1. Overview and Scope
PatientSwaps, LLC ("Company," "we," "us," or "our") respects the privacy of all users of the PatientSwaps Platform and is committed to protecting personal information and Protected Health Information (PHI) in accordance with applicable federal and state privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA), the Colorado Privacy Act (CPA), and the California Consumer Privacy Act (CCPA).
This Privacy Policy describes the types of information we collect, how we use it, our security practices, and the rights you have regarding your information. This policy applies to all facilities, authorized users, and individuals whose information is processed through the PatientSwaps Platform.
HIPAA Notice: For facilities covered by HIPAA, PatientSwaps acts as a Business Associate on your behalf. Your use of PatientSwaps is governed by our Business Associate Agreement (BAA). This Privacy Policy supplements but does not replace your BAA. For specific HIPAA rights, see our HIPAA Notice of Privacy Practices at /hipaa.
2. Information We Collect
2.1 Information Categories
We collect information in two primary categories: Protected Health Information (PHI) and Non-Protected Information.
2.2 Protected Health Information (PHI)
PHI is information that can identify a specific patient and relates to healthcare treatment, payment, or operations. We collect PHI only as necessary to provide Platform services on behalf of facilities. PHI includes:
- Patient names, dates of birth, and ages
- Patient contact information (addresses, phone numbers, email)
- Medical record numbers and patient account identifiers
- Health conditions, diagnoses, and clinical needs (transfer referral only)
- Insurance information and payer status
- Transfer history and discharge location preferences
- Physician and care coordinator contact information associated with patient care
When PHI is Collected: PHI is collected when a facility submits a matching algorithm query that includes patient information to identify appropriate transfer options. We do not proactively collect PHI. Facilities determine what information to share with the Platform.
2.3 Facility and Operational Data (Non-PHI)
We collect operational and facility information that does not identify patients or protected individuals:
- Facility name, location, and contact information
- Facility license numbers and regulatory identifiers
- Bed inventory, bed types, and availability status
- Payer acceptance (Medicare, Medicaid, private insurance profiles)
- Facility staff names and professional titles (administrative and clinical leadership)
- Facility occupancy rates and utilization metrics (de-identified)
- Network participation and facility profile information
2.4 User Account Information
When facility staff create PatientSwaps user accounts, we collect:
- User name, email address, and phone number
- Job title and organizational role
- Username and hashed password
- Multi-factor authentication credentials (phone number for SMS, authenticator app data)
- Account creation date and last login timestamp
2.5 Technical and Usage Data
We automatically collect information about how users interact with the Platform:
- IP address and device information (browser type, operating system, device type)
- Timestamps of login, query execution, and logout events
- Matching algorithm queries executed (number and general parameters, but not patient identifiers)
- Pages and features accessed within the Platform
- Error messages and debugging information
- Cookies and similar tracking technologies (see Section 6)
3. How We Use Information
3.1 PHI Uses (HIPAA-Authorized Only)
We use PHI exclusively to provide the Platform services on behalf of facilities that authorize PHI sharing. Permitted uses include:
- Matching Algorithm Execution: Processing patient information to execute matching queries and identify facilities with appropriate bed availability
- Transfer Coordination: Sharing transfer information between facilities as directed by the referring facility
- Facility Communication: Sending transfer-related information to destination facilities on behalf of the referring facility
- Audit Logging: Maintaining secure logs of all PHI access and modifications for security and compliance purposes
- Technical Support: Reviewing PHI data in limited circumstances to troubleshoot technical issues or resolve facility support requests (authorized staff only)
- Compliance and Risk Management: Ensuring HIPAA compliance, monitoring for unauthorized access, and investigating suspected breaches
No Secondary Uses: We do not use PHI for marketing, research, analytics, or any purpose other than providing the Platform services, unless the facility provides explicit additional authorization.
