Privacy Policy

Who We Are

The Health Co-Lab LLC is a healthcare technology and consulting organization that partners with public agencies, providers, and health plans to improve healthcare delivery. Through our consulting engagements and software platforms, including TransitionalRent and LastMile RCM, we handle sensitive information on behalf of our customers, including Protected Health Information (PHI) and Personally Identifiable Information (PII). We take that responsibility seriously, and our internal data management practices are designed to meet the requirements of HIPAA, the California Confidentiality of Medical Information Act (CMIA), and the SOC 2 Trust Services Criteria.

Information We Collect

The information we collect depends on how you interact with us.

Website visitors. When you visit thehealthcolab.com, contact us through our website, or apply for a position, we collect the information you choose to provide, such as your name, email address, organization, and the contents of your message or application.

Customers and platform users. When customers engage us for consulting services or use our software platforms, we may receive and process information on their behalf, including beneficiary and patient data, claims and eligibility records, and program data. This information is governed by our contracts and business associate agreements with those customers, in addition to this policy.

How We Use Information

We use personal information only for legitimate business purposes: to deliver the services our customers engage us to provide, to operate and improve our platforms, to respond to inquiries, to meet our legal and contractual obligations, and to maintain the security of our systems. We collect, use, and retain personal information only for as long as we have a legitimate business purpose or a legal obligation to do so.

Protected Health Information

PHI receives the highest level of protection in our organization. We follow the HIPAA minimum necessary standard, meaning our team members access, use, and disclose only the minimum amount of PHI needed to accomplish a specific, permitted purpose. Access to PHI is role-based, logged, and auditable.

PHI is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 or equivalent. PHI is never stored on personal devices, removable media, or unapproved cloud services, and real patient data is not used in development or testing environments unless it has been de-identified in accordance with HIPAA standards. In the event of a breach involving PHI, we follow formal breach notification procedures, including notification within the timeframes required by HIPAA.

How We Share Information

We do not sell personal information. We share confidential information outside our organization only under a legal contract or business associate agreement, with the explicit written permission of management or the data owner, or when required by law. Third-party service providers who store or process data on our behalf are assessed against our security and data disposal requirements before we use them, and only providers who meet those requirements are entrusted with sensitive data.

How We Protect Information

We classify all data by sensitivity and apply protections commensurate with each classification. Sensitive data is encrypted at rest and in transit, systems holding it require authentication and prohibit anonymous access, backups are encrypted, and devices that access it must be encrypted, password protected, and configured to lock automatically. Access to sensitive systems is restricted to personnel with a documented business need, and security event logs are retained and reviewed. We verify compliance with these practices through access reviews and internal and external audits.

Data Retention

We retain data only as long as needed for business, legal, or contractual purposes. Data containing PHI is retained for a minimum of seven years in accordance with HIPAA and CMIA requirements. PII is deleted or de-identified as soon as it no longer serves a legitimate business purpose, subject to applicable retention requirements. When a customer contract ends, system access is revoked immediately, customer data remains available to the customer upon written request during the retention period, and data is securely disposed of when the retention period concludes. We review our retention practices at least annually.

Data Disposal

When data reaches the end of its retention period, we dispose of it securely. Electronic media is sanitized following NIST SP 800-88 standards, every sanitization event is documented with a certificate of sanitization, and physical records are shredded or destroyed through secure methods. Damaged devices that cannot be wiped are destroyed through certified e-waste services that provide certificates of destruction.

Your Rights and Choices

Depending on where you live and how you interact with us, you may have rights regarding your personal information, including the right to request access to it, to request correction, or to request deletion. We honor verified deletion requests from consumers and data subjects where we do not have a legitimate business interest or legal obligation to retain the data.

If your health information is held in one of our platforms on behalf of a healthcare customer, your rights under HIPAA are generally exercised through that organization. We support our customers in fulfilling those requests, and we can help you identify the right organization to contact.

Changes to This Policy

We review our data management practices at least annually and may update this policy to reflect changes in our practices or in applicable law. When we make material changes, we will update the date at the top of this page.

Contact Us

If you have questions about this policy or want to exercise your privacy rights, contact us at privacy@thehealthcolab.com. You can also reach us through our contact page.

To report a suspected security or privacy incident, please use our incident submission form.