
STAMP Assessments	7 years	Liability protection, quality improvement
SMS Message Logs	90 days	Telecom compliance
Session/Authentication Data	90 days	Security incident investigation

After retention periods expire, data is permanently deleted from all systems, including backups.

7. Your Rights

7.1 Access Your Information

You have the right to request a copy of the information we have about your visit. Contact your hospital's Health Information Management (HIM) department or Privacy Officer.

7.2 Request Corrections

If you believe information in TrackER is incorrect, you may request an amendment. Note: Clinical data (STAMP scores, status changes) may require clinical staff review before amendment.

7.3 Opt-Out of SMS

Reply STOP to any TrackER SMS message to immediately unsubscribe. You may also reply HELP for support. You can re-subscribe by texting START. See our SMS Opt-In & Consent page for complete details including message frequency, data rates, and all opt-out methods.

7.4 Request Restrictions

You may request that we restrict how we use or disclose your information. We will consider your request but are not required to agree if it would interfere with treatment.

7.5 Right to an Accounting of Disclosures

You can request a list of disclosures we've made of your information (excluding disclosures for treatment, payment, or operations). Our audit logs support this requirement.

8. Children's Privacy

TrackER is used in emergency departments that treat patients of all ages, including minors. When a parent or guardian checks in a child under 18:

The parent/guardian provides consent for SMS notifications
The parent/guardian's phone receives updates (not the child's)
All HIPAA protections for minors apply

9. International Data Transfers

TrackER is hosted in Microsoft Azure data centers within the United States. If your hospital is located outside the U.S., your information will be transferred to and processed in the U.S. under applicable data protection frameworks (e.g., EU-U.S. Data Privacy Framework).

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we make material changes:

We will update the "Last Updated" date at the top of this page
Your hospital will be notified at least 30 days before changes take effect
Hospitals may choose to notify patients via posted notices or email

Continued use of TrackER after changes constitutes acceptance of the updated policy.

11. Contact Information

For Questions About This Privacy Policy:

CCB Tech - Privacy Officer
Chartiers Creek Business Holdings
Canonsburg, PA, United States
Email: privacy@ccbtec.com
Phone: (Contact your hospital for local support)

For Questions About Your Specific Hospital Visit:

Contact your hospital's Privacy Officer or Health Information Management (HIM) department. Each hospital using TrackER has its own privacy practices and designated privacy contacts.

To File a Complaint:

If you believe your privacy rights have been violated, you may file a complaint:

With your hospital: Contact their Privacy Officer or Compliance Department
With the federal government: Office for Civil Rights (OCR), U.S. Department of Health and Human Services

You will not be retaliated against for filing a complaint.

This Privacy Policy applies to TrackER software operated by CCB Tech. Your hospital may have additional privacy practices. Please request your hospital's Notice of Privacy Practices for complete information about how your health information is used and protected.