Privacy Policy
Effective date: January 1, 2026
Cedar Health, Inc. ("Cedar", "we", "us") provides a clinical-workflow product to medical practices and other healthcare providers. This policy describes the personal information we collect from visitors to cedarhealth.example, from users of the product (clinicians, administrators, billing staff), and from prospects who contact us — and your rights over that information.
Important scope note: when Cedar processes Protected Health Information ("PHI") on behalf of a customer that is a HIPAA covered entity, we do so as a Business Associate under a Business Associate Agreement ("BAA") signed with that customer. In that role, the customer is the controller of the PHI; their own Notice of Privacy Practices governs patient relationships; and our processing is described in the BAA. This Privacy Policy does not modify the BAA.
1. Information we collect
From website visitors
Pages viewed, referring source, browser type, and approximate location derived from IP at city level. Used in aggregate to improve our website. We use a privacy-respecting analytics provider that does not set cross-site tracking cookies.
From prospects
If you contact us, request a demo, or download a resource, we collect your name, work email, organization, role, and any context you provide. We keep this in our CRM (HubSpot) and use it to follow up.
From users of the product
When a customer creates user accounts for their staff, we receive each user's name, work email, role within the practice, and any preferences they set. We also collect:
- Authentication and session activity (when they log in, from what device).
- Audit log entries required by HIPAA (every access to PHI is recorded with user, time, action, and the record accessed).
- Bug reports and support messages.
Protected Health Information
PHI flows through Cedar only as part of the product. Cedar processes PHI strictly as the customer's Business Associate, only for the purposes set out in the BAA and the customer's instructions. The categories of PHI we process are defined per customer in their BAA; commonly they include patient identifiers, appointment information, clinical notes, billing codes, and, where the customer's workflow requires it, lab and imaging metadata.
We do not use PHI for our own analytics, for product improvement (other than incident debugging strictly scoped to a specific issue), for marketing, or for training AI models. PHI is segregated from operational data at the storage layer.
2. How we use information
We use the information above to:
- Operate the product (authenticate users, route requests, deliver features).
- Provide support to customers and respond to user-reported issues.
- Maintain the audit logs required by 45 CFR §164.312(b).
- Bill customers (Stripe processes payments under a BAA).
- Send transactional emails (account confirmations, security notifications).
- Send product updates only to people who have explicitly subscribed.
- Comply with our legal obligations (tax records, BAA notification requirements, etc.).
We do not use PHI for any purpose not authorized by the applicable BAA.
3. Subprocessors
We share data with subprocessors only as needed to operate the product. Each subprocessor that may have access to PHI has signed a HIPAA-compliant Business Associate Agreement with us:
| Subprocessor | Purpose | PHI access | BAA |
|---|---|---|---|
| Amazon Web Services (HIPAA-eligible services) | Hosting, database, storage | Yes | Yes |
| Stripe | Payments | No (PHI not transmitted) | Yes |
| Twilio | SMS appointment reminders (where customer enables) | Yes | Yes |
| Sentry | Error tracking | Yes (incidental, scrubbed before retention) | Yes |
| Resend | Transactional email | Yes (incidental) | Yes |
A current subprocessor list is maintained at cedarhealth.example/legal/subprocessors. We notify customers at least 60 days before adding a new subprocessor that will process PHI; customers may object as described in their BAA.
4. State law overlays
In addition to HIPAA, we comply with the state privacy laws applicable in each US state where customers operate, including:
- California — CMIA (Confidentiality of Medical Information Act); CCPA / CPRA where applicable to non-PHI personal information.
- New York — SHIELD Act security requirements.
- Massachusetts — 201 CMR 17.00 personal-information security requirements.
- Texas — Texas Medical Records Privacy Act.
State law that imposes more protective requirements than HIPAA on a specific data element controls for that element (HIPAA preemption analysis is performed at the data-flow level).
5. Breach notification
If we discover a breach of unsecured PHI, we notify the affected customer (covered entity) without unreasonable delay and in no case later than 60 calendar days after discovery, as required of business associates by 45 CFR §164.410. The customer is then responsible for any individual notifications under §164.404, with our cooperation.
For breaches affecting our own (non-PHI) data (for example, business contact information about prospects) we follow the breach-notification timelines required by applicable state law, which vary by state; in practice we aim to notify within 72 hours of confirmed discovery.
6. Retention
- Operational data and audit logs — retained for at least 6 years from the date of creation or the date they were last in effect, whichever is later, as required for Security Rule documentation by 45 CFR §164.316(b)(2)(i).
- PHI — retained per the customer's BAA; on termination of the BAA, we return or destroy PHI within 30 days, except where return or destruction is not feasible (in which case we extend the protections of the BAA indefinitely).
- Marketing prospect records — retained for 3 years after last contact.
- Billing records — 7 years.
7. Your rights
Patients whose PHI we process on behalf of a covered entity should direct requests for access, amendment, accounting of disclosures, or restrictions to the relevant covered entity. We support our customers in responding to these requests as required by the BAA.
For non-PHI personal information (e.g. business-contact records of prospects, user-account information of clinicians using our product):
- You may request access, correction, portability, or deletion by writing to [email protected].
- California residents have rights under the CCPA / CPRA where the data is not subject to HIPAA. PHI that we process as a business associate is exempt from the CCPA under Cal. Civ. Code §1798.146(a)(1).
- Canadian residents may submit complaints to the Office of the Privacy Commissioner of Canada (priv.gc.ca).
8. Security
Cedar maintains the administrative, physical, and technical safeguards required by the HIPAA Security Rule (45 CFR Part 164, Subpart C). Specifically:
- All PHI is encrypted at rest with AES-256 and in transit with TLS 1.2 or later.
- Access is role-based and audited; no engineer has access to production PHI outside of a customer-authorized incident.
- We maintain an annual HIPAA risk analysis under 45 CFR §164.308(a)(1)(ii)(A).
- We complete SOC 2 Type II audits annually. Customer-specific security documentation is available under NDA.
9. Children
Cedar Health is a B2B product used by clinical professionals. We do not direct the product to children; covered entities using the product may serve patients of any age and are responsible for parental-consent obligations where applicable.
10. Changes
We will notify customers of material changes to this policy through the product and by email at least 60 days before they take effect, so that customers can review and (if needed) amend their own patient-facing notices.
11. Contact
[email protected]
Cedar Health, Inc., 200 Health Plaza, Boston, MA 02115, USA.
