Privacy Policy

CandiHealth Privacy Policy 

Effective Date: Sept 4th, 2025 

1. Definitions

For purposes of this Privacy Policy:

– “Service” means the CandiHealth Remote Patient Monitoring (RPM) platform, including software, related applications, and the interfaces used by Clinics, authorized users, and CandiHealth staff for the monitoring of patient vitals. 

– “Personal Data” means any information relating to an identified or identifiable natural person. 

– “Protected Health Information” (PHI) means individually identifiable health information as defined under HIPAA. “ePHI” refers to electronic PHI. 

– “Covered Entity / Clinic” means the healthcare provider, clinic, hospital or other entity that enrolls patients and controls PHI. 

– “Business Associate” means an entity (including CandiHealth) that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity. 

– “Authorized User” means a Clinic employee or contractor expressly authorized by the Clinic to access the Service. 

– “Patient” means an individual enrolled by the Clinic for RPM monitoring via the Service.

– “Patient Fee” means the recurring monthly subscription fee charged per Patient for access to the Service as described in Section 2. 

 

2. Scope and Applicability 

This Privacy Policy applies to all information collected, processed, stored, or accessed by CandiHealth in connection with the provision of the Service to Clinics and their authorized users. The Service is provided for clinical use by licensed healthcare providers in the United States. Patients do not access the Service directly; Clinics exercise control over patient PHI and are responsible for obtaining any required authorizations and consents. 

 

3. Information We Collect 

CandiHealth collects the following categories of information: 

A. Patient Data (PHI / ePHI) 

  • Vital signs and device readings (e.g., blood pressure readings) and associated timestamps. 
  • Device identifiers and device status metadata provided to the Service. 
  • Alerts and notifications generated by the Service. 

B. Clinic and Authorized User Data 

  • Clinic name, address, contact details, authorized user names, email addresses and phone numbers. 
  • Billing and invoicing details required to bill Clinics for the Patient Fee. 

C. Technical Data 

  • IP addresses, browser/OS, usage logs, performance telemetry. 
  • Cellular network metadata and device connectivity logs when submitted by devices.

D. Cookies and Session Data 

  • Essential session cookies used to authenticate and maintain portal sessions. No analytics or tracking cookies are used by default. 

E. Support & Other Data 

  • Support requests, correspondence, and any information voluntarily provided to our support team. 

 

4. Billing and Patient Subscription 

– Patient Fees and Billing. CandiHealth charges a recurring Patient Fee for access to the Service. Specific fee amounts, billing schedules, proration rules, and payment terms are set forth in the separate Services Agreement, the Clinic’s onboarding paperwork, and the Clinic billing dashboard. Please consult those sources for current pricing and billing-cycle details. 

– Billing Cycle and Proration: Billing is tied to the Clinic’s billing cycle. When a Clinic’s subscription cycle begins, existing Patients are billed per the cycle. Any Patients added after the Clinic’s billing-cycle start will be billed on a pro-rated basis to align with the Clinic’s billing cycle. Clinic-level subscription terms (including billing-cycle dates) are established during onboarding and are visible in the Clinic billing dashboard. 

– Deactivation: Clinics may deactivate a Patient subscription at any time via the portal. Deactivation affects Service access and alerts as described elsewhere in this Policy and the Agreement. 

– Device independence: Devices (rental or purchased) are managed separately from Patient subscriptions. Device ownership, rental terms, and device-specific fees (if any) are governed by separate device-order paperwork and are not required to be linked to Patient subscription billing. 

 

5. How We Use Your Information

We use Personal Data and PHI to provide and improve the Service, including: 

– Service delivery, monitoring, and alerting to authorized Clinic users. 

– Billing and invoicing of Patients and Clinics. 

– Technical operations, troubleshooting, maintenance, and system analytics (de-identified). 

– Compliance with legal obligations and responses to lawful requests. 

– Aggregated, de-identified research and product improvements only with Clinic authorization for PHI-level research. 

 

6. Data Sharing and Disclosure 

CandiHealth may disclose Personal Data in the following limited circumstances: 

A. With the Clinic 

  • PHI is shared with the Clinic’s authorized users to enable patient care. 

B. With Business Associates and Vendors 

  • We engage third-party vendors and contractors to perform services on our behalf (e.g., hosting, messaging, analytics, support). Any vendor that handles PHI will be subject to a Business Associate Agreement (BAA) or equivalent contractual safeguards. Example categories: 

  • AWS (hosting, backup, email and log storage) 

  • Twilio (SMS notifications and conversations) 

  • Device manufacturers (when handling data) 

 

Device manufacturers that will have access to PHI (for example, via cloud services, remote diagnostics, or support logs) are Business Associates and must execute a BAA before any PHI disclosure. Manufacturers that only supply hardware and do not access PHI must enter into a Vendor Security Agreement confirming they do not access PHI, require secure firmware/update practices, and agree to prompt notification of security incidents. 

