
Privacy Policy

How PriMedical collects, uses, and protects personal information and protected health information (PHI).

Privacy Policy & HIPAA Notice of Privacy Practices

PriMedical, Inc.

Effective date: June 1, 2025

Last updated: May 20, 2025

1. Introduction

PriMedical, Inc. ("PriMedical," "we," "our," or "us") is committed to safeguarding the privacy and security of your personal information. This document serves as both our Privacy Policy and our HIPAA Notice of Privacy Practices, outlining how we collect, use, disclose, and protect your information when you interact with our services, including through our website (www.primedicalinc.com), electronic communications (including SMS/text messages), and associated healthcare services. This notice is effective as of the date above and will remain in effect until replaced by a new notice.

Our practices are designed to comply with all applicable data protection laws and standards, including:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • Virginia Consumer Data Protection Act (VCDPA)
  • Colorado Privacy Act (CPA)
  • Connecticut Data Privacy Act (CTDPA)
  • Utah Consumer Privacy Act (UCPA)
  • Montana Consumer Data Privacy Act (MCDPA)
  • General Data Protection Regulation (GDPR), where applicable
  • SOC 2 Trust Services Criteria (Security, Confidentiality, Privacy)
  • Telephone Consumer Protection Act (TCPA)

2. Information We Collect

We collect information to provide healthcare case management services effectively and comply with regulatory requirements. The information we collect falls into the following categories:

2.1 Personal Identifiers

  • Full name
  • Email address
  • Mailing address
  • Phone number (including mobile number)
  • Social Security Number
  • Claim number
  • Claimant name
  • Employer name
  • Adjuster email address
  • Account usernames and passwords

2.2 Protected Health Information (PHI)

We collect only the minimum necessary PHI required for case management, which may include:

  • Medical history relevant to case management
  • Diagnostic data
  • Treatment and appointment records
  • Treating location information
  • Professional credentials and affiliations
  • Case-specific instructions and notes

2.3 Commercial Information

  • Service history and preferences
  • Communication preferences
  • Payment and billing information (when applicable)

2.4 Internet and Network Activity

  • IP address
  • Device identifiers and characteristics
  • Browser type and version
  • Operating system
  • Access timestamps
  • Pages visited and time spent
  • Click data and navigation patterns
  • Log and audit trail data

2.5 Professional/Employment Information

  • Employer details
  • Job-related injury information
  • Work capacity assessments
  • Vocational rehabilitation data

2.6 Communication Data

  • SMS/text message content and metadata
  • Email communications
  • Phone call records
  • Consent records for communications
  • Opt-in/opt-out preferences

2.7 Geolocation Data

  • General location information (when necessary for service delivery)
  • Treatment facility locations

2.8 Inferences

  • Service recommendations
  • Communication preferences
  • Risk assessments for case management

2.9 Sources of Information

We collect information from:

  • Directly from you through forms, communications, and service interactions
  • Healthcare providers and treatment facilities
  • Insurance companies and claims adjusters
  • Employers and their representatives
  • Public records (when legally permissible)
  • Our website and digital platforms through automated technologies
  • Third-party service providers acting on our behalf

2.10 Website and referral submissions

Referrals and inquiries may be submitted by telephone or email using contact information on our website. Information you provide through these channels is handled according to this policy and applicable healthcare privacy laws. A secure online referral form with encrypted attachment upload may be introduced in a future phase; we will update this policy when that service launches.

3. Cookies and Tracking Technologies

3.1 Public website (privacy-minimal)

Our public marketing website at www.primedicalinc.com is built as a static site with a privacy-minimal approach. We do not deploy third-party marketing, behavioral analytics, or advertising cookies on our public website. We do not use Google Analytics, Microsoft Clarity, heat mapping tools, or similar cross-site tracking technologies on our public website.

The site does not require cookies for basic browsing. If we introduce strictly necessary cookies in the future (for example, security or load balancing), we will update this policy and describe them here.

3.2 Server and infrastructure logs

We may process standard web server and content delivery network log data—including IP address, browser type, operating system, pages requested, and timestamps—for security, abuse prevention, reliability, and operational purposes. This processing is not used for cross-site advertising or behavioral profiling.

3.3 Service systems and PHI

Tracking technologies are not used on pages or workflows that collect or display protected health information (PHI). Separate systems used for case management, referrals, and clinical communications are governed by HIPAA and our business associate agreements.

