Privacy Policy

1. INTRODUCTION AND SCOPE

This Privacy Policy (“Policy”) describes how HCCS Health (“Company,” “we,” “us,” or “our”), a healthcare consulting firm located in Minneapolis, Minnesota, collects, uses, discloses, and protects personal information obtained through our website at https://hccs.health/ and in connection with our consulting services.

Important Service Limitations: HCCS Health provides consulting, advisory, analytics, and operational support services to healthcare organizations only. We do not provide medical care, medical advice, diagnosis, or treatment, and we do not establish provider-patient relationships through this website or our services. Our services are limited to business consulting, regulatory compliance guidance, revenue cycle management advisory, pharmacy consulting, 340B Drug Program optimization, data analytics, and operational insights for healthcare organizations.

Professional Use Only: This website is intended for business and professional use by healthcare organizations, industry stakeholders, and business professionals. It is not directed toward consumers or patients seeking medical services.

Protected Health Information Restrictions: Visitors are expressly instructed not to submit protected health information (PHI), sensitive patient data, or any individually identifiable health information through website forms, scheduling tools, or general inquiries unless explicitly requested under a separate written agreement with appropriate HIPAA safeguards. Any confidential or compliance-sensitive data related to our consulting services is governed by separate contractual confidentiality obligations and business associate agreements, not by public website submissions.

This Policy applies to all personal information collected through our website, email communications, phone calls, and other interactions with our services. By accessing our website or using our services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy and our Terms of Service.

2. INFORMATION WE COLLECT

We collect several categories of personal information to provide our healthcare consulting services and maintain our business operations. The specific types of information we collect include:

Contact and Professional Information:

• Full name, job title, and professional credentials

• Business email address and phone numbers

• Company or organization name and address

• Professional licensing information where relevant to our services

• Business contact preferences and communication history

Inquiry and Service Information:

• Information submitted through contact forms or consultation requests

• Details about your organization’s consulting needs and objectives

• Service-related communications and correspondence

• Meeting notes and consultation records (stored separately under confidentiality agreements)

• Scheduling information and appointment preferences

Website Usage and Technical Information:

• Internet Protocol (IP) address and general geographic location

• Browser type, version, and operating system information

• Device identifiers and mobile device information

• Website pages visited, time spent on pages, and navigation patterns

• Referral sources and search terms used to find our website

• Date and time stamps of website visits and interactions

Cookies and Tracking Data:

• Essential cookies required for website functionality

• Analytics cookies to understand website performance and user behavior

• Marketing cookies for LinkedIn Insight Tag and similar tracking technologies

• Session identifiers and user preference settings

Business and Operational Information:

• Information about your organization’s size, structure, and service needs

• General business challenges and consulting objectives

• Industry-specific information relevant to our healthcare consulting services

• Publicly available business information obtained from professional networks

Communication Records:

• Email correspondence and attachments (excluding PHI)

• Phone call logs and voicemail messages

• Video conference recordings where explicitly consented

• Newsletter subscriptions and marketing communication preferences

We do not collect sensitive personal information such as Social Security numbers, financial account information, medical records, or protected health information through our website or general business communications. Any such information required for specific consulting engagements is handled under separate contractual agreements with appropriate security and confidentiality protections.

3. HOW WE USE YOUR INFORMATION

We use the personal information we collect for legitimate business purposes related to providing healthcare consulting services and maintaining our professional relationships. Our specific uses include:

Service Delivery and Client Relations:

• Responding to inquiries about our consulting services and capabilities

• Scheduling and conducting initial consultations and service discussions

• Providing customized healthcare consulting, compliance guidance, and advisory services

• Delivering revenue cycle management, pharmacy consulting, and 340B program optimization services

• Maintaining ongoing client relationships and service continuity

• Following up on service delivery and client satisfaction

Business Operations and Administration:

• Managing our client database and professional contact records

• Processing service agreements and maintaining contractual relationships

• Conducting internal business analytics to improve service delivery

• Maintaining accurate records for business continuity and quality assurance

• Complying with legal and regulatory requirements applicable to our business

• Protecting our legal rights and interests in business relationships

Website Functionality and Improvement:

• Ensuring proper website functionality and user experience optimization

• Analyzing website traffic patterns and user behavior to improve content and navigation

• Troubleshooting technical issues and maintaining website security

• Customizing website content based on user preferences and professional interests

• Monitoring website performance and implementing improvements

Marketing and Business Development:

• Sending professional newsletters and industry updates (with explicit consent)

• Sharing relevant healthcare industry insights and regulatory updates

• Promoting our consulting services to qualified healthcare organizations

• Participating in professional networking and industry events

• Developing new service offerings based on market needs and client feedback

Legal and Compliance Purposes:

• Complying with applicable federal and state privacy laws and regulations

• Responding to legal process, court orders, or government requests

• Protecting against fraud, security threats, and unauthorized access

• Enforcing our Terms of Service and other legal agreements

• Maintaining records required by professional licensing and business regulations

Data Analytics and Research:

• Conducting aggregated and anonymized research on healthcare industry trends

• Analyzing service delivery patterns to improve consulting methodologies

• Benchmarking performance metrics for quality improvement initiatives

• Developing industry insights and thought leadership content (using only aggregated, non-identifiable data)

We do not use personal information for automated decision-making that would significantly affect individuals, nor do we engage in profiling activities beyond basic business analytics for service improvement. All uses of personal information are limited to legitimate business purposes directly related to our healthcare consulting services and are conducted in accordance with applicable privacy laws and professional standards.

4. DATA SHARING AND THIRD-PARTY DISCLOSURES

We maintain strict controls over the sharing of personal information and do not sell, rent, or trade personal information to third parties for their marketing purposes. Our data sharing practices are limited to the following specific categories and circumstances:

Service Providers and Vendors:

We may share personal information with trusted third-party service providers who assist us in operating our business and delivering our services, including:

• Website Hosting and Technical Services: Cloud hosting providers, domain registrars, and technical support vendors who maintain our website infrastructure and ensure reliable service delivery

• Analytics and Performance Monitoring: Web analytics services, performance monitoring tools, and user experience platforms that help us understand and improve our website functionality

• Scheduling and Communication Platforms: We may use third-party scheduling, communication, and messaging platforms to facilitate consultations, respond to inquiries, and manage communications with users. These platforms may collect limited personal and professional information submitted voluntarily by users and are used solely for business operations and service delivery.

