Privacy Policy
Last Updated: February 16, 2026
Caesar Health, Inc. ("Caesar Health," "we," "us," or "our") is committed to protecting the privacy and security of your information. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use our healthcare platform and services (the "Services").
IMPORTANT: This Privacy Policy applies to both Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act ("HIPAA") and non-PHI data. As a Business Associate under HIPAA, we maintain strict compliance with all applicable healthcare privacy laws.
Table of Contents
- 1. HIPAA Notice and Business Associate Relationship
- 2. Information We Collect
- 3. How We Use Your Information
- 4. How We Disclose Your Information
- 5. Data Security Measures
- 6. Your Rights and Choices
- 7. HIPAA Privacy Rights
- 8. Cookies and Tracking Technologies
- 9. Third-Party Services and Business Associates
- 10. Data Retention and Deletion
- 11. California Privacy Rights (CCPA/CPRA)
- 12. Children's Privacy
- 13. International Data Transfers
- 14. SMS Text Message Communications
- 15. Voice Call Communications
- 16. Communications Data Retention
- 17. Communications Data Security
- 18. Communications Third-Party Service Providers
- 19. Your Rights Regarding Communication Data
- 20. Changes to This Privacy Policy
- 21. Contact Information
1. HIPAA Notice and Business Associate Relationship
1.1 Business Associate Status
When healthcare providers and covered entities use our Services to create, receive, maintain, or transmit Protected Health Information (PHI), Caesar Health acts as a Business Associate under HIPAA. We enter into a Business Associate Agreement (BAA) with covered entities that governs our use and disclosure of PHI.
1.2 HIPAA Compliance Commitment
We comply with the HIPAA Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E) and the HIPAA Security Rule (45 CFR Part 160 and Part 164, Subparts A and C), as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act.
1.3 Uses and Disclosures of PHI
We will only use and disclose PHI as permitted by our BAA with you, which includes:
- To provide Services to you as the Covered Entity
- For our proper management and administration
- To carry out our legal responsibilities
- As required by law
- As authorized by you or the patient
We will NOT use or disclose PHI for marketing purposes or sell PHI without your authorization, except as permitted by HIPAA.
2. Information We Collect
2.1 Protected Health Information (PHI)
When you use our Services, we may collect and process PHI on your behalf, including:
- Patient names, addresses, and contact information
- Medical record numbers and health plan beneficiary numbers
- Social Security numbers (when necessary for billing or identification)
- Medical history, diagnoses, and treatment information
- Laboratory and test results
- Prescription and medication information
- Clinical notes and documentation
- Insurance and billing information
- Any other individually identifiable health information
2.2 Account and Business Information
We collect information about healthcare providers and organizations using our platform:
- Name, email address, phone number
- Professional credentials and license numbers
- Organization name and NPI (National Provider Identifier)
- Billing and payment information
- Job title and role within your organization
2.3 Technical and Usage Information
We automatically collect certain technical information when you use our Services:
- IP addresses and device identifiers
- Browser type and version
- Operating system and device information
- Log data (access times, pages viewed, features used)
- Performance and diagnostic data
- Location data (general geographic location based on IP address)
2.4 Communications
We collect information from your communications with us, including support requests, feedback, and correspondence.
3. How We Use Your Information
3.1 Use of PHI
We use PHI solely to provide Services to you as authorized by our BAA:
- Processing and storing medical records and clinical documentation
- Facilitating care coordination and communication
- Enabling AI-powered features like clinical documentation assistance
- Generating analytics and reports as requested by you
- Ensuring data integrity and security
- Complying with legal and regulatory requirements
Important: We use de-identified data (data stripped of all identifiers) to improve our Services, develop new features, and conduct research. De-identified data cannot reasonably be used to identify individuals and is not subject to HIPAA restrictions.
3.2 Use of Non-PHI Information
We use non-PHI information for:
- Providing, maintaining, and improving our Services
- Processing payments and managing subscriptions
- Communicating with you about your account and our Services
- Providing customer support
- Detecting, preventing, and addressing security issues and fraud
- Conducting analytics to understand how our Services are used
- Complying with legal obligations
- Marketing our Services (with your consent where required)
4. How We Disclose Your Information
4.1 Disclosure of PHI
We will only disclose PHI as permitted or required by our BAA, HIPAA, and applicable law:
- To You: The Covered Entity that is our client
- To Business Associates: Third-party service providers who assist in providing our Services (e.g., cloud hosting, data backup) under written BAAs
- As Required by Law: When required by federal, state, or local law
- For Public Health Activities: When required to report diseases or vital events
- To Prevent Serious Harm: When necessary to prevent or lessen a serious and imminent threat
- For Law Enforcement: In response to valid legal process (court orders, warrants, subpoenas)
We will notify you of any requests for PHI disclosure unless prohibited by law or unless the request includes a qualified protective order.
4.2 Disclosure of Non-PHI Information
We may disclose non-PHI information:
- Service Providers: Third parties that provide services on our behalf (payment processing, analytics, customer support)
- Business Transfers: In connection with a merger, acquisition, or sale of assets
- Legal Compliance: To comply with laws, regulations, or legal processes
- Protection of Rights: To protect our rights, privacy, safety, or property
- With Consent: With your consent or at your direction
4.3 No Sale of Personal Information
We do not sell your personal information or PHI to third parties. We do not share personal information with third parties for their direct marketing purposes.
5. Data Security Measures
We implement comprehensive administrative, physical, and technical safeguards to protect PHI and personal information as required by HIPAA and industry best practices:
5.1 Technical Safeguards
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access Controls: Role-based access controls and multi-factor authentication
- Audit Controls: Logging and monitoring of system access and activities
- Automatic Logoff: Session timeouts for inactive users
- Integrity Controls: Mechanisms to ensure data is not improperly altered or destroyed
5.2 Physical Safeguards
- Secure data centers with restricted access
- Environmental controls and disaster recovery measures
- Secure disposal of physical media containing PHI
5.3 Administrative Safeguards
- Security risk assessments and management
- Workforce training on HIPAA and data security
- Incident response and breach notification procedures
- Business Associate Agreements with all vendors handling PHI
- Regular security audits and penetration testing
- Contingency planning and disaster recovery
5.4 Breach Notification
In the event of a breach of unsecured PHI, we will notify affected covered entities without unreasonable delay and no later than 60 days from discovery of the breach, in accordance with 45 CFR §164.410.
6. Your Rights and Choices
6.1 Account Information
You may access, update, or correct your account information at any time through your account settings or by contacting us.
6.2 Marketing Communications
You may opt out of receiving promotional emails by following the unsubscribe instructions in those emails. You cannot opt out of service-related communications (e.g., account verification, technical notices).
6.3 Cookies and Tracking
You can control cookies through your browser settings. However, disabling cookies may limit your ability to use certain features of our Services.
6.4 Do Not Track
Our Services do not respond to Do Not Track (DNT) signals. We adhere to the standards described in this Privacy Policy.
7. HIPAA Privacy Rights
As a Business Associate, we support your ability to fulfill patients' HIPAA privacy rights:
7.1 Right of Access
We will provide you (the Covered Entity) with access to PHI to enable you to fulfill patients' requests for access to their health information within HIPAA's required timeframes.
7.2 Right to Amend
We will make amendments to PHI as directed by you to enable you to fulfill patients' rights to request amendments to their health information.
7.3 Right to an Accounting of Disclosures
We will provide you with information about disclosures of PHI to enable you to fulfill patients' requests for an accounting of disclosures.
7.4 Right to Request Restrictions
We will comply with your instructions regarding restrictions on uses and disclosures of PHI as agreed in our BAA.
7.5 Right to Confidential Communications
We will assist you in accommodating reasonable requests for confidential communications of PHI.
9. Third-Party Services and Business Associates
We use carefully vetted third-party service providers to help us provide our Services. All third parties that may access PHI are required to:
- Execute a Business Associate Agreement with us
- Implement appropriate safeguards to protect PHI
- Use PHI only as permitted by the BAA
- Report any security incidents or breaches
9.1 Key Service Providers
- Cloud Hosting: Amazon Web Services (AWS) for secure cloud infrastructure, data storage, and processing
- Payment Processing: Stripe, Inc. for payment processing (does not handle PHI)
- SMS/MMS Messaging: Twilio for SMS and MMS communication services
- Voice Telephony: Telnyx for voice call telephony services
- Real-Time Audio: LiveKit for real-time audio infrastructure
- Voice AI & Transcription: RetellAI for voice AI and transcription services
- Data Backup: Encrypted backup and disaster recovery services
- Analytics: De-identified analytics services (no PHI processed)
All third-party providers that handle PHI are required to sign Business Associate Agreements (BAAs) to ensure HIPAA compliance. For detailed information about communication-specific vendors, see Section 18.
9.2 Integration Partners
Our Services may integrate with third-party EMR systems and healthcare applications. Data shared with these systems is controlled by you and subject to the privacy policies of those third parties.
10. Data Retention and Deletion
10.1 Retention Periods
We retain PHI and personal information for as long as necessary to:
- Provide Services to you
- Comply with legal and regulatory requirements (typically 6-7 years for healthcare records)
- Resolve disputes and enforce our agreements
- Meet audit and compliance requirements
10.2 Data Deletion
Upon termination of our BAA or your account:
- We will return or destroy PHI as directed by you and as specified in our BAA
- We use secure deletion methods that make data unrecoverable
- We retain certain information as required by law or for legitimate business purposes
- De-identified data may be retained indefinitely for research and improvement purposes
10.3 Backups
PHI in backup systems will be deleted in accordance with our backup retention schedule, typically within 90 days of the deletion request.
11. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
11.1 Your California Privacy Rights
- Right to Know: Request information about the personal information we collect, use, and disclose
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out: Opt out of the sale or sharing of personal information (we do not sell personal information)
- Right to Limit: Limit the use of sensitive personal information
- Right to Non-Discrimination: Not receive discriminatory treatment for exercising your rights
11.2 Categories of Information
In the past 12 months, we have collected the following categories of personal information:
- Identifiers (name, email, IP address)
- Professional information (credentials, NPI)
- Commercial information (payment records, subscription details)
- Internet activity (usage data, log files)
- Health information (PHI, governed by HIPAA)
11.3 Exercising Your Rights
To exercise your California privacy rights, contact us at privacy@caesarhealth.com. We will verify your identity before processing your request and respond within 45 days.
11.4 Authorized Agents
You may designate an authorized agent to make requests on your behalf. We will require written authorization from you and verification of the agent's identity.
12. Children's Privacy
Our Services are not directed to children under 18, and we do not knowingly collect personal information from children for marketing purposes. However, our Services may be used by healthcare providers to manage health information for pediatric patients as part of treatment, payment, and healthcare operations.
When PHI of minors is processed through our Services:
- It is handled in accordance with HIPAA requirements
- Parental consent is the responsibility of the Covered Entity
- We implement the same security safeguards for all PHI regardless of patient age
If you believe we have inadvertently collected personal information from a child for non-healthcare purposes, please contact us immediately at privacy@caesarhealth.com.
13. International Data Transfers
Our Services are provided from the United States. If you access our Services from outside the United States, your information will be transferred to, stored, and processed in the United States.
By using our Services, you consent to the transfer of your information to the United States and other countries where we or our service providers operate. These countries may have data protection laws that differ from those in your country of residence.
For PHI, we ensure that:
- All data transfers comply with HIPAA requirements
- Appropriate safeguards are in place to protect PHI during international transfers
- Business Associate Agreements cover all entities that may access PHI
Communications Privacy Notice
The following sections (14–19) describe how Caesar Health collects, uses, stores, and protects information related to SMS text messages and voice calls processed through our healthcare communication platform.
14. SMS Text Message Communications
14.1 Information We Collect via SMS
When you communicate with healthcare providers through our SMS platform, we collect:
- Contact Information: Mobile phone number, carrier information
- Message Content: Text message content, including health-related information
- Message Metadata: Date, time, delivery status, and read receipts
- Consent Records: Opt-in/opt-out status, consent timestamps, and consent source
- Conversation History: Complete conversation threads between you and your healthcare provider
14.2 How We Use SMS Information
We use SMS information to:
- Deliver appointment reminders, confirmations, and scheduling communications
- Send prescription refill notifications and medication reminders
- Provide healthcare provider updates and clinical communications
- Process and respond to your healthcare-related inquiries
- Maintain records for regulatory compliance (HIPAA, TCPA)
- Improve our communication services and patient experience
14.3 SMS Consent and Opt-In Requirements
Prior Express Consent: We require your explicit consent before sending you SMS communications. Consent may be collected through:
- Voice call (verbal consent)
- Online web forms or patient portal
- Paper consent forms
- Replying to an initial SMS with "START," "YES," "SUBSCRIBE," "OPTIN," "OPT IN," or "OPT-IN"
- API integration with your healthcare provider's system
Consent Records: We maintain detailed records of your consent, including:
- Date and time consent was provided
- Method of consent collection
- IP address or call recording reference (for audit purposes)
- Complete consent history for compliance
14.4 SMS Opt-Out Rights
You may opt out of SMS communications at any time by replying with any of the following keywords: STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT, OPT OUT, OPTOUT, or OPT-OUT.
Upon receipt of an opt-out request:
- We will immediately cease sending SMS messages to your number
- You will receive a confirmation: "You have been unsubscribed and will not receive any more messages. Reply START to resubscribe."
- Your opt-out status will be recorded with a timestamp
- You may re-subscribe at any time by replying "START"
Note: Opting out of SMS does not affect other forms of communication from your healthcare provider.
14.5 SMS Help and Support
Reply HELP or INFO to receive assistance. You will receive: "Reply STOP to unsubscribe. For assistance, visit our patient portal or call our office."
14.6 Message Frequency and Timing
- Message frequency varies based on your healthcare interactions and appointment schedule
- Messages are sent only during configured business hours (typically 9:00 AM – 5:00 PM local time)
- We implement rate limiting to prevent message overload
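The opt-in, opt-out and help keyword handling described in 14.3 to 14.6, as an added example that is not Caesar Health's code. The keyword sets, the confirmation texts and the business-hours window are taken from the policy; the consent record layout, the `classify`, `handle_inbound` and `may_send` functions and the assumption that no opt-in confirmation text is sent are the author's own.

```python
"""
Inbound SMS keyword handling for the consent flow in sections 14.3 to 14.6
(added example, not Caesar Health's code). Each inbound reply is normalized to
one of opt-in / opt-out / help / none, the per-number consent history is updated
with a timestamp, method and audit source, and the auto-reply quoted in the
policy is returned for the caller to send.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Keyword sets exactly as listed in 14.3 and 14.4 (matched case-insensitively).
OPT_IN_KEYWORDS = {"START", "YES", "SUBSCRIBE", "OPTIN", "OPT IN", "OPT-IN"}
OPT_OUT_KEYWORDS = {"STOP", "STOPALL", "UNSUBSCRIBE", "CANCEL", "END", "QUIT",
                    "OPT OUT", "OPTOUT", "OPT-OUT"}
HELP_KEYWORDS = {"HELP", "INFO"}

# Auto-replies quoted in 14.4 and 14.5.
OPT_OUT_CONFIRMATION = ("You have been unsubscribed and will not receive any more "
                        "messages. Reply START to resubscribe.")
HELP_RESPONSE = ("Reply STOP to unsubscribe. For assistance, visit our patient "
                 "portal or call our office.")


@dataclass
class ConsentEvent:
    status: str        # "opted_in" or "opted_out"
    method: str        # "sms_reply", "web_form", "voice", "paper" or "api"
    source: str        # audit reference: phone number, IP or call recording id
    at: datetime


@dataclass
class ConsentRecord:
    phone: str
    history: list = field(default_factory=list)   # full history kept for audit

    @property
    def opted_in(self) -> bool:
        return bool(self.history) and self.history[-1].status == "opted_in"


def classify(body: str) -> str:
    """Map an inbound message body to an action. Matching ignores case,
    surrounding whitespace, repeated inner spaces and trailing punctuation,
    so "Stop." and "opt  in" are still recognized as keywords."""
    text = " ".join(body.strip().upper().rstrip(".!").split())
    if text in OPT_OUT_KEYWORDS:
        return "opt_out"
    if text in OPT_IN_KEYWORDS:
        return "opt_in"
    if text in HELP_KEYWORDS:
        return "help"
    return "none"


def handle_inbound(record: ConsentRecord, body: str,
                   now: Optional[datetime] = None) -> Optional[str]:
    """Apply an inbound reply to the consent record and return the auto-reply to
    send (None for ordinary conversation messages). The opt-out event is written
    before anything else so a later failure still leaves the number opted out."""
    now = now or datetime.now(timezone.utc)
    action = classify(body)
    if action == "opt_out":
        record.history.append(ConsentEvent("opted_out", "sms_reply", record.phone, now))
        return OPT_OUT_CONFIRMATION
    if action == "opt_in":
        record.history.append(ConsentEvent("opted_in", "sms_reply", record.phone, now))
        return None   # assumption: the policy quotes no opt-in confirmation text
    if action == "help":
        return HELP_RESPONSE
    return None


def may_send(record: ConsentRecord, local_hour: int, start: int = 9, end: int = 17) -> bool:
    """Outbound gate: prior express consent (14.3) and the configured business
    hours window, defaulting to 9:00 AM to 5:00 PM local time (14.6)."""
    return record.opted_in and start <= local_hour < end
```

Messaging providers commonly enforce STOP and START at the network level as well; the application-side history above is still what supports the complete consent record the policy commits to keeping.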
14.7 Message and Data Rates
Standard message and data rates from your wireless carrier may apply. Please contact your carrier for details about your messaging plan. Caesar Health does not charge for SMS communications.
14.8 Carrier Disclaimer
Carriers are not liable for delayed or undelivered messages. Delivery is subject to effective transmission from your network operator and message center.
15. Voice Call Communications
15.1 Information We Collect via Voice Calls
When you interact with our voice communication system, we collect:
- Call Audio: Voice recordings of telephone conversations (if consent provided)
- Call Transcripts: Text transcriptions of voice conversations
- Call Summaries: AI-generated summaries of call content
- Extracted Information: Names, dates of birth, appointment details, and other information you provide verbally
- Call Metadata: Call duration, time, phone numbers, call disposition, and status
- Consent Records: Recording consent status and timestamp
15.2 AI-Assisted Calls Disclosure
Our platform uses artificial intelligence (AI) technology to assist with healthcare communications. When you call our system, you may interact with an AI-powered assistant that can:
- Schedule, reschedule, and cancel appointments
- Answer questions about office hours and locations
- Collect preliminary patient information
- Route calls to appropriate staff members
You will be informed at the beginning of the call that you are interacting with an AI assistant.
15.3 Call Recording Consent
Call Recording Disclosure: At the start of each call, you will hear: "This call may be recorded for quality assurance. If you don't consent to being recorded, please hang up."
- Consent Method: By remaining on the call, you consent to being recorded
- Declining Recording: If you do not consent, you may hang up and contact your provider through alternative means
- Consent Records: We record your consent status and the timestamp for compliance purposes
15.4 Protected Health Information (PHI) Collection via Voice
Before collecting any Protected Health Information (PHI) during a call, we may request your explicit verbal consent. If you decline to provide consent:
- The call may be terminated
- Any data collected during the call may be deleted per your request
- You may contact your healthcare provider through alternative channels
15.5 How We Use Voice Call Information
We use voice call information to:
- Facilitate appointment scheduling and healthcare coordination
- Generate clinical documentation and encounter summaries
- Improve call quality and AI assistant performance
- Maintain records for regulatory compliance (HIPAA)
- Train and improve our AI systems (using de-identified data only)
- Respond to patient inquiries and requests
16. Communications Data Retention
16.1 SMS Data Retention
| Data Type | Default Retention | Minimum (HIPAA) |
|---|---|---|
| Message Content | 7 years | 6 years |
| Message Attachments | 7 years | 6 years |
| Message Metadata | 7 years | 6 years |
| Consent Records | 7 years | 6 years |
16.2 Voice Call Data Retention
| Data Type | Default Retention | Minimum (HIPAA) | Configurable |
|---|---|---|---|
| Call Recordings | 7 years | None | Yes |
| Call Transcripts | 7 years | 6 years | No |
| Call Summaries | 7 years | 6 years | No |
| Extracted Data | 7 years | 6 years | No |
| Call Metadata | 7 years | 6 years | No |
| Consent Records | 7 years | 7 years | No |
Note: Healthcare providers may configure shorter retention periods for call recordings (including "do not store" options), but transcripts and clinical data must be retained for the HIPAA minimum of 6 years.
16.3 Deletion Process
- Soft Delete: Records are first marked as deleted but retained for a grace period (default: 30 days)
- Hard Delete: After the grace period, records are permanently and irreversibly deleted
- S3 Objects: Audio recordings and attachments are permanently deleted from cloud storage
- Audit Trail: All deletion activities are logged for compliance purposes
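The deletion process in 16.3 combined with the retention minimums in 16.2 and the right-to-delete limits in 19.5, as an added example that is not Caesar Health's code. The retention periods, grace period and audit fields come from the policy; the `Record` and `AuditEntry` layouts, the legal-hold flag and the `request_deletion`/`purge_expired` functions are assumptions, and removal of the underlying S3 object is left out.

```python
"""
Retention-aware deletion for communication records (added example, not Caesar
Health's code). A deletion request is accepted only when the record has reached
the HIPAA minimum retention for its data type and is not under legal hold;
accepted requests are soft-deleted for a 30-day grace period and then hard-
deleted, with every step appended to an audit trail.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

YEAR = timedelta(days=365)
GRACE_PERIOD = timedelta(days=30)      # 16.3 default soft-delete grace period

# HIPAA minimum retention per data type, from the voice call table in 16.2.
# None means no minimum: providers may configure shorter retention for recordings.
MINIMUM_RETENTION = {
    "call_recording": None,
    "call_transcript": 6 * YEAR,
    "call_summary": 6 * YEAR,
    "extracted_data": 6 * YEAR,
    "call_metadata": 6 * YEAR,
    "consent_record": 7 * YEAR,
}


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class Record:
    record_id: str
    data_type: str
    created_at: datetime
    state: str = "active"              # active -> soft_deleted -> hard_deleted
    soft_deleted_at: Optional[datetime] = None
    legal_hold: bool = False           # assumption: set by a legal hold process


@dataclass
class AuditEntry:                      # who / what / when / action, as in 17.3
    at: datetime
    actor: str
    record_id: str
    action: str
    detail: str = ""


audit_log: list = []                   # append-only; nothing below edits an entry


def _audit(at: datetime, actor: str, rec: Record, action: str, detail: str = ""):
    audit_log.append(AuditEntry(at, actor, rec.record_id, action, detail))


def request_deletion(rec: Record, actor: str, now: datetime) -> bool:
    """Handle a right-to-delete request (19.5). Returns True when the record is
    soft-deleted, False when the request has to be refused; both are audited."""
    if rec.state != "active":
        _audit(now, actor, rec, "delete_request_ignored", f"state={rec.state}")
        return False
    if rec.legal_hold:
        _audit(now, actor, rec, "delete_request_denied", "legal hold")
        return False
    minimum = MINIMUM_RETENTION[rec.data_type]
    if minimum is not None and now - rec.created_at < minimum:
        eligible = rec.created_at + minimum
        _audit(now, actor, rec, "delete_request_denied",
               f"HIPAA minimum retention not met; eligible {eligible:%Y-%m-%d}")
        return False
    rec.state = "soft_deleted"
    rec.soft_deleted_at = now
    _audit(now, actor, rec, "soft_delete",
           f"hard delete on or after {now + GRACE_PERIOD:%Y-%m-%d}")
    return True


def purge_expired(records, now: datetime, actor: str = "retention-job") -> list:
    """Hard-delete soft-deleted records whose grace period has elapsed and return
    their ids. Deleting the S3 object for recordings and attachments (16.3) would
    happen at the same point; it is omitted here (assumption: storage elsewhere)."""
    purged = []
    for rec in records:
        if rec.state == "soft_deleted" and now - rec.soft_deleted_at >= GRACE_PERIOD:
            rec.state = "hard_deleted"
            _audit(now, actor, rec, "hard_delete")
            purged.append(rec.record_id)
    return purged
```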
17. Communications Data Security
17.1 Encryption
- At Rest: All data is encrypted using AES-256 encryption with AWS KMS-managed keys
- In Transit: All communications use TLS 1.2 or higher encryption
17.2 Access Controls
- Role-based access control (RBAC) limits access to communication data
- Multi-factor authentication required for administrative access
- All access to Protected Health Information is logged
17.3 Audit Logging
We maintain comprehensive audit logs that record:
- Who accessed communication data
- What data was accessed
- When access occurred
- IP address of the accessor
- Action performed (view, export, delete)
Audit logs are retained for 7 years and cannot be modified or deleted.
18. Communications Third-Party Service Providers
We use the following third-party service providers to deliver communication services:
| Provider | Service | Data Processed |
|---|---|---|
| Twilio | SMS/MMS messaging | Phone numbers, message content |
| Telnyx | Voice telephony | Phone numbers, call audio |
| LiveKit | Real-time audio infrastructure | Call audio streams |
| RetellAI | Voice AI and transcription | Call audio, transcripts |
| Amazon Web Services (AWS) | Cloud infrastructure | All communication data |
All third-party providers are required to sign Business Associate Agreements (BAAs) to ensure HIPAA compliance and protect your Protected Health Information.
19. Your Rights Regarding Communication Data
19.1 Right to Access
You may request a copy of your communication records, including SMS conversation history, call recordings (if retained), and call transcripts and summaries. Requests will be fulfilled within 30 days.
19.2 Right to Amendment
You may request corrections to inaccurate information in your communication records. We will review and respond to amendment requests within 60 days.
19.3 Right to Accounting of Disclosures
You may request a list of disclosures of your communication data for the past 6 years, including the date, recipient, and purpose of each disclosure.
19.4 Right to Restrict Communications
You may request restrictions on certain communications. Note that some restrictions may affect your ability to receive important healthcare information.
19.5 Right to Delete
You may request deletion of your communication data, subject to:
- HIPAA minimum retention requirements (6 years for clinical data)
- Legal hold requirements
- Legitimate business needs
20. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting the updated Privacy Policy on our website
- Updating the "Last Updated" date at the top of this policy
- Sending email notification to your registered email address
- Providing prominent notice through our Services
For material changes affecting PHI, we will provide at least 30 days' notice before the changes take effect. Your continued use of our Services after the effective date constitutes acceptance of the updated Privacy Policy.
21. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Caesar Health, Inc.
Privacy Officer
Email: privacy@caesarhealth.com
Support: support@caesarhealth.com
Legal: legal@caesarhealth.com
For HIPAA-Related Requests:
Email: hipaa@caesarhealth.com
For California Privacy Rights Requests:
Email: privacy@caesarhealth.com
Subject Line: "California Privacy Rights Request"
Complaints
If you believe your privacy rights have been violated, you have the right to file a complaint with:
- Caesar Health: privacy@caesarhealth.com
- U.S. Department of Health and Human Services: www.hhs.gov/hipaa/filing-a-complaint
You will not be retaliated against for filing a complaint.
This Privacy Policy was last updated on February 16, 2026. By using Caesar Health's Services, you acknowledge that you have read and understood this Privacy Policy, including the Communications Privacy Notice.