Version: 1.2
Effective Date: April 5, 2026
Introduction
Ordo Compliance ("Company," "we," "us," "our") operates a HIPAA-compliant Medicare compliance tracking platform (the "Service") designed to help home health agencies, home services agencies, and home nursing agencies manage regulatory compliance, staff credentials, training records, and operational workflows.
We take your privacy seriously. This Privacy Policy explains what information we collect, how we use it, how we protect it, and your rights regarding your data. This policy applies to all users and organizations that access the Service.
Because our platform handles both Protected Health Information (PHI) regulated under the Health Insurance Portability and Accountability Act (HIPAA) and personal information subject to state and federal privacy laws, we address each separately where the rules differ. When you use Ordo Compliance, you enter into a Business Associate Agreement (BAA) with us, which governs how we handle PHI on your behalf.
1. Information We Collect
We collect information in several categories, described below. Some of this information constitutes PHI under HIPAA; other information is personal data subject to California privacy laws and general privacy principles.
1.1 Account Information
When you create an account, we collect:
- Full name, email address, phone number
- Job title and role within your organization
- Password (hashed and salted, never stored in plain text)
- Organization or agency name you represent
- Mailing address and billing address
This information is necessary to establish your account, authenticate you, contact you about your account, and process billing.
1.2 Agency and Organizational Data
We collect information about your home health, home services, or home nursing agency:
- Agency legal name and operating name(s)
- National Provider Identifier (NPI)
- Medicare/Medicaid provider numbers
- State licensure numbers and license status
- Agency mailing address, physical address, and billing address
- Phone numbers and fax numbers
- Primary contact person(s) and their contact information
- Agency website and accreditation status
This data is necessary for you to configure your agency's settings, manage compliance records, and for us to understand the scope of your operations.
1.3 Staff and Workforce Data
When you upload staff information or integrate workforce data into the Service, we collect:
- Employee/contractor full name
- Job titles and role assignments
- Professional licenses and license numbers (RN, LPN, CNA, therapist, aide certifications, etc.)
- License expiration dates and renewal status
- Continuing education and training completion records
- Professional certifications (CPR, first aid, specialized clinical certifications)
- Background check status and date of last background screening
- Competency assessments and skills documentation
- Wage and compensation information (for internal payroll tracking within your agency)
- Employment start date and employment status
Note on PHI: To the extent staff data includes health information (e.g., immunization records, fitness-for-duty evaluations), it may constitute PHI and is subject to Section 1.4 below.
1.4 Protected Health Information (PHI)
Ordo Compliance is designed to handle PHI on your behalf as your Business Associate. PHI we may process includes:
- Resident/patient names and identifiers associated with services provided and care documentation
- Dates of service and clinical summary information in compliance and audit records
- Health conditions and diagnoses referenced in incident reports, corrective action plans, and compliance documentation
- Medication and treatment information that may appear in uploaded documents or compliance records
- Background information such as health history where collected as part of staff eligibility verification or resident intake
PHI is governed by our Business Associate Agreement and the regulations below (Section 4). PHI is NOT used for marketing, is NOT sold, and is subject to the minimum necessary standard under HIPAA.
1.5 Compliance and Operational Data
We collect:
- Compliance audit packets and audit results
- Incident reports and unusual occurrence logs
- Corrective action plans and remediation tracking
- Policy acknowledgments and staff training sign-offs
- Regulatory investigation records and correspondence
- Quality assurance data and survey results
- Payroll processing records (limited to dates and employee names)
- Equipment and asset inventory (for facility operations)
- Scheduling and shift assignments
1.6 Uploaded Documents
You upload documents into the Service including:
- Personnel files (resumes, certifications, licenses, background check reports)
- Training certificates and continuing education documentation
- Agency policies and procedures
- Meeting minutes and compliance documentation
- Incident investigation files
- Correspondence with state agencies and CMS
These documents may contain PHI or other sensitive information and are stored securely as part of your account.
1.7 Technical and Usage Data
We automatically collect:
- IP address and geolocation (country/state level, not street address)
- Device information (operating system, browser type, device model)
- Pages visited, features used, and time spent in the Service
- Login timestamps and logout timestamps
- User actions within the Service (document uploads, record updates, report generation)
- Error logs and system performance data
- Search queries within the Service
We use this data to operate the Service, diagnose technical problems, understand feature usage, improve performance, and maintain security audit logs.
