Privacy

1. Introduction

Bedrock Health Group is a nonprofit dedicated to advancing healthcare compliance, risk management, and public health education. Protecting personal information is central to our mission. This Privacy Policy explains how we collect, use, share, and safeguard information across our programs, websites, and technology platforms.

2. Information We Collect

We may collect the following categories of information:

Personal identifiers: Name, email address, phone number, organization, job title.
Account credentials: Usernames for Bedrock portals, Microsoft 365, or partner platforms.
Healthcare-related information: Only when necessary for compliance projects (e.g., HIPAA training, RADV audits, or risk scoring projects). We treat this as Protected Health Information (PHI) when applicable.
Technical data: IP address, browser type, device identifiers, usage logs.
Cookies & tracking technologies: See our Cookies Policy.
Training records: Course completion, certifications, and compliance tracking results.

3. How We Use Information

We use personal information to:

Deliver compliance and training services.
Maintain secure access to Bedrock systems.
Provide technical and administrative support.
Monitor program impact and generate reporting.
Conduct audits, risk scoring, and compliance assessments.
Meet regulatory requirements (HIPAA, GDPR, HITECH, etc.).
Improve our services and user experience.

4. Legal Basis for Processing

Depending on context, our use of data is based on:

Consent (e.g., signing up for newsletters, training enrollment).
Contractual necessity (e.g., delivering compliance services to clients).
Legal obligation (e.g., HIPAA, IRS requirements for nonprofits).
Legitimate interest (e.g., securing systems, monitoring service performance).

5. Sharing of Information

We do not sell personal information. We may share data with:

Authorized staff and contractors who must follow strict confidentiality.
Vendors and partners (e.g., IT hosting providers, RADV audit partners) under binding agreements.
Regulatory agencies only when legally required.
Emergency response vendors if engaged during a breach or compliance incident.

6. Data Retention

Personal data is kept only as long as necessary for compliance, legal, and operational purposes.
Training and certification records are typically retained for one year unless client contracts specify otherwise.
PHI is retained and disposed of in compliance with HIPAA.
Technical logs are retained no longer than 12 months unless under investigation.

7. Security

We implement administrative, technical, and physical safeguards including:

Encrypted storage and transmission of sensitive data.
Role-based access controls.
Regular audits and risk assessments.
Vendor security reviews.
Incident response and breach notification protocols.

8. Cookies & Tracking

We use cookies and tracking technologies to support secure login, analytics, and user experience. Details are in our Cookies Policy.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

Access and request a copy of your information.
Correct or update inaccurate information.
Request deletion, subject to legal and contractual limits.
Opt out of certain uses (e.g., marketing).
File a complaint with a regulator.

10. International Data Transfers

If you are located outside the United States, your data may be transferred to the U.S. where our servers and vendors operate. We implement safeguards to protect transferred data.