3.4 Third-party service providers

We use service providers for email delivery, SMS/text messaging, cloud hosting, and IT security as described elsewhere in this policy. Those providers process data under contractual safeguards, not for their own advertising purposes.

3.5 Managing preferences

Because we do not use non-essential cookies on our public website, no cookie consent banner is required for basic site browsing. You may still control cookies and local storage through your browser settings.

4. How We Use Your Information

4.1 Business Purposes

We use your information for the following business purposes:

  • Healthcare Operations
      • Medical field case management
      • Telephonic case management
      • Vocational rehabilitation services
      • Coordinating care with healthcare providers
      • Quality assurance and improvement
  • Communication and Service Delivery
      • Appointment scheduling and reminders
      • Service updates and notifications
      • Health education and wellness information
      • Emergency communications
      • Customer support
  • Legal and Regulatory Compliance
      • HIPAA compliance and reporting
      • Regulatory audits and investigations
      • Legal proceedings and claims defense
      • Record retention requirements
  • Website and System Operations
      • Website functionality and security
      • System maintenance and improvements
      • User experience enhancement
      • Technical support

4.2 Commercial Purposes

We do not use PHI for commercial purposes. For non-PHI, commercial purposes may include:

  • Service improvement and development
  • Business analytics (anonymized)
  • Marketing our services (with proper consent)

4.3 Automated Decision-Making

We may use automated systems for:

  • Case management workflows
  • Communication scheduling
  • Data validation and verification
  • Fraud detection

You have the right to request human review of automated decisions that significantly affect you.

4.4 Retention Periods by Category

PHI:

  • Minimum 6 years from last service date (HIPAA requirement)

PII (non-medical):

  • 3-7 years based on business need and legal requirements

Communications data:

  • 3 years

Website server logs:

  • Retained per operational and security requirements (typically up to 12 months unless longer retention is required for security investigations)
  • 26 months

Security logs:

  • 7 years

5. Information Sharing and Disclosure

5.1 We Do Not Sell Personal Information

We do not sell, rent, or trade your personal information to third parties for monetary consideration.

5.2 Authorized Disclosures

Service Providers and Business Associates

We share information with trusted third parties who assist in providing our services, including:

  • Cloud hosting and data storage providers
  • Communication service providers
  • IT support and security vendors
  • Professional consultants (legal, compliance, etc.)

All service providers must sign comprehensive data processing agreements and business associate agreements as required by HIPAA.

Healthcare-Related Entities

Under HIPAA, we may share PHI with:

  • Healthcare providers for treatment purposes
  • Insurance companies for payment purposes
  • Other covered entities for healthcare operations
  • Business associates for specified functions

Legal and Regulatory Requirements

We may disclose information when required by law, including in response to:

  • Court orders and subpoenas
  • Regulatory investigations and audits
  • Law enforcement requests (with proper legal process)
  • Public health authorities
  • Workers' compensation proceedings

Emergency Situations

We may disclose information in emergencies to:

  • Prevent serious harm to individuals
  • Protect public health and safety
  • Assist in disaster relief efforts

5.3 International Transfers

When we transfer data internationally, we ensure appropriate safeguards through:

  • Adequacy decisions by relevant authorities
  • Standard Contractual Clauses
  • Binding Corporate Rules
  • Certification schemes

6. Data Security and Protection

6.1 Security Measures

We implement comprehensive security measures aligned with SOC 2, HIPAA, and NIST standards:

  • Access Controls
      • Role-based access controls (RBAC)
      • Multi-factor authentication (MFA)
      • Regular access reviews and deprovisioning
      • Principle of least privilege
  • Data Protection
      • Encryption in transit (TLS 1.3+)
      • Encryption at rest (AES-256)
      • Database encryption and key management
      • Secure data backup and recovery
  • Monitoring and Detection
      • 24/7 security monitoring
      • Intrusion detection systems
      • Automated threat detection
      • Regular vulnerability assessments
  • Physical Security
      • Controlled access to facilities
      • Environmental controls
      • Secure disposal of hardware
      • Visitor management systems
  • Personnel Security
      • Background checks for employees
      • Regular security training
      • Confidentiality agreements
      • Incident response training

6.2 Incident Response

We maintain a comprehensive incident response plan including:

  • Immediate containment procedures
  • Risk assessment protocols
  • Notification procedures (as required by law)
  • Remediation and recovery plans
  • Post-incident analysis and improvement

6.3 Vendor Management

We carefully vet all third-party vendors through:

