Privacy Policy

Last Updated: March 12, 2026

Introduction

Lighthouse Health ("we," "our," or "us") is committed to protecting the privacy and security of your information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services.

HIPAA Compliance

Lighthouse Health is designed to be HIPAA compliant. We serve as a Business Associate to Federally Qualified Health Centers (FQHCs) and other covered entities. We have implemented administrative, physical, and technical safeguards to protect Protected Health Information (PHI).

All clients receive a signed Business Associate Agreement (BAA) before any PHI is transmitted to our platform. We collect only the minimum necessary PHI to provide our revenue recovery services.

Information We Collect

Operational Data (De-identified PHI)

  • Patient identifiers (de-identified when possible)
  • Appointment dates and statuses
  • Provider identifiers
  • Billing and coding data (CPT codes, diagnosis codes)
  • Claim denial information
  • Insurance carrier information
  • Provider credential data

Account Information

  • Name and email address
  • Organization name and role
  • Phone number (optional)
  • Account credentials

Usage Data

  • Log data (IP address, browser type, pages visited)
  • Feature usage analytics
  • Performance data

How We Use Your Information

  • Provide revenue recovery analytics and AI-powered recommendations
  • Track provider performance and identify improvement opportunities
  • Analyze no-show patterns and denial trends
  • Monitor contract expirations and credentialing deadlines
  • Generate reports and dashboards
  • Improve our platform and services
  • Communicate with you about your account and our services
  • Comply with legal obligations

Data Security

We implement industry-standard security measures to protect your information:

  • Data encryption in transit (TLS 1.3) and at rest (AES-256)
  • Role-based access controls
  • Regular security audits and penetration testing
  • SOC 2 Type II compliance (in progress)
  • HIPAA-compliant infrastructure (AWS/Supabase)
  • Multi-factor authentication available
  • Regular backups and disaster recovery procedures

Data Sharing and Disclosure

We do not sell your data. We may share your information only in the following circumstances:

  • Service Providers: We use trusted third-party service providers (hosting, analytics) who are contractually obligated to protect your data
  • Legal Requirements: When required by law or to protect our rights
  • Business Transfers: In connection with a merger, acquisition, or sale of assets (with advance notice)
  • With Your Consent: When you explicitly authorize sharing

Data Retention

We retain your data for as long as your account is active or as needed to provide services. Upon account termination, operational data is retained for 90 days, then securely deleted or de-identified. Billing and legal records are retained for 7 years per federal requirements.

Your Rights

You have the right to:

  • Access your personal information
  • Correct inaccurate information
  • Request deletion of your data (subject to legal retention requirements)
  • Opt out of marketing communications
  • Export your data in a portable format
  • File a complaint with a supervisory authority

Cookies and Tracking

We use essential cookies to operate our platform and optional analytics cookies to improve our services. You can disable non-essential cookies in your browser settings without affecting core functionality.

Children's Privacy

Our services are not directed to individuals under 18. We do not knowingly collect personal information from children. Patient data may include minors' information as part of operational analytics, handled in compliance with HIPAA.

Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email and by posting a notice on our platform. Continued use after changes constitutes acceptance of the updated policy.

Contact Us

For questions about this Privacy Policy or to exercise your rights, contact us:

Lighthouse Health

Email: privacy@lighthousehealthai.com

Email: gloria@lighthousehealthai.com

Website: lighthousehealthai.com/contact