Privacy Policy
- Effective Date: January 1, 2026
- Last Updated: June 1, 2026
- Governing Law: Texas, USA
About This Policy
This Privacy Policy describes how Care VMA Health LLC ("Care VMA Health," "we," "us," or "our"), located at 6340 N Eldridge Pkwy N 117, Houston, TX 77041, collects, uses, discloses, and protects information about you when you visit our website at carevmahealth.com or use our services. By accessing or using our website or services, you agree to this Privacy Policy. If you do not agree, please discontinue use of our website and services.
Information We Collect
We collect information you provide directly to us, information collected automatically when you use our website, and information from third parties. The types of information we collect include:
Information You Provide Directly
- Contact information: name, job title, email address, phone number, practice name, and mailing address when you fill out our contact forms, request a demo, or subscribe to our newsletter.
- Account information: username, password, and profile details when you register for an account or access our client portal.
- Service information: details about your healthcare practice, staffing needs, preferred Virtual Medical Assistant (VMA) services, and scheduling preferences.
- Business information: information about your medical practice including specialty, patient volume, EHR systems used, and operational workflow details necessary to match you with the appropriate VMA.
- Payment information: billing address and payment method details, processed and stored securely by our payment processor (we do not store full credit card numbers).
- Communications: messages, emails, and feedback you send to us, including support requests and survey responses.
Information Collected Automatically
- Log data: IP address, browser type and version, operating system, referring URLs, pages visited, time spent on pages, and date/time of access.
- Device information: hardware model, unique device identifiers, and mobile network information.
- Cookies and tracking technologies: see Section 4 for detailed information.
- Usage analytics: interactions with our website features, click patterns, and navigation paths.
Information from Third Parties
- Information from business partners and referral sources who have permission to share your data.
- Publicly available professional information (such as from LinkedIn or professional healthcare directories).
- Verification information from healthcare licensing databases when verifying practice legitimacy.
How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Description |
|---|---|
| Service Delivery | To provide, maintain, and improve our Virtual Medical Assistant services; match your practice with qualified VMAs; manage your onboarding and ongoing service relationship. |
| Communication | To respond to your inquiries, send service-related notifications, and provide customer support via email, phone, or messaging platforms. |
| Marketing | To send promotional emails, newsletters, and service updates — only with your consent. You may opt out at any time. |
| Analytics & Improvement | To understand how visitors use our website, identify areas for improvement, and develop new features or services. |
| Legal & Compliance | To comply with applicable laws and regulations, respond to legal requests, enforce our Terms of Service, and protect our rights and your safety. |
| Billing & Payments | To process payments, issue invoices, and maintain financial records as required by law. |
| Security | To detect, prevent, and respond to fraud, unauthorized access, and other security threats. |
Legal Basis for Processing (Where Applicable)
We process your personal information based on: (a) performance of a contract — when processing is necessary to deliver services you have requested; (b) legitimate interests — to improve our services and ensure security; (c) legal obligation — where required by applicable law; and (d) your consent — for marketing communications and optional features.
HIPAA Compliance & Protected Health Information
Our HIPAA Commitment
Care VMA Health operates as a HIPAA Business Associate. We maintain strict compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act to protect all Protected Health Information (PHI) we access in the course of providing services.
Business Associate Agreements (BAA)
As a Business Associate, Care VMA Health enters into a Business Associate Agreement (BAA) with each covered healthcare provider (Covered Entity) before any PHI is accessed or processed. This BAA outlines our obligations and the permitted uses of PHI. We do not access or process PHI from any healthcare practice without a signed BAA in place.
What Is Protected Health Information (PHI)?
PHI includes any health information that can be linked to an individual, such as:
- Patient names, addresses, dates of birth, Social Security numbers
- Medical record numbers, health plan beneficiary numbers
- Dates of medical treatment, diagnosis, or prescription information
- Any other information that could reasonably identify a patient
How We Handle PHI
- PHI is accessed by our VMAs only to the extent necessary to perform contracted services for your practice (Minimum Necessary Standard).
- All VMAs handling PHI undergo mandatory HIPAA training before being assigned to any healthcare practice and annually thereafter.
- PHI is never used for marketing, sold, or disclosed to unauthorized third parties.
- All systems used to access or transmit PHI are secured with encryption, access controls, and audit logging in accordance with HIPAA Security Rule requirements.
- We report any suspected or confirmed PHI breach to affected Covered Entities within the timeframes required by HIPAA’s Breach Notification Rule.
Safeguards We Maintain
- Administrative: HIPAA-trained staff, access management policies, workforce security procedures, and regular risk assessments.
- Physical: Secure workstation policies, device and media controls, and restricted physical access to systems containing PHI.
- Technical: End-to-end encryption in transit (TLS 1.2+) and at rest (AES-256), multi-factor authentication, automatic logoff, and comprehensive audit logs.
Cookies & Tracking Technologies
Our website uses cookies and similar tracking technologies to enhance your experience, understand usage patterns, and deliver relevant information. A cookie is a small text file placed on your device when you visit our site.
| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Enable core website functionality (e.g., form submissions, session management). Cannot be disabled. | Session |
| Performance & Analytics | Google Analytics — collect anonymized usage data to understand how visitors interact with our site. We use IP anonymization. | Up to 2 years |
| Functionality | Remember your preferences (language, region, form data) to personalize your experience. | Up to 1 year |
| Marketing & Targeting | Track conversions from advertising (Google Ads, Facebook Pixel) and enable retargeting. Only used with your consent. | Up to 90 days |
You may control cookie settings through your browser settings or by adjusting your preferences in our cookie consent tool (displayed on your first visit). Note that disabling certain cookies may affect the functionality of our website.
