IMPORTANT: PatientSwaps' Role Under HIPAA
PatientSwaps is a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA), 45 CFR Parts 160 and 164. PatientSwaps does NOT directly provide healthcare services and is NOT a Covered Entity.
PatientSwaps processes Protected Health Information (PHI) solely on behalf of skilled nursing facilities that are Covered Entities under HIPAA. Facilities retain full control over all clinical and operational decisions regarding their residents. PatientSwaps functions as a technology platform providing algorithmic bed-matching and transfer-coordination software services only.
This Notice applies when facilities or families submit information to PatientSwaps for matching purposes.
1. Overview: PatientSwaps as a HIPAA Business Associate
PatientSwaps, LLC ("Company," "we," "us," or "our") is a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA), 45 C.F.R. Parts 160 and 164. We handle Protected Health Information (PHI) on behalf of healthcare facilities that use the PatientSwaps Platform.
This Notice of Privacy Practices describes:
- How we use and disclose PHI
- The privacy rights of individuals whose information we handle
- How we protect PHI from unauthorized access and disclosure
- What to do if you believe your privacy rights have been violated
Important: PatientSwaps does NOT determine what PHI is collected, used, or disclosed. Healthcare facilities that use PatientSwaps make those determinations and direct PatientSwaps on how to handle PHI. PatientSwaps acts on behalf of facilities and must comply with facilities' instructions regarding PHI.
2. Definitions
2.1 Protected Health Information (PHI)
PHI is any information in a medical record or health plan that can be used to identify an individual patient, including:
- Patient name, date of birth, and address
- Patient phone number, fax number, or email address
- Medical record number or health plan identification number
- Health conditions, diagnoses, and treatment information
- Insurance information and payment details
- Any other identifier that could identify a patient
2.2 Business Associate
A Business Associate is a vendor or service provider that creates, receives, maintains, or transmits PHI on behalf of a covered entity. PatientSwaps is a Business Associate because we process PHI as directed by healthcare facilities.
2.3 Minimum Necessary
The minimum necessary standard is the principle that PatientSwaps uses only the minimum amount of PHI necessary to accomplish the intended purpose.
3. Uses and Disclosures of PHI
3.1 How PatientSwaps Uses PHI
PatientSwaps uses PHI exclusively for purposes authorized by the facility and as necessary to provide Platform services:
3.2 Permitted Uses
- Matching Algorithm Execution: Processing patient information to identify facilities with available beds that match the referring facility's specified criteria (bed type, payer acceptance, geographic proximity, timing)
- Transfer Coordination: Sending patient information to destination facilities selected by the referring facility to facilitate transfer discussion and acceptance
- Facility Communication: Communicating with healthcare facilities regarding available beds, patient transfer needs, and coordination details
- Treatment-Related Activities: Facilitating coordination of care between facilities (with facility direction)
- Platform Operations: Maintaining the Platform, resolving technical issues, and troubleshooting problems (limited access)
- Audit Logging and Security: Logging all access to PHI to ensure compliance and detect unauthorized access
3.3 Permitted Disclosures
PatientSwaps discloses PHI only as directed by the referring facility:
- To Destination Facilities: When the referring facility directs PatientSwaps to contact a specific facility regarding bed availability or patient transfer
- To Authorized Users of the Referring Facility: Making PHI available to the facility's staff who have legitimate access needs
- For Facility Administrative Functions: Disclosures for billing, operations, and facility management as directed by the facility
- As Required by Law: Disclosures required by court order, subpoena, warrant, or other legal process
- To Business Associates: Disclosures to PatientSwaps' vendors who have signed Business Associate Agreements and are bound by HIPAA (see Section 8)
3.4 Prohibited Uses and Disclosures
PatientSwaps does NOT use or disclose PHI for:
- Marketing or promotional purposes
- Research (without explicit facility authorization and IRB approval)
- Business decisions unrelated to providing Platform services
- Sale of PHI (under HIPAA §164.502(a)(5))
- Psychotherapy notes (which receive heightened protection)
- Substance abuse treatment information (which receives heightened protection)
- Any purpose other than those authorized by the facility
4. Patient Privacy Rights
4.1 Right to Access PHI (45 C.F.R. § 164.524)
You have the right to access and obtain a copy of your PHI that PatientSwaps maintains.
