PRIVACY POLICY FOR TENGRIUM HEALTH
Effective Date: August 01, 2025
Last Updated: October 04, 2025
PRE-LAUNCH NOTICE
Tengrium Health is currently in development and preparing to launch comprehensive healthcare services, starting with pilots. This Privacy Policy describes the privacy practices that will govern our platform and services upon launch, as well as our current practices for website visitors and those who join our interest list.
We are sharing this comprehensive Privacy Policy now to demonstrate our commitment to privacy and data protection from the outset. When we launch our full platform of healthcare services, we will operate as a HIPAA-covered healthcare provider with full compliance with all applicable federal and state privacy laws. All healthcare-related provisions of this policy will become effective upon the launch of clinical services.
By joining our interest list or using our website, you agree to the practices described in this Privacy Policy as they apply to our current pre-launch operations.
IMPORTANT NOTICE ABOUT THIS DOCUMENT
HIPAA Compliance Notice: This Privacy Policy explains how Tengrium Health collects, uses, and protects information on our website and technology platform. Upon launch of healthcare services, as a healthcare provider covered by HIPAA, we will also provide you with a separate Notice of Privacy Practices (NPP) that specifically describes how we use and disclose your Protected Health Information (PHI) for treatment, payment, and healthcare operations. Both documents will work together to protect your privacy.
Scope: This Privacy Policy applies to all users of the Tengrium Health platform, website, and services, including subscribers, patients, and website visitors.
1. About Tengrium Health and This Policy
Who We Are
Tengrium Health is a technology-enabled health platform that combines artificial intelligence with human clinical expertise to provide diagnosis, monitoring, and treatment services for various health conditions. Upon launch, we will operate as a Healthcare Provider and Covered Entity under the Health Insurance Portability and Accountability Act (HIPAA) and comply with all applicable federal and Florida state privacy laws.
Important: We are a subscription-based healthcare service. We do NOT sell, fulfill, or distribute medications or prescriptions at this stage. Our services focus on clinical care, monitoring, and treatment recommendations.
Our Commitment to Privacy
Protecting your health information is fundamental to our mission. We maintain comprehensive privacy and security programs that comply with:
HIPAA Privacy Rule (45 CFR Part 164, Subpart E)
HIPAA Security Rule (45 CFR Part 164, Subparts A and C)
HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D)
Florida Information Protection Act (Florida Statute § 501.171)
Florida medical records privacy laws (Florida Statute § 456.057)
Florida health privacy statutes
Florida Constitutional right to privacy (Article I, Section 23)
Contact Information
Tengrium Health
16192 Coastal Highway,
Lewes, DE 19958
Email: info@tengriumhealth.com
2. Information We Collect
2.1 Protected Health Information (PHI)
Upon launch of healthcare services, as a HIPAA-covered healthcare provider, we will collect and maintain Protected Health Information necessary to provide our services. PHI includes any health information that can identify you, including:
Medical and Clinical Information:
Medical history, symptoms, and health conditions
Diagnoses and treatment plans
Medications and allergies
Laboratory and test results
Clinical notes and assessments
Care coordination information
Telehealth visit recordings (with your authorization)
Health monitoring data from our platform
Provider communications and consultations
Identifying Information:
Name, date of birth, and contact information
Social Security number (when required)
Medical record number
Insurance information and subscriber identification
Emergency contact information
Demographic information (age, gender, race, ethnicity)
2.2 Account and Subscription Information
To manage your Tengrium Health account and subscription, we collect:
Username and password
Email address and phone number
Subscription plan and billing cycle
Service preferences and settings
Communication preferences
Account activity and usage history
2.3 Payment and Financial Information
We collect payment information necessary to process your subscription fees:
Cardholder name and billing address
Payment card information (processed through PCI DSS-certified payment processors)
Transaction history
Billing and payment records
Important: We do NOT store complete payment card numbers. Payment processing is handled by certified third-party payment processors who maintain strict security standards.
2.4 Technical and Usage Data
When you use our platform, we automatically collect:
IP address and geolocation information (city/state level)
Device information (type, operating system, browser)
Platform usage patterns and interactions
Session duration and frequency
Feature utilization data
Performance and error logs
Cookies and similar tracking technologies
2.5 Communications
We maintain records of communications with you:
Customer service interactions
Support tickets and inquiries
Email correspondence
Chat messages within our platform
Phone call logs
Survey responses and feedback
3. How We Use Your Information
3.1 Treatment, Payment, and Healthcare Operations (HIPAA-Permitted Uses)
Upon launch of healthcare services, under HIPAA, we may use and disclose your PHI without your authorization for:
Treatment:
Providing diagnosis, monitoring, and treatment services
Coordinating care with other healthcare providers
Consulting with specialists about your care
Delivering telehealth services
Managing your treatment plan
Providing clinical decision support
Payment:
Processing your subscription payments
Billing activities and collections
Determining service eligibility
Managing your account and subscription
Healthcare Operations:
Quality assessment and improvement
Training healthcare professionals and staff
Compliance and audit activities
Business planning and development
Customer service and support
Evaluating provider and platform performance
Accreditation and credentialing activities
Legal and regulatory compliance
3.2 Artificial Intelligence and Machine Learning
Blind AI Training:
Tengrium Health uses artificial intelligence and machine learning to improve diagnostic accuracy, enhance treatment recommendations, and advance healthcare delivery. To develop and train our AI models, we use a proprietary blind model training and data analysis process for health information that protects and verifiably upholds all privacy and data protections for your health data as required by federal privacy law.
Our Blind AI Training and Data Analysis Process:
We follow the HIPAA Safe Harbor method (45 CFR § 164.514(b)(2)), which requires removal of 18 specific identifiers before data can be used for AI training:
Names
Geographic subdivisions smaller than state (including street address, city, county, and ZIP codes, except the first three digits of ZIP codes for populations over 20,000)
All dates (except year) directly related to an individual, including dates of service, and all ages over 89
Telephone and fax numbers
Email addresses
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate and license numbers
Vehicle identifiers and serial numbers
Device identifiers and serial numbers
Web URLs
IP addresses
Biometric identifiers (including fingerprints and voiceprints)
Full-face photographs
Any other unique identifying numbers or characteristics
Any other information that could reasonably be used to identify you
Important Privacy Protections:
De-identified data is not PHI: Once properly de-identified, information no longer identifies you and cannot reasonably be used to identify you. We further do not allow de-identified data to be exposed outside of your health data vault unless it is to your authorized PCP or other healthcare provider with your permission for the sole purposes of treatment and health evaluation as part of the Tengrium Health program.