3.2 Facility and Operational Data Uses
Non-PHI facility and operational data is used to:
- Operate and maintain the Platform and network infrastructure
- Provide facility-requested analytics, reporting, and occupancy insights
- Generate network-wide utilization metrics and benchmarking reports (de-identified)
- Improve the matching algorithm and platform performance
- Send facility-requested communications about Platform updates, new features, and educational content
- Monitor network health and identify system optimization opportunities
- Conduct research and quality improvement activities (de-identified only)
3.3 User Account Information Uses
User account information is used to:
- Authenticate users and maintain secure access control
- Log user activities and track query execution for audit purposes
- Enforce billing and subscription management
- Send account notifications, password reset requests, and system maintenance alerts
- Enforce terms of service and prevent unauthorized access
3.4 Technical and Usage Data Uses
Technical data is used to:
- Detect, prevent, and respond to technical issues and security incidents
- Maintain system performance and availability
- Analyze user engagement and platform usage patterns (aggregated, not individual-level)
- Improve user experience and feature design
- Comply with legal obligations and enforce agreements
4. HIPAA Compliance and Business Associate Status
4.1 Business Associate Agreement
For facilities covered by HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and 164), PatientSwaps is a Business Associate of the facility and maintains a Business Associate Agreement (BAA) with each facility client. The BAA is incorporated by reference and governs the handling of PHI.
4.2 Permitted Disclosures
Under our BAA, PatientSwaps may disclose PHI to destination facilities as instructed by the referring facility. All disclosures are:
- Limited to the minimum necessary information to achieve the intended transfer coordination purpose
- Documented in audit logs maintained by the facility
- Subject to the same use restrictions as the original collection
- Made only to recipients authorized under the facility's Business Associate Agreement or equivalent authorization
4.3 Sub-Business Associates
PatientSwaps may use Sub-Business Associates (vendors and service providers) to support Platform operations. All Sub-Business Associates execute Business Associate Agreements with PatientSwaps or the facility and are subject to the same HIPAA restrictions.
Current Sub-Business Associates (as of March 2026):
| Service Provider | Service Type | PHI Access | BAA Status |
| --- | --- | --- | --- |
| Google Workspace (Gmail, Sheets, Drive, Apps Script) | Email, cloud storage, automation | Yes — PHI for email coordination | BAA executed |
| Jotform | Form processing and data collection | Yes — PHI intake forms | HIPAA Gold, BAA executed |
| Paubox | Encrypted email transmission | Yes — Outbound PHI email | BAA executed |
| Airtable | De-identified database | No — De-identified only | Not required |
| Make.com | Workflow automation | No — De-identified IDs only | Not required |
| Stripe | Payment processing | No — Limited to subscription ID | Exempt |
Note on De-Identification: Airtable and Make.com do not maintain BAAs because they receive only de-identified data. Under HIPAA (45 CFR § 164.514(b)), de-identified data is not Protected Health Information and is not subject to HIPAA requirements. Data provided to these platforms includes facility names, swap IDs, bed counts, and dates — but never resident names, contact information, diagnoses, or other individual identifiers. De-identification controls are verified through quarterly audits.
We maintain a current list of all Sub-Business Associates. You may request this list by contacting privacy@patientswaps.com.
5. Data Storage, Security, and De-Identification
5.1 Data Storage Location
All PatientSwaps data, including PHI, is stored on servers located in the United States. We do not transfer PHI outside the United States without explicit facility authorization and compliance with HIPAA transfer requirements.