• Customer Relationship Management: We may use customer relationship management (CRM) systems and related client management tools to organize inquiries, manage client relationships, and support business operations. Personal information stored in these systems is used only for legitimate business purposes and is subject to appropriate security and confidentiality protections.

• Email and Marketing Services: We may use third-party email communication and marketing platforms to send informational messages, updates, and marketing communications to users who have opted to receive such communications. Users may opt out of marketing communications at any time by following unsubscribe instructions or contacting us directly.

All service providers are required to maintain equivalent data protection standards through written contractual agreements that include:

• Strict confidentiality obligations and data protection requirements

• Limitations on use of personal information to only the specific services provided

• Requirements to implement appropriate technical and organizational security measures

• Obligations to notify us of any data security incidents or breaches

• Prohibition on further sharing or selling of personal information

• Compliance with applicable privacy laws and regulations

Professional and Legal Obligations:

We may disclose personal information when required or permitted by law, including:

• Legal Process: In response to valid subpoenas, court orders, search warrants, or other legal process issued by courts or government agencies with proper jurisdiction

• Government Requests: To comply with lawful requests from government agencies, regulatory bodies, or law enforcement authorities

• Legal Protection: To protect our legal rights, property, or safety, or the rights, property, or safety of our clients, employees, or the public

• Regulatory Compliance: To meet reporting requirements or compliance obligations under healthcare regulations, professional licensing requirements, or business regulations

Business Transfers:

In the event of a merger, acquisition, sale of assets, bankruptcy, or other business transfer, personal information may be transferred to the acquiring entity, provided that:

• The acquiring entity agrees to honor the commitments made in this Privacy Policy

• Affected individuals are notified of the transfer and any changes to privacy practices

• The transfer complies with applicable privacy laws and regulations

Client-Authorized Disclosures:

We may share information when explicitly authorized by clients through:

• Written consent for specific business purposes

• Contractual agreements that specify information sharing requirements

• Professional collaboration arrangements with client-approved third parties

Aggregated and De-identified Information:

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify specific individuals for:

• Industry research and benchmarking studies

• Professional presentations and thought leadership content

• Healthcare industry trend analysis and reporting

No Sale of Personal Information:

We do not sell personal information to third parties for monetary consideration or other valuable consideration. We do not engage in data brokering activities or provide personal information to third parties for their independent marketing purposes.

All data sharing arrangements are governed by written agreements that ensure appropriate protection of personal information and compliance with applicable privacy laws, including the Minnesota Consumer Data Privacy Act and Federal Trade Commission consumer protection requirements.

5. COOKIES AND TRACKING TECHNOLOGIES

Our website uses cookies and similar tracking technologies to enhance user experience, analyze website performance, and support our business operations. We provide detailed information about these technologies to ensure transparency and enable informed choices about your privacy preferences.

Types of Cookies and Tracking Technologies:

Essential Cookies:

These cookies are necessary for basic website functionality and cannot be disabled without affecting core website operations:

• Session management cookies that maintain your connection during website visits

• Security cookies that protect against unauthorized access and fraudulent activity

• Load balancing cookies that ensure optimal website performance and reliability

• Preference cookies that remember your language and accessibility settings

Analytics Cookies:

We use analytics cookies to understand how visitors interact with our website and to improve user experience:

• Google Analytics: We may use web analytics services to collect information about how visitors interact with our website, including pages viewed, time spent on the site, and general usage patterns. These analytics tools help us improve website functionality and user experience. Data collected through analytics services is typically aggregated and anonymized where possible.

• Website Performance Monitoring: Tools that track page load times, error rates, and technical performance metrics

• User Behavior Analytics: Technologies that analyze navigation patterns, popular content, and user engagement metrics

• Conversion Tracking: Measurement tools that help us understand which content and features are most valuable to visitors

Marketing and Advertising Cookies:

We use limited marketing cookies for professional networking and business development purposes:

• LinkedIn Insight Tag: This tracking technology allows us to measure the effectiveness of our LinkedIn advertising campaigns and understand how professionals in the healthcare industry interact with our content

• Remarketing Pixels: We may use remarketing or advertising technologies provided by third-party platforms to deliver relevant advertisements and measure the effectiveness of marketing campaigns. These technologies may use cookies or similar tracking mechanisms to display ads based on prior visits to our website. Users can manage or disable advertising cookies through their browser or device settings.

Third-Party Cookies:

Our website may include cookies from third-party services that we use for business operations:

• Our website may include cookies and similar technologies from third-party service providers that support website functionality, analytics, marketing, scheduling, communication, or customer support features. The use of these cookies is governed by the privacy policies of the respective third-party providers.
  
  
  

• Social media plugins and sharing tools (if applicable)

• Customer support chat widgets (if applicable)

• Scheduling and appointment booking tools (if applicable)

• We reserve the right to update or modify the third-party tools, service providers, and technologies used in connection with our website and business operations from time to time. Any such changes will be reflected in updates to this Privacy Policy, where required by applicable law.

Cookie Management and Your Choices:

Browser Controls:

You can manage cookies through your web browser settings:

• Most browsers allow you to view, delete, and block cookies

• You can set your browser to notify you when cookies are being placed

• You can configure your browser to automatically reject certain types of cookies

• Browser help sections provide specific instructions for cookie management

Opt-Out Mechanisms:

For specific tracking technologies, you can opt out through:

• LinkedIn Insight Tag: Visit LinkedIn’s privacy settings to manage advertising preferences and opt out of interest-based advertising

• Google Analytics: Use the Google Analytics Opt-out Browser Add-on to prevent data collection

• Universal Opt-Out: We honor universal opt-out signals where technically feasible and legally required

Impact of Cookie Restrictions:

Disabling certain cookies may affect website functionality:

• Essential cookies cannot be disabled without impacting core website features

• Analytics cookies help us improve website performance and user experience

• Marketing cookies support our ability to reach relevant professional audiences

• Some interactive features may not function properly with cookies disabled

Cookie Retention Periods:

Different types of cookies have varying retention periods:

• Session cookies are automatically deleted when you close your browser

• Persistent cookies remain on your device for specified periods, typically ranging from 30 days to 2 years

• Analytics cookies are generally retained for 2 years to enable meaningful trend analysis

• Marketing cookies typically expire after 90 days to 1 year depending on the specific platform

Data Protection for Cookies:

All cookie data is subject to the same security and privacy protections as other personal information:

• Cookie data is transmitted using secure protocols where technically feasible

• We limit access to cookie data to authorized personnel with legitimate business needs

• Third-party cookie providers are required to maintain appropriate data protection standards

• We regularly review and update our cookie practices to ensure compliance with privacy laws

For questions about our cookie practices or to request assistance with cookie management, please contact us at hello@hccs.health.

