Privacy Policy & Data Protection

At Tynet EHR, we are committed to protecting the privacy and security of Protected Health Information (PHI) and personal data. This policy outlines how we collect, use, disclose, and safeguard information in compliance with HIPAA and other regulations.

Last Updated: March 15, 2026 | Effective Date: April 1, 2026

1. Overview & Scope

This Privacy Policy applies to all information collected through our services.

1.1 Purpose

Tynet EHR ("we," "our," or "us") provides electronic health record (EHR) software and services to home health, hospice, and healthcare providers. This Privacy Policy describes how we collect, use, disclose, and protect Protected Health Information (PHI) and other personal information in compliance with the Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health (HITECH) Act, and other applicable laws.

1.2 Scope

This policy applies to:

  • All Tynet EHR software platforms and mobile applications
  • Our website and online services
  • All data processing activities as a Business Associate under HIPAA
  • All users, including healthcare providers, patients, and visitors

Important Note

As a Business Associate under HIPAA, we are contractually obligated to protect PHI and comply with all applicable privacy and security regulations. We do not use or disclose PHI except as permitted or required by our Business Associate Agreement or as required by law.

2. Information We Collect

Types of information collected through our services.

2.1 Protected Health Information (PHI)

When healthcare providers use our services to manage patient care, we process PHI on their behalf. This includes:

Category | Examples | Purpose
Demographic Information | Name, address, date of birth, SSN, insurance information | Patient identification and billing
Clinical Information | Medical history, diagnoses, treatment plans, medications | Clinical care and documentation
Assessment Data | OASIS-E, HOPE assessments, functional status | Care planning and regulatory compliance
Billing Information | CMS-1500 forms, claims data, payment information | Reimbursement processing
Visit Information | EVV data, visit notes, clinician documentation | Care delivery verification

2.2 Business Information

We collect information from healthcare organizations and their staff, including:

  • Organization Data: Agency name, NPI numbers, tax IDs, addresses
  • Staff Information: Employee names, credentials, contact information
  • Usage Data: System logs, access patterns, feature usage
  • Technical Data: IP addresses, device information, browser type

Data Minimization

We follow the principle of data minimization, collecting only the information necessary to provide our services and fulfill our contractual obligations. We do not collect PHI directly from patients unless specifically authorized by the healthcare provider.

3. HIPAA Compliance

Our commitment to healthcare privacy regulations.

3.1 Business Associate Agreement (BAA)

As a Business Associate under HIPAA, we enter into BAAs with all covered entities (healthcare providers) who use our services. Our BAA:

  • Defines permitted uses and disclosures of PHI
  • Outlines security safeguards and breach notification procedures
  • Specifies termination conditions and data return/destruction requirements
  • Requires compliance with HIPAA Privacy, Security, and Breach Notification Rules

3.2 Security Rule Compliance

We implement administrative, physical, and technical safeguards required by the HIPAA Security Rule:

  • Administrative Safeguards: Security policies, training, risk assessments
  • Physical Safeguards: Data center security, access controls
  • Technical Safeguards: Encryption, authentication, audit controls

3.3 Breach Notification

In the event of a breach of unsecured PHI, we comply with HIPAA Breach Notification Rule requirements:

  1. Conduct risk assessment to determine breach probability
  2. Notify affected covered entities within 60 days of discovery
  3. Provide necessary information for covered entities to notify affected individuals
  4. Report breaches affecting 500+ individuals to HHS and media when required

4. How We Use Information

Purposes for processing information.

4.1 Service Provision

We use information to provide and maintain our services, including:

  • Processing and storing clinical documentation
  • Facilitating electronic visit verification (EVV)
  • Generating CMS-1500 and other billing forms
  • Providing OASIS-E and HOPE assessment tools
  • Enabling care coordination and communication

4.2 Compliance & Operations

We use information for legal and operational purposes:

  • Complying with healthcare regulations (HIPAA, HITECH, state laws)
  • Processing payments and invoices
  • Providing customer support and training
  • Improving and optimizing our services
  • Ensuring system security and preventing fraud

4.3 De-identified Data

We may create and use de-identified data for:

  • Research and development to improve our services
  • Generating industry benchmarks and analytics
  • Training machine learning models (with appropriate safeguards)
  • Publishing aggregate industry trends

Analytics & Improvement

We use de-identified, aggregated data to analyze usage patterns, improve our services, and develop new features. This data does not contain any identifiable PHI and cannot be linked back to individual patients or providers.

5. Information Sharing

When and how we share information.