How to Exercise This Right: Contact the healthcare facility that referred you or the destination facility involved in your transfer. The facility will request the information from PatientSwaps. PatientSwaps will provide a copy to the facility within 30 days.
Exceptions: You may be denied access to:
- Psychotherapy notes
- Information compiled for civil, criminal, or administrative proceedings
- Information exempted under other federal law (e.g., substance abuse treatment information)
4.2 Right to Amendment (45 C.F.R. § 164.526)
You have the right to request that inaccurate or incomplete PHI be corrected.
How to Exercise This Right: Submit a written request to the healthcare facility involved in your care, specifying what information you believe is inaccurate and what correction you request. PatientSwaps will update the information if the facility verifies the inaccuracy.
Timeline: The facility has 60 days to review and respond to your request (with one 30-day extension possible).
4.3 Right to an Accounting of Disclosures (45 C.F.R. § 164.528)
You have the right to receive an accounting of all disclosures of your PHI made by PatientSwaps.
What This Includes: A list of all instances where your PHI was disclosed to other facilities or individuals, including:
- The date of disclosure
- The name and address of the entity that received the PHI
- A description of the information disclosed
- The reason for the disclosure
How to Request: Contact the healthcare facility involved in your care. PatientSwaps will provide an accounting within 60 days. The accounting covers the 6 years preceding the request date (or a shorter period if you specify one).
Exceptions: The accounting does not need to include disclosures made for treatment, payment, or operations; disclosures to the individual themselves; or disclosures authorized by the individual.
4.4 Right to Request Restrictions (45 C.F.R. § 164.522)
You have the right to request that PatientSwaps restrict its use or disclosure of your PHI.
Example Restrictions: You may request that PatientSwaps not disclose your information to specific facilities or individuals, or restrict use to specific purposes.
Important Limitation: PatientSwaps and the healthcare facility are not required to agree to your requested restriction. However, if the facility agrees, PatientSwaps must comply.
How to Request: Submit a written request to the referring facility specifying what restriction you want.
4.5 Right to Request Confidential Communication (45 C.F.R. § 164.522)
You have the right to request that PatientSwaps communicate with you in a certain way or at a certain location.
Examples: You may request that PatientSwaps send information only to your email or mailing address, or use only phone communication.
How to Request: Contact the healthcare facility and specify your preferred communication method.
4.6 Right to Notification of Breach (45 C.F.R. § 164.404)
If your PHI is accessed, used, or disclosed without authorization, PatientSwaps must notify you within 60 days.
Notification Contents: The notification will include:
- A description of the breach and what information was involved
- How the breach occurred
- Steps you should take to protect yourself
- What PatientSwaps is doing to investigate and prevent future breaches
- Contact information for questions
If more than 500 individuals' information is breached, PatientSwaps must also notify the media and the U.S. Department of Health and Human Services (HHS).
