Privacy Policy
Your privacy is important to us. Learn how we protect your information.
Baxter Cobb Shared Services, LLC ("BCSS") is committed to protecting your information. This policy explains what we collect, how we use it, and your rights.
Information We Collect
We collect the following types of information:
- Protected Health Information (PHI): Medical records, treatment information, insurance details, and prescription data processed on behalf of your healthcare provider
- Personal Information: Name, contact information, date of birth, Social Security Number (when required for billing)
- Account Information: Login credentials for authorized staff of our practice clients
- Usage Information: Pages visited on this website, features used within our platform
How We Use Your Information
We use your information for:
- Providing administrative services to your healthcare provider, including billing, scheduling, and operational support
- Processing insurance claims and verifying eligibility on behalf of your provider
- Communicating with practice clients about services and updates
- Complying with legal and regulatory requirements
- Improving the quality and reliability of our services
Information Sharing and Disclosure
We may share your information with:
- Healthcare Providers: Your provider and other providers involved in coordinating your care, as directed by your healthcare provider
- Insurance and Claims Processing: Insurance companies and clearinghouses for billing and claims processing
- Legal Authorities: When required by law or court order
- Service Providers: Companies that help us provide our services, all of whom are bound by agreements that protect your information
We will never sell your personal or health information to third parties.
Data Security
We implement comprehensive security measures to protect your information:
- Industry-standard encryption for health information at rest
- Encryption in transit for all data communications
- Multi-factor authentication for administrative access
- Periodic security assessments
- HIPAA-compliant audit logging of all access to health information
- Role-based access controls and least privilege principles
- Periodic key rotation for encryption systems
- Secure data disposal procedures
BCSS maintains a comprehensive data security program consistent with the New York SHIELD Act (NY Gen. Bus. Law 899-bb), which applies to organizations handling data of New York residents regardless of business location. This program includes employee training and management, risk assessment, vendor management, secure data disposal, and incident response procedures.
Your HIPAA Rights
If your health information is processed through our services, you have rights under HIPAA. Because BCSS is a Business Associate, you should contact your healthcare provider directly to exercise these rights. Your provider is responsible for responding to your requests, and we will assist them as needed.
Your rights include the ability to:
- See and get copies of your health records
- Ask for corrections to your health information
- Ask for limits on how your information is used or shared
- Choose how your provider contacts you
- Get a list of who your information was shared with
- Get a paper copy of this privacy policy
- File a complaint with your provider, with us, or with the HHS Office for Civil Rights
For more detail, see our How We Protect Your Health Information page.
Data Retention
We retain different types of information for different periods:
- Health information: Minimum of 7 years after the last date of service, or as required by applicable state law, whichever is longer
- Minor patient records: Retained longer as required by the state in which services were provided (typically until the minor reaches the age of majority plus the standard retention period)
- Billing and financial records: Minimum of 7 years as required for tax and audit purposes
- Website usage data: Retained for up to 12 months
- Contact form submissions: Retained for 3 years unless you request earlier deletion
After the applicable retention period, records are securely destroyed using secure data disposal procedures.
California Privacy Rights (CCPA/CPRA)
Health information governed by HIPAA is generally exempt from the California Consumer Privacy Act and California Privacy Rights Act. However, other personal information we collect may be subject to these laws. If you are a California resident, you have the following rights with respect to non-HIPAA personal information:
Categories of Personal Information Collected
- Identifiers: Name, email address, phone number, mailing address
- Commercial information: Records of services purchased or considered
- Internet or electronic activity: Browsing history on our website, pages visited
- Professional or employment information: Job title and employer (for practice client staff)
Sources of Personal Information
We collect personal information directly from you (via contact forms and account registration), from your healthcare provider, and automatically through website usage.
Your California Rights
- Right to know: You can request what personal information we have collected about you, including the categories of information, the sources, the business purpose, and the categories of third parties we share it with
- Right to delete: You can request that we delete your personal information, subject to legal exceptions
- Right to correct: You can request that we correct inaccurate personal information
- Right to limit use of sensitive personal information: You can ask us to limit our use of sensitive personal information to what is necessary to provide our services
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights
To exercise any of these rights, contact our Privacy Officer using the information below.
Connecticut and Virginia Privacy Rights
If you are a resident of Connecticut or Virginia, you may have the following rights with respect to non-HIPAA personal information:
- Right to access: Request access to the personal data we process about you
- Right to correct: Request correction of inaccurate personal data
- Right to delete: Request deletion of your personal data
- Right to data portability: Obtain a copy of your personal data in a portable format
- Right to opt out of targeted advertising: We do not engage in targeted advertising, but you may opt out if this changes
- Right to opt out of profiling: You may opt out of automated decision-making that produces legal or similarly significant effects
- Right to appeal: If we decline your request, you have the right to appeal our decision. We will respond to appeals within 60 days
Other State Privacy Laws
We comply with all applicable state privacy laws, including but not limited to those in Colorado, Texas, Oregon, Montana, and Utah. If you are a resident of a state with consumer privacy legislation, you may have similar rights to access, correct, delete, and port your non-HIPAA personal information.
Contact our Privacy Officer to exercise any state-specific privacy rights.
Do Not Sell or Share My Personal Information
BCSS does not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes. We have not sold or shared personal information in the preceding 12 months.
Changes to This Policy
We may update this privacy policy from time to time. We will notify you of any material changes by posting the new policy on this page with a new effective date.
Last updated: May 28, 2026
Contact Our Privacy Officer
For questions about this privacy policy or to exercise your rights, please contact our Privacy Officer:
Matthew N. Cobb, Privacy Officer
Baxter Cobb Shared Services, LLC
Phone: (718) 687-1980
Contact form