Our Commitment
ControlHF, Inc. is committed to protecting the privacy of your Protected Health Information (PHI). PHI is information about you, including demographic information, that may identify you and relates to your past, present, or future physical or mental health condition, the provision of healthcare services to you, or the payment for those services.
We are required by law to maintain the privacy of your PHI, to provide you this Notice of our legal duties and privacy practices with respect to your PHI, and to notify you if there is a breach of your unsecured PHI. We are required to abide by the terms of the Notice currently in effect.
Your rights matter. This Notice explains your rights under HIPAA and how to exercise them. If you have questions at any point, contact our Privacy Officer at privacy@controlhf.com.
This Notice applies to ControlHF, Inc. when it acts as a Business Associate to your covered healthcare provider, and to ControlHF's own activities in connection with the health information you provide directly. When ControlHF operates on behalf of your provider, our uses and disclosures of your PHI are further limited by our Business Associate Agreement with that provider, and your provider's Notice of Privacy Practices also applies to the treatment relationship.
How We May Use & Disclose PHI
HIPAA permits covered entities, and their business associates to the extent allowed by their Business Associate Agreements, to use and disclose PHI without your specific authorization for the following purposes. These are the primary ways ControlHF may use or disclose your health information:
Treatment, payment, and healthcare operations
| Purpose | Who Receives PHI | Example |
|---|---|---|
| Treatment | Your assigned care team (cardiologist, care manager, nurses) | Sharing your daily weight trend and symptom scores with your cardiologist so they can adjust your diuretic dose |
| Payment | Your healthcare provider's billing department, your health insurer or payer | Providing RPM time logs and device synchronization records to support billing for remote patient monitoring services under CPT codes 99453, 99454, and 99457 |
| Healthcare Operations | ControlHF staff, quality improvement personnel, accreditation reviewers | Reviewing de-identified aggregate alert data to improve the accuracy of our early warning algorithms; training new care coordinators using anonymized case examples |
| Care Coordination | Other providers involved in your care with whom you have a treatment relationship | Sending a summary of your six-month monitoring data to a newly referred electrophysiologist |
| Legal & Regulatory | Government agencies, courts, law enforcement (as required) | Responding to a valid subpoena or complying with mandatory reporting obligations |
In all cases, we disclose only the minimum necessary PHI required to accomplish the stated purpose. We do not sell your PHI to any third party under any circumstances.
Uses Requiring Your Authorization
Certain uses and disclosures of your PHI require your written authorization before we may proceed. We will never use your PHI for the following purposes without your express written consent:
- Marketing: HIPAA treats most communications that encourage you to purchase or use a product or service as marketing. We will not use your PHI to send you such communications, including communications about products or services from third parties, without your signed authorization. If a third party pays us to send a communication, the authorization must say so.
- Sale of PHI: We will never sell your PHI to any third party, including data brokers, insurers, pharmaceutical companies, or advertisers. HIPAA independently requires your specific written authorization before any disclosure that would constitute a sale of PHI, so no such disclosure can occur without your consent.
- Psychotherapy notes: If you share information that constitutes psychotherapy notes within the Services, those notes receive special protections and will not be disclosed without your specific written authorization.
- Research: We may use de-identified data derived from your PHI for research and algorithm improvement without authorization. If we wish to use your identifiable PHI in a research study, we will obtain your written authorization or a valid IRB waiver of authorization, as required by HIPAA.
How to revoke authorization
You may revoke any written authorization at any time by sending a written revocation request to our Privacy Officer at privacy@controlhf.com. Your revocation takes effect from the date we receive it. We cannot undo uses or disclosures already made in reliance on a valid authorization before revocation.
Special Protections
Certain categories of health information receive additional protections under federal and state law. ControlHF applies heightened safeguards to the following categories, regardless of whether such protections are legally required in a specific context:
- HIV/AIDS information: Information related to HIV testing, diagnosis, or treatment is treated as highly sensitive and disclosed only as expressly authorized by you or required by law. Many states impose stricter consent requirements than HIPAA for HIV-related information.