  • Security assessments and audits
  • Contractual security requirements
  • Regular monitoring and reviews
  • Business associate agreements (for PHI)

7. Your Privacy Rights

7.1 General Privacy Rights

Depending on your jurisdiction, you may have the following rights:

  • Access Rights
      • Request copies of personal information we hold about you
      • Information about how your data is processed
      • Details about data sharing and recipients
  • Correction Rights
      • Request correction of inaccurate information
      • Request completion of incomplete data
      • Update your contact preferences
  • Deletion Rights
      • Request deletion of personal information
      • Subject to legal retention requirements
      • Some information may be exempt from deletion
  • Objection and Restriction
      • Object to certain types of processing
      • Request restriction of processing in specific circumstances
      • Withdraw consent where processing is based on consent
  • Data Portability
      • Receive your data in a structured, machine-readable format
      • Request transfer to another organization (where technically feasible)
  • Non-Discrimination
      • You will not face discrimination for exercising your privacy rights
      • We will not deny services, charge different prices, or provide different service levels

7.2 HIPAA-Specific Rights

  • Access to Medical Records
      • Inspect and copy your PHI
      • Request electronic copies where available
      • Direct us to transmit copies to third parties
  • Amendment Rights
      • Request amendments to your medical records
      • Add statements of disagreement if amendments are denied
  • Accounting of Disclosures
      • Receive a list of certain disclosures of your PHI
      • Covers the 6 years prior to your request (with some exceptions)
  • Restriction Requests
      • Request restrictions on uses and disclosures
      • We are not required to agree to all requests
      • Restrictions on disclosures to health plans (under certain conditions)
  • Confidential Communications
      • Request communications through alternative means
      • Specify alternative locations for receiving PHI
  • Complaint Rights
      • File complaints with us about our privacy practices
      • File complaints with the U.S. Department of Health and Human Services
      • No retaliation for filing complaints
  • Paper Copy Rights
      • Receive a paper copy of this notice upon request

7.3 State-Specific Rights

  • California (CCPA/CPRA): Right to know what personal information is collected; right to know whether personal information is sold or shared; right to say no to the sale/sharing of personal information; right to limit use of sensitive personal information; right to correct inaccurate information; right to delete personal information (with exceptions); right to non-discrimination.
  • Virginia (VCDPA): Right to access, correct, delete, and obtain a copy of personal data; right to opt out of sales, targeted advertising, and profiling; right to appeal our decision regarding your request.
  • Colorado (CPA): Right to access, correct, delete, and obtain a copy of personal data; right to opt out of sales, targeted advertising, and profiling; right to appeal our decision regarding your request.
  • Connecticut (CTDPA): Right to access, correct, delete, and obtain a copy of personal data; right to opt out of sales, targeted advertising, and profiling; right to appeal our decision regarding your request.
  • Utah (UCPA): Right to access, delete, and obtain a copy of personal data; right to opt out of sales and targeted advertising.
  • Montana (MCDPA): Right to access, correct, delete, and obtain a copy of personal data; right to opt out of sales, targeted advertising, and profiling.

7.4 How to Exercise Your Rights

Submit Requests Through:

  • Email: privacy@primedicalinc.com
  • Phone: 888-370-0883
  • Mail: PriMedical, Inc., Privacy Officer, 5727 NW 7th Street, Suite #84, Miami, FL 33126
  • Email or mail to the Privacy Officer (see contact information below)

Request Processing:

  • We will respond within legally required timeframes (typically 30-45 days)
  • We may extend the response period once for an additional 30-45 days
  • We will verify your identity before processing requests
  • Authorized agents may submit requests with proper documentation

Verification Procedures:

  • For access/deletion requests: Government-issued ID and matching personal information
  • For authorized agents: Signed power of attorney or notarized permission
  • Additional verification may be required for sensitive requests

Fees:

  • Generally, we do not charge fees for processing requests
  • Reasonable fees may apply for excessive or repetitive requests
  • We will notify you of any fees before processing

Appeals Process:

For states that require appeal processes, you may appeal our decision by:

  • Contacting our Privacy Officer within 30 days
  • Providing specific reasons for your appeal

We will respond within 30-60 days with our final decision.