5.2 Encryption and Security Controls
We protect all information using industry-standard security measures:
- Encryption at Rest: All data stored on PatientSwaps servers is encrypted using Advanced Encryption Standard (AES) 256-bit encryption
- Encryption in Transit: All data transmitted to or from the Platform uses Transport Layer Security (TLS) 1.3 or higher
- Access Controls: Access to PHI is restricted to authorized PatientSwaps personnel who have a documented business need to access the data. Multi-factor authentication is required for all administrative access
- Audit Logging: All access to PHI is logged, including who accessed data, when, and what actions were performed. Audit logs are retained for 7 years
- Password Protection: All user accounts are protected by strong password requirements and multi-factor authentication
- Regular Assessments: We conduct regular security assessments, penetration testing, and vulnerability scans to identify and remediate security gaps
5.3 De-Identification Practices
PatientSwaps de-identifies data for purposes that do not require patient-level information. De-identified data is derived by removing or obscuring all identifiers and is used for:
- Network-wide occupancy analytics and trending reports
- Benchmarking and comparative facility utilization studies
- Algorithm optimization and machine learning model training
- Quality improvement and research initiatives
- Service development and platform enhancement
De-Identification Standard: Data is de-identified under the HIPAA de-identification standard, 45 C.F.R. § 164.502(b), by removing all 18 HIPAA identifiers and ensuring that the risk of re-identification is very small.
De-identified data is not subject to HIPAA restrictions and may be used and disclosed by PatientSwaps without facility authorization.
5.4 Data Retention
PatientSwaps retains information only as long as necessary to provide services or as required by law:
- PHI: Retained for 7 years following termination of facility subscription (to comply with CMS documentation requirements)
- Facility Data: Retained indefinitely for historical benchmarking and network analysis, unless facility requests deletion
- User Account Data: Retained for 90 days after user deactivation, then deleted
- Audit Logs: Retained for 7 years
- De-Identified Data: Retained indefinitely for research and analytics
Facilities may request deletion of their data at any time. PatientSwaps will delete requested data within 30 days, except as required by law or unless a legal hold is in place.
6. Cookies and Tracking Technologies
6.1 Cookie Use
The PatientSwaps Platform uses cookies and similar tracking technologies to:
- Maintain user login sessions and authentication
- Remember user preferences and settings
- Track usage patterns and improve platform performance
- Detect and prevent fraud or unauthorized access
6.2 Types of Cookies
- Essential Cookies: Required for platform login and basic functionality (session management, CSRF protection)
- Analytics Cookies: Track page views and feature usage to improve platform experience (Google Analytics, with IP anonymization)
- Security Cookies: Detect suspicious activity and prevent unauthorized access
6.3 Third-Party Analytics
We use Google Analytics to understand how users interact with the Platform. Google Analytics collects anonymized data about page views, feature usage, and user engagement. Google does not use this data to identify individual users and does not have access to PHI or user account information.
6.4 Cookie Management
Users can control cookie settings through their browser. Most browsers allow you to refuse cookies or alert you when cookies are being sent. However, disabling essential cookies may prevent you from using the Platform.
7. Third-Party Services and Integrations
7.1 Third-Party Vendors
PatientSwaps uses third-party services to operate the Platform. Each vendor is subject to a Business Associate Agreement (if they process PHI) or a Data Processing Agreement (if they process non-PHI data). Vendors include:
- Cloud Infrastructure: Cloudflare for hosting and content delivery
- Email Services: Google Workspace for email and collaboration
- Payment Processing: Stripe for subscription billing and payment collection
- Form Processing: Jotform for intake form collection
- Encrypted Email: Paubox for transmission of sensitive PHI emails
- Database and Automation: Airtable and Make.com for operational workflows (de-identified data only)
All third-party vendors are prohibited from using data for their own purposes and are bound by confidentiality agreements.
7.2 Facility-Directed Integrations
Facilities may request integration with their existing Electronic Health Records (EHR) or healthcare information systems. PatientSwaps can facilitate these integrations and will execute appropriate data sharing agreements with the facility's vendor.
