Privacy Policy

1. Introduction

Welcome to reachDr, a Remote Therapeutic Monitoring (RTM) billing platform operated by Avatara Consulting ("Company," "we," "us," or "our"). This Privacy Policy describes how we collect, use, disclose, and protect information when you use our platform at reachdr.com (and reachdr.com when available) and related services (collectively, the "Service").

reachDr provides RTM billing software designed for medical practices. Our platform helps healthcare providers track patient interactions, log time spent on RTM activities, monitor device data transmission days, and generate billing claims for applicable CPT codes. We are committed to protecting the privacy and security of all data entrusted to us, including Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA).

By accessing or using reachDr, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

2. Information We Collect

2.1 Practice and Account Information

When you register for and use reachDr, we collect:

• Practice name, address, phone number, and National Provider Identifier (NPI)
• Provider names, credentials, and contact information
• Account administrator names and email addresses
• Billing contact information
• Login credentials (email and encrypted password)

2.2 Patient Information (Protected Health Information)

To facilitate RTM billing, we store limited patient information as provided by your practice:

• Patient names and dates of birth
• Insurance information (payer name, member ID, group number)
• RTM enrollment status and dates
• Device data transmission records (dates of transmission, not clinical data)
• Time logs documenting RTM interactions
• Billing records and claim history

Important: reachDr does not collect, store, or process clinical data, medical records, diagnoses, treatment plans, or device readings. We only track the metadata necessary for billing purposes (e.g., "Patient X transmitted data on these dates" and "Provider Y spent X minutes on RTM activities").

2.3 Usage and Analytics Data

We automatically collect certain information when you use the Service:

• Log data (IP address, browser type, pages visited, time spent)
• Device information (operating system, device type, screen resolution)
• Feature usage patterns and workflow analytics
• Error logs and performance data

2.4 Communications

We retain records of communications you have with us, including support requests, feedback, and correspondence.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery

• Providing and maintaining the reachDr platform
• Processing RTM billing workflows and generating claims
• Tracking time logs, device transmission days, and billing thresholds
• Generating reports and analytics for your practice
• Sending alerts and notifications about billing opportunities

3.2 Account Management

• Creating and managing your account
• Authenticating users and maintaining security
• Processing payments and managing subscriptions
• Communicating about your account, billing, and service updates

3.3 Service Improvement

• Analyzing usage patterns to improve features and user experience
• Identifying and fixing bugs, errors, and performance issues
• Developing new features and services
• Conducting aggregated, de-identified research and analytics

3.4 Legal and Compliance

• Complying with legal obligations and regulatory requirements
• Enforcing our Terms of Service and other agreements
• Protecting our rights, property, and safety, and that of our users
• Responding to legal requests and preventing fraud

4. HIPAA Compliance and Business Associate Agreement

4.1 Our Role as a Business Associate

When reachDr processes Protected Health Information (PHI) on behalf of a healthcare practice (a "Covered Entity" under HIPAA), we act as a Business Associate. We are committed to complying with all applicable provisions of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

4.2 Business Associate Agreement (BAA)

Before any PHI is entered into reachDr, healthcare practices must execute a Business Associate Agreement with Avatara Consulting. The BAA establishes the permitted uses and disclosures of PHI, our security obligations, and breach notification procedures. To request a BAA, contact us at support@reachdr.com.

4.3 Security Safeguards

We implement administrative, technical, and physical safeguards to protect PHI, including:

• 256-bit TLS encryption for all data in transit
• AES-256 encryption for data at rest
• Role-based access controls and authentication requirements
• Audit logging of all access to PHI
• Regular security assessments and penetration testing
• Employee training on HIPAA requirements and security practices
• Incident response and breach notification procedures

4.4 Minimum Necessary Standard

We apply the HIPAA minimum necessary standard, collecting and using only the PHI reasonably necessary to accomplish the intended billing purpose.

5. Information Sharing and Disclosure

We do not sell, rent, or trade your information. We may share information only in the following circumstances:

5.1 With Your Authorization

We may share information when you provide explicit consent or direction to do so.