Your identifiable health information is never used: We do not use your identifiable PHI to train AI models without proper de-identification
Internal use only: We do not share your data with external parties for AI training
Benefits of Our AI Approach:
Our AI systems are designed to:
Improve diagnostic accuracy across diverse patient populations
Identify patterns that may predict health outcomes
Personalize treatment recommendations
Enhance early detection of health conditions
Support clinical decision-making
Improve platform functionality and user experience
3.3 Service Delivery and Platform Operations
We use your information to:
Operate and maintain the Tengrium Health platform
Provide customer support and respond to inquiries
Send service-related communications and updates
Manage your subscription and account
Improve platform performance and user experience
Develop new features and services
Conduct research and analytics (using de-identified data)
Ensure platform security and prevent fraud
3.4 Legal and Regulatory Compliance
We may use or disclose your information when:
Required by federal, state, or local law
Responding to court orders, warrants, or subpoenas (with proper notice to you as required by Florida law)
Cooperating with law enforcement for permitted purposes
Reporting to public health authorities
Complying with health oversight activities
Preventing serious threats to health or safety
Fulfilling workers' compensation requirements (limited to workplace-related conditions)
3.5 Communications and Marketing
Service Communications (No Authorization Required):
Account updates and service notifications
Appointment reminders and health alerts
Platform updates and maintenance notices
Billing and subscription information
Security and privacy notifications
Marketing Communications (Authorization or Opt-Out Required):
We do NOT use your health information for marketing purposes without your specific written authorization
Per Florida law (§ 456.057), we are prohibited from using patient information for solicitation or marketing without specific written release
You may receive general health and wellness information, from which you can opt out at any time
We do not sell your information to third parties for their marketing purposes
4. Information Sharing and Disclosure
4.1 Our Data Sharing Policy
We do NOT:
Sell your health information to third parties
Share your PHI with external parties except as described in this policy and permitted by law
Use third-party services for data processing beyond those described below
4.2 Business Associates
Upon launch of healthcare services, we may share PHI with your healthcare providers or other Business Associates who perform services on our behalf. Under HIPAA, Business Associates are required to:
Protect your PHI according to HIPAA standards
Sign Business Associate Agreements (BAAs) with us
Use your information only as authorized
Implement appropriate security safeguards
Report any breaches to us immediately
Types of Business Associates:
Telehealth technology platforms
Cloud infrastructure providers (data stored only in U.S., U.S. territories, or Canada per Florida law)
IT support and cybersecurity services
Legal and compliance consultants
Billing and payment processors
Analytics platforms (with BAAs for authenticated areas)
4.3 Healthcare Providers
Upon launch of healthcare services, we may share your PHI with other healthcare providers involved in your care:
Specialists for consultations and referrals
Your primary care physician (with your authorization)
Emergency medical personnel when necessary
Other providers coordinating your treatment
4.4 Public Health and Legal Requirements
We may disclose PHI without your authorization when required or permitted by law:
Public Health Activities:
Disease reporting to public health authorities
FDA reporting for adverse events
Notification of persons exposed to communicable diseases
Health Oversight:
Audits and investigations by health oversight agencies
Licensure and accreditation activities
Legal Proceedings:
In response to court orders or valid subpoenas
Florida Requirement: We will provide proper notice to you when legally permitted before responding to subpoenas for your records
Law Enforcement:
As required by law or court order
To identify or locate suspects, fugitives, or missing persons (limited information only)
About victims of crime in certain situations
When we believe a crime occurred on our premises
Serious Threats:
To prevent or lessen a serious threat to health or safety
To persons reasonably able to prevent or lessen the threat
Abuse, Neglect, or Domestic Violence:
Reporting to appropriate authorities as required by law
When we believe disclosure is necessary to prevent serious harm
4.5 With Your Authorization
Any uses or disclosures of your PHI not described in this policy will require your written authorization, including:
Uses for marketing purposes
Sale of PHI (we do not engage in this practice)
Most uses of psychotherapy notes (if applicable)
Other purposes not permitted by HIPAA
You may revoke your authorization at any time in writing, except to the extent we have already taken action in reliance on it.
4.6 Minimum Necessary Standard
When using or disclosing PHI for payment or healthcare operations purposes, we limit the information to the minimum necessary to accomplish the intended purpose, as required by HIPAA and Florida law.
5. Your Privacy Rights Under HIPAA
Upon launch of healthcare services, as our patient, you will have important rights regarding your health information:
5.1 Right to Access Your Health Information
You have the right to inspect and obtain copies of your PHI in our records.
Timeframe: We will respond to your request within 30 days (with possible 30-day extension if needed)
Format: We will provide information in the format you request if readily producible (electronic or paper)
Electronic Delivery: For electronic records, we can provide via secure email, patient portal, USB drive, or other method you prefer
Fees: We may charge a reasonable, cost-based fee for copies (maximum $6.50 for electronic copies of electronically maintained records)
Direct Transmission: You may direct us to send copies to another person you designate
How to Request Access: Contact our Privacy Official at [contact information] or submit a written request to [address].
5.2 Right to Request Amendment
You may request that we amend PHI in your records if you believe it is incorrect or incomplete.
Timeframe: We will respond within 60 days (with possible 30-day extension)
Process: If we accept your request, we will make the amendment and inform relevant parties
Denial Rights: If we deny your request, you may submit a statement of disagreement that will become part of your record
Permitted Denials: We may deny if the information was not created by us, is not in our records, or is accurate and complete
How to Request Amendment: Submit a written request to our Privacy Official at [contact information] specifying what information you want amended and why.
5.3 Right to Accounting of Disclosures
You have the right to receive a list of certain disclosures we made of your PHI.
Timeframe Covered: Disclosures made in the six years prior to your request (or shorter period)
Exclusions: Does not include disclosures for treatment, payment, healthcare operations, disclosures to you, or those you authorized
First Request Free: The first accounting in a 12-month period is free; subsequent requests may incur reasonable fees
Response Time: We will respond within 60 days (with possible 30-day extension)
How to Request Accounting: Contact our Privacy Official at [contact information].
5.4 Right to Request Restrictions
You may request restrictions on how we use or disclose your PHI.
Optional Restrictions: We are not required to agree to most restrictions, but if we do, we will comply
Mandatory Restriction: If you pay out-of-pocket in full for a service and request we not disclose information to your health plan, we MUST agree (unless otherwise required by law)
Emergency Exception: Restrictions may not apply if you need emergency treatment
How to Request Restrictions: Submit a written request to our Privacy Official at [contact information] specifying what information you want restricted and to whom.
5.5 Right to Request Confidential Communications
You may request that we communicate with you about your health information in a specific way or at a specific location.
We will accommodate reasonable requests
For example, you may request we contact you at work instead of home, or via email instead of phone
We may require information on how payment will be handled
How to Request Confidential Communications: Contact our Privacy Official at [contact information] with your specific request.
5.6 Right to a Paper Copy of This Notice
You have the right to receive a paper copy of this Privacy Policy upon request, even if you agreed to receive it electronically.
How to Request: Contact our Privacy Official at [contact information] or download from our website at [website URL].
