NXiOne · MRM

Data & Compliance (CCPA/CPRA)

MRM — Medical Record Management — Multi-tenant, HIPAA-aligned medical-records management platform
Effective July 3, 2026 · Last updated July 3, 2026

1. Scope

This Data & Compliance notice supplements the Privacy Policy and addresses the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), and related obligations for MRM — Medical Record Management.

MRM processes personal information on behalf of its customers as a service provider under the CCPA/CPRA. We process that information only to perform the services and per our contract with the customer — not for our own commercial purposes.

2. Categories of information

In the last 12 months, MRM may have processed these CCPA categories:

3. Purposes & sources

Sources: directly from authorized users and the customer organization; automatically from use of the service; and from the integrations listed in the Privacy Policy.

Business purposes: to provide, secure, support, and improve MRM; to authenticate users; to perform the customer's directed processing; and to comply with law. We do not use the information for incompatible purposes.

4. No sale or sharing

NXiOne does not sell personal information and does not share it for cross-context behavioral advertising. We have not done so in the preceding 12 months. We do not knowingly process the personal information of children under 16 for sale or sharing.

5. Your CCPA/CPRA rights

Subject to verification and legal limits, California residents have the right to:

6. How to exercise rights

Because we act as a service provider, we will forward a rights request to the relevant customer (the business/controller) and assist them in responding, or act on the customer's instructions. If you are a customer's authorized representative, contact us directly. Submit requests to privacy@nxione.com. We will acknowledge within 10 business days and respond within 45 days (extendable by 45 days with notice). We verify requests by confirming your identity and relationship to the account; an authorized agent must provide proof of authority.

7. Sensitive information & medical data

We process sensitive personal information (which may include Social Security numbers and health/medical information) only as necessary to provide, secure, and support the service, and not to infer characteristics. We do not use or disclose it for purposes a consumer could limit under the CPRA beyond those permitted uses.

Medical information. Health/medical data is governed by the California Confidentiality of Medical Information Act (Civil Code §56 et seq.) and, as Protected Health Information, by HIPAA under a Business Associate Agreement. To the extent information is covered by those frameworks, they control, and certain CCPA/CPRA provisions may not apply to that data.

8. Security & retention

We maintain reasonable administrative, technical, and physical safeguards appropriate to the sensitivity of the data (see the Privacy Policy's Security section). PHI is retained for the term of your BAA and then returned or destroyed as the BAA requires. Backups follow a fixed rotation and are purged on their normal cycle. Audit logs are retained for the period required by HIPAA and your policies.

9. Other frameworks

MRM's handling of PHI is governed primarily by HIPAA/HITECH and the applicable Business Associate Agreement, which take precedence for PHI.

10. Contact

NXiOne — Privacy: privacy@nxione.com · Legal: legal@nxione.com · [NXiONE LEGAL ENTITY, INC.], [Registered business address].