6. DATA RETENTION AND DELETION

We maintain personal information only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, and protect our legitimate business interests. Our data retention practices are designed to balance operational needs with privacy protection and regulatory compliance requirements.

Specific Retention Periods:

Business Contact Information:

• Retention Period: 7 years from the date of last business contact or service engagement

• Rationale: This extended retention period supports ongoing professional relationships, enables follow-up on consulting services, and meets business record-keeping requirements for healthcare consulting firms

• Automatic Deletion: Contact information is automatically flagged for deletion after 7 years of inactivity, with final deletion occurring within 90 days of the retention deadline

Website Analytics Data:

• Retention Period: 2 years from the date of collection

• Rationale: This timeframe allows for meaningful trend analysis, seasonal pattern recognition, and website performance optimization while limiting long-term storage of behavioral data

• Automatic Deletion: Analytics data is automatically purged from our systems every 2 years, with aggregated and anonymized insights retained for business intelligence purposes

Inquiry and Communication Data:

• Retention Period: 3 years from the date of initial inquiry or last communication

• Rationale: This period accommodates the typical business development cycle for healthcare consulting services and allows for appropriate follow-up on potential service opportunities

• Automatic Deletion: Inquiry records are automatically reviewed and deleted 3 years after the last communication, unless the inquiry has resulted in an active business relationship

Service-Related Information:

• Retention Period: 7 years from completion of consulting services or termination of business relationship

• Rationale: Healthcare consulting services often involve regulatory compliance matters that may require extended record retention for audit purposes and professional liability protection

• Contractual Retention: Service-related information governed by specific client agreements may have different retention requirements as specified in those contracts

Legal and Compliance Records:

• Retention Period: As required by applicable law, typically 7-10 years depending on the specific legal or regulatory requirement

• Rationale: Certain business records must be retained to comply with federal and state regulations applicable to healthcare consulting firms

• Legal Hold: Information subject to litigation, government investigation, or regulatory inquiry is retained until the matter is resolved and any appeal periods have expired

Deletion Procedures and Safeguards:

Automated Deletion Systems:

• We maintain automated systems that identify personal information eligible for deletion based on predetermined retention schedules

• Automated deletion processes include multiple verification steps to prevent accidental deletion of information that should be retained

• All automated deletions are logged and monitored to ensure proper execution and compliance with retention policies

Manual Review Process:

• Before automated deletion occurs, designated personnel conduct manual reviews to identify any legal, regulatory, or business reasons to extend retention

• Manual reviews consider ongoing business relationships, pending legal matters, and regulatory compliance requirements

• Any decision to extend retention beyond standard periods is documented with specific justification and review dates

Secure Deletion Standards:

• Personal information is deleted using industry-standard secure deletion methods that prevent recovery of deleted data

• Physical media containing personal information is destroyed using certified destruction methods when equipment is retired or replaced

• Cloud-based data is deleted according to our service providers’ certified deletion procedures, with verification of complete removal

Backup and Archive Management:

• Personal information in backup systems is subject to the same retention and deletion requirements as primary data

• Backup systems are regularly purged to ensure deleted information does not persist in archived copies

• Long-term archives containing personal information are reviewed annually and purged according to retention schedules

Client-Requested Deletion:

• Individuals may request deletion of their personal information before the standard retention period expires, subject to legal and contractual limitations

• Deletion requests are processed within 30 days of verification, except where retention is required by law or legitimate business interests

• We provide confirmation of deletion completion to individuals who request it

Exceptions to Deletion:

Personal information may be retained beyond standard periods when:

• Required by federal or state law, regulation, or court order

• Necessary for ongoing legal proceedings or regulatory investigations

• Essential for protecting legal rights or defending against legal claims

• Needed to complete transactions or fulfill contractual obligations

• Required for legitimate business purposes such as fraud prevention or security incident investigation

For questions about our data retention practices or to request information about specific retention periods, please contact us at hello@hccs.health.

7. HIPAA AND PROTECTED HEALTH INFORMATION DISCLAIMERS

HIPAA Covered Entity Status:

HCCS Health is not a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) as defined in 45 CFR Parts 160 and 164. We do not provide medical care, treatment, or direct healthcare services to patients. Our role is limited to providing business consulting, advisory services, and operational support to healthcare organizations that are themselves covered entities or business associates under HIPAA.

Business Associate Relationships:

When we provide consulting services to HIPAA-covered entities that involve access to protected health information (PHI), we enter into appropriate business associate agreements that establish specific safeguards, use limitations, and security requirements for any PHI we may encounter during the course of our consulting services. These arrangements are governed by separate contractual agreements and are not covered by this general Privacy Policy.

Prohibition on PHI Submission Through Website:

DO NOT SUBMIT PROTECTED HEALTH INFORMATION THROUGH OUR WEBSITE. Visitors are expressly prohibited from submitting any protected health information, individually identifiable health information, or sensitive patient data through:

• Website contact forms or inquiry submissions

• Email communications to general business addresses

• Scheduling tools or appointment booking systems

• General business correspondence or phone calls

• Any other public-facing communication channels

Protected health information includes, but is not limited to:

• Patient names, addresses, phone numbers, or other identifying information

• Medical record numbers, account numbers, or other patient identifiers

• Diagnosis codes, treatment information, or medical history

• Insurance information or payment details related to patient care

• Any information that could be used to identify a specific patient or their health condition

Authorized PHI Handling:

If our consulting services require access to protected health information, such access will only occur:

• Under a separate, written business associate agreement that complies with HIPAA requirements

• Through secure, encrypted communication channels specifically designated for PHI transmission

• With explicit written authorization and specific instructions from the covered entity client

• In accordance with the minimum necessary standard and specific use limitations

• Subject to additional security safeguards and access controls beyond those described in this Privacy Policy

Inadvertent PHI Disclosure:

If protected health information is inadvertently submitted through our website or general communication channels:

• We will immediately notify the sender of the inappropriate submission

• The information will be securely deleted from our systems within 24 hours

• We will not use, disclose, or retain any inadvertently received PHI

• We will document the incident and provide notification to the covered entity if the PHI relates to their patients

• We may be required to report the incident as a potential breach under applicable law

Security Limitations for General Communications:

Our general website and email communications are not configured with the enhanced security safeguards required for PHI transmission under HIPAA. These channels use standard business-grade security measures that are appropriate for general business information but do not meet the heightened requirements for protected health information.

