VMACare Privacy Policy

VMACare (“VMACare,” “we,” “our,” or “us”) provides virtual medical assistant and related administrative support services to healthcare organizations and professionals in the United States. We understand the importance of protecting privacy and safeguarding information, particularly protected health information (PHI) and other sensitive data handled in connection with our services.

This Privacy Policy explains how we collect, use, disclose, and protect information when:

  • You visit or use our websites, portals, or online platforms (collectively, the “Sites”);
  • You communicate with us about our virtual medical assistant services; and
  • We provide services to healthcare providers, health plans, and other clients (collectively, “Clients”) and their patients or members.

This Privacy Policy is intended to align with applicable U.S. federal and state privacy and security laws, including the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”), as they may be amended from time to time. In situations where HIPAA applies, any conflict between this Privacy Policy and HIPAA is resolved in favor of the relevant HIPAA requirements.

Scope and Relationship to HIPAA

VMACare primarily acts as a “Business Associate” under HIPAA, providing services to “Covered Entities” (such as physicians, group practices, clinics, and health systems) and, in some cases, other Business Associates.

When we handle PHI on behalf of a Client, our use and disclosure of PHI is governed by:

  • HIPAA and its implementing regulations; and
  • Our Business Associate Agreement (BAA) with that Client.

This Privacy Policy describes our general privacy practices, but does not replace any Notice of Privacy Practices issued by a healthcare provider or health plan. Patients should refer to their provider’s or plan’s Notice of Privacy Practices for a full explanation of how that entity uses and discloses their PHI.

Information We Collect

The information we collect depends on who you are and how you interact with VMACare.

Information from Website Visitors and Prospective Clients

  • Contact Information: name, job title, organization, email address, phone number.
  • Business Information: practice name, specialty, location, approximate patient volume, and other information you choose to provide during inquiries or demos.
  • Usage Data: IP address, browser type, device identifiers, pages viewed, time spent on pages, and referring URLs collected via cookies and similar technologies.
  • Communication Data: content of emails, contact form submissions, and other communications you send to us.

Information from Clients and Their Workforce

If your organization becomes a Client, we may collect:

  • Account and Profile Data: administrator names, user names, work email addresses, roles, and authorization settings.
  • Service-Related Information: details necessary to configure and deliver virtual medical assistant services (e.g., office hours, provider schedules, communication preferences, workflows, and protocols).

Information We Process on Behalf of Clients (PHI and Related Data)

In providing our services, our virtual medical assistants may access, receive, or process information that includes:

  • Protected Health Information (PHI) as defined by HIPAA, such as patient names, contact details, dates of birth, insurance information, appointment histories, account numbers, and other data used for scheduling, documentation support, billing-related tasks, telehealth coordination, and other administrative services.
  • Clinical and Administrative Documentation Support: information entered into EHR/EMR systems at the direction of the Client, including encounter notes, histories, orders, referrals, and other records, as permitted by the Client’s policies and our BAA.

VMACare does not control which specific PHI a Client chooses to share with us or make available via its systems. PHI is used and disclosed only as permitted by the applicable BAA and in accordance with HIPAA.

How We Collect Information

We collect information in three primary ways:

Directly from You

When you complete contact forms, request a consultation, subscribe to communications, or interact with us by phone, email, or web conference.

Automatically Through Our Sites

Using cookies, web beacons, log files, and similar technologies to collect usage information about how visitors interact with our Sites.

From Our Clients and Their Systems

When Clients grant us secure access to their EHR/EMR, practice management systems, communication platforms, or other tools needed for our virtual medical assistant services. When Clients transmit PHI or other data to us via secure channels, as permitted by the BAA.

How We Use Information

We may use personal information (other than PHI) to:

  • Provide, operate, and improve our virtual medical assistant services and related offerings;
  • Respond to inquiries, schedule demos, and manage Client relationships;
  • Configure and customize services according to Client needs;
  • Monitor service performance, quality, and security;
  • Conduct analytics regarding our Sites and marketing efforts;
  • Comply with applicable laws, regulations, and legal obligations;
  • Enforce our agreements and protect our rights, security, and property.

Use of PHI on Behalf of Clients

When we handle PHI as a Business Associate, we use and disclose PHI only to:

  • Perform services for the Client as described in our service agreement and BAA (e.g., scheduling, patient communication, documentation support, certain billing-related functions, telehealth coordination, and other administrative tasks);
  • Support quality assurance, training, and auditing of our staff, subject to HIPAA’s minimum necessary standard;
  • Fulfill our legal obligations under HIPAA and other applicable laws;
  • Cooperate with the Client in responding to audits, investigations, or legal proceedings, as permitted by HIPAA and the BAA;
  • De-identify PHI in accordance with HIPAA de-identification standards, if authorized by the Client and applicable law.

We do not use PHI for marketing to patients or for any other purpose prohibited by HIPAA or the BAA.