5.2 Service Providers

We engage trusted third-party service providers who assist us in operating our platform. These providers are contractually obligated to protect your information and may only use it as directed by us. Categories include:

• Cloud Hosting: Infrastructure and data storage providers with SOC 2 and HIPAA compliance
• Payment Processing: Secure payment processors for subscription billing
• Analytics: Aggregated usage analytics (no PHI is shared with analytics providers)
• Customer Support: Help desk and communication tools

5.3 Legal Requirements

We may disclose information when required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your information becomes subject to a different privacy policy.

6. Data Retention and Deletion

6.1 Retention Periods

We retain different categories of data for different periods:

• Active Account Data: Retained while your account is active and for a reasonable period thereafter
• Billing and Claim Records: Retained for a minimum of seven (7) years to comply with healthcare billing regulations and audit requirements
• PHI: Retained in accordance with the BAA and applicable law; typically six (6) years from the date of creation or last effective date
• Usage Analytics: Aggregated and de-identified data may be retained indefinitely

6.2 Account Deletion

You may request deletion of your account by contacting support@reachdr.com. Upon verified request, we will delete or de-identify your data within thirty (30) days, except for data we are required to retain for legal, regulatory, or legitimate business purposes (such as billing records subject to retention requirements).

6.3 Data Export

Prior to account termination, you may request an export of your data in a standard format. Contact support to initiate a data export request.

7. Your Rights and Choices

7.1 Access and Correction

You may access, review, and update your account information at any time through your reachDr dashboard. For corrections to PHI, please contact your designated account administrator or our support team.

7.2 Communication Preferences

You may opt out of non-essential communications (such as marketing emails) by using the unsubscribe link in emails or adjusting your notification settings. Note that you cannot opt out of essential service communications (such as security alerts, billing notices, and Terms updates).

7.3 Data Portability

Upon request, we will provide you with a copy of your data in a structured, commonly used, machine-readable format.

7.4 Complaints

If you believe we have not handled your information in accordance with this Privacy Policy or applicable law, please contact us. You also have the right to lodge a complaint with the U.S. Department of Health and Human Services Office for Civil Rights.

8. SMS Communications

reachDr may send you SMS text messages related to your care program, including appointment reminders, check-in notifications, monitoring alerts, and service updates. Message frequency may vary based on your care program and preferences. Standard message and data rates may apply depending on your mobile carrier and plan.

Opting Out: You may opt out of SMS communications at any time by replying STOP to any message. After opting out, you will receive a confirmation message and no further SMS messages will be sent unless you re-enroll.

Help: For assistance with SMS communications, reply HELP to any message or contact support@reachdr.com.

Data Sharing: We do not share your mobile phone number or SMS consent status with third parties for marketing purposes. Your phone number is used solely for delivering care-related communications as described in this Privacy Policy.

9. Cookies and Tracking Technologies

reachDr uses cookies and similar technologies for:

• Essential Cookies: Required for authentication, security, and core functionality
• Preference Cookies: Remember your settings and preferences
• Analytics Cookies: Help us understand how users interact with our platform

You can control cookies through your browser settings. Disabling essential cookies may impair your ability to use the Service.

10. Security

We take the security of your information seriously. In addition to the safeguards described in Section 4.3, we maintain a comprehensive information security program that includes regular risk assessments, vulnerability management, and incident response procedures. However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

11. Children's Privacy

reachDr is intended for use by healthcare professionals and practice staff. We do not knowingly collect personal information directly from individuals under 18 years of age. If you believe a child has provided us with personal information, please contact us immediately.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website with a new effective date and, where appropriate, by email notification. Your continued use of reachDr after changes become effective constitutes acceptance of the revised policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Avatara Consulting
reachDr Privacy Team
Email: support@reachdr.com
Website: reachdr.com

For HIPAA-related inquiries or to request a Business Associate Agreement, please email support@reachdr.com with "BAA Request" or "HIPAA Inquiry" in the subject line.