Privacy Policy

PRINCIPLE HEALTH SYSTEMS

Privacy Policy & HIPAA Notice of Privacy Practices

Effective Date: April 23, 2026

Last Updated: April 23, 2026

1. Introduction & Scope

Principle Health Systems (“PHS,” “we,” “our,” or “us”) is a healthcare services organization providing clinical care, care coordination, population health management, and administrative support services. Visit us at principleHS.com.

In delivering these services, we collect, use, and safeguard personal data, including Protected Health Information (PHI), about patients, members, caregivers, and workforce personnel.

We process data in the following capacities:

  • As a Covered Entity under HIPAA when providing direct healthcare services
  • As a Business Associate when supporting partner healthcare organizations
  • As a Data Controller for our own business operations

This Policy incorporates requirements from:

  • Federal law, including the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act
  • U.S. state privacy laws, including California’s Confidentiality of Medical Information Act (CMIA) and California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), the Virginia Consumer Data Protection Act (VCDPA), and others
  • Applicable state breach notification laws

2. HIPAA Notice of Privacy Practices (NPP)

2.1 Our Legal Responsibilities

As a HIPAA Covered Entity, Principle Health Systems is required by law to:

  • Maintain the privacy and security of your Protected Health Information (PHI)
  • Provide you with this Notice describing our legal duties and privacy practices
  • Notify affected individuals following a breach of unsecured PHI
  • Abide by the terms of this Notice currently in effect
  • Not use or disclose your PHI in any way not described in this Notice without your written authorization

2.2 How We May Use & Disclose PHI

Treatment

We use and share PHI to provide, coordinate, or manage your healthcare and related services. For example, we may share your information with specialists, laboratories, pharmacies, or other providers involved in your care.

Payment

We use PHI to bill for services and receive payment from you, your health plan, or other payers. For example, we may submit claims containing diagnosis and treatment information to your insurance company.

Healthcare Operations

We use PHI for internal operations necessary to run our organization, including:

  • Quality assessment and improvement activities
  • Care coordination and population health management
  • Workforce training, credentialing, and performance evaluation
  • Compliance auditing, legal services, and business planning

2.3 Other Permitted Uses & Disclosures

We may also disclose PHI without your authorization in specific situations permitted or required by law, including:

  • As required by federal, state, or local law
  • For public health activities (e.g., disease reporting)
  • For health oversight activities (e.g., audits, inspections)
  • In response to a court order, subpoena, or legal process
  • For law enforcement purposes as permitted by HIPAA
  • To avert a serious and imminent threat to health or safety
  • For research purposes, subject to applicable requirements
  • For workers’ compensation or similar programs

2.4 Uses Requiring Your Written Authorization

We will obtain your written authorization before using or disclosing PHI for:

  • Marketing communications (except as permitted under HIPAA)
  • Sale of PHI
  • Psychotherapy notes (where applicable)
  • Any use or disclosure not described in this Notice

You may revoke a written authorization at any time by submitting a written request to our Privacy Office. Revocation will not affect uses or disclosures we have already made in reliance on the authorization before receiving your revocation.

2.5 Minimum Necessary Standard

Consistent with HIPAA requirements, Principle Health Systems limits the use, disclosure, and access to PHI to the minimum amount reasonably necessary to accomplish the intended purpose. This standard does not apply to uses or disclosures for treatment purposes, to disclosures made to you, or to disclosures made under your written authorization.

2.6 Your Individual Rights Under HIPAA

You have the following rights regarding your PHI:

  • Right of Access: Request inspection and copies of PHI maintained in designated record sets
  • Right to Amendment: Request corrections to PHI you believe is inaccurate or incomplete
  • Right to Restrict Uses/Disclosures: Request limitations on certain uses or disclosures of your PHI (we are not required to agree, except that we must honor a request to restrict disclosures to your health plan about a service you have paid for in full out of pocket)
  • Right to Confidential Communications: Request we communicate with you in a specific way or at a specific location
  • Right to an Accounting of Disclosures: Receive a list of certain disclosures made in the prior six years
  • Right to a Paper Copy of this Notice: Obtain a printed copy even if you received it electronically
  • Right to File a Complaint: Submit complaints to us or to the U.S. Department of Health and Human Services Office for Civil Rights, without fear of retaliation

To exercise your rights, contact our Privacy Office using the information in Section 19.

