LumaChart

Privacy Policy

Effective Date: February 20, 2026  ·  Last Updated: February 20, 2026

1. Introduction

This Privacy Policy ("Policy") describes how LumaChart ("we," "us," or "our") collects, uses, discloses, and safeguards information when you use our electronic medical records platform, patient portals, scheduling tools, text messaging services, and related products and services (collectively, the "Services"). LumaChart provides cloud-based clinical software designed for personal injury medical practices.

By accessing or using the Services, you acknowledge that you have read, understood, and agree to the practices described in this Policy. If you do not agree with this Policy, please do not use the Services.

We may update this Policy from time to time. Material changes will be communicated through the Services or by other appropriate means. Your continued use of the Services after changes are posted constitutes acceptance of those changes.

2. Information We Collect

2.1 Personal Information

"Personal Information" means information that identifies, relates to, or could reasonably be linked to an identifiable individual. This includes but is not limited to:

  • Name, email address, phone number, and mailing address
  • Login credentials and account information
  • Professional credentials and license information (for clinical users)
  • Payment and billing information
  • Communications you send to us or through our Services

2.2 Protected Health Information (PHI)

"Protected Health Information" or "PHI" is individually identifiable health information protected by the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"). PHI we process on behalf of healthcare providers includes:

  • Patient demographics, medical history, and clinical records
  • Encounter notes, diagnoses, and treatment plans
  • Insurance and claims information
  • Imaging and diagnostic reports
  • Referral and case management information

Our use of PHI is governed by HIPAA, our Business Associate Agreements with covered entities, and applicable state laws — not by this Policy. Please refer to your healthcare provider's Notice of Privacy Practices for information about how your PHI is used and disclosed.

2.3 Usage Data

We automatically collect technical information when you access the Services, including IP address, browser type and version, operating system, device identifiers, pages viewed, access times, and referring URLs. This information helps us maintain security, improve performance, and analyze usage patterns.

3. How We Collect Information

  • Directly from you: When you create an account, submit forms, schedule appointments, communicate with us, or otherwise provide information through the Services.
  • From healthcare providers: When providers use our platform to manage patient records, create encounters, or process billing on your behalf.
  • Automatically: Through server logs, session cookies, and similar technologies necessary for the operation and security of the Services.
  • From third parties: From integrated services such as clearinghouses, insurance payors, or other authorized data sources connected to the Services.

4. How We Use Information

We use the information we collect to:

  • Provide, operate, and maintain the Services
  • Process and manage patient encounters, billing, and claims
  • Authenticate users and maintain account security
  • Send appointment reminders, scheduling notifications, and clinical communications
  • Send text messages, emails, and other communications you or your provider have consented to receive (see Section 8)
  • Process payments, generate invoices, and manage billing
  • Generate audit logs as required by HIPAA and other regulations
  • Comply with legal obligations, respond to lawful requests, and enforce our agreements
  • Improve and develop new features for the Services
  • Detect, prevent, and address fraud, abuse, or security incidents

5. HIPAA Compliance & Business Associate Obligations

LumaChart acts as a "Business Associate" under HIPAA when processing PHI on behalf of healthcare provider customers ("Covered Entities"). Our obligations with respect to PHI are governed by:

  • The HIPAA Privacy Rule, Security Rule, and Breach Notification Rule
  • Business Associate Agreements executed with each Covered Entity
  • Applicable state health information privacy laws

We implement administrative, physical, and technical safeguards to protect PHI in accordance with the HIPAA Security Rule, including access controls, encryption, audit logging, and workforce training.

If you are a patient and wish to exercise your rights regarding your PHI (access, amendment, restriction, or accounting of disclosures), please contact your healthcare provider directly. We will assist providers in responding to such requests as required by HIPAA.

6. Disclosure of Information

We may disclose information in the following circumstances:

  • To healthcare providers: PHI is disclosed to and used by the Covered Entity providers who use our platform to deliver care.
  • To service providers: We may share information with trusted third-party vendors who assist us in operating the Services (e.g., hosting, payment processing, SMS delivery), subject to contractual obligations to protect that information.
  • To legal representatives: Case information may be shared with authorized attorneys through the attorney portal, as directed by the healthcare provider and in accordance with applicable law and patient authorization.
  • For legal compliance: We may disclose information as required by law, regulation, court order, or governmental request.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, information may be transferred as part of that transaction, subject to applicable privacy obligations.

6.1 We Do Not Sell Personal Information

LumaChart does not sell, rent, or trade your Personal Information or PHI to third parties for their marketing purposes.