Client Responsibilities:

Healthcare organizations that engage our consulting services are responsible for:

• Ensuring that any PHI shared with us is authorized under their HIPAA compliance policies

• Executing appropriate business associate agreements before sharing any PHI

• Using only authorized, secure communication channels for PHI transmission

• Training their staff on proper procedures for sharing information with business associates

• Monitoring and auditing PHI disclosures to ensure compliance with HIPAA requirements

Compliance-Sensitive Information:

While we do not handle PHI through general website communications, we recognize that our consulting services often involve compliance-sensitive operational data related to:

• 340B Drug Program operations and compliance

• Revenue cycle management processes and metrics

• Regulatory compliance assessments and findings

• Pharmacy operations and inventory management

• Quality improvement initiatives and outcomes

Such compliance-sensitive business information is handled under separate confidentiality agreements with appropriate security measures, but these arrangements are distinct from HIPAA business associate requirements and do not involve protected health information.

Questions About HIPAA Compliance:

For questions about HIPAA compliance, business associate agreements, or appropriate procedures for sharing information in connection with our consulting services, please contact us at hello@hccs.health. We will work with your organization to establish appropriate safeguards and communication protocols that comply with HIPAA requirements and protect sensitive information.

8. YOUR PRIVACY RIGHTS

Under applicable privacy laws, including the Minnesota Consumer Data Privacy Act and Federal Trade Commission consumer protection regulations, you have specific rights regarding your personal information. We are committed to honoring these rights and providing accessible mechanisms for exercising them.

Right to Access:

You have the right to request access to the personal information we maintain about you, including:

• Confirmation of whether we process your personal information

• Categories of personal information we have collected about you

• Specific pieces of personal information in our possession

• Sources from which we collected your personal information

• Business purposes for collecting and using your personal information

• Categories of third parties with whom we share your personal information

• Length of time we intend to retain your personal information

Right to Correction:

You have the right to request correction of inaccurate personal information we maintain about you, including:

• Factual errors in contact information, professional details, or other personal data

• Outdated information that no longer accurately reflects your current circumstances

• Incomplete information that should be supplemented for accuracy

• We will make reasonable efforts to verify the accuracy of requested corrections before implementation

Right to Deletion:

You have the right to request deletion of your personal information, subject to certain limitations:

• We will delete personal information that is no longer necessary for the purposes for which it was collected

• Deletion requests will be honored unless retention is required by law or necessary for legitimate business purposes

• We may retain certain information for legal compliance, fraud prevention, or to complete transactions

• Deletion may not be possible if the information is necessary to protect our legal rights or defend against legal claims

Right to Opt-Out:

You have the right to opt out of certain uses and disclosures of your personal information:

• Marketing Communications: You may opt out of receiving promotional emails, newsletters, and marketing communications at any time

• Targeted Advertising: You may opt out of targeted advertising and profiling activities where applicable

• Data Sales: While we do not sell personal information, you have the right to opt out of any future sales should our practices change

• Universal Opt-Out Signals: We honor universal opt-out mechanisms where technically feasible and legally required

Right to Data Portability:

Upon request, we will provide your personal information in a portable, machine-readable format when:

• The information was provided by you to us

• We process the information based on your consent or for contract performance

• Processing is carried out by automated means

• The request does not adversely affect the rights and freedoms of others

How to Exercise Your Rights:

Submission Methods:

You may submit privacy rights requests through the following methods:

• Email: Send detailed requests to hello@hccs.health with “Privacy Rights Request” in the subject line

Required Information:

To process your request efficiently, please provide:

• Your full name and contact information

• Specific description of the right you wish to exercise

• Sufficient detail to locate your personal information in our systems

• Preferred method for receiving our response

• Any relevant dates, reference numbers, or other identifying information

Identity Verification Process:

To protect your privacy and prevent unauthorized access to your personal information, we require identity verification before processing rights requests:

• We may request government-issued identification or other verification documents

• For business contacts, we may verify your identity through your professional email address or business credentials

• Additional verification may be required for sensitive requests or when we have reason to doubt the requestor’s identity

• We will not process requests from unauthorized third parties without proper legal authorization

Response Timeframes:

We are committed to responding to privacy rights requests promptly:

• Initial Response: We will acknowledge receipt of your request within 5 business days

• Complete Response: We will provide a complete response within 30 days of receiving a verifiable request

• Extensions: In complex cases, we may extend our response time by an additional 30 days with advance notice and explanation

• Urgent Requests: We will prioritize requests involving potential security issues or legal compliance matters

No Discrimination:

We will not discriminate against you for exercising your privacy rights:

• We will not deny goods or services for exercising privacy rights

• We will not charge different prices or rates for exercising privacy rights

• We will not provide different levels or quality of services for exercising privacy rights

• We will not suggest that you may receive different treatment for exercising privacy rights

Limitations on Rights:

Certain limitations may apply to privacy rights requests:

• Legal Requirements: We may be unable to delete information required by law to be retained

• Legitimate Business Interests: We may retain information necessary for fraud prevention, security, or legal compliance

• Third-Party Rights: We may be unable to provide information that would compromise the privacy rights of others

• Technical Limitations: Some requests may be limited by technical constraints or system capabilities

Appeals Process:

If you are unsatisfied with our response to your privacy rights request:

• You may submit an appeal by contacting hello@hccs.health with “Privacy Rights Appeal” in the subject line

• We will review appeals within 30 days and provide a written response

• You may have additional rights to file complaints with relevant regulatory authorities

• We will provide information about external complaint mechanisms upon request

For questions about your privacy rights or assistance with submitting requests, please contact our privacy team at hello@hccs.health.

9. DATA SECURITY

We implement comprehensive administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, disclosure, alteration, and destruction. Our security measures are designed to provide reasonable protection appropriate to the sensitivity of the information we handle and the nature of our healthcare consulting business.