5.7 Right to Be Notified of a Breach
You have the right to be notified if a breach of your unsecured PHI occurs.
We will notify you in accordance with federal and Florida law (see Section 11 on Breach Notification).
6. Special Privacy Protections Under Florida Law
Florida law provides additional privacy protections beyond HIPAA:
6.1 Florida Constitutional Privacy Right
The Florida Constitution (Article I, Section 23) provides explicit privacy protection for medical records. We comply with Florida's more stringent requirements, including:
Written Authorization Requirements:
Florida law requires written authorization for certain disclosures that HIPAA permits without authorization
We obtain written authorization before sharing your information with insurance companies and other entities as required by Florida Statute § 456.057
Marketing Prohibition:
Under Florida law, we cannot use your patient information for marketing or solicitation purposes without your specific written authorization
Third-Party Re-disclosure:
Third parties receiving your information are prohibited from further disclosure without your express written consent
6.2 HIV/AIDS Information
Florida law (§ 381.004) provides "super-confidential" status for HIV/AIDS test results and related information. We:
Obtain appropriate consent before HIV testing
Maintain strict confidentiality of HIV-related information
Disclose HIV information only as permitted by Florida law
Never use HIV status for insurance or employment decisions
Violation of HIV confidentiality carries criminal penalties under Florida law, including felony charges for malicious disclosure.
6.3 Florida Data Storage Requirements
Per Florida Senate Bill 264 (effective July 1, 2023):
All patient information stored offsite (including cloud storage) must be physically maintained in the continental United States, U.S. territories, or Canada
We do NOT use offshore data storage
All our technology vendors and cloud providers comply with this geographic restriction
6.4 Subpoena Notice
Under Florida law (§ 456.057), when a subpoena is issued for your medical records, we provide proper notice to you or your legal representative before responding, allowing you to object if desired.
7. Data Security and Safeguards
7.1 Our Security Commitment
Tengrium Health implements comprehensive administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of your health information in compliance with the HIPAA Security Rule and Florida law.
Important: While we maintain robust security measures, no system is completely secure. We continuously monitor and update our security practices in accordance with industry standards and regulatory requirements.
7.2 Administrative Safeguards
Security Management:
Regular security risk assessments to identify vulnerabilities
Risk management strategies to reduce risks to appropriate levels
Sanctions policy for workforce members who violate security policies
Regular review of system activity and audit logs
Workforce Security:
Designated Security Official responsible for our security program
Background checks for personnel with access to PHI
Clearance procedures and access authorization
Termination procedures to revoke access immediately
Training and Awareness:
Regular security awareness training for all workforce members
Specialized training for staff handling PHI
Ongoing education about emerging threats
Phishing and social engineering awareness
Contingency Planning:
Data backup procedures with secure offsite storage
Disaster recovery plans
Emergency mode operations procedures
Regular testing of contingency plans
Business Associate Management:
Written Business Associate Agreements with all vendors
Vendor security assessments before engagement
Ongoing monitoring of vendor compliance
Regular vendor audits
7.3 Physical Safeguards
Facility Access Controls:
Limited physical access to facilities containing ePHI
Security personnel and surveillance systems
Visitor logs and escort requirements
Secure server rooms and data centers
Workstation Security:
Policies governing workstation use and location
Privacy screens to prevent unauthorized viewing
Automatic screen locks for inactive workstations
Secured cable management
Device and Media Controls:
Policies for device use, movement, and disposal
Secure data destruction procedures
Media sanitization before reuse or disposal
Accountability procedures for hardware movement
7.4 Technical Safeguards
Access Controls:
Unique user identification for all system users
Authentication mechanisms (passwords, multi-factor authentication)
Automatic logoff after periods of inactivity
Emergency access procedures for critical situations
Role-based access limiting information to minimum necessary
Audit and Monitoring:
Audit logging of all access to ePHI
Regular review of audit logs for suspicious activity
Intrusion detection and prevention systems
Security incident monitoring and response
Data Integrity:
Mechanisms to ensure ePHI is not improperly altered or destroyed
Version control and change management
Data validation procedures
Regular integrity checking
Encryption:
Data in Transit: All PHI transmitted over networks is encrypted using industry-standard protocols (TLS 1.2 or higher)
Data at Rest: PHI stored electronically is encrypted using AES-256 or equivalent encryption
Device Encryption: Mobile devices and laptops with access to PHI are encrypted
Patient Choice: You may request unencrypted communications after being warned of risks
Transmission Security:
Secure communication protocols for all data transmission
Virtual Private Networks (VPNs) for remote access
Secure email systems for PHI communication
Protection against malware and ransomware
7.5 Telehealth Security
Upon launch of telehealth services, our telehealth platform will include specific security measures:
End-to-end encryption for video and audio communications
Secure authentication before each session
Virtual waiting rooms to prevent unauthorized access
Automatic session termination after inactivity
Business Associate Agreements with telehealth technology vendors
Regular security assessments of telehealth platforms
7.6 Incident Response
We maintain comprehensive incident response procedures:
24/7 security monitoring
Rapid response team for security incidents
Forensic investigation capabilities
Breach notification procedures
Mitigation and remediation protocols
Law enforcement coordination when appropriate
8. Telehealth Services and Privacy
Upon launch, Tengrium Health will provide telehealth services through secure, HIPAA-compliant technology platforms.
8.1 Telehealth Platform Security
Our telehealth services will include:
End-to-end encryption for all video and audio communications
Business Associate Agreements with all telehealth technology providers
Secure authentication requiring login credentials for all sessions
Session security with unique meeting IDs and virtual waiting rooms
Automatic termination of sessions after inactivity periods
Access controls preventing unauthorized joining of sessions
8.2 Technology Requirements
Our Responsibilities:
We conduct telehealth visits from private, secure locations
Our providers inform you if others are present during your session
We use only HIPAA-compliant telehealth platforms
We regularly assess technology security and performance
Your Responsibilities:
Join telehealth appointments from private locations when possible
Use secure Wi-Fi networks (not public Wi-Fi when possible)
Ensure your device has updated software and security patches
Inform your provider if others are present with you
Acceptable Telehealth Technologies:
Our secure patient portal video platform
Approved video conferencing systems with Business Associate Agreements
Audio-only telehealth via traditional telephone for appropriate services
Prohibited Technologies:
Public-facing streaming platforms (Facebook Live, TikTok, Twitch, etc.)
Unapproved messaging or video apps
Unsecured communication methods
8.3 Recording Policies
General Policy: Telehealth sessions are NOT recorded by Tengrium Health without your explicit authorization.
If Recording is Necessary:
We will request your specific authorization before any recording begins
You have the right to decline recording without affecting your care
If authorized, recordings are stored securely as part of your medical record
You have the same rights to access recordings as other medical records
Recordings are retained according to our records retention policy
Patient Recording: We request that you do not record sessions. Unauthorized recording may violate state law and our Terms of Service.