8. SMS/Text Messaging

8.1 Consent and Enrollment

By providing your mobile phone number and opting in, you consent to receive automated and manual SMS/text messages from PriMedical for:

  • Appointment reminders and confirmations
  • Service updates and notifications
  • Health education and wellness tips
  • Emergency communications
  • Account and case management updates

8.2 Message Frequency and Charges

  • Message frequency varies based on your service usage and preferences
  • Message and data rates may apply per your mobile carrier's plan
  • We do not charge additional fees for SMS services

8.3 Opt-Out and Help

To opt out:

  • Reply "STOP" to any message

For help:

  • Reply "HELP" or contact us at 888-370-0883

To manage preferences:

  • Contact us directly

8.4 TCPA Compliance

  • We maintain records of all SMS consents and opt-outs
  • We honor opt-out requests immediately
  • We do not share your mobile number for marketing by third parties
  • We comply with all applicable TCPA requirements

9. Children's Privacy

Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal information from children under 16 without verified parental or guardian consent. If we become aware that we have collected information from a child under 16 without proper consent, we will take steps to delete that information promptly. For California residents: We do not sell or share personal information of consumers we know are under 16 years of age.

10. International Data Transfers

When we transfer personal information internationally, we ensure appropriate safeguards are in place:

  • Adequacy Decisions: We transfer data to countries with adequacy decisions from relevant authorities.
  • Standard Contractual Clauses: We use approved standard contractual clauses for transfers to countries without adequacy decisions.
  • Additional Safeguards: We implement supplementary measures when necessary to ensure adequate protection.
  • Your Rights: You may request information about international transfers affecting your data and the safeguards in place.

11. Business Transfers

In the event of a merger, acquisition, or sale of assets, personal information may be transferred as part of the transaction. We will provide notice of any such transfer and any choices you may have regarding your information. For PHI transfers, we will ensure HIPAA compliance and may require your authorization depending on the circumstances.

12. Changes to This Privacy Policy

We may update this privacy policy to reflect legal, technological, or operational changes.

When we make updates:

Notice of Changes:

  • We will post the updated policy on our website
  • We will update the "Last Updated" date
  • For material changes, we will provide additional notice via email or SMS
  • We will not materially change our privacy practices without providing a revised notice

HIPAA Notice Updates:

  • For PHI-related practices, we will provide notice as required by HIPAA
  • We reserve the right to change our privacy practices and apply changes to PHI we already have
  • The current notice is always available on our website and in our offices

13. Complaints and Enforcement

13.1 Filing Complaints

You may file complaints about our privacy practices with:

PriMedical Privacy Officer:

  • Email: privacy@primedicalinc.com
  • Phone: 888-370-0883
  • Mail: PriMedical, Inc., Privacy Officer, 5727 NW 7th Street, Suite #84, Miami, FL 33126

Regulatory Authorities:

  • HIPAA: U.S. Department of Health and Human Services, Office for Civil Rights
  • California: California Attorney General's Office
  • Other states: Respective state attorneys general or designated privacy authorities

13.2 No Retaliation

We will not retaliate against you for filing a complaint or exercising your privacy rights.

14. Contact Information

PriMedical, Inc., 5727 NW 7th Street, Suite #84, Miami, FL 33126

15. Definitions

Business Associate:

A person or entity that performs certain functions or activities on behalf of a covered entity that involve access to PHI.

Covered Entity:

Health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically.

Personal Information:

Information that identifies, relates to, describes, or could reasonably be linked with a particular consumer or household.

Protected Health Information (PHI):

Individually identifiable health information transmitted or maintained in any form or medium by a covered entity or business associate.

Sensitive Personal Information:

Personal information that reveals specific characteristics or activities as defined by applicable state laws.

16. SOC 2 Compliance Statement

This Privacy Policy supports our compliance with SOC 2 Trust Services Criteria by:

  • Aligning with Privacy and Confidentiality principles
  • Documenting consent mechanisms for data usage
  • Enabling auditability through logging and access rights
  • Defining secure retention and deletion protocols
  • Establishing incident response procedures
  • Maintaining vendor management standards

17. Effective Date and Acknowledgment

This Privacy Policy and HIPAA Notice of Privacy Practices is effective as of June 1, 2025. By using our services, you acknowledge that you have read and understand this policy. For services involving PHI, this notice describes how medical information about you may be used and disclosed and how you can get access to this information.

Please review this policy carefully. If you have any questions, please contact David Mejia at dmejia@primedicalinc.com.

This document was last updated on May 20, 2025, and is subject to the terms and conditions outlined above.

This policy was last updated on May 20, 2025. PriMedical does not sell personal information. California residents: see Section 7.3 for CPRA rights.