Administrative Safeguards:

Access Controls and Authorization:

• Personal information access is limited to authorized employees and contractors who have a legitimate business need to access such information

• All personnel with access to personal information undergo background checks and sign confidentiality agreements

• We maintain detailed access logs and regularly review access permissions to ensure they remain appropriate

• Access privileges are immediately revoked when employees or contractors no longer require access or terminate their relationship with our company

Security Policies and Procedures:

• We maintain comprehensive written information security policies that are regularly reviewed and updated

• All personnel receive mandatory security awareness training upon hire and annually thereafter

• We conduct regular security assessments and vulnerability testing to identify and address potential weaknesses

• Incident response procedures are in place to address security breaches and unauthorized access attempts

Vendor Management:

• All third-party service providers with access to personal information must demonstrate adequate security measures

• We require contractual commitments to data protection and security from all vendors and service providers

• Regular security assessments are conducted for critical vendors and service providers

• We maintain an approved vendor list and conduct due diligence before engaging new service providers

Technical Safeguards:

Encryption and Data Protection:

• Personal information is encrypted during transmission using industry-standard protocols (TLS 1.2 or higher)

• Sensitive personal information stored in our systems is encrypted using advanced encryption standards

• We use secure communication channels for all business communications involving personal information

• Database encryption and access controls protect stored personal information from unauthorized access

Network and System Security:

• Firewalls and intrusion detection systems protect our network infrastructure from unauthorized access

• Regular security updates and patches are applied to all systems and software

• Anti-malware and endpoint protection software is deployed across all devices with access to personal information

• Network segmentation isolates systems containing personal information from general business networks

Authentication and Access Management:

• Multi-factor authentication is required for access to systems containing personal information

• Strong password policies are enforced for all user accounts with access to personal information

• Regular password changes are required and password reuse is prohibited

• Automated account lockout procedures prevent unauthorized access attempts

Physical Safeguards:

Facility Security:

• Our offices are secured with controlled access systems and surveillance monitoring

• Personal information in physical form is stored in locked cabinets and secure areas

• Visitor access to areas containing personal information is restricted and monitored

• Clean desk policies ensure that personal information is not left unsecured

Device and Media Controls:

• All devices with access to personal information are encrypted and password-protected

• Secure disposal procedures are used for all media and devices that have contained personal information

• Mobile devices and laptops with access to personal information are subject to additional security controls

• Regular inventory and tracking of all devices with access to personal information

Data Backup and Recovery:

• Regular backups of personal information are performed and stored securely

• Backup systems are subject to the same security controls as primary systems

• Disaster recovery procedures ensure continuity of data protection in emergency situations

• Backup restoration procedures include verification of data integrity and security

Security Monitoring and Incident Response:

Continuous Monitoring:

• We maintain 24/7 monitoring of our systems for security threats and unauthorized access attempts

• Automated alerts notify security personnel of potential security incidents

• Regular security audits and penetration testing assess the effectiveness of our security measures

• Security logs are maintained and regularly reviewed for suspicious activity

Incident Response Procedures:

• Comprehensive incident response plans address various types of security incidents

• Designated incident response team members are trained and available to respond to security incidents

• All security incidents are documented, investigated, and reported as required by applicable law

• Post-incident reviews identify lessons learned and opportunities for security improvements

Breach Notification:

• We maintain procedures for assessing and responding to potential data breaches

• Affected individuals will be notified of security breaches as required by applicable law

• Regulatory authorities will be notified of breaches as required by applicable law

• We will cooperate with law enforcement and regulatory investigations of security incidents

Security Limitations and Disclaimers:

No Absolute Security Guarantee:

While we implement reasonable security measures designed to protect personal information, no security system is completely impenetrable. We cannot guarantee absolute security of personal information against all possible threats, including:

• Advanced persistent threats and sophisticated cyber attacks

• Insider threats and unauthorized access by personnel

• Natural disasters and other force majeure events

• Third-party security breaches affecting our service providers

Internet Transmission Risks:

Transmission of information over the internet and electronic storage systems involves inherent security risks:

• Email communications may be intercepted or accessed by unauthorized parties

• Wireless networks may be subject to eavesdropping and unauthorized access

• Public computers and networks may compromise the security of personal information

• Users are responsible for maintaining the security of their own devices and accounts

User Responsibilities:

Users can help protect their personal information by:

• Using strong, unique passwords for all accounts

• Keeping software and security systems up to date

• Being cautious about sharing personal information over unsecured channels

• Reporting suspected security incidents or unauthorized access immediately

For questions about our security practices or to report potential security incidents, please contact us immediately at hello@hccs.health.

10. CHILDREN’S PRIVACY

Our website and services are designed exclusively for business and professional use by healthcare organizations, industry stakeholders, and business professionals. We do not knowingly collect, use, or disclose personal information from individuals under the age of 18 years.

Age Restrictions and Service Limitations:

• Our healthcare consulting services are intended solely for business professionals, healthcare administrators, and organizational decision-makers who are 18 years of age or older

• Our website content, including industry insights, regulatory guidance, and service information, is designed for professional audiences with expertise in healthcare operations and management

• We do not offer services, products, or content that would be of interest to or appropriate for individuals under 18 years of age

• All business communications and professional relationships are conducted with adult professionals in healthcare organizations

No Knowing Collection from Minors:

We do not knowingly collect personal information from children under 18 through any of our business channels:

• Website contact forms and inquiry submissions are intended for business professionals only

• Professional consultations and service discussions are conducted exclusively with adult decision-makers

• Marketing communications and industry updates are directed to professional audiences

• Business networking and relationship-building activities involve only adult professionals

Inadvertent Collection Procedures:

In the unlikely event that we discover we have inadvertently collected personal information from an individual under 18 years of age:

• We will immediately cease any further collection, use, or disclosure of such information

• The information will be securely deleted from our systems within 24 hours of discovery

• We will not use the information for any business purposes or retain it in any form

• We will implement additional safeguards to prevent similar inadvertent collection in the future

Parental Rights and Notifications:

If a parent or guardian believes that their child under 18 has provided personal information to us:

• Please contact us immediately at hello@hccs.health with details about the potential collection

• We will investigate the matter promptly and provide a response within 24 hours

• If we confirm that we have collected information from a minor, we will delete it immediately and provide confirmation of deletion

• We will work with parents and guardians to ensure that no further collection occurs

Professional Context Verification:

Our business practices include verification measures to ensure we are communicating with appropriate professional contacts:

• We verify business email addresses and professional credentials when establishing new client relationships

• Professional consultations require identification of the healthcare organization and the individual’s role within that organization

• Service agreements and contracts are executed only with authorized adult representatives of healthcare organizations

