Privacy Policy
Last Updated: October 24, 2025
Caesar Health, Inc. ("Caesar Health," "we," "us," or "our") is committed to protecting the privacy and security of your information. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use our healthcare platform and services (the "Services").
IMPORTANT: This Privacy Policy applies to both Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act ("HIPAA") and non-PHI data. As a Business Associate under HIPAA, we maintain strict compliance with all applicable healthcare privacy laws.
Table of Contents
- 1. HIPAA Notice and Business Associate Relationship
- 2. Information We Collect
- 3. How We Use Your Information
- 4. How We Disclose Your Information
- 5. Data Security Measures
- 6. Your Rights and Choices
- 7. HIPAA Privacy Rights
- 8. Cookies and Tracking Technologies
- 9. Third-Party Services and Business Associates
- 10. Data Retention and Deletion
- 11. California Privacy Rights (CCPA/CPRA)
- 12. Children's Privacy
- 13. International Data Transfers
- 14. Changes to This Privacy Policy
- 15. Contact Information
1. HIPAA Notice and Business Associate Relationship
1.1 Business Associate Status
When healthcare providers and covered entities use our Services to create, receive, maintain, or transmit Protected Health Information (PHI), Caesar Health acts as a Business Associate under HIPAA. We enter into a Business Associate Agreement (BAA) with covered entities that governs our use and disclosure of PHI.
1.2 HIPAA Compliance Commitment
We comply with the HIPAA Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E) and the HIPAA Security Rule (45 CFR Part 160 and Part 164, Subparts A and C), as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act.
1.3 Uses and Disclosures of PHI
We will only use and disclose PHI as permitted by our BAA with you, which includes:
- To provide Services to you as the Covered Entity
- For our proper management and administration
- To carry out our legal responsibilities
- As required by law
- As authorized by you or the patient
We will NOT use or disclose PHI for marketing purposes or sell PHI without your authorization, except as permitted by HIPAA.
2. Information We Collect
2.1 Protected Health Information (PHI)
When you use our Services, we may collect and process PHI on your behalf, including:
- Patient names, addresses, and contact information
- Medical record numbers and health plan beneficiary numbers
- Social Security numbers (when necessary for billing or identification)
- Medical history, diagnoses, and treatment information
- Laboratory and test results
- Prescription and medication information
- Clinical notes and documentation
- Insurance and billing information
- Any other individually identifiable health information
2.2 Account and Business Information
We collect information about healthcare providers and organizations using our platform:
- Name, email address, phone number
- Professional credentials and license numbers
- Organization name and NPI (National Provider Identifier)
- Billing and payment information
- Job title and role within your organization
2.3 Technical and Usage Information
We automatically collect certain technical information when you use our Services:
- IP addresses and device identifiers
- Browser type and version
- Operating system and device information
- Log data (access times, pages viewed, features used)
- Performance and diagnostic data
- Location data (general geographic location based on IP address)
2.4 Communications
We collect information from your communications with us, including support requests, feedback, and correspondence.
3. How We Use Your Information
3.1 Use of PHI
We use PHI solely to provide Services to you as authorized by our BAA:
- Processing and storing medical records and clinical documentation
- Facilitating care coordination and communication
- Enabling AI-powered features like clinical documentation assistance
- Generating analytics and reports as requested by you
- Ensuring data integrity and security
- Complying with legal and regulatory requirements
Important: We use de-identified data (data stripped of all identifiers) to improve our Services, develop new features, and conduct research. De-identified data cannot reasonably be used to identify individuals and is not subject to HIPAA restrictions.