1.8 Payment Information
Payment information is collected and processed by Stripe, our third-party payment processor. We do NOT collect or store your credit card numbers, expiration dates, or CVV codes. Stripe is PCI-DSS Level 1 compliant. We receive only a confirmation that payment was successful and the last four digits of your card for receipt purposes.
2. How We Use Your Information
We use the information collected above for the following purposes:
2.1 Service Delivery
- Creating and managing your account
- Authenticating you and maintaining your session
- Processing and storing compliance records you input or upload
- Generating compliance reports and audit documentation
- Tracking staff credentials, licenses, and certifications
- Supporting incident management and corrective actions
- Providing customer support and troubleshooting
2.2 Compliance and Legal Obligations
- Maintaining audit trails required by HIPAA and CMS
- Responding to regulatory inquiries and investigations
- Meeting retention requirements (minimum 6 years for HIPAA records)
2.3 AI-Powered Compliance Features
We use Amazon Web Services (AWS) Bedrock to provide artificial intelligence-powered features that help you manage compliance more efficiently. These features may include:
- Automated analysis of compliance documentation
- Suggested corrective actions based on incident patterns
- Compliance risk assessments
- Document classification and organization
Important: Your data is never used to train our AI models. AWS Bedrock processes your data within a secure environment governed by our Business Associate Agreement with AWS. Your data is not shared with other customers or used for any other purpose.
2.4 Analytics and Service Improvement
- Analyzing feature usage patterns to improve the Service
- Identifying technical issues and bugs
- Understanding compliance workflows to enhance functionality
- A/B testing interface improvements (anonymized)
2.5 Security and Fraud Prevention
- Detecting and preventing unauthorized access
- Investigating security incidents
- Monitoring for fraudulent transactions
- Implementing access controls and audit logging
2.6 Communications
- Sending account notifications (login alerts, password reset, session timeouts)
- Responding to your inquiries
- Notifying you of material changes to our Privacy Policy or Terms of Service
- Reminding you of upcoming license renewal dates or compliance deadlines
We do NOT use your information for marketing purposes without your explicit consent. We do not send promotional emails unless you have opted in.
3. HIPAA-Specific Disclosures
3.1 Business Associate Role
You are the Covered Entity (or your employer is the Covered Entity). Ordo Compliance is your Business Associate. This means:
- We process PHI only as permitted by your written Business Associate Agreement
- We act under your instructions and direction
- We implement administrative, physical, and technical safeguards to protect PHI
- We promptly notify you of any Security Incident or suspected Breach
- We cooperate with your incident investigations and breach notifications
- We do not use PHI for our own business purposes beyond providing the Service to you
3.2 Permitted Uses Under the BAA
We use PHI only to:
- Perform services on your behalf as described in our Service Agreement, including compliance management, staff credentialing, and Medicare compliance monitoring
- Support proper management and administration of the Service, including business operations, compliance, auditing, and quality assurance
- Carry out legal responsibilities as required by law
- Conduct data analytics using de-identified or aggregated data, only with your written authorization or where data is properly de-identified per HIPAA standards
3.3 Minimum Necessary Standard
We apply the "minimum necessary" principle to all uses of and requests for PHI:
- We implement policies and procedures to limit access, use, and disclosure of PHI to the minimum amount needed for each purpose
- We restrict employees and agents to the minimum PHI necessary to perform their assigned job functions through role-based access controls
- We regularly review access patterns and audit logs to identify and eliminate unnecessary access
- We train all workforce members on the minimum necessary standard
3.4 No Sale of PHI
We do not and will not:
- Sell PHI to any third party
- Use PHI for marketing purposes
- Use or disclose PHI for any purpose other than those explicitly permitted in our Business Associate Agreement or Service Agreement, without your prior written authorization
3.5 Subcontractor Disclosures
We may share PHI with subcontractors who perform services on our behalf. All subcontractors that access PHI are required to enter into written agreements that:
- Require compliance with the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and HITECH Act
- Prohibit use or disclosure of PHI except as necessary to perform their services
- Require appropriate administrative, physical, and technical safeguards
- Require prompt reporting of any Breach or Security Incident
Our primary subcontractor is Amazon Web Services (AWS), which provides cloud infrastructure, data hosting, storage, and AI processing services. AWS has executed a Business Associate Agreement with us. We remain fully responsible for all subcontractor performance. We will provide you with a list of subcontractors that access PHI upon request and will give you thirty (30) days' written notice before adding or replacing any subcontractor with access to PHI.
