← Back to NEXQ Legal Center

Contract effective date: September 18, 2024. Audit release: July 9, 2026. Runtime consent and session timestamps are recorded when users actually interact with NEXQ systems.

Healthcare Privacy Policy

Template and counsel-review notice. This document is a website/app integration template, not a legal opinion. Before publication, replace bracketed placeholders, confirm actual data flows, obtain advice from qualified counsel for each jurisdiction and regulated workflow, and approve final wording through privacy, security, product, marketing, health/clinical, and executive stakeholders. Do not promise controls, certifications, response times, retention periods, or legal rights unless they are actually implemented and operationally supported.

Effective date: September 18, 2024
Last updated: September 18, 2024
Organization: NEXQ Inc.
Services covered: NEXQ websites, web applications, protected workspace surfaces, mobile app surfaces, APIs, secure healthcare and healthtech workflow demonstrations, quantum encryption, diagnostics, oncology, longevity, research collaboration, support, and related services
Privacy contact: hello@nexq.us
Security contact: hello@nexq.us
Mailing address: Irvine, CA, United States — contact hello@nexq.us for legal notices

1. Scope

This policy applies when the organization creates, receives, maintains, or transmits protected health information (PHI/ePHI) as a HIPAA covered entity, business associate, subcontractor, technology vendor, hospital service provider, telehealth vendor, patient portal operator, or healthcare integration provider. It also includes guardrails for non-HIPAA consumer health data.

2. HIPAA baseline

Where HIPAA applies, implement Privacy Rule, Security Rule, and Breach Notification Rule obligations through written policies, workforce training, access controls, audit logs, encryption, device/media controls, business associate agreements, minimum necessary practices, individual-rights workflows, sanctions, and incident response.

3. Business associate and subcontractor controls

Do not receive PHI/ePHI until a valid Business Associate Agreement or customer-approved equivalent is executed. Subcontractors that handle PHI/ePHI must sign flow-down terms. Contracts should address permitted uses/disclosures, safeguards, breach reporting, access/amendment/accounting support, return/destruction, audit cooperation, and termination.

4. 42 CFR Part 2 and substance-use-disorder information

Part 2 records and substance-use-disorder treatment information require additional review. Covered entities that maintain notices of privacy practices must include applicable Part 2/SUD information in notices as required on the compliance schedule. Treat SUD-related data as highly sensitive and route disclosures, subpoenas, and law-enforcement requests to legal.

5. Reproductive health information

Requests for reproductive health information require special scrutiny and attestation workflows where applicable. Do not disclose reproductive health information for prohibited purposes or in response to ambiguous third-party requests without legal review.

6. Online tracking technologies

Healthcare websites, portals, mobile apps, scheduling pages, symptom pages, condition pages, billing pages, and patient communications must not deploy advertising trackers, retargeting tags, unapproved analytics, or session replay unless privacy/security/legal review concludes the use is lawful and contractually permitted. HHS tracking-technology guidance and related litigation should be reviewed before deployment.

7. FTC Health Breach Notification Rule and consumer health data

Health apps, connected devices, wellness services, and other non-HIPAA health services may be regulated by the FTC Health Breach Notification Rule and state consumer-health-data laws. Maintain incident criteria for unauthorized acquisition, disclosure, or access involving identifiable health information.

8. Minimum necessary and access controls

PHI/ePHI access must be role-based, logged, reviewed, and limited to the minimum necessary. Use MFA for privileged and remote access, encrypt ePHI in transit and at rest where appropriate, segregate tenant/customer data, and conduct periodic access reviews.

9. Individual rights and patient requests

Support access, amendment, accounting, restriction, confidential communications, and privacy complaint workflows where applicable. Coordinate with the covered entity customer when operating as a business associate.

10. Breach and incident response

Escalate suspected incidents immediately. Determine whether HIPAA, Part 2, FTC Health Breach Notification Rule, state breach laws, state consumer-health-data laws, app-store notices, customer contracts, OCR/FTC/state AG notice, or media notice obligations apply.