Last Updated

TODO: Confirm final effective date with counsel

Legal review pending final counsel approval. TODO placeholders in this notice must be finalized before launch.

Healthcare Privacy Notice

This Healthcare Privacy Notice describes how TODO: Insert legal entity name (e.g., Friender Health, Inc.) ("Friender Health," "we," "our," "us") processes healthcare and workforce data in connection with enterprise customer use of the Friender Health platform.

For general website privacy terms and consumer-facing disclosures, see our Privacy Policy.

1. Who This Notice Applies To

This notice applies to healthcare-related platform processing for:

  • Healthcare provider organizations and workforce operators using Friender Health.
  • Authorized workforce users provisioned by those organizations.
  • Data processing performed by Friender Health under customer agreements for staffing, scheduling, credentialing, workflow automation, analytics, and related operations.

2. Roles and Scope

Depending on context and contract, Friender Health generally operates as:

  • Business Associate under HIPAA when processing PHI on behalf of a covered entity or another business associate.
  • Service Provider/Processor where state privacy laws or other privacy frameworks apply.

Our healthcare customers remain responsible for determining lawful purposes and instructions for customer data and for providing required notices to their patients, workforce, and end users.

3. Healthcare and Workforce Data We Process

Customer-configured workflows may include:

  • Staffing and scheduling records, shift coverage status, and operational assignments.
  • Credentialing and compliance records (for example, license/certification status).
  • Workflow communications and system-generated event logs.
  • Role and access metadata needed to authenticate and authorize platform actions.
  • Audit trails for mutating events and compliance reporting.

4. HIPAA Context and Boundaries

Friender Health is not a healthcare provider and does not provide medical treatment. We do not issue a HIPAA Notice of Privacy Practices as a covered entity. When PHI is involved, we process PHI according to applicable law, customer instructions, and contractual terms, including applicable BAAs.

Individuals seeking patient-care records or wishing to exercise HIPAA patient rights should contact the relevant healthcare provider organization directly.

5. BAAs and Subprocessors

We enter into BAAs and related contractual protections where required. We require subcontractors and service providers that process customer data on our behalf to agree to appropriate confidentiality, security, and data-protection obligations.

Subprocessor list URL: TODO: Insert subprocessor list URL

6. Security and Compliance Controls

We maintain administrative, technical, and physical safeguards designed to support healthcare data protection requirements, including role-based access controls, encryption in transit, logging, and monitoring. Customer organizations configure user roles and authority boundaries within their environments.

7. Incident and Breach Response

We maintain incident response procedures and investigate suspected security incidents. Where required by law or contract, we notify affected customers and support their regulatory or contractual response obligations, including HIPAA Breach Notification Rule workflows when applicable.

8. AI and Model Processing Commitments

We design customer workflows to process data within contractual and legal boundaries. Unless otherwise agreed in writing, Friender Health does not use customer PHI to train generalized foundation models.

TODO: Confirm exact AI model training and provider-processing language with legal/security before final publication.

9. Data Retention, Return, and Deletion

We retain healthcare customer data according to customer instructions, contractual commitments, legal obligations, and operational requirements. Upon termination or expiration of services, we support data return and/or deletion processes as defined in applicable agreements.

10. Patient and Individual Requests

If you are a patient or individual whose data may be included in a customer's systems, direct privacy or rights requests to your healthcare provider or employer organization first. Friender Health supports customer response workflows as required by contract and law.

11. State Consumer Health Data Disclosures

Certain U.S. state laws, including Washington and Nevada consumer health data requirements, may apply in specific scenarios outside or alongside HIPAA-regulated processing. We implement role-appropriate controls and contract terms based on the data context and applicable law.

12. Changes to This Notice

We may update this Healthcare Privacy Notice to reflect legal, technical, or operational changes. The "Last Updated" date above indicates when this notice was most recently revised.

13. Contact Information

For healthcare privacy questions, contact us at hello@frienderhealth.com.

Privacy Contact: TODO: Confirm privacy contact (or use hello@frienderhealth.com)

Mailing Address: TODO: Insert legal mailing address