8.4 Audio-Only Telehealth
We offer audio-only telehealth services via traditional telephone when appropriate:
Standard HIPAA protections apply to all telehealth communications
Traditional telephone services (landline/mobile) may be used
Audio-only services available for patients without video capability
Same privacy and security standards apply
8.5 Communication Privacy
During Telehealth Sessions:
Providers will verify your identity at the beginning of each session
You may be asked if anyone else is present and can hear the conversation
Providers will inquire about your privacy and comfort level
You can request to reschedule if you cannot find a private location
Between Sessions:
Secure messaging available through patient portal
Email communications encrypted when containing PHI
Phone messages left only with your authorization
Text messaging available only for appointment reminders and non-PHI communications
9. Cookies, Tracking Technologies, and Website Analytics
9.1 How We Use Tracking Technologies
Tengrium Health uses cookies, web beacons, and similar technologies on our website and platform to enhance your experience and improve our services. We implement different practices for authenticated and unauthenticated areas of our website.
9.2 Unauthenticated Public Website Areas
What We Collect: On public areas of our website (before login), we collect:
Pages visited and time spent
Browser type and operating system
General geographic location (city/state level)
Referring website
Device type (desktop, mobile, tablet)
Analytics Tools: We use web analytics services to understand how visitors use our website. These tools help us improve site functionality, content, and user experience.
Business Associate Agreements: For analytics tools that may collect information related to health service inquiries (such as symptom checker pages or appointment scheduling), we execute Business Associate Agreements with vendors to ensure HIPAA compliance.
Your Choices: You can control cookies through your browser settings. Note that disabling certain cookies may limit website functionality.
9.3 Authenticated Patient Portal and Platform
Enhanced Protection: When you log into your patient portal or telehealth platform:
We use analytics configured specifically to protect your health information
All analytics vendors have signed Business Associate Agreements with us
We implement technical controls to prevent transmission of PHI to analytics platforms
IP address anonymization is enabled
Advertising and remarketing features are disabled
Cross-domain tracking is disabled
User-ID tracking is disabled on pages containing PHI
What We Track:
Platform usage patterns to improve functionality
Feature utilization to enhance user experience
Performance metrics to identify technical issues
Error logs for troubleshooting
9.4 Types of Cookies
Strictly Necessary Cookies: Essential for platform operation, including:
Authentication and security
Session management
Load balancing
Security threat detection
Functional Cookies: Enhance platform functionality, including:
Remember your preferences and settings
Language preferences
Accessibility features
Analytics Cookies: Help us improve our services:
Usage patterns and popular features
Performance monitoring
Error detection
User journey analysis (in aggregate)
Marketing Cookies: We do NOT use cookies for:
Targeted health-related advertising
Selling your information to third parties
Behavioral tracking across websites
Third-party advertising networks
9.5 Third-Party Services
Analytics Providers: We use [Analytics Provider Name(s)] for website and platform analytics. These providers:
Have executed Business Associate Agreements with us
Are required to protect your information in accordance with HIPAA
Cannot use your information for their own purposes
Must delete or return data upon request
Payment Processors: Our payment processing uses cookies to:
Secure payment transactions
Prevent fraud
Process subscriptions
Payment processors are PCI DSS certified and have appropriate data protection agreements.
9.6 Your Cookie Choices and Controls
Browser Controls: Most browsers allow you to:
View and delete cookies
Block cookies from specific sites
Block third-party cookies
Receive notifications when cookies are set
Platform Settings: In your Tengrium Health account settings, you can:
Manage communication preferences
Control optional analytics features
Set privacy preferences
Opt-Out Options:
Browser Do Not Track signals (we honor these signals)
Opt out of email marketing communications
Disable non-essential cookies through settings
Mobile Devices: On mobile devices, you can:
Adjust privacy settings in device settings
Limit ad tracking
Manage app permissions
9.7 California and State-Specific Tracking Notices
California Residents: Under California law, we do not respond to "Do Not Track" browser signals differently than described above. We do not sell personal information and do not track you across third-party websites for advertising purposes.
10. Payment Information and Subscription Management
10.1 Subscription-Based Services
Upon launch, Tengrium Health will operate on a subscription basis. We will collect subscription fees directly from subscribers for our healthcare services.
What We Do NOT Do:
We do NOT sell, fulfill, or distribute medications or prescriptions
We do NOT bill insurance companies for our subscription services
We are NOT a pharmacy or pharmaceutical distributor
10.2 Payment Information Collection and Security
Information We Collect:
Cardholder name
Billing address
Payment card information (number, expiration, security code)
Transaction history
Subscription status and billing cycle
Payment Card Industry (PCI DSS) Compliance: We are committed to protecting your payment information in accordance with Payment Card Industry Data Security Standards (PCI DSS). Our payment security measures include:
Certified Payment Processors: All payment transactions processed through PCI DSS Level 1 certified payment processors
Encryption: Payment card data encrypted during transmission using TLS 1.2 or higher
Limited Storage: We do NOT store complete payment card numbers or CVV/CVC security codes
Tokenization: Payment card information stored as encrypted tokens
Restricted Access: Payment information accessible only to authorized personnel on a need-to-know basis
Secure Networks: Firewall protection and network segmentation for payment systems
Regular Security Assessments: Ongoing security testing and vulnerability scanning of payment systems
Activity Monitoring: Continuous monitoring of payment system access and transactions
Payment Processors: We use [Payment Processor Name], a PCI DSS Level 1 certified payment processor. Your payment information is transmitted directly to the processor through encrypted connections and is not stored on our application servers. [Payment Processor] maintains comprehensive security measures and is independently audited for PCI DSS compliance.
10.3 Separation of Payment and Health Information
Data Segregation:
We maintain payment information separately from your medical records to the extent possible
Payment data is stored in secure, PCI DSS-compliant systems
Access to payment information is restricted and logged
Payment information is not part of your designated health record set unless related to treatment authorization
Combined Data: In some situations, payment information may be associated with your health record:
Subscription type may indicate services received
Billing disputes related to specific services
Required financial assistance documentation
When payment information must be associated with health information, both HIPAA and PCI DSS protections apply.
10.4 Subscription Management
Subscription Information:
Subscription plan type (Basic, Standard, Premium, etc.)
