Privacy Policy

Last Updated: October 07, 2025

This Privacy Policy explains how Apex EHR LLC (“Apex”, “we”, “us”) collects, uses, discloses, and safeguards Personal Information and Protected Health Information (PHI) across our websites, applications, and EHR services (collectively, the “Apex EHR Services”). For PHI, Apex acts as a Business Associate under HIPAA and complies with the HIPAA Privacy, Security, and Breach Notification Rules (45 CFR Part 160 and Part 164 Subparts C, D, and E).

I. Roles

  • When a healthcare provider (Covered Entity) uses Apex to handle PHI, the provider is the HIPAA Covered Entity and data controller; Apex is the Business Associate/processor.
  • Our Business Associate Agreement (BAA) and Data Processing Addendum (DPA) govern processing.
  • For website visitors and marketing contacts where PHI is not involved, Apex may act as a controller/business for state privacy laws.
  • This Privacy Policy applies to all data we collect in connection with the Apex EHR Services, regardless of the method of collection (electronic, paper, or verbal).

II. Categories of Information We Collect

  • Identifiers: Name, email, phone number, address, IP address
  • Professional Information: NPI, specialty, clinic/practice details, licensing
  • Device/Network Activity: Cookies, logs, usage analytics
  • Support and Communications Records: Chat logs, support tickets, correspondence
  • Payment/Contract Metadata: Invoices, billing references, account relationships (not card numbers)
  • PHI: Collected only when directed by a Covered Entity under a BAA

III. Sources of Information

  • Directly from you, your employer/clinic, or integrations you authorize (eRx, labs, clearinghouses, SSO)
  • Cookies, SDKs, and analytics tools
  • Public/professional sources (e.g., NPI registry)

IV. Purposes of Use

  • Provide, maintain, and secure the Apex EHR Services
  • Account administration, billing, and customer support
  • Compliance with law and regulatory reporting
  • Product analytics, R&D, and service improvement (PHI is never used for advertising)
  • Fraud, abuse, and security incident detection and prevention
  • Communication regarding updates, system alerts, and product information
  • Data may be anonymized or de-identified for aggregate analytics and research

V. Data Retention

  • Data is retained only as long as necessary for business, contractual, or legal purposes
  • PHI and personal data are securely deleted or de-identified once no longer required
  • Non-personal information and feedback may be stored indefinitely

VI. Disclosures of Information

  • To your organization and authorized users for operational purposes
  • Subprocessors (hosting, email, analytics, support) under DPAs or BAAs
  • Regulators or law enforcement when legally required
  • In business transfers (mergers, acquisitions, asset sales) with continued protections
  • With your consent or as disclosed at the time of collection
  • PHI and personal data are not sold for advertising purposes

VII. Cookies and Privacy Choices

  • Cookies and similar technologies help operate, secure, and improve services
  • Users can manage preferences in the Privacy Preferences Center or browser settings
  • PHI is never used for advertising or retargeting

VIII. Do-Not-Track Signals and Browser Extensions

  • Apex does not currently respond to “Do-Not-Track” browser signals
  • Third-party browser extensions may access data within your session and are used at your own risk
  • Only supported browsers without third-party extensions should be used to access services

IX. Children

  • We do not knowingly collect personal information from children under 13 (COPPA)
  • PHI related to minors is processed only under a BAA with the Covered Entity

X. PHI Safeguards (HIPAA Compliance)

  • Administrative, physical, and technical safeguards
  • Least-privilege access, MFA, and SSO enforcement
  • Encryption in transit and at rest
  • Audit logging and access monitoring
  • Workforce training, vulnerability management, and patching
  • Incident response and breach notification per HIPAA
  • Data is hosted in the U.S.; overseas access by authorized support personnel is governed by contractual and technical safeguards

XI. Intended for U.S. Use Only

  • Apex services are designed for use within the U.S.
  • Data may be transferred and stored in the U.S. from other jurisdictions with consent
  • Users accessing services outside the U.S. assume all legal responsibility

XII. Your Privacy Rights

  • Residents of CA, CO, CT, VA, UT, OR, TX, MT, and other applicable states may request:
    • Access, portability, correction, deletion
    • Opt-out of sale/share and targeted advertising
    • Appeal denied requests
  • Submit requests via the Privacy Rights Request Form or by email to privacy@apexehr.com

XIII. Third-Party Advertising, Links, and Content

  • Services may contain links or content from third parties not controlled by Apex
  • Apex is not responsible for their privacy or security practices
  • Users should review third-party policies before interacting

XIV. Changes to This Privacy Policy

  • Policy may be updated periodically
  • “Effective Date” is updated when revisions are posted
  • Continued use of services constitutes acceptance of the revised Policy

XV. Contact

Questions may be sent to:

Apex EHR LLC, 16192 Coastal Highway, Lewes, DE, 19958
Email: admin@apexehr.com

ApexEHR

Experience the Future of Healthcare with ApexEHR

Contacts

admin@apexehr.com

Social

Terms of use

© ApexEHR All Rights Reserved 2025