3.6 No Secondary Uses Without Authorization
We do not use or disclose PHI in any manner that would violate HIPAA if you made the same use or disclosure directly. Specifically, we do not use PHI to:
- Train or improve AI models for other customers
- Conduct research
- Create datasets for other customers
- Market products or services
- Develop competing products
De-identified information, prepared in accordance with 45 CFR § 164.514, is no longer subject to these restrictions. We maintain documentation of all de-identification processes and prohibit re-identification without your prior written authorization.
4. Data Storage and Security
4.1 Infrastructure
Ordo Compliance is hosted on Amazon Web Services (AWS) in the United States. All data processing and storage occurs in AWS data centers located within the U.S.
4.2 Encryption
We employ multiple layers of encryption:
Encryption in Transit:
- All data transmitted between your device and our servers uses TLS 1.3
- Connections to our API and web application require HTTPS
Encryption at Rest:
- Data stored in AWS RDS (database) and S3 (document storage) is encrypted using AES-256 encryption
- All backups are also encrypted with AES-256
Field-Level Encryption:
- Sensitive fields (certain PII and PHI identifiers) are additionally encrypted using Fernet symmetric encryption before being written to the database
- This means even Ordo administrators with database access cannot decrypt these fields without the encryption key
Specific encryption technologies and configurations are updated as industry standards evolve. The methods described here reflect our current implementation.
4.3 Access Controls
- All Ordo Compliance staff access is controlled through role-based access control (RBAC)
- Multi-factor authentication (MFA) is required for all staff access to production systems
- Access is logged and audited
- Employees have access only to the minimum data necessary for their job function
- Sessions automatically time out after 30 minutes of inactivity
4.4 Business Associate Agreement
We have executed a signed Business Associate Agreement (BAA) with AWS covering both infrastructure and AI services. This BAA:
- Obligates AWS to implement safeguards protecting PHI
- Restricts AWS's use of PHI to providing the services
- Requires AWS to notify us immediately of breaches
- Permits us to audit AWS's compliance
4.5 Audit Logging and Monitoring
- All access to data is logged in an immutable audit trail
- Access logs record who accessed what data, when, and from which IP address
- System logs are retained for a minimum of 12 months
- We monitor for suspicious activity and unauthorized access attempts
4.6 Security Assessments
We conduct regular security assessments consistent with industry standards, including:
- Automated security monitoring and alerting
- Code reviews and security testing before production deployment
- Incident response and disaster recovery planning
- Regular review and updating of security controls
Security practices are reviewed and updated as industry standards evolve and as our platform grows.
4.7 Backup and Disaster Recovery
- Data is automatically backed up multiple times per day
- Backups are stored in geographically separate AWS regions
- Backups are tested quarterly
- Recovery time objective (RTO) is designed to be less than 4 hours
5. Data Retention and Deletion
5.1 HIPAA Retention Requirements
Under 45 CFR § 164.530(j), we are required to maintain PHI for a minimum of 6 years from the date of its creation or the date it was last used, whichever is later. This applies to:
- Audit records
- Compliance documentation
- Incident reports
- Staff credential records
Ordo Compliance retains PHI for at least 6 years by default to ensure compliance with HIPAA, CMS, and state health department requirements.
5.2 Configurable Retention Periods
You may configure longer retention periods in your account settings. You cannot configure shorter periods without violating HIPAA regulations.
5.3 Deletion Upon Termination
When your Covered Entity terminates the Service:
- We will, at your request, return or securely delete all PHI in your account
- Deletion is performed using secure data destruction methods (overwriting and physical destruction)
- We provide written confirmation of deletion
- This obligation is specified in our Business Associate Agreement
5.4 Account Data Retention
If your individual user account is inactive for 24 months, we may contact you to confirm continued use. If you do not respond, we may deactivate your account and archive associated data, provided this does not violate retention requirements for PHI.
