Privacy Policy

SFCA Organization ("SFCA," "we," "us," or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, services, platforms, and any related applications (collectively, the "Services"). Please read this Privacy Policy carefully. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use our Services.

We may modify this Privacy Policy at any time. Material changes will be communicated via email or through our website. Your continued use of the Services after any such changes constitutes your acceptance of the revised policy.

1. Scope and Applicability

This Privacy Policy applies to all individuals who interact with SFCA’s Services, including but not limited to healthcare professionals, revenue cycle management contractors, billing companies, practice administrators, and any other users. If you are a healthcare provider or organization subject to HIPAA, additional terms regarding Protected Health Information (PHI) may apply as described in Section 5.

For purposes of this Privacy Policy, "Personal Information" means any information relating to an identified or identifiable individual, including but not limited to name, contact details, professional credentials, payment information, and technical data collected automatically.

2. Information We Collect

2.1 Information You Provide Directly

• Account Information: When you register, we collect your name, email address, professional credentials, organization name, and billing details.
• Profile Information: You may provide additional information such as practice address, NPI number, CAQH ID, and licensure details.
• Payment Information: Credit card numbers, bank account information, and billing addresses are processed through our secure payment processors; we do not store full payment card data on our servers.
• Communications: When you contact us for support or inquiries, we collect the content of your messages and any attachments you provide.
• Training and Assessment Data: If you participate in our training programs, we may collect course progress, assessment results, and feedback.

2.2 Information Collected Automatically

• Usage Data: IP address, browser type, operating system, pages viewed, time spent, and referring URLs.
• Device Information: Device type, unique device identifiers, and mobile network information.
• Cookies and Tracking Technologies: We use cookies and similar technologies to enhance user experience, analyze trends, and administer the website. You may control cookies through your browser settings.

2.3 Protected Health Information (PHI)

To the extent that you use our Services to create, receive, maintain, or transmit Protected Health Information (as defined by HIPAA), we act as a Business Associate and will handle such information in accordance with our Business Associate Agreement and applicable HIPAA requirements. PHI is subject to additional safeguards as described in Section 5.

3. How We Use Information

We use the information we collect for various purposes, including to:

• Provide, maintain, and improve our Services;
• Process transactions and send related information (e.g., confirmations, invoices);
• Manage your account and provide customer support;
• Communicate with you about updates, security alerts, and administrative messages;
• Personalize your experience and deliver content relevant to your interests;
• Monitor and analyze usage patterns to enhance our Services;
• Comply with legal obligations and enforce our Terms & Conditions;
• Protect against fraud, unauthorized transactions, and other liabilities;
• Fulfill any other purpose disclosed at the time you provide the information or with your consent.

4. Sharing and Disclosure

We do not sell, rent, or trade your Personal Information to third parties for their marketing purposes. We may share information in the following circumstances:

• Service Providers: With trusted third-party vendors who assist us in operating our Services, conducting business, or serving you (e.g., payment processors, cloud hosting, analytics providers), provided they agree to keep your information confidential and use it only for the purposes we specify.
• Business Associates: With entities that require access to PHI to perform functions on our behalf, subject to a written Business Associate Agreement that complies with HIPAA.
• Compliance and Protection: When required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of SFCA, our users, or others (including fraud prevention and enforcement of our Terms).
• Business Transfers: In connection with a merger, acquisition, reorganization, or sale of all or a portion of our assets, your information may be transferred as part of that transaction, with notice provided via email or prominent website notice.
• With Your Consent: We may share information for any other purpose disclosed to you and with your consent.

5. HIPAA and Protected Health Information

For clients who are Covered Entities or Business Associates under HIPAA, SFCA enters into a Business Associate Agreement (BAA) that governs our use and disclosure of Protected Health Information (PHI). We implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of PHI in accordance with the HIPAA Security Rule. In the event of a breach of unsecured PHI, we will notify affected individuals and the Secretary of HHS as required by 45 CFR § 164.410. Our use of PHI is limited to the permitted purposes described in the BAA and this Privacy Policy.

6. Data Security

We take the security of your information seriously. SFCA implements industry-standard measures to protect against unauthorized access, alteration, disclosure, or destruction of Personal Information, including:

• Encryption of data in transit using TLS protocols;
• Encrypted storage of sensitive data;
• Multi-factor authentication options for account access;
• Regular security assessments and penetration testing;
• Access controls and role-based permissions;
• Audit logging and monitoring of systems;
• Disaster recovery and business continuity plans.

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

7. Data Retention

We retain Personal Information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law (e.g., for regulatory, tax, or legal purposes). When you cancel your account, we will retain your information for up to thirty (30) days to allow for data retrieval, after which it may be securely deleted or anonymized. PHI is retained and disposed of in accordance with HIPAA requirements and our BAA.

8. Your Rights and Choices

Depending on your jurisdiction, you may have certain rights regarding your Personal Information:

• Access and Portability: You may request a copy of the Personal Information we hold about you in a structured, commonly used format.
• Correction: You may request that we correct inaccurate or incomplete information.
• Deletion: You may request deletion of your Personal Information, subject to certain legal exceptions.
• Opt-Out: You may opt out of receiving marketing communications by following the unsubscribe link in our emails or contacting us directly. Please note that transactional and account-related messages are not subject to opt-out.
• Cookie Preferences: Most browsers allow you to refuse or delete cookies. However, doing so may affect certain features of our Services.

To exercise your rights, please contact us using the information in Section 12. We will respond to your request within a reasonable timeframe and in accordance with applicable law.

9. International Data Transfers

SFCA primarily operates in the United States. Your Personal Information may be transferred to, stored, and processed in the United States or other countries where our service providers maintain facilities. By using our Services, you consent to the transfer of your information to countries that may have different data protection laws than your country of residence. We take appropriate safeguards to ensure that such transfers comply with applicable legal requirements.

10. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect Personal Information from children. If we become aware that we have inadvertently collected information from a child, we will take reasonable steps to delete it promptly. If you believe we might have any information from or about a child, please contact us.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. The "Last Updated" date at the top indicates when the policy was last revised. Material changes will be communicated by email or through a prominent notice on our website at least thirty (30) days before they become effective. Your continued use of the Services after such changes constitutes acceptance of the revised Privacy Policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the information below. We are committed to addressing your inquiries promptly.

For matters related to HIPAA or protected health information, you may also contact our Privacy Officer at the same email and phone numbers.