Privacy Policy

1. Introduction

ORHub ("we," "our," or "us") is a surgical coordination platform for ambulatory surgery centers (ASCs) and hospitals. We are committed to protecting your privacy and safeguarding the confidential health information entrusted to us.

This Privacy Policy describes how we collect, use, disclose, and protect information through the ORHub surgical coordination platform, including our SMS messaging services.

2. Information We Collect

2.1 Information You Provide

• Account Information: Name, email address, phone number, job title, and facility affiliation
• Professional Information: Role (surgeon, nurse, anesthesiologist, etc.), credentials, and scheduling preferences
• Patient Health Information (PHI): Patient names, medical record numbers, procedure details, and surgical scheduling information as necessary to provide coordination services
• Communication Data: Messages, notifications, and interactions within the platform

2.2 Information Collected Automatically

• Usage Data: Log files, access times, pages viewed, and features used
• Device Information: IP address, browser type, operating system, and device identifiers
• SMS Delivery Information: Message delivery status, timestamps, and carrier information

3. How We Use Your Information

We use the information we collect to:

• Provide and maintain our surgical coordination services
• Send SMS notifications about case updates, room assignments, and schedule changes
• Facilitate communication between surgical staff members
• Improve and optimize our platform based on usage patterns
• Ensure security and prevent unauthorized access
• Comply with legal obligations and healthcare regulations
• Provide customer support and respond to inquiries

4. SMS Messaging Services

4.1 Consent and Opt-In

We only send SMS messages to staff members who have explicitly opted in to receive them. You can opt in during onboarding or at any time through your account settings.

4.2 Message Types and Frequency

ORHub sends surgical coordination SMS messages including case updates, room assignments, schedule changes, and urgent notifications. Message frequency may vary based on your facility's surgical schedule and operational needs.

4.3 Opt-Out Rights

You may opt out of SMS messages at any time by:

• Replying STOP to any SMS message
• Updating your notification preferences in your account settings
• Contacting our support team at support@orhub.io

After you opt out, you will receive one final confirmation message, and then no further messages unless you opt back in.

4.4 Help and Support

For assistance with SMS messages, reply HELP to any message or contact support@orhub.io. Message and data rates from your mobile carrier may apply.

5. Data Sharing and Third-Party Disclosure

5.1 Service Providers

We share limited data with trusted service providers who assist in operating our platform:

• Cloud Infrastructure: Google Cloud Platform / Firebase (data hosting and storage)
• SMS Delivery: Twilio (SMS message transmission only)
• Authentication: Firebase Authentication (secure login services)

All service providers are bound by strict data processing agreements and are prohibited from using your data for any purpose other than providing services to ORHub.

5.2 Legal Requirements

We may disclose information when required by law, court order, or government regulation, or when necessary to:

• Comply with legal obligations
• Protect the rights, property, or safety of ORHub, our users, or the public
• Detect, prevent, or address fraud or security issues

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections outlined in this policy.

6. HIPAA Compliance

ORHub is designed to comply with the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations. We act as a Business Associate to covered healthcare entities.

6.1 Business Associate Agreements

We enter into Business Associate Agreements (BAAs) with all healthcare facilities using ORHub, establishing our obligations to safeguard Protected Health Information (PHI).

6.2 Security Safeguards

We implement administrative, physical, and technical safeguards to protect PHI:

• Encryption in transit (TLS/SSL) and at rest (AES-256)
• Role-based access controls and authentication
• Comprehensive audit logging of all PHI access
• Regular security assessments and penetration testing
• Incident response and breach notification procedures

6.3 Minimum Necessary Standard

We limit access to PHI to the minimum necessary to accomplish the intended coordination purpose. Staff members only receive information relevant to their role and assigned cases.

7. Data Storage and Security

7.1 Data Location

All data is stored on secure servers in the United States using Google Cloud Platform infrastructure with HIPAA-compliant configurations.

7.2 Security Measures

• End-to-end encryption for all data transmissions
• Encrypted database storage (AES-256)
• Multi-factor authentication options
• Regular automated backups with encryption
• 24/7 security monitoring and intrusion detection
• Annual third-party security audits

7.3 Data Retention

We retain data for as long as necessary to provide our services and comply with legal obligations:

• Active Case Data: Retained during active surgical cases and for 7 years after completion (standard medical record retention)
• User Account Data: Retained for the duration of your employment/affiliation with a facility using ORHub
• Audit Logs: Retained for 7 years to comply with HIPAA requirements
• SMS Consent Records: Retained for 7 years to demonstrate compliance with telecommunications regulations

8. Your Rights and Choices

8.1 Access and Correction

You have the right to access and update your personal information through your account settings or by contacting your facility administrator.

8.2 Data Portability

You may request a copy of your data in a structured, commonly used format by contacting support@orhub.io.

8.3 Deletion Requests

You may request deletion of your personal information, subject to legal retention requirements. Note that we may be required to retain certain PHI for compliance with HIPAA and state medical record laws.

8.4 Communication Preferences

You can manage your notification preferences, including SMS opt-in/opt-out, email frequency, and in-app alerts, through your account settings.

9. California Privacy Rights

California residents have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information is collected and how it is used
• Right to request deletion of personal information
• Right to opt-out of the sale of personal information (note: we do not sell personal information)
• Right to non-discrimination for exercising privacy rights

To exercise these rights, contact us at privacy@orhub.io with "CCPA Request" in the subject line.

10. Children's Privacy

ORHub is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will delete it immediately.

11. International Users

ORHub is based in the United States and our services are primarily intended for US healthcare facilities. If you access our services from outside the US, please be aware that your information will be transferred to, stored, and processed in the United States.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:

• Posting the updated policy on our website with a new "Last Updated" date
• Sending email notifications to registered users
• Displaying in-app notifications for significant changes

Your continued use of ORHub after changes are posted constitutes acceptance of the updated policy.