7. Cookies & Tracking Technologies

The Services use only essential cookies required for authentication, session management, and security (e.g., CSRF tokens, session identifiers). We do not deploy third-party advertising or analytics cookies. We do not engage in cross-site tracking or behavioral advertising.

8. Text Messaging & Electronic Communications

8.1 Consent

LumaChart may enable healthcare providers to send text messages (SMS/MMS), emails, and other electronic communications to patients for purposes such as appointment reminders, scheduling confirmations, intake form requests, billing notifications, and other healthcare-related communications. These communications are initiated by or on behalf of the healthcare provider.

By providing your mobile phone number and consenting to receive text messages from your healthcare provider through LumaChart, you agree to receive such communications. Consent to receive text messages is not a condition of receiving care or purchasing any services.

Opt-in consent is collected through documented clinic workflows. This may include in-clinic registration or intake forms (including tablet/kiosk workflows), digital intake forms sent by the clinic, signed consent packet forms authorizing text communication, and patient-initiated SMS notification enablement in portal/account settings. Clinics are responsible for retaining consent records, honoring STOP requests, and updating communication preferences when requested.

8.2 Message Frequency & Charges

Message frequency varies based on your interactions with your healthcare provider (e.g., appointment scheduling, reminders). Standard message and data rates may apply depending on your mobile carrier plan. LumaChart and your healthcare provider are not responsible for any charges incurred from your mobile carrier.

8.3 Opt-Out

You may opt out of receiving text messages at any time by replying STOP to any message you receive. After opting out, you will receive a confirmation message and no further text messages will be sent unless you re-consent. You may also contact your healthcare provider directly to update your communication preferences.

8.4 Help

For help with text messaging, reply HELP to any message or contact your healthcare provider.

8.5 No Sharing of Opt-In Data

Text messaging opt-in data and consent information will not be shared with or sold to third parties or affiliates for their marketing purposes.

8.6 Message Content

Text messages sent through LumaChart are limited to healthcare operations and administrative purposes on behalf of the healthcare provider. Messages may include appointment reminders, scheduling confirmations, intake form links, consent requests, balance notifications, and other communications related to your care. Marketing messages will not be sent without separate, express consent.

9. Data Security

We implement reasonable and appropriate security measures to protect information from unauthorized access, use, disclosure, alteration, and destruction, including:

  • Encryption of data in transit (TLS) and at rest
  • Role-based access controls and multi-tenant data isolation
  • Comprehensive audit logging of all PHI access and modifications
  • Session management controls and automatic timeout
  • Regular security assessments and vulnerability management

While we strive to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

10. Data Retention

We retain information for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. PHI is retained in accordance with HIPAA requirements and the applicable healthcare provider's record retention policies. When information is no longer needed, it is securely deleted or de-identified.

11. Your Rights

11.1 Patient Rights Under HIPAA

If you are a patient, you may have rights under HIPAA to access, amend, restrict, or obtain an accounting of disclosures of your PHI. These requests should be directed to your healthcare provider. LumaChart will support providers in fulfilling these requests.

11.2 State Privacy Rights

Residents of certain states (including California, Virginia, Colorado, Connecticut, and others) may have additional rights regarding their personal information, including the right to know, access, correct, delete, and opt out of certain processing activities. To exercise these rights, please contact us using the information in Section 14. We will process requests in accordance with applicable state law.

11.3 Account Users

Registered users of the Services (clinical staff, administrators, attorney portal users) may access and update their account information through the platform. For account deletion requests, please contact your organization's administrator or reach out to us directly.

12. Children's Privacy

The Services are not directed to individuals under the age of 18. We do not knowingly collect Personal Information from children under 18 through our marketing or public-facing pages. Minor patient PHI processed through the clinical platform is handled in accordance with HIPAA and applicable state law as directed by the healthcare provider.

13. Third-Party Services

The Services may integrate with or contain links to third-party services (e.g., payment processors, communication providers, clearinghouses). These third parties have their own privacy policies, and we are not responsible for their practices. We encourage you to review the privacy policies of any third-party services you interact with.

14. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

LumaChart Privacy Office

Email: privacy@lumachart.io

If you are a patient with questions about your health information, please contact your healthcare provider directly.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. We will post the updated Policy on this page with a revised "Last Updated" date. Material changes may be communicated through additional notice, such as a prominent notification within the Services. Your continued use of the Services after changes are posted constitutes your acceptance of the revised Policy.