Billing frequency (monthly, annual)
Payment due dates and payment history
Subscription start date and renewal dates
Service access level based on subscription status
Promotional codes or discounts applied
Billing Practices:
Clear disclosure of subscription costs before enrollment
Advance notice of subscription renewals
Detailed billing statements available in your account
Multiple payment methods accepted
Automatic renewal (with ability to disable)
Pro-rated refunds per our Terms of Service
Subscription Changes:
You may upgrade, downgrade, or cancel your subscription at any time
Changes effective per our Terms of Service
Cancellation procedures available through your account or customer service
We do NOT condition treatment on maintaining any specific subscription level (medical necessity determines care)
10.5 Financial Assistance and Payment Plans
If you need financial assistance:
Contact our billing department at [billing contact]
Financial assistance may be available based on eligibility
Payment plans may be offered for certain situations
Inability to pay does NOT affect emergency or urgent care
Financial information collected for assistance programs is protected as PHI
10.6 Payment Data Retention
Retention Periods:
Transaction history: [X years] as required for accounting and tax purposes
Payment card information: Last 4 digits only retained for reference
Billing records: [X years] per legal and business requirements
Subscription history: Duration of relationship plus [X years]
Secure Deletion: When retention periods expire, payment data is securely deleted or destroyed according to PCI DSS requirements.
10.7 Fraudulent Transaction Protection
We implement fraud detection and prevention measures:
Transaction monitoring for unusual patterns
Address verification systems (AVS)
Card security code verification
Velocity checks to detect suspicious activity
Account alerts for unusual transactions
If we suspect fraudulent activity on your account, we will contact you using the information on file.
11. Breach Notification
11.1 Our Commitment
Tengrium Health takes data security seriously and maintains comprehensive programs to prevent unauthorized access to your information. In the unlikely event of a data breach affecting your protected health information, we will notify you promptly in accordance with federal and Florida law.
11.2 What Constitutes a Breach
Under HIPAA, a breach is an impermissible use or disclosure of your PHI that compromises its security or privacy. We conduct risk assessments of all potential breaches to determine if notification is required.
Exceptions: Not all incidents constitute breaches requiring notification, including:
Unintentional access by our workforce acting in good faith
Inadvertent disclosures between authorized persons
Situations where the unauthorized person could not retain the information
11.3 Federal and Florida Notification Timeline
Florida Law is More Stringent: Florida requires notification within 30 days of determining a breach occurred, which is faster than the federal HIPAA requirement of 60 days. We comply with the more stringent Florida timeline.
Breach Notification Timeline:
Individual Notification: Within 30 days of breach discovery
Media Notification: Within 30 days if breach affects 500 or more Florida residents
HHS Notification: Within 30-60 days depending on breach size
Florida Attorney General: Within 30 days if breach affects 500 or more Florida residents
11.4 How We Will Notify You
Primary Method: First-class mail to your last known mailing address OR email if you agreed to electronic communications
Urgent Situations: Telephone or other expedited means if we deem the breach poses a significant risk
Substitute Notice (if we have insufficient contact information for 10 or more individuals):
Posting on our website for 90 days, AND/OR
Notice through major media outlets serving Florida
11.5 What Our Notice Will Include
If a breach affects your information, our notification will include:
Brief Description: What happened and when
Types of Information: What types of your information were involved
Steps You Can Take: Actions you should take to protect yourself
Our Response: What we are doing to investigate, mitigate harm, and prevent future breaches
Contact Information: How to reach us with questions (toll-free number, email, website, or address)
The notice will be written in plain language to ensure you can understand the situation and your options.
11.6 Regulatory Notifications
In addition to notifying you, we will notify:
Federal Authorities:
U.S. Department of Health and Human Services Office for Civil Rights
Timing based on breach size (immediate for 500+, annual for fewer than 500)
Florida Authorities:
Florida Department of Legal Affairs (Attorney General)
Required if 500 or more Florida residents affected
Includes synopsis of breach, number affected, and services offered
Credit Reporting Agencies:
All nationwide consumer reporting agencies
Required if more than 1,000 individuals notified simultaneously
Media:
Prominent media outlets in Florida
Required if 500 or more Florida residents affected
11.7 Breach Response and Mitigation
In the event of a breach, we will:
Immediate Actions:
Contain the breach and prevent further unauthorized access
Secure affected systems
Begin forensic investigation
Assess scope and impact
Investigation:
Determine what information was accessed or disclosed
Identify affected individuals
Conduct risk assessment
Identify root cause
Mitigation:
Offer affected individuals appropriate services (such as credit monitoring if financial information is involved)
Implement additional safeguards to prevent recurrence
Update policies and procedures as needed
Provide additional staff training
Consider third-party security assessments
Remediation:
Apply corrective actions
Enhance security measures
Monitor for additional incidents
Document lessons learned
11.8 Your Role in Prevention
You can help prevent breaches by:
Keeping login credentials confidential
Using strong, unique passwords
Enabling multi-factor authentication
Logging out after using shared devices
Not sharing your account with others
Reporting suspicious activity immediately
Keeping your contact information current
11.9 Reporting Security Concerns
If you suspect unauthorized access to your account or any security incident:
Immediate Contact: Security Team: security@tengriumhealth.com
Phone: [Security Hotline]
Available 24/7 for security incidents
What to Report:
Suspicious account activity
Unexpected access notifications
Phishing or social engineering attempts
Lost or stolen devices with account access
Unauthorized password resets
Any other security concerns
11.10 Documentation and Records
We maintain comprehensive documentation of:
All breach investigations and risk assessments
Notifications provided to individuals and authorities
Mitigation and remediation actions taken
Breach response timeline and decisions
Records retained for 6 years per HIPAA requirements
12. Children's Privacy
12.1 Our Services and Age Requirements
Tengrium Health provides healthcare services to individuals of all ages, including children and adolescents. Our platform is designed for use by parents and guardians to manage healthcare for their minor children.
12.2 Parental Control and Access
For Patients Under 18:
Parents or legal guardians create and control accounts for minor children
Parents provide consent for services on behalf of minor children
Parents have access to their children's health information as permitted by law
Parents exercise HIPAA privacy rights on behalf of minor children
Florida Adolescent Privacy Rights:
Florida law grants certain minors the right to consent to specific types of healthcare without parental permission (e.g., STD testing and treatment, including HIV testing under § 384.30)
When a minor legally consents to treatment without parental involvement, the minor controls access to those specific health records
Parents do NOT have automatic access to health records for services to which the minor legally consented independently
Emancipated Minors:
Legally emancipated minors (married or court-declared emancipation) have full adult rights
Emancipated minors control their own health information
Parents of emancipated minors do not have access rights
12.3 Children's Online Privacy Protection Act (COPPA) Compliance
COPPA Applicability: The Children's Online Privacy Protection Act (COPPA) applies to online services that collect personal information from children under 13. Because Tengrium Health services are controlled by parents/guardians and not directed to children for independent use, COPPA has limited application to our platform.