5. The Business Associate Agreement
5.1 What is a Business Associate Agreement?
A Business Associate Agreement (BAA) is a legal contract between PatientSwaps and each healthcare facility that details:
- What PHI PatientSwaps may access
- How PatientSwaps may use and disclose PHI
- The security measures PatientSwaps must implement
- The facility's right to audit and assess PatientSwaps' compliance
- What happens if PatientSwaps violates HIPAA
5.2 PatientSwaps' BAA Obligations
Under the BAA, PatientSwaps agrees to:
- Use PHI only for purposes authorized by the facility
- Not disclose PHI except as authorized by the facility or required by law
- Implement administrative, physical, and technical safeguards to protect PHI
- Provide the facility with access to PHI upon request
- Report any unauthorized access, use, or disclosure (breaches) immediately
- Provide the facility with all information needed to fulfill the facility's HIPAA obligations
- Delete or return all PHI when the facility requests or when the contract ends
- Ensure all Sub-Business Associates (vendors) sign Business Associate Agreements
6. PatientSwaps' Privacy and Security Safeguards
6.1 Administrative Safeguards
PatientSwaps implements administrative controls to protect PHI:
- Access Controls: Only authorized personnel with a documented business need can access PHI. Access is controlled through user authentication and role-based permissions
- Security Training: All PatientSwaps personnel who handle PHI receive HIPAA compliance training annually
- Incident Response Plan: PatientSwaps maintains procedures for detecting, reporting, and responding to unauthorized access or breaches
- Workforce Security: PatientSwaps implements background checks for employees with PHI access and maintains separation of duties to prevent unauthorized access
- Information Access Management: Access to PHI is limited to the minimum necessary to perform job functions
6.2 Physical Safeguards
PatientSwaps protects the physical security of systems that contain PHI:
- Facility Access Controls: PatientSwaps' data centers use controlled access with authentication requirements
- Workstation Security: All computers with access to PHI are password-protected and require multi-factor authentication
- Media Controls: Devices used to store PHI are encrypted and are physically secured
- Device Removal: Hardware containing PHI is destroyed securely and is never discarded with PHI intact
6.3 Technical Safeguards
PatientSwaps implements technical controls to protect PHI:
- Encryption at Rest: All PHI stored on PatientSwaps servers is encrypted using AES-256 encryption
- Encryption in Transit: All data transmitted to or from PatientSwaps is encrypted using TLS 1.3 or higher
- Access Controls: Unique user IDs and strong password requirements control access to systems containing PHI
- Audit Controls: PatientSwaps logs all access to PHI, including who accessed the data, when, and what actions were performed
- Integrity Controls: PatientSwaps uses checksums and other methods to detect if PHI has been altered or deleted
- Transmission Security: Data sent to external locations is encrypted and uses secure transmission protocols
7. De-Identification and Use of De-Identified Information
7.1 De-Identification Standard
PatientSwaps may remove all HIPAA identifiers from PHI to create de-identified data. De-identified data is not considered PHI and is not subject to HIPAA restrictions.
De-Identification Process: PatientSwaps removes the following 18 identifiers under 45 C.F.R. § 164.502(b):
- Names
- Postal address elements (except state and ZIP code)
- Phone numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan identification numbers
- Account numbers
- Dates (except year)
- Device serial numbers and URLs
- License plates
- Biometric records
- Photographs
- Any unique identifier assigned to an individual
7.2 Use of De-Identified Data
Once data is de-identified, PatientSwaps may use it for:
- Network-wide occupancy analytics and trend reporting
- Benchmarking and comparative facility analysis
- Algorithm optimization and machine learning model development
- Quality improvement research
- Service development and platform enhancement
- Sharing with researchers, consultants, and other third parties
De-identified data may be used and disclosed without individual authorization because it no longer identifies any person.
8. Sub-Business Associates and Vendor Management
8.1 What are Sub-Business Associates?
Sub-Business Associates are vendors and service providers that PatientSwaps engages to help operate the Platform or support PatientSwaps' operations. These vendors may access PHI as needed to provide their services.
8.2 PatientSwaps' Responsibility
PatientSwaps is responsible for ensuring that all Sub-Business Associates:
- Execute Business Associate Agreements (BAAs) that bind them to HIPAA
- Implement appropriate safeguards to protect PHI
- Report any breaches or security incidents
- Allow access for audits and assessments
8.3 Current Sub-Business Associates (as of March 19, 2026)
| Vendor | Service | PHI Access | BAA Status |
| --- | --- | --- | --- |
| Google Workspace (Gmail, Sheets, Drive, Apps Script) | Email, cloud storage, workflow automation | Yes | BAA Executed |
| Jotform | Intake form collection and data processing | Yes | HIPAA Gold, BAA Executed |
| Paubox | Encrypted email transmission | Yes | BAA Executed |
| Cloudflare | Hosting and content delivery | Limited (encryption only) | Data Processing Agreement |
| Stripe | Payment processing | No (limited to subscription ID) | Exempt |
Right to Information: You may request the full list of PatientSwaps' Sub-Business Associates by contacting privacy@patientswaps.com. PatientSwaps will provide this list within 30 days.