- Mental health information: Information about mental health conditions, psychiatric care, or behavioral health treatment is handled with enhanced access controls. It is not shared with your cardiac care team without your specific consent unless clinically necessary for your safety.
- Substance use disorder records: Records relating to the treatment of substance use disorders are governed by 42 CFR Part 2 in addition to HIPAA. These records have strict confidentiality protections and may only be disclosed with your written consent or in specific emergency circumstances.
- Genetic information: Genetic data, if shared with ControlHF, is treated as PHI and is not used for underwriting, insurance rating, or employment purposes. The Genetic Information Nondiscrimination Act (GINA) prohibits discrimination based on genetic information in health insurance and employment.
State law may provide stronger protections. Some states, including California, Texas, and New York, impose additional restrictions on specific categories of health information. ControlHF complies with applicable state law, even when it is stricter than HIPAA.
Your HIPAA Rights
HIPAA gives you important rights with respect to your Protected Health Information. Below is a summary of each right and how to exercise it:
- Right to access your PHI: You have the right to inspect and obtain a copy of your health information held by ControlHF. You may request access in writing to privacy@controlhf.com or through Settings → Privacy & Data → Export My Data. We will respond within 30 days and provide access in the format you request where reasonably possible.
- Right to amend: If you believe that health information we hold about you is incorrect or incomplete, you may request that we amend it. We may deny the request if the information was not created by us or if we determine the record is accurate and complete. We will notify you of our decision within 60 days.
- Right to an accounting of disclosures: You may request a list of the disclosures we have made of your PHI in the past six (6) years, other than disclosures for treatment, payment, healthcare operations, and certain other routine disclosures. We will provide the accounting within 60 days of your request.
- Right to request restrictions: You may request that we restrict how we use or disclose your PHI for treatment, payment, or healthcare operations. We are not required to agree to every restriction, but if we do agree, we will honor it unless the restricted information is needed for your emergency treatment. One restriction must be honored under HIPAA: if you have paid for an item or service in full out of pocket and ask that it not be disclosed to your health plan for payment or healthcare operations, that request must be granted.
- Right to receive confidential communications: You may request that we communicate with you about your health information in a specific way or at a specific location — for example, only via encrypted email rather than push notification. We will accommodate reasonable requests that do not impair our ability to deliver care.
- Right to a paper copy of this Notice: You may request a printed copy of this Notice of Privacy Practices at any time, even if you previously agreed to receive it electronically. Request one by emailing privacy@controlhf.com.
All rights requests should be submitted in writing to our Privacy Officer. We will respond promptly and in compliance with HIPAA's required timeframes. We will not discriminate against you for exercising any of these rights.
Our Duties
ControlHF is required by law to fulfill the following obligations with respect to your Protected Health Information:
- Maintain privacy: We must maintain the privacy of your PHI in accordance with the HIPAA Privacy Rule and all applicable state health privacy laws.
- Abide by this Notice: We are required to abide by the terms of the Notice of Privacy Practices currently in effect. We will follow the practices described in this Notice unless we notify you of a change.
- Notify you of a breach: If a breach of your unsecured PHI occurs, we are required to notify you without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.
- Implement safeguards: We must implement appropriate administrative, physical, and technical safeguards to protect the privacy and security of your PHI, in compliance with the HIPAA Security Rule.
- Train our workforce: All ControlHF employees and contractors who access PHI receive HIPAA privacy and security training as a condition of employment and on an annual basis thereafter.
- Enter into BAAs: We require all vendors and subcontractors who access PHI on our behalf to sign Business Associate Agreements (BAAs) committing to HIPAA-compliant handling of your health information.
Breach Notification
A breach under HIPAA is the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of that information. An impermissible use or disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. Not all security incidents constitute a breach; we evaluate each incident using HIPAA's four-factor risk assessment, which considers (1) the nature and extent of the PHI involved, including the likelihood of re-identification, (2) the unauthorized person who used the PHI or to whom it was disclosed, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk has been mitigated.