3.2 Use of Non-PHI Information
We use non-PHI information for:
- Providing, maintaining, and improving our Services
- Processing payments and managing subscriptions
- Communicating with you about your account and our Services
- Providing customer support
- Detecting, preventing, and addressing security issues and fraud
- Conducting analytics to understand how our Services are used
- Complying with legal obligations
- Marketing our Services (with your consent where required)
4. How We Disclose Your Information
4.1 Disclosure of PHI
We will only disclose PHI as permitted or required by our BAA, HIPAA, and applicable law:
- To You: The Covered Entity that is our client
- To Business Associates: Third-party service providers who assist in providing our Services (e.g., cloud hosting, data backup) under written BAAs
- As Required by Law: When required by federal, state, or local law
- For Public Health Activities: When required to report diseases or vital events
- To Prevent Serious Harm: When necessary to prevent or lessen a serious and imminent threat
- For Law Enforcement: In response to valid legal process (court orders, warrants, subpoenas)
We will notify you of any requests for PHI disclosure unless prohibited by law or unless the request includes a qualified protective order.
4.2 Disclosure of Non-PHI Information
We may disclose non-PHI information:
- Service Providers: Third parties that provide services on our behalf (payment processing, analytics, customer support)
- Business Transfers: In connection with a merger, acquisition, or sale of assets
- Legal Compliance: To comply with laws, regulations, or legal processes
- Protection of Rights: To protect our rights, privacy, safety, or property
- With Consent: With your consent or at your direction
4.3 No Sale of Personal Information
We do not sell your personal information or PHI to third parties. We do not share personal information with third parties for their direct marketing purposes.
5. Data Security Measures
We implement comprehensive administrative, physical, and technical safeguards to protect PHI and personal information as required by HIPAA and industry best practices:
5.1 Technical Safeguards
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access Controls: Role-based access controls and multi-factor authentication
- Audit Controls: Logging and monitoring of system access and activities
- Automatic Logoff: Session timeouts for inactive users
- Integrity Controls: Mechanisms to ensure data is not improperly altered or destroyed
5.2 Physical Safeguards
- Secure data centers with restricted access
- Environmental controls and disaster recovery measures
- Secure disposal of physical media containing PHI
5.3 Administrative Safeguards
- Security risk assessments and management
- Workforce training on HIPAA and data security
- Incident response and breach notification procedures
- Business Associate Agreements with all vendors handling PHI
- Regular security audits and penetration testing
- Contingency planning and disaster recovery
5.4 Breach Notification
In the event of a breach of unsecured PHI, we will notify affected covered entities without unreasonable delay and no later than 60 days from discovery of the breach, in accordance with 45 CFR §164.410.
6. Your Rights and Choices
6.1 Account Information
You may access, update, or correct your account information at any time through your account settings or by contacting us.
6.2 Marketing Communications
You may opt out of receiving promotional emails by following the unsubscribe instructions in those emails. You cannot opt out of service-related communications (e.g., account verification, technical notices).
6.3 Cookies and Tracking
You can control cookies through your browser settings. However, disabling cookies may limit your ability to use certain features of our Services.
6.4 Do Not Track
Our Services do not respond to Do Not Track (DNT) signals. We adhere to the standards described in this Privacy Policy.
7. HIPAA Privacy Rights
As a Business Associate, we support your ability to fulfill patients' HIPAA privacy rights:
7.1 Right of Access
We will provide you (the Covered Entity) with access to PHI to enable you to fulfill patients' requests for access to their health information within HIPAA's required timeframes.
7.2 Right to Amend
We will make amendments to PHI as directed by you to enable you to fulfill patients' rights to request amendments to their health information.
7.3 Right to an Accounting of Disclosures
We will provide you with information about disclosures of PHI to enable you to fulfill patients' requests for an accounting of disclosures.
7.4 Right to Request Restrictions
We will comply with your instructions regarding restrictions on uses and disclosures of PHI as agreed in our BAA.
7.5 Right to Confidential Communications
We will assist you in accommodating reasonable requests for confidential communications of PHI.
9. Third-Party Services and Business Associates
We use carefully vetted third-party service providers to help us provide our Services. All third parties that may access PHI are required to:
- Execute a Business Associate Agreement with us
- Implement appropriate safeguards to protect PHI
- Use PHI only as permitted by the BAA
- Report any security incidents or breaches
9.1 Key Service Providers
- Cloud Hosting: Secure cloud infrastructure for data storage and processing
- Payment Processing: Stripe, Inc. for payment processing (does not handle PHI)
- Communication Services: Email and messaging service providers
- Data Backup: Encrypted backup and disaster recovery services
- Analytics: De-identified analytics services (no PHI processed)
9.2 Integration Partners
Our Services may integrate with third-party EMR systems and healthcare applications. Data shared with these systems is controlled by you and subject to the privacy policies of those third parties.