Information Collection from Children:
We do not knowingly collect personal information directly from children under 13 without verifiable parental consent
Parents create accounts and provide information on behalf of children
Children do not independently register or provide information through our platform
If Direct Child Interaction Occurs: If we become aware that a child under 13 has provided information directly without parental consent:
We will delete that information promptly
We will contact the parent/guardian
We will implement additional safeguards to prevent future occurrences
12.4 Parental Rights Regarding Children's Information
Rights of Parents/Guardians:
Right to review personal health information about their child
Right to request amendments to their child's information
Right to request accounting of disclosures
Right to request restrictions on use and disclosure
Right to receive confidential communications about their child
Right to authorize uses and disclosures beyond treatment, payment, and operations
How to Exercise Parental Rights: Contact our Privacy Official at [contact information] to exercise any privacy rights on behalf of your child.
12.5 Protection of Children's Information
Children's health information receives the same comprehensive security protections as adult information:
HIPAA Privacy and Security Rule protections
Florida state privacy law protections
Age-appropriate communication and education
Sensitive handling of behavioral health information
Protection of information about sensitive health issues (reproductive health, mental health, substance use)
12.6 Educational Technology
If we provide educational tools or resources for children:
Parents will be informed of these features
Parental consent obtained before child participation
Information collection limited to minimum necessary
No marketing to children
No disclosure of children's information for commercial purposes
Compliance with COPPA, FERPA (if applicable), and HIPAA
12.7 Adolescent Telehealth Privacy
For adolescent patients using telehealth services:
Age-appropriate privacy discussions
Clarification of confidentiality limits
Discussion of mandatory reporting obligations (abuse, neglect, danger to self/others)
Parental involvement appropriate to age and circumstances
Respect for developing autonomy while ensuring safety
13. Your Choices and Control
13.1 Communication Preferences
You have choices regarding how we communicate with you:
Service Communications: You will receive essential service communications including:
Account security notifications
Service updates and changes
Appointment reminders
Billing and subscription information
Privacy policy updates
Security incident notifications
These communications are necessary for service operation and cannot be opted out of while you maintain an active account.
Marketing Communications: You may choose whether to receive:
Health and wellness information
New service announcements
Educational content
Newsletter and blog updates
How to Manage Preferences:
Update communication preferences in your account settings
Click "unsubscribe" in marketing emails
Contact customer service at [contact information]
Call our Privacy Official at [phone number]
Florida Marketing Restrictions: Under Florida law (§ 456.057), we cannot use your patient information for marketing or solicitation without your specific written authorization. We honor this protection strictly.
13.2 Account Management
Access Your Account:
Log in at [website URL]
View and update personal information
Review subscription details
Access health records
Manage communication preferences
Update payment information
Account Security:
Change password regularly
Enable multi-factor authentication (strongly recommended)
Review account activity logs
Report suspicious activity immediately
Account Closure:
You may request account closure at any time
Contact customer service at [contact information]
Health records retained per legal requirements (typically 7 years minimum)
Subscription cancellation per Terms of Service
Payment information deleted per PCI DSS requirements
13.3 Cookie and Tracking Controls
As described in Section 9, you can control cookies and tracking through:
Browser settings and preferences
Platform privacy settings
Third-party opt-out tools
Mobile device privacy settings
13.4 Data Portability
Electronic Access:
Request electronic copies of your health records
Choose format (PDF, CCD, CSV where available)
Direct transmission to another provider or entity
Maximum $6.50 fee for electronic copies of electronic records
Data Export: Contact our Privacy Official to request data export in machine-readable format.
13.5 Opting Out of De-identified Data Use
While de-identified data is no longer PHI under HIPAA and does not identify you, if you prefer that your information not be included in our de-identification process for AI training and research:
How to Opt Out: Contact our Privacy Official in writing at [contact information] with your request. We will:
Document your opt-out preference
Exclude your records from future de-identification processes
Confirm your request in writing
Important Notes:
This opt-out applies to future de-identification processes
Data already de-identified cannot be re-identified or removed
This opt-out does not affect our use of your identifiable PHI for treatment, payment, or healthcare operations
Opting out will not affect your care or services in any way
14. Data Retention and Deletion
14.1 How Long We Retain Your Information
Protected Health Information:
Medical records: Minimum 7 years from last service date (Florida requirement)
Pediatric records: Minimum until age 25 or 7 years from last service, whichever is longer
Records may be retained longer if:
Required by law
Necessary for ongoing legal matters
Needed for continuity of care
Account and Subscription Information:
Active account information: Duration of relationship
Closed account information: [X years] for business and legal compliance
Payment transaction records: [X years] for accounting and tax purposes
Privacy and Security Documentation:
Privacy policies and procedures: 6 years from creation or last effective date
Authorization forms: 6 years from creation or last use
Breach documentation: 6 years from breach resolution
Security incident records: 6 years per HIPAA requirements
Technical and Usage Data:
Usage logs and analytics: [X years] or until no longer needed
Security logs: Minimum 6 years per HIPAA
System audit trails: 6 years
14.2 Secure Deletion
When retention periods expire, we securely delete or destroy information:
Electronic Data:
Cryptographic erasure (destroying encryption keys)
Secure deletion software (DoD 5220.22-M or equivalent)
Physical destruction of storage media when retired
Verification of complete deletion
Physical Records:
Shredding or pulverizing paper records
Certified destruction services
Destruction certificates maintained
Backup Data:
Deleted from active backups per retention schedules
Historical backups retained for disaster recovery purposes with appropriate security
Backup deletion upon expiration of retention periods
14.3 Right to Request Deletion
HIPAA Does Not Require Deletion: HIPAA does not generally require covered entities to delete health information upon request, and we may be required to retain records for legal and regulatory purposes.
However:
You may request restriction on use and disclosure (see Section 5.4)
You may request amendment of inaccurate information (see Section 5.2)
You may close your account (records retained per legal requirements)
Upon account closure, we will cease using your identifiable information for purposes other than legal requirements
State Law Considerations: Some state privacy laws may provide deletion rights. Contact our Privacy Official to discuss your specific situation.
14.4 Legal Holds
We may be required to retain information longer than standard retention periods when:
Legal proceedings are pending or reasonably anticipated
Government investigations are ongoing
Regulatory audits require extended retention
Other legal obligations mandate preservation
In these situations, legal holds override standard retention periods.