9. Breach Notification and Incident Response
9.1 What Constitutes a Breach?
A breach is the unauthorized access, use, or disclosure of PHI that compromises the security or privacy of the information. Not all unauthorized access is a breach—an incident is a breach only if it creates a significant risk that PHI has been compromised.
9.2 Breach Notification Requirements
When a breach occurs, PatientSwaps will:
- Immediately investigate the incident to determine the scope and severity
- Notify the healthcare facility within 24 hours (or as soon as practicable) of discovery
- Provide the facility with all information needed to make a risk assessment and determine if individuals must be notified
- Implement remedial actions to prevent recurrence
- Maintain detailed documentation of the incident, investigation, and response
9.3 Individual Notification (45 C.F.R. § 164.404)
If a breach affects your PHI, you will be notified within 60 days by the healthcare facility involved in your care. The notification will include:
- A description of the breach (what happened, when, and what information was involved)
- Steps you should take to protect yourself
- What PatientSwaps is doing to investigate and prevent future breaches
- Contact information for questions
9.4 Media and HHS Notification
If a breach involves more than 500 individuals, the healthcare facility will:
- Notify prominent media in the area where individuals reside
- Notify the U.S. Department of Health and Human Services (HHS)
9.5 Your Right to Know About Breaches
You have the right to be notified if your PHI is breached. You cannot waive this right, and PatientSwaps cannot delay notification to limit liability.
10. Minimum Necessary Standard
10.1 What is Minimum Necessary?
The minimum necessary standard requires that PatientSwaps use, disclose, and request only the amount of PHI needed to accomplish a specific, legitimate purpose.
10.2 How PatientSwaps Applies Minimum Necessary
- For Matching Queries: PatientSwaps requests from the referring facility only the PHI necessary to execute the matching algorithm (e.g., bed type needed, payer type, timing requirements, geography). PatientSwaps does not request unnecessary clinical details or personal information
- For Disclosures: When PatientSwaps discloses information to a destination facility, PatientSwaps discloses only the information the destination facility needs to assess the patient and make an acceptance decision
- For Technical Support: When providing technical support, authorized PatientSwaps staff access the minimum necessary information to troubleshoot the specific problem
- For Audit Logs: Audit logs retain all access records but limit the details stored to what is necessary for security and compliance purposes
10.3 Role-Based Access Controls
| Role | PHI Access | Scope |
| --- | --- | --- |
| Platform Administrator (hello@careswaps.com) | Full PHI access | Client support, compliance, and breach response |
| Google Apps Script Automation | Limited PHI access | Resident name, contact information (for personalized email notifications via Gmail only) |
| Make.com Workflows | De-identified data only | Swap IDs, facility names, dates, operational status flags (no resident names or contact information) |
| Jotform Integration | PHI collection | Intake form responses collected directly from families (stored in HIPAA-compliant environment, not exported to non-BAA services) |
| Stripe Payment Processing | No PHI | Payment method and transaction amounts only |
| Airtable | De-identified data only | Facility names, swap IDs, bed counts, operational status (no resident-identifiable information) |
All access is logged and restricted to authorized job functions.