10. Data Retention and Deletion
10.1 Retention Periods
We retain PHI and personal information for as long as necessary to:
- Provide Services to you
- Comply with legal and regulatory requirements (typically 6-7 years for healthcare records)
- Resolve disputes and enforce our agreements
- Meet audit and compliance requirements
10.2 Data Deletion
Upon termination of our BAA or your account:
- We will return or destroy PHI as directed by you and as specified in our BAA
- We use secure deletion methods that make data unrecoverable
- We retain certain information as required by law or for legitimate business purposes
- De-identified data may be retained indefinitely for research and improvement purposes
10.3 Backups
PHI in backup systems will be deleted in accordance with our backup retention schedule, typically within 90 days of the deletion request.
11. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
11.1 Your California Privacy Rights
- Right to Know: Request information about the personal information we collect, use, and disclose
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out: Opt out of the sale or sharing of personal information (we do not sell personal information)
- Right to Limit: Limit the use of sensitive personal information
- Right to Non-Discrimination: Not receive discriminatory treatment for exercising your rights
11.2 Categories of Information
In the past 12 months, we have collected the following categories of personal information:
- Identifiers (name, email, IP address)
- Professional information (credentials, NPI)
- Commercial information (payment records, subscription details)
- Internet activity (usage data, log files)
- Health information (PHI, governed by HIPAA)
11.3 Exercising Your Rights
To exercise your California privacy rights, contact us at privacy@caesarhealth.com. We will verify your identity before processing your request and respond within 45 days.
11.4 Authorized Agents
You may designate an authorized agent to make requests on your behalf. We will require written authorization from you and verification of the agent's identity.
12. Children's Privacy
Our Services are not directed to children under 18, and we do not knowingly collect personal information from children for marketing purposes. However, our Services may be used by healthcare providers to manage health information for pediatric patients as part of treatment, payment, and healthcare operations.
When PHI of minors is processed through our Services:
- It is handled in accordance with HIPAA requirements
- Parental consent is the responsibility of the Covered Entity
- We implement the same security safeguards for all PHI regardless of patient age
If you believe we have inadvertently collected personal information from a child for non-healthcare purposes, please contact us immediately at privacy@caesarhealth.com.
13. International Data Transfers
Our Services are provided from the United States. If you access our Services from outside the United States, your information will be transferred to, stored, and processed in the United States.
By using our Services, you consent to the transfer of your information to the United States and other countries where we or our service providers operate. These countries may have data protection laws that differ from those in your country of residence.
For PHI, we ensure that:
- All data transfers comply with HIPAA requirements
- Appropriate safeguards are in place to protect PHI during international transfers
- Business Associate Agreements cover all entities that may access PHI
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting the updated Privacy Policy on our website
- Updating the "Last Updated" date at the top of this policy
- Sending email notification to your registered email address
- Providing prominent notice through our Services
For material changes affecting PHI, we will provide at least 30 days' notice before the changes take effect. Your continued use of our Services after the effective date constitutes acceptance of the updated Privacy Policy.
15. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Caesar Health, Inc.
Privacy Officer
Email: privacy@caesarhealth.com
Support: support@caesarhealth.com
Legal: legal@caesarhealth.com
For HIPAA-Related Requests:
Email: hipaa@caesarhealth.com
For California Privacy Rights Requests:
Email: privacy@caesarhealth.com
Subject Line: "California Privacy Rights Request"
Complaints
If you believe your privacy rights have been violated, you have the right to file a complaint with:
- Caesar Health: privacy@caesarhealth.com
- U.S. Department of Health and Human Services: www.hhs.gov/hipaa/filing-a-complaint
You will not be retaliated against for filing a complaint.
This Privacy Policy was last updated on October 24, 2025. By using Caesar Health's Services, you acknowledge that you have read and understood this Privacy Policy.