 

C. Legal Requirements 

  • We may disclose information when required by law, regulation, subpoena, court order, or government request. 

D. Business Transfers 

  • In a sale, merger, or other business transaction, Personal Data may be transferred to an acquiring entity. Clinics will be notified in advance where legally required. 

E. De-identified / Aggregate Data 

  • We may use or share aggregated, de-identified data that cannot reasonably be used to identify an individual. 

 

7. Business Associate Agreements and Audit Requests 

– CandiHealth executes BAAs with any third party that will receive or process PHI on our behalf. Clinics may request evidence of BAAs or compliance artifacts. 

– Response to Requests: We will respond to valid, documented requests for audit documentation, copies of BAAs, or compliance evidence in accordance with the timelines described in Section 9 (Patient Rights (HIPAA) and Request Process). 

– Verification: To protect PHI, CandiHealth will verify the identity and authority of any individual or entity requesting PHI or compliance documents before disclosure. 

 

8. Data Retention and Deletion (PER LAW) 

– CandiHealth retains Personal Data and PHI in compliance with applicable federal, state, and local laws and the Clinic’s recordkeeping policies. 

– Clinics may request specific retention or deletion instructions; we will comply where legally permitted and in accordance with the Clinic’s lawful direction. 

– Where law requires retention for certain periods (e.g., state medical record retention requirements), we will retain PHI for the applicable period even if a Clinic requests earlier deletion. 

 

Return or Secure Destruction of PHI — Manual Review Process 

CandiHealth recognizes that Clinics (Covered Entities) control their patients’ PHI and may request return or secure destruction of PHI maintained by CandiHealth. Upon receiving a written request from an authorized Clinic representative to return or destroy PHI, CandiHealth will: 

 

  1. Acknowledge receipt of the request within five (5) business days. 
  2. Conduct a compliance review to determine whether the requested return or destruction is legally and technically feasible, including review of applicable state and federal retention requirements and any contractual obligations (including the Business Associate Agreement). CandiHealth will complete this review and notify the Clinic of the outcome within thirty (30) calendar days of receipt of the request. 
  3. If CandiHealth determines the request is feasible, it will, at the Clinic’s election, (a) return the PHI to the Clinic or (b) securely destroy the PHI and provide certification of destruction. CandiHealth will complete the return or destruction as soon as reasonably practicable and, unless otherwise agreed, within thirty (30) calendar days after confirming feasibility. 
  4. If CandiHealth determines the request is not feasible (for example, because applicable law requires longer retention, or PHI resides in immutable backups that cannot be segregated), CandiHealth will notify the Clinic, explain the reasons, and continue to protect the PHI in accordance with this Privacy Policy and the applicable BAA. In such cases CandiHealth will not use or disclose the PHI except as required by law or as the Clinic directs. 

 

9. Patient Rights (HIPAA) and Request Process 

– Patients have rights under HIPAA (access, amendment, accounting of disclosures, restriction requests, confidential communications). Because Clinics control PHI, patients should submit requests to their Clinic. The Clinic will coordinate with CandiHealth to fulfill requests in accordance with HIPAA timelines. 

– CandiHealth Commitment on Requests: We will respond to all valid requests (including data subject access requests, audit requests, and requests for BAAs/compliance evidence) within one calendar month of receipt. If the request is complex or a number of requests are made, we may extend our response period by up to an additional two months. In such a case, we will notify the requester within the initial one-month period and explain the reason for the extension.

– Verification: To protect Personal Data, we will need to verify your identity before fulfilling any request. The response timeline will not begin until identity verification is successful. 

– To exercise rights or submit a request, contact the Clinic in the first instance or email contact@candihealth.com for assistance. 

 

10. Cookies, Tracking & “Do Not Track” 

– CandiHealth uses only essential session cookies necessary to operate the portal. We do not use analytics or tracking cookies by default. 

– If Clinic-level analytics are later enabled, that functionality will be disclosed and Clinics will have the option to enable or disable it for their organization. Clinics may request that we disable any non-essential cookies by emailing contact@candihealth.com. 

– CandiHealth does not currently respond to Do Not Track signals. 

