Privacy Notice
Last updated: 2025-01-01
1. Who We Are
LivingPatterns operates a HIPAA-covered health information platform that connects patients with their healthcare practitioners. This Privacy Notice describes how we collect, use, protect, and share your Protected Health Information (PHI) and other personal data.
2. Information We Collect
- Identity information: name, date of birth, sex
- Contact information: email address, phone number
- Account credentials: password hash (we never store your plain-text password)
- Health assessment data you submit through the platform
- Usage and access logs (IP address, browser type, timestamps) for HIPAA audit purposes
3. How We Use Your Information
- Providing you access to your health records and practitioner-created workflows
- Enabling your practitioner to manage your care
- Sending appointment reminders and care notifications (with your consent)
- Maintaining a HIPAA-compliant audit trail of all PHI access
- Improving platform security and reliability
4. How We Protect Your Information
- All data is transmitted over HTTPS with HSTS enforced
- Passwords are hashed with bcrypt (cost factor 10) — never stored in plain text
- Sensitive secrets are encrypted at rest using AES-256-CBC
- Sessions use HMAC-SHA256-signed tokens and expire after 15 minutes of inactivity
- Account lockout activates after 5 failed login attempts
- All PHI access is logged to a tamper-evident audit trail
- We apply defence-in-depth security headers (CSP, X-Frame-Options, HSTS, etc.)
5. Sharing Your Information
We share your PHI only with your treating practitioner(s) and any Business Associates who help us operate the platform under signed Business Associate Agreements (BAAs). We do not sell your data. We may disclose information as required by law (e.g., court order or public health reporting).
6. Your Rights Under HIPAA
As a patient, you have the right to:
- Access and receive a copy of your health information
- Request corrections to inaccurate information
- Receive an accounting of disclosures of your PHI
- Request restrictions on certain uses of your PHI
- File a complaint with the U.S. Department of Health and Human Services (HHS)
To exercise any of these rights, contact your practitioner directly or contact us as described in Section 10 below.
7. Audit Log Retention
HIPAA requires us to retain audit logs for a minimum of 6 years from the date of creation or the date they were last in effect, whichever is later. Your access logs will be retained for this period.
8. Cookies & Tracking
We use only a single session cookie (HttpOnly, Secure, SameSite=Lax) required for authentication. We do not use analytics trackers, advertising cookies, or third-party tracking pixels.
9. Changes to This Notice
We may update this Privacy Notice to reflect changes to our practices or applicable law. The “Last updated” date at the top of this page will reflect any changes. Continued use of the platform after changes constitutes acceptance of the updated Notice.
10. Contact Us
If you have questions about this Privacy Notice or wish to exercise your HIPAA rights, please contact your practitioner or reach out to the platform administrator. You may also file a complaint with the HHS Office for Civil Rights at hhs.gov/hipaa/filing-a-complaint.