15. Changes to This Privacy Policy
15.1 Policy Updates
We reserve the right to amend this Privacy Policy at any time. Changes may be necessary due to:
Legal or regulatory requirements
Changes in our services or operations
Enhanced privacy protections
Technological developments
Best practice evolution
15.2 Material Changes
HIPAA Requirements for Material Changes:
We may not implement material changes to our privacy practices before updating and distributing the revised notice
Material changes include significant alterations to how we use or disclose PHI
How We Notify You of Material Changes:
Updated Privacy Policy posted on our website with new effective date
Notification via email to address on file
Notice in patient portal upon login
Notice at service locations
Available in print upon request
Effective Date:
Changes effective on the date specified in the revised policy
We will apply changes to all PHI we maintain, including information created or received before the change (unless otherwise specified)
15.3 Accessing Current Policy
The current Privacy Policy is always available:
On our website at [website URL]
In your patient portal
By contacting our Privacy Official
At our office locations
You may request a paper copy at any time
15.4 Policy Version History
We maintain records of:
All versions of this Privacy Policy
Effective dates of each version
Material changes between versions
Retained for 6 years per HIPAA requirements
16. State-Specific Privacy Rights
16.1 Florida Residents
As detailed throughout this policy, Florida provides additional privacy protections:
30-day breach notification requirement (Section 11)
Constitutional privacy right for medical records
Written authorization requirements for certain disclosures
Enhanced HIV/AIDS confidentiality protections
Geographic data storage restrictions (U.S., territories, or Canada only)
Subpoena notice requirements
Marketing prohibition without specific authorization
16.2 Other State Residents
If you reside in another state with additional privacy protections, those protections apply to your information. States with comprehensive privacy laws include:
California (CCPA/CPRA)
Virginia (VCDPA)
Colorado (CPA)
Connecticut (CTDPA)
Utah (UCPA)
And others
Please contact our Privacy Official if you wish to exercise rights under your state's privacy law.
16.3 Biometric Information
Some states have specific laws protecting biometric information (fingerprints, facial scans, voiceprints, retina scans, etc.). If we collect biometric information:
We will obtain specific consent as required by state law
Provide notice of purpose and duration of retention
Implement heightened security measures
Not sell or disclose without consent
Comply with Illinois BIPA, Texas biometric law, Washington biometric law, and others as applicable
Current Practice: Tengrium Health does not currently collect biometric information for identification purposes.
17. Contact Information and Filing Complaints
17.1 Privacy Official Contact Information
For questions about this Privacy Policy, to exercise your privacy rights, or for any privacy concerns:
Tengrium Health Privacy Official
[Name or Title]
[Street Address]
[City], Florida [ZIP Code]
Email: privacy@tengriumhealth.com
Phone: [Phone Number] (Toll-Free: [Toll-Free Number])
Fax: [Fax Number]
Office Hours: [Hours and Time Zone]
17.2 Customer Service
For general questions, account support, or subscription assistance:
Customer Service
Email: support@tengriumhealth.com
Phone: [Phone Number]
Hours: [Hours and Time Zone]
17.3 Security Incidents
To report security incidents or suspected unauthorized access:
Security Team
Email: security@tengriumhealth.com
Phone: [Emergency Security Hotline]
Available: 24/7 for security emergencies
17.4 Filing a Complaint
You have the right to file a complaint if you believe your privacy rights have been violated.
Internal Complaints - File with Tengrium Health:
Contact our Privacy Official using the information in Section 17.1 above.
You may submit complaints:
In writing by mail
By email to privacy@tengriumhealth.com
By phone at [phone number]
In person at our office during business hours
What to Include:
Your name and contact information
Description of your privacy concern
Date(s) of incident(s)
Any relevant details or documentation
Our Response:
We will acknowledge receipt of your complaint within [timeframe]
We will investigate all complaints thoroughly
We will respond with our findings and any corrective action taken
Investigation typically completed within [timeframe]
Federal Complaints - File with HHS Office for Civil Rights:
You also have the right to file a complaint with the U.S. Department of Health and Human Services:
U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Phone: 1-877-696-6775
TTY: 1-800-537-7697
Online Complaint Portal: https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf
Email: OCRComplaint@hhs.gov
OCR Regional Office for Florida:
Region IV Office
U.S. Department of Health and Human Services
Office for Civil Rights
Sam Nunn Atlanta Federal Center, Suite 16T70
61 Forsyth Street, S.W.
Atlanta, GA 30303-8909
Phone: (404) 562-7886
TDD: (404) 331-2867
Fax: (404) 562-7881
Important Filing Information:
Complaints to HHS must be filed within 180 days of when you knew or should have known of the act or omission
OCR has a standard complaint form available on their website
You may file online, by mail, by fax, or by email
Florida Department of Legal Affairs:
For complaints related to Florida data breach notification:
Florida Attorney General
Office of the Attorney General
PL-01, The Capitol
Tallahassee, FL 32399-1050
Phone: (850) 414-3990
Website: myfloridalegal.com
17.5 No Retaliation Policy
We will not retaliate against you in any way for filing a complaint.
Filing a complaint will not affect your treatment or services
We will not deny, delay, or otherwise discriminate based on complaints
No penalties or consequences for exercising your rights
We welcome feedback and take all complaints seriously
Protection Against Retaliation is a Legal Requirement: HIPAA prohibits covered entities from intimidating, threatening, coercing, discriminating against, or retaliating against any individual for:
Exercising HIPAA privacy rights
Filing a complaint with HHS or internally
Testifying or participating in investigations or compliance proceedings
Opposing practices believed unlawful under HIPAA
18. Additional Legal Information
18.1 Effective Date and Acknowledgment
Effective Date: [INSERT DATE]
This Privacy Policy is effective as of the date listed above and remains in effect until superseded by a revised version.
Acknowledgment:
When you create a Tengrium Health account, you will be asked to acknowledge receipt of this Privacy Policy
Your use of our services indicates acceptance of the practices described
You may request a copy at any time without affecting your services
18.2 Relationship to Other Documents
This Privacy Policy works together with other documents:
Notice of Privacy Practices (NPP): Upon launch of healthcare services, as a HIPAA-covered entity, we will provide a separate Notice of Privacy Practices that describes in detail how we use and disclose your PHI for treatment, payment, and healthcare operations. Both this Privacy Policy and the NPP will apply to our handling of your information.
Terms of Service: Our Terms of Service govern your use of the Tengrium Health platform and services. Privacy practices described in this policy are incorporated into the Terms of Service.
Business Associate Agreements: Our vendors and service providers who handle PHI on our behalf have separate Business Associate Agreements that legally require them to protect your information.
Consent Forms: Specific consent forms may be required for particular uses of your information (e.g., telehealth consent, research participation, marketing authorizations).
18.3 Compliance Certifications
Tengrium Health maintains compliance with:
HIPAA Privacy Rule (45 CFR Part 164, Subpart E)
HIPAA Security Rule (45 CFR Part 164, Subparts A and C)
HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D)
Florida Information Protection Act (FL Stat. § 501.171)
Florida medical records privacy laws (FL Stat. § 456.057)
PCI DSS (Payment Card Industry Data Security Standards)
Florida Electronic Health Records geographic restrictions (FL SB 264)
18.4 Independent Legal Review Recommended
LEGAL REVIEW NOTICE:
This Privacy Policy has been drafted based on current HIPAA regulations, Florida state privacy laws, and healthcare privacy best practices.