Third-Party Services
We use trusted third-party service providers to help operate our website and deliver our services. These providers are contractually obligated to protect your information and use it only as directed by us:
- Google Analytics — website traffic analysis and performance measurement (Google Privacy Policy: policies.google.com/privacy)
- Calendly — appointment scheduling and calendar management (calendly.com/privacy)
- Payment processors — secure billing and transaction processing (PCI DSS compliant)
- Email marketing platforms — delivery of newsletters and service notifications
- CRM systems — client relationship management and communication tracking
- Cloud hosting providers — website infrastructure and secure data storage
- Video conferencing tools — client onboarding calls and VMA consultations
We do not sell your personal information to any third party, and our service providers are prohibited from using your data for their own independent purposes.
Data Sharing & Disclosure
We do not sell, rent, or trade your personal information. We may share your information only in the following limited circumstances:
Service Delivery
With our VMAs, operational staff, and vetted subcontractors to the extent necessary to provide contracted services. All personnel with access to client or patient data are bound by strict confidentiality obligations and HIPAA training requirements.
Legal Requirements
We may disclose your information if required to do so by law or in response to valid legal process, such as a subpoena, court order, or government investigation. We will notify you of such requests where legally permitted to do so.
Protection of Rights
We may disclose information when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Care VMA Health, our clients, our employees, or the public.
Business Transfers
If Care VMA Health is involved in a merger, acquisition, asset sale, or restructuring, your information may be transferred as part of that transaction. We will notify affected individuals before such a transfer and give you the opportunity to opt out where applicable.
With Your Consent
We may share your information with third parties when you have given us explicit consent to do so.
Data Security
We implement industry-standard and HIPAA-required technical, administrative, and physical safeguards to protect your personal information from unauthorized access, use, disclosure, alteration, or destruction. Our security measures include:
- 256-bit AES encryption for data at rest; TLS 1.2 or higher for data in transit
- Multi-factor authentication (MFA) for all internal systems and client portals
- Role-based access controls (RBAC) limiting data access to authorized personnel only
- Regular security audits, vulnerability assessments, and penetration testing
- Secure workstation policies for all remote staff handling client or patient data
- Continuous monitoring and audit logging for systems containing sensitive data
- Incident response plan with defined breach notification procedures
Important Notice
While we employ robust security measures, no method of transmission over the Internet or electronic storage is 100% secure. We encourage you to use strong, unique passwords and to notify us immediately at [email protected] if you suspect any unauthorized access to your account.
Data Retention
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, maintain our business relationship with you, and comply with legal and regulatory obligations.
| Data Type | Retention Period |
|---|---|
| Client account & service records | 7 years after end of service relationship, or as required by applicable law |
| Financial and billing records | 7 years (IRS and Texas state tax compliance) |
| Marketing contact data | Until you opt out or request deletion, then 30 days |
| Website analytics (Google Analytics) | 26 months (anonymized) |
| Support communications | 3 years from last interaction |
| PHI (as Business Associate) | Per the terms of the applicable BAA with each Covered Entity, typically 6 years from creation or last effective date (HIPAA requirement) |
When data is no longer required, we securely delete or anonymize it in accordance with our data disposal policy.
Your Rights & Choices
Depending on your location and applicable law, you may have the following rights regarding your personal information:
Right to Access
You may request a copy of the personal information we hold about you. We will provide this information within 30 days of a verifiable request.
Right to Correction
You may request that we correct inaccurate or incomplete personal information. We will update records promptly upon verification.
Right to Deletion
You may request deletion of your personal information, subject to certain exceptions (such as legal compliance obligations, active contract requirements, or HIPAA retention mandates).
Right to Opt-Out of Marketing
You may opt out of marketing communications at any time by clicking “Unsubscribe” in any email we send, or by contacting us directly at [email protected]. Opting out of marketing does not affect service-related communications.
Right to Data Portability
Where technically feasible, you may request a copy of your data in a structured, machine-readable format.
California Residents (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including the right to know, delete, correct, and opt out of the sale or sharing of personal information. Care VMA Health does not sell personal information. To exercise your California rights, contact us at [email protected].
Texas Residents
Texas residents may have rights under the Texas Data Privacy and Security Act (TDPSA). To exercise rights under TDPSA, please contact us using the information in Section 13.
To exercise any of these rights, please submit a request to [email protected]. We may need to verify your identity before processing your request. We will respond to all verifiable requests within 30 days.
Children's Privacy
Our website and services are intended for healthcare professionals and business entities only. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that a minor has provided us with personal information without appropriate parental or guardian consent, we will take steps to delete such information promptly. If you believe a minor has submitted information to us, please contact us immediately at [email protected].
International Users
Care VMA Health is based in the United States, and our services are primarily intended for US-based healthcare providers. If you are accessing our website from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country.
By using our website or services from outside the United States, you consent to the transfer, storage, and processing of your information in the United States in accordance with this Privacy Policy and applicable US law.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the “Last Updated” date at the top of this page
- Post a notice on our homepage for a minimum of 30 days
- Send an email notification to registered users and active clients
Your continued use of our website or services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this policy periodically to stay informed about how we protect your information.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy, your personal information, or our privacy practices, please contact our Privacy Team:
Privacy & Compliance Team — Care VMA Health
We are committed to resolving all privacy inquiries within 5 business days.
Phone
(214) 281-4464
Mailing Address
6340 N Eldridge Pkwy N 117 Houston, TX 77041
Website
carevmahealth.com