5.1 Permitted Disclosures

We may disclose PHI as permitted by our Business Associate Agreement and applicable law:

  • To Healthcare Providers: For treatment, payment, and healthcare operations
  • To Business Associates: Third parties who provide services on our behalf (with BAAs)
  • As Required by Law: To comply with legal obligations or court orders
  • For Public Health: As required by public health authorities
  • For Research: With appropriate approvals and safeguards

5.2 Third-Party Service Providers

We engage third-party service providers who may process information on our behalf:

Service Provider | Purpose | Data Protection
Cloud Hosting Providers | Data storage and infrastructure | SOC 2 Type II, HIPAA compliant
Payment Processors | Billing and payment processing | PCI DSS compliant
Analytics Providers | Service improvement and analytics | De-identified data only
Support Services | Customer support and maintenance | Strict access controls

5.3 No Sale of PHI

We do not sell, rent, or trade PHI to third parties for marketing or any other purposes. We do not use PHI for marketing without explicit authorization from the individual.

6. Data Security

How we protect information.

6.1 Security Measures

We implement comprehensive security measures to protect information:

  • Encryption: AES-256 encryption at rest and in transit
  • Authentication: MFA, strong password policies
  • Audit Controls: Complete audit trails, regular reviews
  • Network Security: Firewalls, intrusion detection, DDoS protection

6.2 Access Controls

We implement strict access controls:

  • Role-Based Access: Users can only access information necessary for their role
  • Minimum Necessary: Access limited to minimum necessary to perform job functions
  • Regular Reviews: Quarterly access reviews and certifications
  • Training: Annual security and privacy training for all staff

6.3 Security Certifications

Our security program includes regular assessments and certifications:

  • Annual HIPAA security risk assessments
  • SOC 2 Type II examinations
  • Penetration testing and vulnerability scanning
  • Third-party security audits

7. Data Retention

How long we retain information.

7.1 Retention Periods

We retain information in accordance with legal requirements and business needs:

Data Type | Retention Period | Legal Basis
Clinical Records (PHI) | 6 years from last activity or as required by state law | HIPAA, state medical record laws
Billing Records | 7 years from service date | IRS requirements, CMS regulations
OASIS-E Assessments | 5 years from assessment date | CMS requirements
EVV Visit Data | 6 years from visit date | State Medicaid requirements
Audit Logs | 7 years from creation | HIPAA Security Rule

7.2 Data Disposal

When retention periods expire, we securely dispose of information using methods that prevent reconstruction:

  • Electronic Data: Secure deletion following NIST SP 800-88 guidelines
  • Physical Media: Destruction or degaussing by certified providers
  • Backup Media: Secure destruction with certificate of destruction

7.3 Termination of Service

Upon termination of service, we provide options for data return or destruction as specified in our Business Associate Agreement.

8. Your Rights

Rights regarding your information.

8.1 Patient Rights Under HIPAA

As a Business Associate, we support covered entities in fulfilling patient rights under HIPAA:

  • Right to Access: Patients may request access to their PHI
  • Right to Amend: Patients may request amendments to their PHI
  • Right to Accounting: Patients may request an accounting of disclosures
  • Right to Restrictions: Patients may request restrictions on certain uses/disclosures
  • Right to Confidential Communications: Patients may request alternative communication methods
  • Right to Complain: Patients may file complaints about privacy practices

How to Exercise Rights

Patients should contact their healthcare provider (the covered entity) to exercise their HIPAA rights. As a Business Associate, we will assist covered entities in fulfilling these requests as required by our Business Associate Agreement.

8.2 Organization Rights

Healthcare organizations using our services have the right to:

  • Access their organization's data and PHI they have submitted
  • Request corrections to their organization's information
  • Export their data in standard formats (HL7, CSV, PDF)
  • Receive breach notifications as required by law
  • Review our security and privacy practices

9. Business Associate Responsibilities

Our role under HIPAA.

9.1 Business Associate Agreement

Our BAA includes the following key provisions:

  • Permitted uses and disclosures of PHI
  • Appropriate safeguards to prevent misuse
  • Reporting of security incidents and breaches
  • Requirements for subcontractors (who must also sign BAAs)
  • Return or destruction of PHI upon termination
  • Access to books and records for HHS compliance reviews

9.2 Subcontractors

We ensure that all subcontractors who handle PHI:

  • Sign Business Associate Agreements
  • Implement appropriate security safeguards
  • Comply with HIPAA requirements
  • Undergo security assessments

9.3 Compliance Monitoring

We continuously monitor and improve our compliance program through:

  • Annual HIPAA training for all employees
  • Regular security risk assessments
  • Internal and external audits
  • Incident response testing and drills
  • Policy review and updates

Contact Our Privacy Team

For privacy-related questions, concerns, or to exercise your rights.

  • Email: privacy@tynetehr.com (for general privacy inquiries)
  • Phone: 1-800-PRIVACY (Mon-Fri 9am-5pm EST)
  • Data Requests: requests@tynetehr.com (for data access or deletion requests)
  • Security Officer: security@tynetehr.com (for security concerns)