What we consider a breach
- Unauthorized access: An employee or contractor accesses PHI beyond the scope of their job function without a legitimate clinical or operational need.
- Improper disclosure: PHI is shared with an unauthorized party, including sending clinical data to the wrong recipient.
- Theft or loss: A device or storage medium containing PHI is lost or stolen and the data was not encrypted in a manner consistent with HHS guidance (that is, the PHI was "unsecured"). Loss of a properly encrypted device where the key was not compromised is not a reportable breach.
- Cyberattack: A successful external intrusion results in unauthorized acquisition of PHI.
How we notify you
If a breach affects your PHI, we will notify you without unreasonable delay and no later than 60 calendar days after discovery. Where we hold your PHI as a Business Associate, HIPAA places the duty to notify you on your provider; in that case we notify your provider promptly and may send the notice to you on their behalf. Notification will be sent to your registered email address, where you have agreed to receive notices electronically, and via in-app notification; otherwise HIPAA requires written notice by first-class mail to your address on file. The notice will include: a description of what happened, the types of PHI involved, steps you can take to protect yourself, what we are doing to investigate and mitigate the breach, and our contact information.
HHS notification
We are required to notify the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) of breaches affecting 500 or more individuals at the same time we notify affected individuals, and in no case later than 60 days after discovery. For breaches affecting fewer than 500 individuals, we submit a log to HHS OCR within 60 days after the end of the calendar year in which the breach was discovered. For breaches affecting more than 500 residents of a single state or jurisdiction, we are also required to notify prominent media outlets serving that state or jurisdiction.
Prevention is our first priority. Our security program — including encryption at rest and in transit, role-based access controls, continuous monitoring, and annual penetration testing — is designed to prevent breaches before they occur.
Complaints
If you believe your privacy rights under HIPAA have been violated, you have the right to file a complaint. We take all complaints seriously and will not retaliate against you in any way for filing a complaint.
File a complaint with ControlHF
Contact our Privacy Officer directly by email at complaints@controlhf.com. Include your name, a description of the concern, and the approximate date of the incident. We will acknowledge your complaint within 5 business days and work to resolve it within 30 days. If the matter is complex, we will notify you of the extended timeline.
File a complaint with HHS Office for Civil Rights
You may also file a complaint directly with the U.S. Department of Health and Human Services Office for Civil Rights (OCR), which enforces HIPAA:
- Online: Visit hhs.gov/ocr/complaints to file electronically through the HHS complaint portal.
- By mail: Send your complaint to the HHS Office for Civil Rights, 200 Independence Avenue S.W., Washington, D.C. 20201.
- By phone: Call 1-800-368-1019 (toll-free) or 1-800-537-7697 (TDD) for hearing-impaired individuals.
Complaints must generally be filed within 180 days of when you knew or should have known about the violation, though OCR may waive this deadline for good cause.
No retaliation. You will not be penalized, have your access restricted, or receive degraded service for filing a complaint with ControlHF or with HHS OCR.
Effective Date & Changes
This Notice of Privacy Practices is effective as of January 1, 2026. It applies to all Protected Health Information we maintain, including information created or received before this date.
We reserve the right to change the terms of this Notice and to make the new provisions effective for all PHI we maintain, including health information we created or received before the effective date of the change. HIPAA permits this reservation only if the Notice states it, as this Notice does; the revised Notice will be made available on or before the effective date of the change.
How we communicate changes
- Updated Notice: The most current version of this Notice will always be available at controlhf.com/hipaa and within the ControlHF app under Settings → Legal.
- In-app notification: We will notify all active users via in-app banner and email at least 30 days before any material change to this Notice takes effect.
- Paper copy available: You may request a printed copy of the current or any prior version of this Notice at any time by emailing privacy@controlhf.com.
- Archive: Prior versions of this Notice are archived at controlhf.com/hipaa/archive so you can review what changed and when.
If you are a patient enrolled through a healthcare provider, your provider may also be required to provide you with an updated Notice under their own HIPAA obligations. Please review notices from your provider as well.