5.5 Technical Data and Logs
System logs, audit trails, and technical data are retained for a minimum of 12 months and may be retained longer for security and compliance purposes.
6. Third-Party Services
We use the following third-party services to operate Ordo Compliance. Each processes data under a data processing or business associate agreement.
6.1 Stripe (Payment Processing)
Purpose: Processing billing and subscription payments
Data Shared: Your billing name, billing address, email address, and limited card information (last four digits only)
Data Protection: Stripe is PCI-DSS Level 1 certified. Stripe does NOT have access to stored card numbers or CVV codes.
Terms: https://stripe.com/privacy
PHI Handling: Stripe does not process PHI.
6.2 Amazon Web Services (AWS)
Purpose: Cloud infrastructure, database hosting (RDS), document storage (S3), backup and disaster recovery, AI processing (Bedrock)
Data Shared: All data stored in Ordo Compliance accounts
Data Protection: AWS is SOC 2 Type II certified and has executed a Business Associate Agreement with Ordo Compliance
Terms: https://aws.amazon.com/privacy/
PHI Handling: AWS processes PHI under the BAA and implements HIPAA-required safeguards
6.3 Cloudflare (DNS and DDoS Protection)
Purpose: Domain name system (DNS) resolution and distributed denial-of-service (DDoS) protection
Data Shared: DNS queries (website name lookups)
Data Protection: Cloudflare implements standard security protections but does not store customer data
Terms: https://www.cloudflare.com/privacypolicy/
PHI Handling: Cloudflare does not process PHI; it only handles DNS routing
6.4 No Data Sales
Ordo Compliance does NOT:
- Sell customer data to any third party
- Share data with marketing or advertising companies
- Use your data for purposes other than those described in this policy
- Give third parties the ability to contact you for marketing purposes
7. AI and Automated Processing
7.1 AWS Bedrock for Compliance Features
Ordo Compliance uses Amazon Web Services Bedrock to provide AI-powered compliance features, including:
- Document analysis and classification
- Compliance recommendations based on regulatory standards
- Pattern detection in incident reports
- Risk assessment scoring
- Automated policy gap analysis
7.2 How Your Data Is Processed
When you use an AI feature:
- Your documents or compliance data are sent securely to AWS Bedrock
- AWS processes the data using large language models
- The AI returns an analysis or recommendation to Ordo Compliance
- We display the result in your account
7.3 Important Protections
- No Training on Your Data: AWS does not use your data to train or improve AI models for other customers. Your data is not used to train foundation models.
- Data Stays in AWS Environment: All processing occurs within AWS infrastructure covered by our Business Associate Agreement
- No Secondary Uses: We do not sell, share, or use AI analysis results for any purpose beyond providing the specific feature you requested
- Audit Trail: All AI processing is logged in our immutable audit trail
7.4 Your Control
You control which compliance features use AI processing. You can:
- Disable AI features in your account settings
- Delete AI analysis results at any time
- Request that we not use AI for specific document types
8. Breach Notification Procedures
8.1 Definition of a Breach
A Breach is an unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the PHI. A Breach does NOT include an unintended access by an authorized user if the user did not acquire or use the PHI.
A Security Incident (such as a failed login attempt, routine system error, or detected intrusion attempt that was blocked) is not automatically a Breach.
8.2 Our Notification Obligation
If we discover or suspect a Breach of PHI, we will:
- Investigate Immediately — We will initiate an investigation to determine the scope and nature of the Breach
- Notify You Within 30 Days — We will provide you written notification without unreasonable delay and no later than thirty (30) calendar days after discovery of the Breach, consistent with our Business Associate Agreement
- Provide Required Information — Our notification will include:
  - A description of what happened and the date of the Breach
  - What data was affected (specific categories and approximate number of individuals)
  - What we are doing to investigate and remediate
  - What you should do to protect affected individuals
  - Steps we have taken to prevent similar breaches
8.3 Your Notification Obligations
As the Covered Entity, you are responsible for notifying affected individuals and regulatory authorities. We will cooperate fully by:
- Providing you the information needed for your notifications
- Assisting you in determining which individuals were affected
- Providing evidence for your breach investigation
- Assisting with your notification to state attorneys general or CMS, if required
8.4 Cooperation with Covered Entities
If a Covered Entity you work with (such as a hospital or physician group) notifies us of a Breach that may involve our systems, we will cooperate fully in their investigation and provide requested information.
