Privacy Policy
Effective Date: April 9, 2025
Last Updated: April 9, 2025
Updated from November 25, 2024.
1. Introduction
Pamastay Inc. ("we," "us," "Pamastay," or "our") is committed to protecting the privacy and security of the information we handle. This Privacy Policy describes how we collect, use, disclose, and protect information in connection with our services, which include denial prediction, provider insights, compliance support tools, and related analytics (collectively, the "Services"), as well as through our website pamastay.com.
We provide Services primarily to healthcare providers, payers, and other healthcare-related organizations (our "Clients"). Crucially, in providing these Services, Pamastay acts as a "Business Associate" as defined under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, "HIPAA"). Our collection, use, and disclosure of Protected Health Information (PHI) received from or on behalf of our Clients are strictly governed by HIPAA and the specific terms of the Business Associate Agreement ("BAA") executed with each Client.
This Policy applies to:
Information, including PHI, processed through our Services on behalf of our Clients under a BAA.
Personal Information collected directly from visitors to our website and individuals who interact with us (e.g., for sales inquiries, support, marketing).
2. Definitions
Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form or medium by a Covered Entity or its Business Associate, as defined by HIPAA.
Covered Entity: Health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards, as defined by HIPAA. Our Clients are typically Covered Entities.
Business Associate: A person or entity (like Pamastay) that performs certain functions or activities involving the use or disclosure of PHI on behalf of, or provides services to, a Covered Entity, as defined by HIPAA.
Business Associate Agreement (BAA): A written contract between a Covered Entity and a Business Associate, required by HIPAA, that details the permissible uses and disclosures of PHI and requires the protection of that PHI according to HIPAA standards.
Personal Information: Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. PHI is a specific type of Personal Information in the healthcare context.
Services: Our denial prediction, provider insights, compliance support tools, analytics platforms, and related offerings provided to Clients.
3. Information We Collect
We collect different types of information depending on your interaction with us:
A. Information Processed on Behalf of Our Clients (as a Business Associate):
Protected Health Information (PHI): Governed by the BAA with the Client, this may include patient demographics, medical record numbers, diagnoses, treatment information, procedure codes, provider information, claims data, insurance information, and notes related to claim denials or compliance reviews. The specific PHI depends entirely on the data provided by the Client for the engaged Service.
Client Operational Data: Client-specific operational information related to the Services (e.g., provider identifiers, facility information, claim submission logs) which may or may not contain PHI.
B. Personal Information Collected Directly:
Contact Information: Name, email address, phone number, job title, company name when you fill out forms, request demos, register for webinars, or contact us.
Usage Information: Information about your interaction with our website (IP address, browser type, OS, pages visited, clicks, referring URLs, timestamps) collected via cookies and similar technologies. Contact us at product@pamastay.com for more details about cookies.
Marketing Preferences: Your choices regarding receiving marketing communications.
4. How We Use Information
A. Use of PHI and Client Operational Data (Processed as a Business Associate):
Strictly Limited by BAA and HIPAA: Our use and disclosure of PHI are confined to those permitted or required by the governing BAA and HIPAA.
Primary Purposes: To perform the specific Services contracted by our Clients (denial prediction, provider insights, compliance analysis); to fulfill our contractual obligations under the BAA; for our proper management and administration or to carry out our legal responsibilities, only as permitted by the BAA and HIPAA.
Service Improvement & De-identification: We may use PHI to improve our Services or create de-identified or aggregated data sets only if and as explicitly permitted by the applicable BAA and HIPAA. De-identified data, created in accordance with HIPAA standards, is not PHI and not subject to HIPAA's privacy restrictions.
We do not use PHI for any purpose not authorized in the BAA or by law.
B. Use of Personal Information Collected Directly:
To operate, maintain, secure, and improve our website.
To respond to your inquiries, provide support, and manage our relationship with you.
To send marketing communications, newsletters, and event invitations where you have consented or as otherwise permitted by law. You may opt out at any time, though Pamastay does not currently engage in any marketing based on activities on our website.
To analyze website usage and trends for improving user experience and marketing efforts.
For security monitoring, fraud detection, and prevention.
To comply with legal and regulatory obligations.
5. How We Share and Disclose Information
A. Sharing of PHI (Processed as a Business Associate):
As Directed by BAA and HIPAA: We share PHI only as permitted or required by the BAA with the respective Client and by HIPAA.