• We maintain records of professional credentials and organizational affiliations for our business contacts

Educational and Training Content:

While our website may contain educational content about healthcare regulations, compliance requirements, and industry best practices:

• This content is designed for professional education and training purposes for adult healthcare professionals

• The content assumes professional knowledge and experience in healthcare operations and management

• We do not provide educational content intended for students under 18 or general consumer education

• Any educational materials are provided in the context of professional development for healthcare industry professionals

Third-Party Services and Links:

Our website may include links to third-party professional resources, industry publications, or business tools:

• We are not responsible for the privacy practices of third-party websites or services

• Users should review the privacy policies of any third-party sites they visit

• We do not endorse or control the content or privacy practices of linked websites

• Third-party services used in connection with our business are selected based on their professional focus and appropriate audience

Compliance with Children’s Privacy Laws:

Our practices are designed to comply with applicable children’s privacy laws and regulations:

• We do not engage in activities that would trigger requirements under the Children’s Online Privacy Protection Act (COPPA)

• Our business model and service offerings are inherently focused on adult professional audiences

• We maintain documentation of our age-appropriate service design and professional focus

• We regularly review our practices to ensure continued compliance with children’s privacy requirements

For questions about our children’s privacy practices or to report concerns about potential collection of information from minors, please contact us immediately at hello@hccs.health.

11. MARKETING COMMUNICATIONS

We maintain strict standards for marketing communications to ensure compliance with applicable privacy laws and professional communication standards. Our marketing practices are designed to provide valuable professional content while respecting individual privacy preferences and communication choices.

Types of Marketing Communications:

We may send marketing communications including:

• Professional newsletters featuring healthcare industry insights and regulatory updates

• Announcements about new consulting services or service enhancements

• Invitations to industry webinars, conferences, or professional development events

• Thought leadership content including white papers, case studies, and best practice guides

• Updates about healthcare compliance requirements and regulatory changes affecting our clients

• Information about 340B Drug Program developments, revenue cycle management trends, and pharmacy consulting insights

Explicit Consent Requirements:

We require explicit, affirmative consent before sending marketing communications:

• Separate Consent: Marketing communication consent is obtained separately from service-related communications and is not bundled with other consents

• Clear Disclosure: We clearly explain what types of marketing communications you will receive and how frequently they will be sent

• Opt-In Process: You must actively choose to receive marketing communications through a clear opt-in process

• Consent Documentation: We maintain records of when and how marketing consent was obtained

• Consent Verification: We may periodically verify continued interest in receiving marketing communications

Opt-Out Mechanisms and Unsubscribe Options:

Every marketing communication includes clear and accessible opt-out mechanisms:

• Unsubscribe Links: All marketing emails include prominent unsubscribe links that allow immediate removal from marketing lists

• Email Instructions: Clear instructions are provided for opting out of marketing communications via email

• Phone Opt-Out: You may call hello@hccs.health to request removal from marketing communications

• Written Requests: You may submit written opt-out requests to our business address

• Immediate Processing: Opt-out requests are processed within 48 hours of receipt

Distinction from Service Communications:

Marketing communications are clearly distinguished from essential service communications:

• Service Communications: Communications necessary for delivering consulting services, responding to inquiries, or fulfilling contractual obligations are not considered marketing and may continue even if you opt out of marketing

• Transactional Messages: Appointment confirmations, service updates, billing communications, and other transactional messages are separate from marketing communications

• Legal Notices: Privacy policy updates, terms of service changes, and other legal notices are not marketing communications

• Clear Identification: All communications clearly identify whether they are marketing or service-related

Professional Standards and Content Quality:

Our marketing communications adhere to professional standards appropriate for healthcare consulting:

• Educational Focus: Marketing content emphasizes educational value and professional insights rather than promotional messaging

• Regulatory Compliance: All marketing content complies with healthcare advertising regulations and professional standards

• Accuracy and Truthfulness: Marketing communications contain only accurate, truthful, and substantiated claims about our services

• Professional Tone: All communications maintain a professional tone appropriate for healthcare industry audiences

Frequency and Volume Controls:

We maintain reasonable limits on marketing communication frequency:

• Frequency Limits: Marketing communications are sent no more than weekly unless specifically requested

• Volume Controls: We monitor total communication volume to avoid overwhelming recipients

• Preference Management: Recipients may request reduced frequency or specific types of content

• Seasonal Adjustments: Communication frequency may be adjusted based on industry events and regulatory deadlines

Data Use for Marketing Purposes:

Personal information used for marketing communications is subject to strict limitations:

• Limited Use: Personal information is used only for the specific marketing purposes for which consent was obtained

• No Profiling: We do not engage in extensive profiling or behavioral targeting for marketing purposes

• Aggregated Analytics: We may use aggregated, anonymized data to improve marketing content and delivery

• Third-Party Restrictions: Personal information is not shared with third parties for their marketing purposes

Marketing Communication Security:

Marketing communications are subject to appropriate security measures:

• Secure Transmission: Marketing emails are transmitted using secure protocols and encryption where appropriate

• List Security: Marketing contact lists are protected with access controls and security measures

• Vendor Requirements: Third-party marketing service providers must maintain appropriate security standards

• Data Minimization: Only necessary personal information is used for marketing communications

Compliance with Anti-Spam Laws:

Our marketing practices comply with applicable anti-spam and electronic communication laws:

• Email Marketing Compliance: All marketing emails include accurate sender identification and provide clear, functional mechanisms for recipients to opt-out of future communications

• State Law Compliance: Marketing practices comply with applicable state laws regarding electronic communications

• Professional Standards: Marketing communications adhere to professional association guidelines for healthcare industry communications

Record Keeping and Consent Management:

We maintain comprehensive records of marketing communication consents and preferences:

• Consent Records: Documentation of when, how, and what consent was obtained for marketing communications

• Preference Tracking: Records of individual communication preferences and opt-out requests

• Audit Trail: Complete audit trail of all marketing communication activities and consent management

• Regular Review: Periodic review of consent records to ensure accuracy and compliance

For questions about marketing communications, to update your preferences, or to opt out of marketing communications, please contact us at hello@hccs.health.

12. POLICY UPDATES AND CHANGES

We reserve the right to modify this Privacy Policy to reflect changes in our business practices, legal requirements, or industry standards. Our policy update procedures are designed to ensure transparency and provide appropriate notice of material changes that may affect your privacy rights.