8. Data Subject Rights
8.1 HIPAA Rights (For PHI)
Under HIPAA, individuals whose PHI is processed by PatientSwaps have the following rights:
- Right to Access: Request and receive a copy of PHI in our possession (within 30 days)
- Right to Amendment: Request correction of inaccurate PHI
- Right to Accounting of Disclosures: Request a list of all disclosures of PHI made in the past 2 years
- Right to Restriction: Request that certain uses or disclosures be limited or restricted
- Right to Confidential Communications: Request that communications be sent to an alternative address or through an alternative method
- Right to Complain: Lodge a complaint with PatientSwaps or the HHS Office for Civil Rights regarding privacy practices
These rights are exercised through the referring facility, which is the entity responsible for responding to individual requests under HIPAA. To exercise these rights, contact the facility's privacy officer or medical records department.
8.2 Colorado Privacy Act Rights
Under the Colorado Privacy Act (CPA), Colorado residents have the following rights:
- Right to Know: Request what personal information we collect and how it is used
- Right to Access: Request a copy of personal information we hold about you
- Right to Correction: Request correction of inaccurate information
- Right to Deletion: Request deletion of personal information we have collected (with limited exceptions)
- Right to Opt-Out: Opt out of targeted advertising or sale of personal information
8.3 California Consumer Privacy Act (CCPA) Rights
Under the CCPA, California residents have rights similar to those under the CPA, including the rights to know, access, and delete personal information and to opt out of its sale.
8.4 Exercising Your Rights
To exercise any of these rights, contact us at privacy@patientswaps.com or submit a request through our web form at patientswaps.com/privacy-request. We will respond to all verified requests within 30 days (45 days for HIPAA access requests).
9. Children's Privacy
The PatientSwaps Platform is designed for use by healthcare facilities and facility staff only. We do not intentionally collect information from children under the age of 13. If we become aware that a child under 13 has provided information through the Platform, we will delete that information promptly. Parents or guardians who believe their child has provided information to PatientSwaps should contact privacy@patientswaps.com immediately.
10. State-Specific Privacy Rights
10.1 Colorado Residents
Colorado residents have the following rights under the Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.):
- Right to Know: What personal information is collected and how it is used
- Right to Access: Obtain a copy of personal information
- Right to Deletion: Request deletion, except where legally required to retain
- Right to Correct: Request correction of inaccurate information
- Right to Opt-Out: Opt out of "sale" or "sharing" of personal information
PatientSwaps does not "sell" or "share" (as defined by the CPA) personal information without explicit facility authorization. Facilities may request a full accounting of data handling practices at any time.
10.2 California Residents
California residents have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the rights to know, access, delete, and correct personal information and to opt out of its sale.
10.3 Exercising State-Specific Rights
To exercise privacy rights under Colorado or California law, submit a verified request to privacy@patientswaps.com. We will respond to all verified requests within 30-45 days and will not discriminate against individuals for exercising their privacy rights.
11. Privacy Policy Changes
11.1 Right to Modify
PatientSwaps reserves the right to modify this Privacy Policy at any time. Material changes will be communicated to facilities with 30 days' written notice. Continued use of the Platform following notification of changes constitutes acceptance of the modified policy.
11.2 Version Control
PatientSwaps maintains a version history of this Privacy Policy with effective dates. The current version is always available at patientswaps.com/privacy. Facilities may request prior versions by contacting privacy@patientswaps.com.
12. Governing Law and Compliance
12.1 Legal Framework
This Privacy Policy is governed by federal law including HIPAA (45 CFR Parts 160 and 164) and applicable state law including the Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.) and Colorado Medicaid Anti-Kickback provisions (C.R.S. § 24-31-809).
12.2 Contact Information
12.2.1 Privacy Officer
For questions or concerns regarding privacy practices, contact PatientSwaps' Privacy Officer:
- Email: privacy@patientswaps.com
- Mailing Address: PatientSwaps, LLC, Denver, Colorado
- Phone: Available upon request
12.3 Regulatory Complaints
If you believe your privacy rights have been violated, you may file a complaint with:
- HHS Office for Civil Rights (HIPAA): ocrmail@hhs.gov or 1-800-368-1019
- Colorado Attorney General: dpa@coag.gov
- California Attorney General: ccpa@oag.ca.gov