Circle Innovation Lab, Inc. ("Company" or "We") provides certain services (the "Services") to physicians, medical practices, and other healthcare providers ("Customers" or "Covered Entities"). The Services are intended for use by healthcare providers and their authorized personnel only.
This Privacy Policy describes how the Company collects, uses, maintains, protects, and discloses information in connection with our website circlehealth.co (the "Website") and the Services. This Privacy Policy applies to information we collect on this Website, in electronic communications between you and the Company, and through our provision of the Services, including our electronic medical record (EMR) system, chart uploads, audio uploads, audio recordings, and related tools.
This Privacy Policy does not apply to information collected by any third party, including through any application or content that may link to or be accessible from the Website.
The Company operates as a Business Associate under the Health Insurance Portability and Accountability Act ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH"). In this capacity, the Company processes protected health information ("PHI") and other personal information on behalf of and at the direction of Covered Entities pursuant to Business Associate Agreements ("BAAs").
The Company does not maintain a direct treatment relationship with patients. All patient data processed by the Company is received from, and governed by the agreements with, the applicable Covered Entity. When we act as a Business Associate, we may be subject to HIPAA rules that govern our use and disclosure of PHI and that may be more restrictive than otherwise provided in this Privacy Policy.
Our Customers are responsible for maintaining their own privacy policies governing the collection, use, and disclosure of personal information, and for obtaining the necessary authorizations and consents from patients before any personal information or PHI is made available to the Company for use in accordance with this Privacy Policy and the applicable BAA.
In the event of a conflict between this Privacy Policy and the terms of a Business Associate Agreement with a Customer, the Business Associate Agreement will control with respect to the PHI governed by that agreement.
As a service provider to our Customers, the Company collects and processes data related to our Customers and their patients on the Customers' behalf. In this role, the Company processes data upon instruction from the Customer, consistent with our service agreement and BAA with that Customer.
Some of the personal information received by the Company in connection with the Services is provided by healthcare providers that are subject to HIPAA. When we receive PHI, we do so as a Business Associate under an agreement that, among other things, prohibits us from using or disclosing the PHI in ways that are not permissible by the Covered Entity itself, and requires us to implement measures to safeguard the confidentiality, integrity, and availability of the PHI.
The Company does not use PHI for its own independent purposes, including marketing, sale of data, or training of AI models using identifiable patient data. The Company does not sell PHI as that term is defined under any applicable law.
In connection with providing the Services, we receive and process the following categories of information from Covered Entities under BAAs:
This information may include data concerning individuals of all ages, including minors. The Covered Entity is responsible for obtaining any required authorizations and consents prior to making such information available to the Company.
We collect the following information from Customer personnel and other authorized users of the Services:
We collect names, email addresses, and other business contact information about individuals whom we consider to be prospective Customers or business partners. We may use third-party service providers to collect, store, and process this information in order to contact prospective Customers about our Services. This information is used and disclosed in the same manner as other personal information described in this Privacy Policy.
As you navigate the Website or use the Services, we may automatically collect certain technical information, including:
We collect this information through server logs, cookies, and analytics tools. You may refuse to accept cookies by adjusting your browser settings, though doing so may affect your ability to use certain features of the Website.
We do not engage in behavioral tracking or interest-based advertising. At this time, the Services do not respond to "Do Not Track" signals or similar mechanisms.
For PHI processed on behalf of Covered Entities, our use is limited to the purposes permitted under HIPAA and the applicable BAA.
We engage third-party service providers to perform functions and provide services on our behalf. These service providers may have access to personal information only as necessary to perform their functions and are bound by contractual obligations to maintain confidentiality.
Where service providers process PHI on our behalf, we maintain Business Associate Agreements with those sub-processors as required by the HIPAA Omnibus Rule. We do not authorize our service providers to use or disclose personal information except as necessary to perform services on our behalf or to comply with legal requirements.
The Company is not in the business of selling personal information. We may disclose personal information in the following circumstances:
We may disclose aggregated or de-identified information that does not identify any individual without restriction.
For PHI processed on behalf of Covered Entities, disclosure is limited to what is permitted under HIPAA and the applicable BAA.
All personal information is stored and processed in the United States.
This Privacy Policy does not apply to any unsolicited information you provide to the Company through the Services or through any other means. This includes, but is not limited to, ideas for new products or modifications to existing products, feedback, and other unsolicited submissions (collectively, "Unsolicited Information"). All Unsolicited Information shall be deemed to be non-confidential and the Company shall be free to reproduce, use, disclose, and distribute such Unsolicited Information without limitation or attribution. Nothing in this section limits the Company's obligations with respect to PHI received under a BAA.