Types of Policy Changes:

Material Changes:

Material changes that significantly affect how we collect, use, or disclose personal information include:

• Expansion of personal information collection to new categories of data

• New uses of personal information beyond the original collection purposes

• Sharing personal information with new categories of third parties

• Changes to data retention periods that extend how long we keep personal information

• Modifications to your privacy rights or how you can exercise those rights

• Changes to our legal basis for processing personal information

Non-Material Changes:

Non-material changes that do not significantly affect privacy practices include:

• Clarifications of existing practices without substantive changes

• Updates to contact information or administrative details

• Corrections of typographical errors or formatting improvements

• Addition of examples or explanatory language that does not change underlying practices

• Updates to reflect changes in applicable law that do not alter our practices

Notification Procedures:

Website Posting:

All policy updates will be posted on our website with clear indication of changes:

• Effective Date: Each updated policy will include a clear effective date

• Change Summary: A summary of material changes will be provided at the beginning of the updated policy

• Version Control: We maintain version control to track policy changes over time

• Archive Access: Previous versions of the policy may be available upon request

Email Notification for Material Changes:

For material changes that significantly affect privacy practices:

• Active Client Notification: We will send email notifications to active clients and business contacts about material changes

• Advance Notice: Email notifications will be sent at least 30 days before material changes take effect

• Change Description: Email notifications will clearly describe the nature and impact of the changes

• Action Required: If any action is required from individuals, this will be clearly explained in the notification

Notification Timeline:

• Immediate Posting: Updated policies are posted on our website immediately upon finalization

• Email Notification: Material change notifications are sent within 5 business days of policy posting

• Effective Date: Material changes typically take effect 30 days after notification to allow for review and response

• Emergency Changes: Changes required by law or for security purposes may take effect immediately with prompt notification

Continued Use and Consent:

Implied Consent:

Continued use of our website and services after the effective date of policy changes constitutes acceptance of the updated policy, except where explicit consent is required by law.

Explicit Consent Requirements:

For certain material changes, we may require explicit consent:

• New Data Uses: Significant new uses of personal information may require explicit consent

• Expanded Sharing: New categories of third-party sharing may require explicit consent

• Legal Requirements: Changes required by new privacy laws may require explicit consent

• Opt-In Requirements: Some changes may require individuals to actively opt in to continue receiving certain services

Right to Object:

Individuals have the right to object to material policy changes:

• Opt-Out Options: You may opt out of new data uses or sharing practices

• Service Limitations: Opting out of certain changes may limit our ability to provide some services

• Account Closure: You may request closure of your account and deletion of personal information if you object to material changes

• Grandfathering: In some cases, we may grandfather existing users under previous policy terms

Change Documentation and Records:

Version History:

We maintain comprehensive records of policy changes:

• Change Log: Detailed log of all policy modifications with dates and descriptions

• Rationale Documentation: Records of the business or legal reasons for policy changes

• Approval Process: Documentation of internal approval processes for policy changes

• Legal Review: Records of legal review and compliance verification for policy changes

Notification Records:

We maintain records of all policy change notifications:

• Email Delivery: Records of email notifications sent and delivery confirmation

• Website Posting: Documentation of when and how policy changes were posted

• Response Tracking: Records of individual responses to policy change notifications

• Compliance Verification: Documentation of compliance with notification requirements

Legal Compliance:

Policy changes are designed to maintain compliance with applicable privacy laws:

• Regulatory Review: All material changes are reviewed for compliance with applicable privacy laws

• Legal Consultation: We consult with legal counsel for significant policy changes

• Regulatory Notification: We provide required notifications to regulatory authorities when applicable

• Industry Standards: Policy changes consider industry best practices and professional standards

Emergency Policy Changes:

In rare circumstances, emergency policy changes may be necessary:

• Security Incidents: Changes required to address security vulnerabilities or data breaches

• Legal Requirements: Immediate changes required by court orders or regulatory directives

• Business Continuity: Changes necessary to maintain essential business operations

• Immediate Notification: Emergency changes will be communicated as quickly as possible through all available channels

For questions about policy changes or to request information about previous policy versions, please contact us at hello@hccs.health.

13. CONTACT INFORMATION FOR PRIVACY MATTERS

We are committed to addressing your privacy questions, concerns, and requests promptly and professionally. Our privacy contact procedures are designed to ensure accessible communication and timely resolution of privacy-related matters.

Primary Privacy Contact:

Email Contact:

• Primary Email: hello@hccs.health

• Subject Line: Please include “Privacy Request” or “Privacy Inquiry” in the subject line for faster processing

• Response Time: We respond to privacy emails within 2 business days for general inquiries and within 24 hours for urgent privacy matters

• Secure Communication: For sensitive privacy matters, we can arrange secure communication channels upon request

Privacy Contact Responsibilities:

Designated Privacy Officer:

William Mayhood, JD

Privacy Team Functions:

Our privacy contact team is responsible for:

• Responding to privacy rights requests and inquiries

• Processing requests for access, correction, deletion, and opt-out

• Investigating privacy complaints and concerns

• Coordinating with legal counsel on complex privacy matters

• Maintaining privacy compliance documentation and records

• Providing privacy guidance to internal staff and management

Types of Privacy Inquiries We Handle:

Privacy Rights Requests:

• Requests to access personal information we maintain about you

• Requests to correct inaccurate or incomplete personal information

• Requests to delete personal information subject to legal limitations

• Requests to opt out of marketing communications or data sharing

• Requests for data portability and information transfer

Privacy Questions and Concerns:

• Questions about our privacy practices and data handling procedures

• Concerns about potential privacy violations or unauthorized access

• Requests for clarification about privacy policy terms and procedures

• Questions about HIPAA compliance and business associate relationships

• Inquiries about data security measures and protection safeguards

Complaint Resolution:

• Formal privacy complaints about our data handling practices

• Concerns about potential data breaches or security incidents

• Disputes about privacy rights or policy interpretation

• Escalation of unresolved privacy matters

• Coordination with regulatory authorities when required

Response Procedures and Timeframes:

Initial Response:

• Acknowledgment: We acknowledge receipt of all privacy inquiries within 2 business days

• Case Number: Each inquiry receives a unique case number for tracking and follow-up

• Expected Timeline: We provide an estimated timeline for complete response based on the complexity of the inquiry

• Additional Information: We may request additional information or clarification to process your inquiry effectively

Complete Response:

• Standard Timeframe: Complete responses are provided within 30 days for most privacy requests