3. Categories of Personal Data We Collect

The following table describes the categories of personal data we collect, consistent with state privacy law disclosure requirements:

| Category | Examples | Sources | Purpose | Shared With |
|---|---|---|---|---|
| Identifiers | Name, address, SSN, email | Patient, provider | Care delivery, records | Providers, insurers, regulators |
| Health / PHI | Diagnoses, treatment, prescriptions | Patient, providers, labs | Treatment, operations, billing | Providers, labs, insurers |
| Financial | Billing info, insurance details | Patient, payer | Payment processing | Insurers, billing vendors |
| Demographic | Age, gender, race (where required) | Patient | Care management, reporting | Internal, regulators |
| Device/Usage | Portal login activity, IP address | Systems | Security, analytics | IT vendors |
| Biometric | Patient ID, fingerprint (if used) | Devices | Identity verification | Vendors (if applicable) |

4. Sale & Sharing of Personal Data

Principle Health Systems does not sell PHI or personal data. We do not share personal data for cross-context behavioral advertising or for any commercial purpose unrelated to our healthcare services. We engage third-party vendors solely to support our operations, and all such relationships are governed by Business Associate Agreements (BAAs) or Data Processing Agreements (DPAs) as applicable.

5. Sensitive Personal Data

We collect and process sensitive categories of personal data in the course of providing healthcare services, including:

  • Health and medical information (Protected Health Information)
  • Genetic data (where applicable to care)
  • Biometric identifiers (e.g., for patient identity verification)
  • Government-issued identifiers (e.g., SSN for billing)

We use sensitive personal data only as necessary to deliver care and comply with applicable law. Where required, we obtain appropriate consent before processing sensitive data. Enhanced administrative, technical, and physical safeguards are applied to all sensitive data.

6. Purpose Limitation

We process personal data only for the following purposes:

  • Delivering and coordinating healthcare services
  • Population health management and care quality improvement
  • Billing, payment, and financial operations
  • Legal and regulatory compliance
  • Security monitoring, fraud prevention, and risk management
  • Business operations and workforce administration

We do not process personal data for purposes that are incompatible with those for which it was originally collected, unless we obtain your consent or as otherwise permitted by law.

7. Data Retention

We retain personal data and PHI in accordance with HIPAA, applicable state laws, and sound records management practice. Standard retention periods are as follows:

| Data Category | Retention Period |
|---|---|
| Medical Records | 7–10 years (or per applicable state law) |
| Billing Records | 7 years |
| HIPAA Audit Logs | 6 years (HIPAA documentation retention minimum) |
| Security/Access Logs | 12–24 months |
| Authorization Records | 6 years from date of creation or last effect |

Data may be retained longer if required by applicable law, active litigation, or regulatory proceedings. De-identified data may be retained for research and analytics purposes.

8. Your Individual Privacy Rights (State Law)

Depending on your state of residence, you may have additional rights under applicable state privacy laws, including the right to:

  • Access the personal data we hold about you
  • Correct inaccuracies in your personal data
  • Request deletion of your personal data (subject to healthcare and legal exceptions)
  • Obtain a portable copy of your personal data
  • Opt out of the sale or sharing of personal data (not applicable, as we do not sell personal data or share it for cross-context behavioral advertising)
  • Opt out of profiling or automated decision-making (where applicable)
  • Limit use of sensitive personal data
  • Not be discriminated against for exercising your privacy rights

To submit a privacy request, contact us at: privacy@principleHS.com or visit principleHS.com/privacy.

8.1 Verification

We will verify your identity before processing any request. We may request additional information reasonably necessary to confirm your identity and right to make the request.

8.2 Appeals Process

If your request is denied in whole or in part, you may appeal the decision by submitting a written appeal to privacy@principleHS.com with the subject line “Privacy Request Appeal.” We will respond within the timeframe required by applicable law, and will include information about how to escalate to the relevant state Attorney General if your appeal is denied.

9. Notice at Collection

At or before the time we collect personal data, we provide individuals with notice of: the categories of data being collected, the purposes for which data will be used, applicable retention periods, and available privacy rights. This Notice serves as our primary notice at collection.

