Privacy Policy

Oz Health (“we,” “our,” or “us”) is committed to protecting the privacy and security of your personal and health information. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our electronic health record platform, patient portal, mobile application, and communication services (collectively, the “Services”).

Oz Health operates as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). We maintain administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of protected health information (PHI) in accordance with HIPAA and the HITECH Act.

Information provided by your healthcare provider:

• Name, date of birth, contact information (phone, email, address)
• Medical records, diagnoses, medications, lab results, and clinical notes
• Insurance and billing information
• Appointment history

Information you provide directly:

• Patient portal account registration information
• Messages sent through the portal
• Communication preferences (SMS, email, push notification opt-in/opt-out)
• Survey and questionnaire responses

Information collected automatically:

• Device information and browser type
• IP address and general location
• Usage data (pages visited, features used)
• Cookies and similar technologies

• Treatment: To facilitate healthcare services between you and your provider
• Communications: To send appointment reminders, lab result notifications, care-related messages, and account notifications via SMS, email, or push notification
• Operations: To operate, maintain, and improve the Services
• Billing: To process insurance claims and payments
• Security: To detect and prevent unauthorized access and fraud
• Legal compliance: To comply with applicable laws and regulations

When you opt in to SMS or email communications, we may send you transactional messages related to your healthcare. We implement anti-bombardment safeguards to prevent excessive messaging, including daily caps per patient, quiet hours (default 9 PM – 8 AM), and cooldown periods between messages of the same type.

You can opt out at any time by:

• Replying STOP to any SMS message
• Updating preferences in the patient portal
• Contacting your provider's office

We do not share your phone number or email address with third parties for marketing purposes. SMS and email communications are limited to healthcare-related transactional messages.

We do not sell your personal or health information. We may share information only as follows:

• With your healthcare provider: As necessary for treatment, payment, and healthcare operations
• Service providers: With trusted third-party vendors who assist in operating the Services (e.g., cloud hosting, SMS delivery), bound by confidentiality agreements and HIPAA Business Associate Agreements
• Legal requirements: When required by law, court order, or governmental regulation
• With your consent: When you explicitly authorize disclosure

We implement industry-standard security measures including:

• Encryption of data in transit (TLS) and at rest (AES-256)
• Multi-factor authentication
• Role-based access controls
• Audit logging of all access to PHI
• Regular security assessments and penetration testing
• Automatic session timeouts

We retain health records in accordance with applicable federal and state medical record retention laws (typically 7–10 years from last encounter). Communication logs are retained for 30 days for operational purposes and archived for compliance. You may request deletion of non-clinical data by contacting us.

Under HIPAA, you have the right to:

• Access and obtain copies of your health records
• Request corrections to your health information
• Request restrictions on certain uses and disclosures
• Receive an accounting of disclosures
• Receive a copy of this Privacy Policy
• File a complaint if you believe your rights have been violated

California residents may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know, delete, and opt out of the sale of personal information (note: we do not sell personal information).

The patient portal is intended for users age 18 and older. Minor patients' health information is managed by their parent or legal guardian through the provider's office.

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Services. The “Last updated” date at the top reflects the most recent revision.

For questions about this Privacy Policy or to exercise your rights, contact us at:

Oz Health
Email: privacy@ozhealth.com
Phone: (646) 780-9236