11. Patient Rights Enforcement and Contact Information
11.1 How to Verify Your Identity
When you request access to your PHI or exercise other HIPAA rights, PatientSwaps may require verification of your identity. Acceptable forms of verification include:
- Photo identification
- Signature and date
- Information that can reasonably identify you (such as date of birth or patient ID)
11.2 Timeline for Responding to Requests
- Access Requests: PatientSwaps will provide a copy of your PHI within 30 days of your request (with one 30-day extension possible)
- Amendment Requests: 60 days to review and respond (with one 30-day extension possible)
- Accounting of Disclosures: 60 days to compile and deliver
- Restriction Requests: Decision within 30 days
11.3 Contact Information for Privacy-Related Questions
PatientSwaps Privacy Officer & Security Officer:
- Name: Michael Ford, Founder
- Email: privacy@patientswaps.com
- Phone: (970) 306-7131
- Mailing Address: PatientSwaps, LLC, Denver, Colorado
Healthcare Facility Privacy Officer: Contact the healthcare facility involved in your care for assistance with HIPAA requests.
12. Complaint Procedures
12.1 Right to File a Complaint
You have the right to file a complaint if you believe PatientSwaps or the healthcare facility has violated your HIPAA privacy or security rights. Filing a complaint will not change your access to the PatientSwaps Platform or cause PatientSwaps to retaliate against you.
12.2 How to File a Complaint with PatientSwaps
To file a complaint with PatientSwaps, contact:
- Email: privacy@patientswaps.com
- Mail: PatientSwaps Privacy Officer, Denver, Colorado
Complaints must be submitted in writing (email or letter). PatientSwaps will investigate all complaints and respond within 30 days with information about the investigation and any corrective actions taken.
12.3 How to File a Complaint with the U.S. Department of Health and Human Services
You may also file a complaint with the HHS Office for Civil Rights, which enforces HIPAA:
- Website: www.hhs.gov/ocr/privacy/hipaa/complaints
- Email: ocrmail@hhs.gov
- Phone: 1-800-368-1019
- Mail: Office for Civil Rights, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Washington, D.C. 20201
There is no time limit for filing complaints with HHS, and you do not need to file a complaint with PatientSwaps first.
12.4 No Retaliation
PatientSwaps will not take any retaliatory action against you for filing a complaint or for asserting your HIPAA rights.
13. Changes to This Notice
13.1 Right to Revise
PatientSwaps reserves the right to revise this Notice of Privacy Practices at any time. Changes will be effective immediately upon posting.
13.2 Notification of Changes
Any significant changes will be communicated to healthcare facilities in advance. You may request the current version of this Notice at any time by contacting privacy@patientswaps.com.
13.3 Version Control
PatientSwaps maintains a version history of this Notice with effective dates at patientswaps.com/hipaa.
14. HIPAA Privacy Rule Summary
14.1 Key HIPAA Requirements
PatientSwaps complies with the following HIPAA requirements:
- Privacy Rule (45 C.F.R. Part 164, Subpart E): Controls use and disclosure of PHI
- Security Rule (45 C.F.R. Part 164, Subpart C): Requires administrative, physical, and technical safeguards for PHI stored or transmitted electronically
- Breach Notification Rule (45 C.F.R. Part 164, Subpart D): Requires notification to affected individuals, media, and HHS of breaches affecting 500+ individuals
- Enforcement Rule (45 C.F.R. Part 160): Authorizes HHS to investigate complaints and impose civil and criminal penalties
14.2 Penalties for HIPAA Violations
Violations of HIPAA are subject to:
- Civil penalties of $100–$50,000 per violation (adjusted for inflation annually)
- Criminal penalties of up to 10 years in prison and $250,000+ in fines for criminal HIPAA violations
- Exclusion from Medicare and Medicaid programs
Important Notice: This is a Notice of Privacy Practices provided for informational purposes. It supplements but does not replace your Business Associate Agreement with PatientSwaps. If there is a conflict between this Notice and your BAA, the BAA controls. This Notice describes PatientSwaps' privacy practices and your rights under HIPAA. Your healthcare facility is responsible for providing you with notice of the facility's own privacy practices. For questions about your healthcare facility's use of your information, contact the facility directly.