Privacy Policy

Expected Health Privacy Policy

Version 1.0 • Effective Date: June 23 2025

Expected Health, Inc. (“Expected,” “we,” “our,” or “us”) respects your privacy. This Privacy Policy explains what data we collect, how we use it, whom we share it with, and the choices you have.

By accessing expectedhealthcare.com (“Site”) or the Expected Health Referral Management Platform (collectively, “Platform”), you agree to the practices described here. Capitalized terms not defined here have the meanings in our Terms of Service (“ToS”) or HIPAA Business Associate Agreement (“BAA”).

1 Information We Collect

| Category | Examples | Source |
|---|---|---|
| Account Data | Name, email, phone, clinic name, NPI, role, credentials | You / your organization |
| Patient Data (PHI) | Demographics, referral details, images, test results, insurance info, medical records | Clinics, providers, patients, law-firm reps |
| Appointment & Transaction Data | Service type, requested date/time, clinic selected, fees paid, refund requests | Generated during use |
| Legal-Support Data | HIPAA authorizations, subpoenas, court orders, attorney contact info | Law-firm reps |
| Usage & Device Data | IP, browser, device ID, pages viewed, clicks, referring URL, session recordings | Cookies, pixels, FullStory, Amplitude, Google Analytics |
| AI/LLM Interaction Data | Prompts, chat logs, AI-generated summaries | You / automated systems |

We do not knowingly collect data from children under 18; see § 11.

2 How We Use Information

  1. Provide Services – create referrals, route records, obtain prior authorizations, coordinate transportation, and deliver results.

  2. User Support & Security – respond to inquiries, verify identity, detect fraud, audit logs, and maintain HIPAA compliance.

  3. Product Improvement & Analytics – analyze feature usage, perform A/B tests, and iterate on UI (using de-identified or pseudonymized data where feasible).

  4. Academic & Commercial Research – create de-identified and aggregated datasets for statistical analysis, publications, product development, and commercial partnerships (per BAA § 3(d)).

  5. Marketing (limited) – send product-update emails or invite you to webinars; no PHI is used for advertising.

  6. Legal & Regulatory – comply with subpoenas, court orders, law-enforcement requests, state privacy statutes, and government audits.

We do not sell PHI or personal information.

3 When We Share Information

| Recipient | Purpose |
|---|---|
| Clinics & Practitioners | Complete referrals, fulfill record requests, return results |
| Law-Firm Representatives | Provide records under valid authorization/subpoena |
| Transportation & Ancillary Services (e.g., Uber Health) | Coordinate rides or home-health visits when authorized |
| Payers / Prior-Auth Vendors | Eligibility checks, prior authorizations |
| Subprocessors (cloud hosting, email/SMS, analytics, LLM providers, fax gateways) | Operate or enhance the Platform (full list available on request; PHI only shared under a HIPAA-compliant BAA) |
| Government or Regulators | HIPAA, CCPA/CPRA, or other legal obligations |
| Corporate Transactions | Merger, acquisition, or asset sale (subject to same privacy commitments) |

De-identified, aggregated data may be shared without restriction.

4 Cookies, Tracking and Advertising

We and our service providers use cookies, pixels, software-development kits (SDKs), session-recording tools, and similar technologies (“Cookies”) to:

  • keep you signed in and remember preferences;

  • measure Platform performance and diagnose errors;

  • understand feature usage via analytics partners (e.g., FullStory, Amplitude, Google Analytics); and

  • deliver and measure advertising on public, non-authenticated pages of the Site.

4.1 Types of Cookies

| Type | Purpose |
|---|---|
| Strictly Necessary | Security, authentication, load balancing |
| Performance & Analytics | Aggregate usage statistics, A/B testing |
| Advertising | Show ads, prevent repeat ads, measure clicks, and build non-PHI interest segments |

No PHI or referral-workflow data is shared with advertising networks. Ad tags are rendered only on public pages that do not display Protected Health Information.

4.2 Third-Party Ad Networks

We may partner with ad networks such as Google AdSense, Thrive, or other IAB/NAI-certified vendors (“Ad Partners”). Ad Partners may set or read Cookies and collect device ID, browser type, IP address, pages visited, and time spent—but never PHI—to:

  • show contextual or interest-based ads;

  • cap ad frequency; and

  • measure ad effectiveness.

4.3 Your Choices

  • Cookie Banner — On your first visit you can accept or reject non-essential Cookies.

  • Browser Controls — Most browsers let you delete or block cookies (may degrade some features).

  • Advertising Opt-Out — To opt out of interest-based ads from NAI members, visit https://optout.networkadvertising.org. Google users can visit https://adssettings.google.com. Opt-outs are device- and browser-specific.

  • Do Not Track — Because no industry standard exists, the Platform does not currently respond to DNT signals.

5 Your Privacy Rights

  • HIPAA Access & Amendment – To obtain or amend your medical records, contact your clinic/provider or email [email protected].

  • California, Virginia, Colorado, Texas – You may request access, deletion, or correction, or opt out of “sharing” for targeted advertising (we do not currently engage in such sharing). Submit requests at [email protected].

  • Verification & Response Time – We will verify your identity and respond within 45 days of receipt (or within 90 days for complex requests, with notice of any extension).

You may opt out of non-transactional emails at any time via the ‘unsubscribe’ link.

6 Data Retention

  • PHI is retained only as long as required for the Services and pursuant to HIPAA and state record-retention laws.

  • De-identified data may be kept indefinitely.

  • Upon account closure, data is deleted or anonymized within 60 days, except where legal retention applies.

7 Security

We apply layered administrative, technical, and physical safeguards designed to protect your information, including but not limited to:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)

  • Role-based access controls and stringent password policies and credential handling

No system is 100% secure; you transmit data at your own risk.

8 International Data Transfers

The Platform is hosted in the United States. Users outside the U.S. should not transmit PHI unless permitted by local law. By using the Platform, you consent to U.S. data processing.

9 Third-Party Links

Our Site may link to third-party sites or services. We are not responsible for the privacy practices of those sites. Review their policies before providing information.

10 Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be posted on this page and, if significant, emailed to account holders. Continued use after the effective date constitutes acceptance.

11 Children’s Privacy

The Platform is not directed to anyone under 18. If we are notified that we have collected personal data from a minor without verifiable parental consent, we will delete it promptly.

12 Contact Us

Questions or privacy requests?

Expected Health, Inc. – Privacy Office
5900 Balcones Dr STE 100, Austin, TX 78731
[email protected]

End of Privacy Policy