10. Automated Decision-Making

Where we use automated systems or algorithms to make or assist in decisions that may have significant effects on individuals (such as care management or coverage determinations), we provide transparency about the logic involved, the significance of the processing, and the likely consequences. Where required by applicable law, we offer individuals the ability to opt out of automated decision-making or to request human review.

11. Data Protection & Privacy Assessments

Principle Health Systems conducts data protection assessments or privacy impact assessments (PIAs) for high-risk processing activities, including:

  • Processing of sensitive personal data
  • Deployment of new technologies that collect or analyze personal data
  • Data sharing arrangements with third parties
  • Large-scale processing of PHI for population health purposes

12. Children & Minors

We comply with all federal and state laws governing the health data of minors. Parental or legal guardian authorization is obtained for the treatment of minors where required by law. Certain minors may have the right to consent to their own care under applicable state law, in which case their records may be protected from parental access.

13. Security & Safeguards

We implement a comprehensive information security program designed to protect PHI and personal data from unauthorized access, use, disclosure, alteration, or destruction, including:

Administrative Safeguards

  • Privacy and security policies and procedures
  • Workforce training and ongoing education
  • Risk analysis and risk management processes
  • Sanctions for workforce non-compliance

Technical Safeguards

  • Encryption of PHI in transit and at rest
  • Role-based access controls and multi-factor authentication
  • Audit logging and monitoring
  • Automatic logoff and session timeout

Physical Safeguards

  • Facility access controls
  • Workstation and device security policies
  • Secure disposal of PHI-containing media

13.1 Breach Notification

In the event of a breach of unsecured PHI, Principle Health Systems will notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach, will notify the U.S. Department of Health and Human Services, and, where applicable, will notify state regulators and (for breaches affecting more than 500 residents of a state or jurisdiction) prominent media outlets serving that area, in accordance with the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) and applicable state breach notification laws.

14. Cross-Border Data Transfers

Where we transfer personal data outside the United States, we implement appropriate safeguards to ensure the data receives an equivalent level of protection, including the use of Standard Contractual Clauses or other transfer mechanisms recognized under applicable law.

15. Business Associates & Vendors

We share PHI and personal data with third-party vendors and service providers only as necessary to support our operations. All vendors who create, receive, maintain, or transmit PHI on our behalf are required to:

  • Execute a HIPAA-compliant Business Associate Agreement (BAA)
  • Implement appropriate administrative, technical, and physical safeguards
  • Use PHI only for the purposes specified in the BAA
  • Report breaches or security incidents to Principle Health Systems promptly

16. Global Privacy Controls & Opt-Out Signals

Where required by applicable law, Principle Health Systems honors opt-out signals transmitted via recognized mechanisms, such as the Global Privacy Control (GPC). Residents of states with such requirements do not need to submit individual opt-out requests when using a compatible browser or device setting.

17. Non-Discrimination

Principle Health Systems will not deny services, charge a different price, or provide a different level of service to individuals who exercise their privacy rights under HIPAA or applicable state law. We are also committed to compliance with Section 1557 of the Affordable Care Act, which prohibits discrimination in healthcare on the basis of race, color, national origin, sex, age, or disability.

18. Changes to This Policy

We reserve the right to update this Privacy Policy and HIPAA Notice at any time. Material changes will be posted on our website at principleHS.com and, where required, distributed to patients. The “Last Updated” date at the top of this document reflects the most recent revision. Continued use of our services following notice of changes constitutes acceptance of the updated Policy.

19. Contact Information

For questions, concerns, or to exercise your privacy rights, please contact:

Privacy Office

Principle Health Systems
Website: principlehs.com/privacy
Email: privacy@principleHS.com
Phone: (888) 932-0990
Mailing Address: PO Box 57058, Webster, TX 77598

You may also file a complaint with:
U.S. Department of Health and Human Services
Office for Civil Rights (OCR)
Website: www.hhs.gov/ocr
Phone: 1-800-368-1019

We will not retaliate against you in any way for filing a complaint.

© 2026 Principle Health Systems | principleHS.com | privacy@principleHS.com