Effective Date: June 30, 2025

Last updated: June 30, 2025

Acuity Health, Inc. ("Acuity," "we," "our," or "us") is committed to protecting the privacy and security of the data we receive through our websites, mobile applications, connected medical devices, and cloud services (collectively, the "Services"). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you ("you" or "your") interact with the Services, and the choices you have regarding that information.

HIPAA Notice

Acuity is a Business Associate to Covered Entities (e.g., hospitals, payers, home‑health agencies) under the U.S. Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). When we create, receive, maintain, or transmit Protected Health Information ("PHI") on a Covered Entity’s behalf, we do so solely as permitted by our Business Associate Agreements ("BAAs"). This Privacy Policy supplements, but does not replace, the terms of any BAA.

1. Scope

This Policy applies to information collected by Acuity from:

  • clinicians and care‑team members who use the Acuity platform; 

  • patients whose PHI is processed via integrations (e.g., EHR, CommonWell, Tenovi RPM devices); and 

  • visitors to acuity.health or any landing pages we operate.

It does not apply to information handled exclusively by third‑party providers under their own privacy policies.

2. Information We Collect

2.1 Information You Provide

  • Account & Contact Data – name, professional credentials, e‑mail, phone, organization, role.

  • Content & Communications – notes, messages, documents, or other content uploaded to the platform or sent to our support team.

  • Payment & Contract Data – billing contacts, purchase orders, and related records (where applicable).

2.2 Protected Health Information (PHI)

  • Clinical Data received from EHR systems via USCDI‑compliant FHIR APIs (e.g., conditions, labs, medications, vitals).

  • Remote Patient Monitoring Data from devices such as Tenovi weight scales, pulse oximeters, or blood‑pressure cuffs.

  • OASIS & Assessment Data captured through Acuity forms (e.g., Sections A–Q, CHI scores).

2.3 Automatically Collected Data

  • Device & Usage Information – IP address, browser type, mobile OS, referring URLs, pages visited, and clickstream logs.

  • Cookies & Similar Technologies – see Section 7 below.

3. How We Use Information

We use the information we collect to:

  1. Deliver and improve the Services – including AI‑powered care‑gap detection, Continuous Health Index (CHI) risk scores, documentation autofill, and task routing.

  2. Maintain HIPAA‑grade security – authenticate users, log access, prevent fraud, and conduct audits.

  3. Provide customer support – respond to inquiries, troubleshoot issues, and train users.

  4. Develop analytics & machine‑learning models – we may de‑identify PHI (per HIPAA 45 C.F.R. §164.514) and aggregate usage data to improve algorithms.

  5. Comply with legal obligations – respond to lawful requests, enforce contracts, and protect rights, property, or safety.

We process personal data only when we have a legal basis, such as your consent, a BAA, our legitimate interests (e.g., improving the platform), or to meet contractual and regulatory requirements.

4. How We Share & Disclose Information

We disclose information only:

  • To authorized care teams acting under HIPAA or other applicable laws;

  • With service providers (e.g., secure cloud hosting, SMS gateways) bound by confidentiality and security obligations;

  • With integrated partners (e.g., EHR vendors, Health Information Exchanges) as directed by our customers;

  • For legal, safety, or compliance reasons – when required by law, subpoena, or to protect Acuity or others; and

  • In business transfers – in connection with a merger, acquisition, or asset sale, subject to confidentiality.

We never sell PHI or personal data for advertising purposes.

5. Cookies & Tracking Technologies

We use cookies, mobile‑SDK analytics, and similar tools to remember user preferences, secure sessions, and measure platform usage. You can control cookies through your browser settings; however, disabling them may affect certain features.

6. Data Security

Acuity implements administrative, technical, and physical safeguards aligned with NIST 800‑53, ISO 27001, and the HIPAA Security Rule, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES‑256 or stronger);

  • Multi‑factor authentication and least‑privilege IAM;

  • Continuous monitoring, intrusion detection, and third‑party penetration testing;

  • Formal incident‑response and breach‑notification procedures.

7. Data Retention

We retain PHI and other personal data only as long as necessary to fulfill the purposes outlined in this Policy or as required by BAAs, law, or contract. De‑identified and aggregated data may be stored indefinitely.

8. Your Rights & Choices

Depending on your jurisdiction and relationship with Acuity, you may have rights to:

  • Access or receive a copy of your data;

  • Correct or update inaccurate information;

  • Delete or request deletion of certain data (subject to HIPAA and contractual limits);

  • Restrict or object to certain processing;

  • Receive an accounting of disclosures (PHI, per HIPAA);

  • Opt out of non‑essential cookies or marketing communications.

To exercise these rights, contact us at privacy@acuity.health. We will verify your request and respond within applicable regulatory timeframes.

9. International Data Transfers

Our primary data centers are located in the United States. If you access the Services from outside the U.S., you consent to the transfer, storage, and processing of your information in the U.S., which may have privacy laws different from your jurisdiction.

10. Children’s Privacy

The Services are not directed to children under 13. We do not knowingly collect personal data directly from children without appropriate parental or guardian consent as required by law.

11. Third‑Party Links & Integrations

Our Services may link to or integrate with third‑party sites and tools (e.g., video‑visit platforms). This Policy does not cover their practices. We encourage you to review the privacy statements of any third‑party services you use.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via in‑app notice, e‑mail, or other prominent means, and indicate the "Last updated" date. Continued use of the Services after such changes constitutes acceptance.

13. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us:

Acuity Health, Inc.
Attn: Privacy Officer
6101 Wendover Glen
E‑mail: srinivas@acuity.health
Phone: 615-415-7525

Thank you for trusting Acuity.health. We are dedicated to safeguarding your data and supporting secure, value‑based care.