• Complex Matters: Complex inquiries may require up to 45 days with advance notice and explanation

• Urgent Requests: Security-related or time-sensitive matters receive priority processing

• Status Updates: We provide status updates for inquiries that require extended processing time

Identity Verification:

To protect your privacy and prevent unauthorized access to personal information:

• Verification Required: We require identity verification before processing privacy rights requests

• Acceptable Documentation: Government-issued ID, professional credentials, or business email verification

• Additional Verification: Complex requests may require additional verification measures

• Third-Party Requests: We do not process requests from unauthorized third parties without proper legal authorization

Escalation Procedures:

Internal Escalation:

If you are not satisfied with our initial response to your privacy inquiry:

• Escalation Request: Contact hello@hccs.health with “Privacy Escalation” in the subject line

• Management Review: Escalated matters are reviewed by senior management within 10 business days

• Legal Consultation: Complex legal matters may be referred to legal counsel for review

• Final Response: Escalated matters receive a final written response within 30 days

External Complaint Options:

You may also file complaints with relevant regulatory authorities:

• State Authorities: Minnesota Attorney General’s Office for state privacy law violations

• Federal Authorities: Federal Trade Commission for federal consumer protection violations

• Industry Regulators: Relevant professional licensing boards for industry-specific concerns

• Legal Counsel: You may consult with private legal counsel regarding privacy matters

Special Procedures for Sensitive Matters:

Security Incidents:

For suspected security breaches or unauthorized access:

• Immediate Reporting: Contact hello@hccs.health immediately with “Security Incident” in the subject line

• Urgent Response: Security incidents receive immediate attention and response within 4 hours

• Investigation: We conduct thorough investigations of all reported security incidents

• Follow-Up: Complete incident reports and remediation plans are provided within 72 hours

HIPAA-Related Inquiries:

For questions about HIPAA compliance and business associate relationships:

• Specialized Handling: HIPAA inquiries are handled by personnel with specific HIPAA training and expertise

• Legal Review: HIPAA matters may require legal review and consultation

• Compliance Documentation: We provide detailed documentation of HIPAA compliance measures when requested

• Business Associate Agreements: Questions about business associate relationships are handled through separate contractual channels

Accessibility and Language Support:

We strive to make privacy communications accessible to all individuals:

• Alternative Formats: Privacy information can be provided in alternative formats upon request

• Language Support: Privacy-related communications are provided in English.

• Disability Accommodations: We provide reasonable accommodations for individuals with disabilities

• Communication Preferences: We accommodate preferences for specific communication methods when possible

For all privacy-related matters, please contact us at hello@hccs.health. We are committed to protecting your privacy and addressing your concerns promptly and professionally.

14. EFFECTIVE DATE AND LEGAL COMPLIANCE

Effective Date:

This Privacy Policy is effective as of January 2026 and applies to all personal information collected, used, and disclosed by HCCS Health from this date forward. This Policy supersedes any previous privacy policies or privacy statements that may have been in effect prior to this date.

Legal Framework and Compliance:

This Privacy Policy is designed to comply with applicable federal and state privacy laws and regulations, including:

Federal Compliance:

• Federal Trade Commission Act, 15 U.S.C. §45: Our privacy practices comply with FTC consumer protection requirements, including prohibitions on deceptive practices and requirements for clear and conspicuous privacy disclosures

• Health Insurance Portability and Accountability Act (HIPAA), 45 CFR Parts 160 and 164: While we are not a covered entity, our business associate relationships and PHI handling procedures comply with applicable HIPAA requirements

• FTC Health Breach Notification Rule, 16 CFR Part 318: Our data security and breach notification procedures comply with applicable FTC requirements for personal health records

Minnesota State Compliance:

• Minnesota Consumer Data Privacy Act (MCDPA): Our privacy practices comply with Minnesota state privacy law requirements, including consumer rights, data protection standards, and disclosure requirements

• Minnesota Health Records Act, Minn. Stat. § 144.291 et seq.: Our handling of health-related business information complies with applicable Minnesota health information protection requirements

• Minnesota Data Breach Notification Law, Minn. Stat. § 325E.61: Our data breach response and notification procedures comply with Minnesota breach notification requirements

Regulatory Oversight:

This Privacy Policy and our privacy practices are subject to oversight by:

• Federal Trade Commission for consumer protection and privacy enforcement

• Minnesota Attorney General’s Office for state privacy law compliance

• Relevant professional licensing boards for healthcare consulting industry standards

• Other applicable regulatory authorities as determined by law

Policy Interpretation and Enforcement:

• Governing Law: This Privacy Policy is governed by the laws of the State of Minnesota and applicable federal law

• Jurisdiction: Any disputes arising under this Privacy Policy are subject to the jurisdiction of Minnesota state and federal courts

• Severability: If any provision of this Privacy Policy is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect

• Entire Agreement: This Privacy Policy, together with our Terms of Service, constitutes the complete agreement regarding our privacy practices

Professional Standards:

Our privacy practices also adhere to applicable professional standards and industry best practices for healthcare consulting firms, including:

• Professional association guidelines for healthcare consulting services

• Industry standards for data protection and confidentiality

• Best practices for business associate relationships and HIPAA compliance

• Professional ethics requirements for healthcare consulting professionals

Compliance Monitoring and Updates:

We regularly monitor our compliance with applicable privacy laws and regulations:

• Legal Updates: We track changes in privacy laws and regulations that may affect our practices

• Compliance Reviews: Regular internal reviews ensure ongoing compliance with privacy requirements

• Legal Consultation: We consult with legal counsel on privacy matters and policy updates

• Industry Standards: We monitor industry best practices and professional standards for privacy protection

Contact for Legal and Compliance Matters:

For questions about legal compliance, regulatory requirements, or the legal framework governing this Privacy Policy, please contact us at hello@hccs.health with “Legal Compliance” in the subject line.

Document Control:

• Version: This is Version 1.0 of the HCCS Health Privacy Policy

• Approval: This Policy has been reviewed and approved by HCCS Health management and legal counsel

• Review Schedule: This Policy is subject to annual review and update as necessary to maintain compliance with applicable law

• Distribution: This Policy is publicly available on our website and provided to clients and business partners as appropriate

This Privacy Policy represents our commitment to protecting personal information and maintaining compliance with applicable privacy laws and professional standards. We will continue to monitor legal developments and industry best practices to ensure that our privacy practices remain current and effective.