With the Covered Entity Client: Returning processed data, reports, and insights generated through the Services.
With Our Subcontractors (Downstream Business Associates): We may utilize subcontractors to assist in providing the Services. If these subcontractors require access to PHI, they must enter into a formal Business Associate Agreement with us that provides comparable protections for the PHI as our BAA with the Client. We remain responsible for ensuring our subcontractors comply with these obligations.
As Required by Law: If legally compelled by subpoena, court order, or other legal process, or as required for public health or health oversight activities under HIPAA.
We Do Not Sell PHI. Under no circumstances do we sell PHI received from our Clients.
B. Sharing of Personal Information Collected Directly:
Service Providers: With third-party vendors performing services on our behalf (e.g., hosting, analytics, CRM, email delivery), who are contractually bound to protect the data and use it only for the services requested.
Legal Requirements: If required by law or in good faith belief that disclosure is necessary to protect our rights, ensure safety, or comply with a legal proceeding.
Business Transfers: In connection with a merger, acquisition, financing, or sale of assets, information may be transferred, subject to confidentiality agreements.
Sale/Sharing under CCPA/CPRA: We do not sell or share Personal Information collected directly from website visitors or other direct interactions, as those terms are defined under the CCPA/CPRA.
6. Data Security
We implement and maintain a comprehensive security program with reasonable and appropriate administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of all information we process, including PHI. Our security measures are designed to align with the requirements of the HIPAA Security Rule and incorporate industry best practices. These include, but are not limited to:
Access controls and authentication mechanisms.
Encryption of PHI at rest and in transit where appropriate and feasible.
Regular vulnerability scanning and penetration testing.
Security awareness training for personnel.
Incident detection and response plan.
Cloud services that maintain HIPAA-compliant practices.
We guarantee industry best practices in data management.
7. Data Retention
PHI: We retain PHI only for the period necessary to provide Services to our Clients, as defined in our BAAs, or as required by law. Upon termination of a BAA, we will return or destroy PHI as stipulated in the agreement and required by HIPAA, unless legally obligated to retain it.
Personal Information Collected Directly: We retain this information for as long as needed to fulfill the purposes outlined in this Policy, maintain our business relationship, or comply with legal, accounting, or reporting requirements.
8. Your Rights Regarding Your Information
A. Rights Regarding Your Protected Health Information (PHI):
Contact Your Provider (Covered Entity): Because we act as a Business Associate, individuals (patients) seeking to exercise their rights under HIPAA concerning their PHI that we may process on behalf of a healthcare provider or plan (our Client/Covered Entity) – such as the right to access, amend, request restrictions on use/disclosure, or receive an accounting of disclosures – must contact their healthcare provider or health plan directly.
Please refer to your provider's or plan's Notice of Privacy Practices for instructions. We will assist our Clients in responding to these requests as required by our BAA and HIPAA.
B. Rights Regarding Personal Information We Collect Directly (Including California Privacy Rights):
You may have certain rights regarding the Personal Information we collect directly from you (e.g., via our website). Depending on applicable law (such as the California Consumer Privacy Act/California Privacy Rights Act - CCPA/CPRA for California residents), these rights may include:
Right to Know/Access: Request details about the categories and specific pieces of Personal Information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share it.
Right to Delete: Request deletion of your Personal Information, subject to certain exceptions (e.g., necessary to complete a transaction, detect security incidents, comply with legal obligations).
Right to Correct: Request correction of inaccurate Personal Information we maintain about you.
Exercising These Rights: To exercise rights regarding your directly collected Personal Information, please contact us using the methods provided in Section 12. We will need to verify your identity before processing your request and will respond within the timeframes required by law.
9. Children's Privacy
Our Services and website are not intended for or directed to children under the age of 16. We do not knowingly collect Personal Information from children under 16. If we learn we have inadvertently collected such information, we will take steps to delete it.
10. Changes to This Privacy Policy
We reserve the right to amend this Privacy Policy at any time. If we make material changes, we will notify you by posting the updated policy on our website and updating the "Last Updated" date. We encourage you to review this Policy periodically. Continued use of our website or Services after changes are posted constitutes acceptance of the revised policy, subject to applicable law.
11. Contact Us