 

Anonymous Analytics 

We may use third-party analytics providers to collect anonymized, aggregated usage statistics about how Clinics and authorized users interact with the Service (for example: pages visited, time on page, feature usage). These analytics are used only to improve functionality, performance, and user experience, and are not used to identify Patients. We will never send Protected Health Information (PHI) or any patient identifiers to analytics services. 

Example data types: aggregate event counts, page view totals, anonymized session durations, and non-identifying device type statistics.

Any analytics vendor that processes data on our behalf will be subject to contractual data protection terms and will not receive PHI. 

Clinics may opt out of non-essential analytics for their organization by contacting contact@candihealth.com. If you are a Clinic admin and require analytics to be disabled immediately for your org, contact us and we will disable it for your account. 

 

11. California Privacy (CCPA/CalOPPA) 

– California residents may submit verifiable requests to learn categories of Personal Data we collect, request deletion, or opt-out of any sale of Personal Data. CandiHealth DOES NOT SELL Personal Data. 

– Submit requests via contact@candihealth.com. We will follow the timelines and verification procedures described in Section 9 when responding to CCPA requests. 

– We will not discriminate against individuals for exercising their California privacy rights. 

 

HIPAA & PHI (how this interacts with California privacy laws) 

Protected Health Information (PHI) that CandiHealth receives from or processes on behalf of a Covered Entity (Clinic) is subject to HIPAA and the terms of the applicable Business Associate Agreement (BAA). Such PHI is generally exempt from the CCPA/CPRA to the extent it is regulated by HIPAA. If you are seeking access, deletion, or other CCPA/CPRA-type rights for information that is PHI and controlled by a Clinic, please submit your request to the Clinic in the first instance; the Clinic may coordinate with CandiHealth under the BAA. For non-PHI personal information (for example, employee contact details, billing contacts, or support correspondence), CandiHealth will handle California privacy requests in accordance with this Section 11. 

 

CPRA Thresholds and Applicability 

Whether CandiHealth is a “business” covered by the CPRA depends on statutory thresholds (for example, gross revenue, number of California consumers/households, or percentage of revenue from selling/sharing personal information). CandiHealth currently provides a mechanism to respond to California consumer requests as described above; if and when CandiHealth meets any CPRA threshold or materially expands services to California residents beyond our current scope, we will update this Policy and our practices to ensure full CPRA compliance. For questions about whether a particular request involves PHI subject to HIPAA versus personal data subject to the CPRA, contact contact@candihealth.com.

 

12. International Transfers / Geographic Scope 

– CandiHealth operates in the United States and does not intentionally target or process data of EU/EEA residents. All operational services and data centers for PHI are located in the U.S. 

– If this geographic scope changes, we will update this Policy and implement appropriate safeguards (e.g., Standard Contractual Clauses) as required by law.

 

13. Third-Party Links and Embedded Content 

– Our Service may include links to third-party sites (e.g., device manufacturers). We are not responsible for the privacy practices of third parties. Review third-party privacy policies before providing data to them. 

 

14. Security Measures, Breach Notification & Incident Response 

CandiHealth implements administrative, technical, and physical safeguards designed to protect Protected Health Information (PHI) in a manner consistent with HIPAA and industry practice. We use encryption in transit, access controls, and other measures appropriate to our environment.

Access to PHI is limited to authorized personnel who have signed confidentiality obligations and completed HIPAA awareness training. CandiHealth maintains reasonable backup and recovery processes to preserve data availability. 

If CandiHealth discovers a breach of PHI, we will investigate and notify the Clinic’s designated contact within seven (7) business days of discovery. We will cooperate with the Clinic on required patient and regulatory notifications. Report suspected incidents immediately to contact@candihealth.com. 

Requests to return or securely destroy PHI will be handled per the policy’s retention/return section; if destruction is infeasible (e.g., immutable backups), we will notify the Clinic and continue to protect the data. 

 

15. Children’s Privacy 

– CandiHealth does not knowingly collect Personal Data directly from individuals under 18 except through Clinics acting on behalf of minors. Parents or guardians who believe a minor’s data was collected may contact contact@candihealth.com for assistance. 

 

16. Changes to this Privacy Policy 

– We may update this Privacy Policy from time to time. Material changes will be posted with a revised “Effective Date” and Clinics will be notified via the portal and by email to contact@candihealth.com.

– Continued use of the Service after the Effective Date constitutes acceptance of the updated Policy. 

 

17. Contact Information 

For questions, requests, or notices regarding this Privacy Policy or our data practices, contact:

Email: contact@candihealth.com 

(If a physical address or additional contact details are required by law for a particular notice, CandiHealth will provide them upon request.)