The Company does not knowingly collect personal information directly from children under the age of 13 through the Website. The Website and Services are intended for use by healthcare providers and their authorized personnel, not by patients or members of the public.
To the extent the Company processes health information about minors (individuals under eighteen (18) years of age), it does so solely as a Business Associate acting on behalf of Covered Entities. The Covered Entity is responsible for obtaining any required parental or guardian consent under applicable law, including the Children's Online Privacy Protection Act ("COPPA") and HIPAA, before making such information available to the Company.
The Website may contain links to other websites not operated or controlled by the Company. This Privacy Policy applies only to the Website and the Services and does not apply to any third-party websites. The inclusion of a link on the Website does not imply endorsement of the linked site by the Company. We encourage you to review the privacy policies of any third-party websites you visit.
The Company takes reasonable steps to protect personal information and PHI from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. We maintain administrative, technical, and physical safeguards, including:
We require our service providers to maintain comparable safeguards.
The Company does not use identifiable patient data to train AI models. Audio recordings and transcripts are processed in accordance with the applicable BAA and are subject to the same security controls as all other PHI.
The safety and security of information also depends on our Customers. Where we have provided access credentials, Customers and their authorized personnel are responsible for maintaining the confidentiality of those credentials.
No method of transmission over the internet or electronic storage is completely secure. While we implement commercially reasonable safeguards, we cannot guarantee absolute security. Customers and their authorized personnel are encouraged not to transmit PHI to the Company via unencrypted email unless prior arrangements have been made to ensure that the transmission is encrypted.
Your access to and use of the Website and the Services is also subject to the Company's Terms of Use https://circlehealth.co/terms-of-use.
We retain personal information as long as necessary to fulfill the purposes described in this Privacy Policy, comply with our legal obligations, resolve disputes, and enforce our agreements.
For PHI processed on behalf of Covered Entities, retention and disposition are governed by the applicable BAA. Upon termination of a BAA, the Company will return or destroy PHI as required by the agreement, except to the extent retention is required by applicable law.
All retained personal information and PHI remains subject to the terms of this Privacy Policy and, where applicable, the governing BAA.
In the event of a breach of unsecured PHI, the Company will notify the affected Covered Entity without unreasonable delay and in accordance with the HIPAA Breach Notification Rule and the applicable BAA. The Covered Entity is responsible for providing notification to affected individuals and to the Secretary of the U.S. Department of Health and Human Services as required by HIPAA.
If you are a patient of a Covered Entity for whom the Company provides Services, your rights under HIPAA to access, amend, and receive an accounting of disclosures of your PHI must be exercised through that Covered Entity. The Company supports Covered Entities in fulfilling such requests in its capacity as a Business Associate. In the event there is a conflict between this Privacy Policy and the applicable BAA regarding the handling of such requests, the BAA will control.
Customer personnel and other authorized users of the Services may contact us at support@circlehealth.co to request access to, correction of, or deletion of personal information they have provided to the Company, subject to applicable legal, regulatory, and contractual retention requirements.
This section provides additional disclosures required under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA").
Protected health information that the Company collects, receives, maintains, or transmits as a Business Associate on behalf of Covered Entities is exempt from the CCPA pursuant to California Civil Code Section 1798.145(c)(1). This section applies only to personal information that is not PHI, including information collected from Customer personnel, Website visitors, prospective customers, employees, and other individuals whose personal information is not governed by HIPAA.
We do not sell personal information as that term is defined under the CCPA. We do not share personal information for cross-context behavioral advertising purposes.
We use and disclose sensitive personal information (as that term is defined under the CCPA) only for purposes permitted under CCPA Section 1798.121, including to provide the services requested and to fulfill our employment-related obligations.
If you are a California resident whose personal information is not exempt as PHI under Section 1798.145(c)(1), you have the following rights:
You may submit a request to exercise your California privacy rights by contacting us at:
We will verify your identity before processing your request. If you submit a request on behalf of another person as an authorized agent, we may require proof that you have been authorized to act on their behalf.
We will respond to verifiable consumer requests within forty-five (45) days of receipt. If we require more time (up to an additional forty-five (45) days), we will inform you of the reason and extension period in writing.
We do not disclose personal information to third parties for their direct marketing purposes.
The Company reserves the right to update or modify this Privacy Policy at any time. We will post any changes on this page and update the "Last modified" date at the top. If we make material changes to how we treat personal information, we will notify affected Customers through reasonable means. Your continued use of the Website or Services after changes are posted constitutes acceptance of the revised Privacy Policy.
To ask questions or comment about this Privacy Policy and our privacy practices, contact us at: