1. Scope
This Data & Compliance notice supplements the Privacy Policy and addresses the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), and related obligations for MRM — Medical Record Management.
MRM processes personal information on behalf of its customers as a service provider under the CCPA/CPRA. We process that information only to perform the services and per our contract with the customer — not for our own commercial purposes.
2. Categories of information
In the last 12 months, MRM may have processed these CCPA categories:
- Identifiers — names, work emails, account IDs, and (for the subjects of records) identifiers such as name, date of birth, and Social Security number;
- Customer records — the case/records/account data described in the Privacy Policy;
- Medical information / health data — records and identifiers relating to health, handled under CMIA and HIPAA;
- Internet/network activity — logs, IP address, timestamps, actions;
- Professional information — role and organization of authorized users.
3. Purposes & sources
Sources: directly from authorized users and the customer organization; automatically from use of the service; and from the integrations listed in the Privacy Policy.
Business purposes: to provide, secure, support, and improve MRM; to authenticate users; to perform the customer's directed processing; and to comply with law. We do not use the information for incompatible purposes.
4. No sale or sharing
NXiOne does not sell personal information and does not share it for cross-context behavioral advertising. We have not done so in the preceding 12 months. We do not knowingly process the personal information of children under 16 for sale or sharing.
5. Your CCPA/CPRA rights
Subject to verification and legal limits, California residents have the right to:
- Know / access the categories and specific pieces of personal information collected;
- Delete personal information, subject to exceptions (e.g., legal hold, transaction completion, security);
- Correct inaccurate personal information;
- Opt out of sale/sharing (not applicable — we do neither);
- Limit the use of sensitive personal information to what is necessary to provide the service;
- Non-discrimination for exercising these rights.
6. How to exercise rights
Because we act as a service provider, we will forward a rights request to the relevant customer (the business/controller) and assist them in responding, or act on the customer's instructions. If you are a customer's authorized representative, contact us directly. Submit requests to privacy@nxione.com. We will acknowledge within 10 business days and respond within 45 days (extendable by 45 days with notice). We verify requests by confirming your identity and relationship to the account; an authorized agent must provide proof of authority.
7. Sensitive information & medical data
We process sensitive personal information (which may include Social Security numbers and health/medical information) only as necessary to provide, secure, and support the service, and not to infer characteristics. We do not use or disclose it for purposes a consumer could limit under the CPRA beyond those permitted uses.
Medical information. Health/medical data is governed by the California Confidentiality of Medical Information Act (Civil Code §56 et seq.) and, as Protected Health Information, by HIPAA under a Business Associate Agreement. To the extent information is covered by those frameworks, they control, and certain CCPA/CPRA provisions may not apply to that data.
8. Security & retention
We maintain reasonable administrative, technical, and physical safeguards appropriate to the sensitivity of the data (see the Privacy Policy's Security section). PHI is retained for the term of your BAA and then returned or destroyed as the BAA requires. Backups follow a fixed rotation and are purged on their normal cycle. Audit logs are retained for the period required by HIPAA and your policies.
9. Other frameworks
MRM's handling of PHI is governed primarily by HIPAA/HITECH and the applicable Business Associate Agreement, which take precedence for PHI.
10. Contact
NXiOne — Privacy: privacy@nxione.com · Legal: legal@nxione.com · [NXiONE LEGAL ENTITY, INC.], [Registered business address].