⚠️ Before launching healthcare services and implementing this Privacy Policy for actual patient care, Tengrium Health will have it reviewed, and may implement improvements and add further restrictions based on the recommendations of qualified legal counsel experienced in:
Healthcare privacy law and HIPAA compliance
Florida health law and state-specific requirements
Digital health and telehealth regulation
AI/ML healthcare applications and data governance
Health information technology law
Key areas requiring particular legal attention:
Confirmation of Covered Entity status under HIPAA
Verification that AI de-identification processes meet Safe Harbor requirements
Review of business associate relationships and agreements
Compliance with Florida's more stringent requirements
Coordination with separate Notice of Privacy Practices (NPP)
Subscription billing practices and relationship to HIPAA
State-specific requirements for telehealth across states where services are provided
Any Medicare/Medicaid considerations if applicable in future
Specific de-identification methodologies and documentation
Out-of-state patient privacy rights if serving patients beyond Florida
18.5 Notice of Privacy Practices (NPP) Requirement
IMPORTANT: Separate NPP Required Upon Launch
Upon launch of healthcare services, in addition to this Privacy Policy, HIPAA requires Covered Entities to provide patients with a Notice of Privacy Practices (NPP) per 45 CFR § 164.520.
Why Both Documents Are Needed:
Privacy Policy (This Document):
Applies to all website users and platform visitors
Addresses website cookies, analytics, and tracking
Covers subscription and payment information
Explains platform security and technology
General privacy practices for all users
Notice of Privacy Practices (Required Separate Document):
Specifically for patients receiving healthcare services
HIPAA-mandated format and required content
Detailed description of permitted uses of PHI for treatment, payment, and operations
Must include all 6 patient rights in specific format
Must include specific statements about covered entity duties
Must be provided no later than first service delivery
Must obtain written acknowledgment of receipt (or document good faith efforts)
Must be posted prominently at service sites and on website
Must be available in print form
NPP Distribution Requirements:
Provide at first service encounter
Make good faith effort to obtain written acknowledgment
Post prominently where patients can read
Post on website
Provide revised NPP if material changes occur
Recommendation: Tengrium Health should work with legal counsel to develop a compliant HIPAA Notice of Privacy Practices that coordinates with but does not duplicate this Privacy Policy.
18.6 Governing Law
This Privacy Policy is governed by:
Federal law (HIPAA and related regulations)
Florida state law
Where federal and state law conflict, the more stringent protection applies
18.7 Severability
If any provision of this Privacy Policy is found to be invalid or unenforceable, the remaining provisions will remain in full force and effect.
18.8 Languages and Translations
Primary Language: English
Section 1557 of the Affordable Care Act Requirements: As a healthcare provider, we are required to provide taglines in the top 15 languages spoken by individuals with limited English proficiency in the state.
Translation Availability: [If translations available, list languages and how to access]
Language Assistance: We provide free language assistance services. To request an interpreter or translated materials:
Email info@tengrium.com
Indicate language assistance needs when scheduling appointments
19. Glossary of Terms
Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form or medium by a covered entity or business associate, excluding certain educational and employment records.
Covered Entity: Health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with HIPAA-covered transactions.
Business Associate: A person or entity that performs functions or activities on behalf of, or provides services to, a covered entity that involve access to protected health information.
De-identified Information: Health information from which all 18 identifiers specified in the HIPAA Safe Harbor method have been removed, and for which the covered entity has no actual knowledge that the remaining information could be used to identify an individual.
Limited Data Set: PHI that excludes 16 direct identifiers but may include city, state, ZIP code, dates, and ages.
Treatment: Provision, coordination, or management of healthcare and related services, including consultation between providers and referral of patients.
Payment: Activities to obtain reimbursement for healthcare services, including billing, claims management, and utilization review.
Healthcare Operations: Administrative, quality improvement, training, credentialing, and business activities necessary to run a healthcare organization and support treatment and payment.
Minimum Necessary: The HIPAA requirement to use, disclose, or request only the minimum amount of PHI needed to accomplish the intended purpose.
Authorization: Written permission from a patient allowing specific uses or disclosures of their PHI beyond what is permitted for treatment, payment, and operations.
Breach: An impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI.
Encryption: The use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without the use of a confidential process or key.
Business Associate Agreement (BAA): A written contract between a covered entity and business associate that specifies how PHI will be protected and used.
HIPAA: The Health Insurance Portability and Accountability Act of 1996, federal legislation that provides data privacy and security provisions for protecting medical information.
Safe Harbor Method: A de-identification method that requires removal of 18 specific identifiers and confirmation that the covered entity has no actual knowledge that remaining information could identify an individual.
Expert Determination: A de-identification method that relies on a qualified expert to determine that the risk of re-identification is very small using generally accepted statistical and scientific principles.
20. Additional Resources
20.1 HIPAA Resources
HHS Office for Civil Rights:
Website: https://www.hhs.gov/hipaa
HIPAA Privacy Rule: https://www.hhs.gov/hipaa/for-professionals/privacy
Your Rights Under HIPAA: https://www.hhs.gov/hipaa/for-individuals
Healthcare Provider Resources:
Breach Notification Rule: https://www.hhs.gov/hipaa/for-professionals/breach-notification
Security Rule Guidance: https://www.hhs.gov/hipaa/for-professionals/security
Telehealth Guidance: https://telehealth.hhs.gov/providers/preparing-patients-for-telehealth/privacy-and-security-in-telehealth
20.2 Florida Resources
Florida Department of Health:
Website: http://www.floridahealth.gov
Privacy inquiries: [Florida DOH contact]
Florida Attorney General:
Data Breach Resources: https://www.myfloridalegal.com
Consumer Protection: [Contact information]
20.3 Patient Rights Information
Patient Advocate Foundation:
Website: https://www.patientadvocate.org
Helps patients with access to care, medical debt, and insurance issues
National Patient Safety Foundation:
Resources on healthcare quality and safety
Patient rights education
20.4 Identity Theft Resources
If your information is involved in a breach, these resources can help:
Federal Trade Commission:
Identity Theft Website: https://www.identitytheft.gov
Phone: 1-877-ID-THEFT (1-877-438-4338)
Credit Reporting Agencies:
Equifax: 1-800-685-1111 / https://www.equifax.com
Experian: 1-888-397-3742 / https://www.experian.com
TransUnion: 1-800-888-4213 / https://www.transunion.com
Annual Credit Report:
Free annual credit reports: https://www.annualcreditreport.com
Phone: 1-877-322-8228
Conclusion
Thank you for your interest in Tengrium Health. We are committed to protecting your privacy while developing a high-quality, technology-enabled healthcare platform.
This Privacy Policy reflects our dedication to transparency, compliance with all applicable laws, and implementation of robust security measures to safeguard your information. While we are currently in pre-launch development, we are building our platform with privacy and security at its foundation.
When we launch healthcare services, these comprehensive protections will be fully operational, and we will notify all interested individuals about the availability of our services.
If you have any questions about this Privacy Policy or our privacy practices, please contact our Privacy Official using the contact information provided in Section 17.
Last Updated: October 04, 2025