How We Disclose Information

Disclosures to Clients

  • We disclose PHI and other information to the Client as necessary to provide services and support the Client’s operations, as permitted by our BAA and the Client’s instructions.

Disclosures to Service Providers and Subcontractors

We may share personal information, including PHI where appropriate, with carefully selected service providers and subcontractors who assist us in delivering our services (e.g., secure hosting, communication tools, quality assurance).

When such providers handle PHI on our behalf, they are treated as Subcontractor Business Associates under HIPAA and are required to:

  • Sign written agreements with privacy and security obligations at least as stringent as those in our BAAs;
  • Implement appropriate safeguards to protect PHI and other personal information.

Legal and Regulatory Disclosures

We may disclose information, including PHI where permitted or required by law:

  • To comply with applicable laws, regulations, court orders, or lawful requests from government authorities;
  • To respond to subpoenas, warrants, or other legal processes, in coordination with the Client when required;
  • To protect the rights, property, or safety of VMACare, our Clients, or others, consistent with applicable law.

Business Transfers

If VMACare is involved in a merger, acquisition, financing, reorganization, or sale of assets, information (including PHI handled as a Business Associate) may be transferred as permitted by law and subject to applicable contractual and HIPAA obligations.

We do not sell PHI or personal information for monetary consideration.

Data Security

We employ administrative, technical, and physical safeguards designed to protect PHI and other personal information from unauthorized access, use, or disclosure. These safeguards may include:

  • Role-based access controls and least-privilege principles;
  • Secure authentication and session management;
  • Encryption of data in transit and at rest where appropriate;
  • Network and system monitoring, logging, and access audits;
  • Workforce training on privacy, security, and HIPAA compliance;
  • Policies and procedures addressing incident response and breach notification.

No system can be guaranteed 100% secure. However, VMACare is committed to continuously evaluating and enhancing its safeguards in line with applicable legal, regulatory, and industry standards.

Data Retention

We retain information:

  • For as long as necessary to provide services to our Clients;
  • As required by applicable law, regulation, and contractual obligations; and
  • For the period necessary to protect our legitimate business interests (such as recordkeeping, dispute resolution, and compliance).

Retention periods for PHI are typically governed by our agreements with Clients and relevant laws. When information is no longer required, we dispose of it securely and in accordance with our data retention and destruction policies.

Patient Rights Regarding PHI

Under HIPAA, individuals generally have certain rights regarding their PHI, such as:

  • The right to request access to their PHI;
  • The right to request amendments to their PHI;
  • The right to request restrictions on certain uses and disclosures;
  • The right to request an accounting of certain disclosures.

Because VMACare acts as a Business Associate, we typically do not respond directly to patient requests regarding PHI. Instead:

  • Patients should contact their healthcare provider or health plan (the Covered Entity) directly to exercise their HIPAA rights.
  • We support our Clients in responding to such requests in accordance with the BAA and applicable law.

Your Choices and Rights for Non‑PHI Personal Information

For information collected from website visitors and prospective Clients that is not PHI, you may:

  • Request to update or correct certain information you have provided to us;
  • Opt out of non-essential marketing communications by using the unsubscribe link in an email or contacting us directly.

Depending on your state of residence, you may have additional rights under state privacy laws (e.g., certain rights for California residents). If you believe such laws apply to you and wish to exercise any rights, you may contact us using the information in the Contact Us section below. We will review and respond in accordance with applicable law.

Cookies and Online Tracking

We may use cookies, pixels, and similar technologies to:

  • Analyze traffic and usage patterns on our Sites;
  • Improve functionality and user experience;
  • Support basic marketing and outreach activities to healthcare organizations.

You can typically manage cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of our Sites.

We do not use cookies or tracking technologies to access PHI stored in Client systems.

International Access and Data Transfers

Although VMACare’s services are focused on Clients in the United States, our workforce, infrastructure, or service providers may be located within or outside the United States.

When personal information or PHI is accessed or processed from outside the United States:

  • We require the same or stronger privacy and security safeguards as apply within the United States;
  • Subcontractors handling PHI are bound by Business Associate–level obligations, as described above; and
  • Such activities remain subject to HIPAA and our contractual obligations to Clients.

Children’s Privacy

Our Sites and services are not directed to, nor intended for, children under the age of 13. We do not knowingly collect personal information directly from children through our marketing websites. Any PHI regarding minors is handled solely as a Business Associate on behalf of Clients in accordance with HIPAA and our BAAs.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in:

  • Our business practices;
  • Our services or technology;
  • Applicable laws and regulations; or
  • Industry standards.

When we make material changes, we will update the “Effective Date” at the top of this page and, where required by law, provide additional notice. Your continued use of our Sites or services after an updated Privacy Policy is posted indicates your acceptance of the changes, subject to any additional consent requirements under applicable law.