9. User Rights
Your rights regarding your data depend on whether the information is PHI or non-PHI data, as described below.
9.1 Rights Regarding PHI
Under HIPAA, you (as the Covered Entity) have the right to:
- Access: Obtain a copy of PHI in your account
- Amend: Request corrections to inaccurate PHI
- Accounting of Disclosures: Obtain a list of all disclosures of PHI
- Restrict Processing: Request restrictions on our use or disclosure of PHI
- Request Confidential Communications: Request that we communicate about PHI in a specific manner
How to Exercise These Rights: Contact your organization's Privacy Officer. Because Ordo Compliance is your Business Associate, we do not handle individual PHI access requests directly; instead, your organization (the Covered Entity) receives and processes requests on behalf of individuals.
9.2 Rights Regarding Non-PHI Personal Data
If you have a user account with Ordo Compliance, you have the right to:
- Access Your Data — Request a copy of your account information and personal data we hold
- Correct Your Data — Update or correct inaccurate information (you can do this directly in account settings)
- Delete Your Account — Request deletion of your account and associated non-PHI personal data
- Export Your Data — Request your data in a portable, machine-readable format
- Withdraw Consent — Withdraw consent to non-essential data processing (such as analytics)
How to Exercise These Rights: Email privacy@ordocompliance.com with your request. We will respond within 30 days.
10. California Privacy Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). These laws apply to non-PHI personal data only — Protected Health Information governed by HIPAA is exempt from CCPA/CPRA.
Your rights include:
- Right to Know: Request what personal information we collect, use, and share
- Right to Delete: Request deletion of your personal information, subject to legal retention requirements
- Right to Correct: Request correction of inaccurate personal information
- Right to Non-Discrimination: We will not deny service, charge different prices, or reduce quality based on your privacy choices
Important: Ordo Compliance does not sell personal information and does not share personal information for cross-context behavioral advertising. There is no sale or sharing to opt out of.
To exercise your California privacy rights, email privacy@ordocompliance.com with your name, account email, and the right you wish to exercise. We will respond within 45 days.
11. Cookie and Tracking Policy
11.1 Types of Cookies We Use
Session Cookies:
- Used to maintain your login session
- Deleted when you close your browser
- Necessary for the Service to function
Authentication Cookies:
- Used to verify your identity and remember your login state
- Contain encrypted session tokens
- Required for security
Preference Cookies:
- Store your account preferences (dark mode, default view, language)
- Persist across sessions
- Optional; you can clear these at any time
11.2 Analytics Tracking
We may use analytics tools to understand feature usage and improve performance. We do not use third-party advertising cookies or cross-site tracking.
11.3 Do Not Track Signals
We recognize Do Not Track (DNT) signals. If you enable DNT in your browser, we will limit our analytics collection, though functional cookies necessary for the Service to operate will continue.
11.4 Managing Cookies
You can:
- Clear cookies in your browser settings
- Disable cookies (though this may impair Service functionality)
- Use your browser's private/incognito mode to avoid persistent cookies
- Contact privacy@ordocompliance.com to request that we not use non-essential cookies
12. Children's Privacy
Ordo Compliance is not directed to children under 13 years of age, and we do not knowingly collect personal information from children under 13. The Service is designed for healthcare professionals and organizational administrators.
If we become aware that we have collected information from a child under 13 in violation of the Children's Online Privacy Protection Act (COPPA), we will:
- Delete that information immediately
- Notify the parent or guardian
- Cease collection from that user
If you believe we have collected information from a child under 13, please contact privacy@ordocompliance.com immediately.
13. International Data
Ordo Compliance stores and processes all data in the United States. We do not operate in the European Union and do not offer services to EU residents at this time. If you are located outside the United States, by using Ordo Compliance, you consent to the transfer of your data to the United States and its storage and processing there.
14. Changes to This Privacy Policy
14.1 When We Update This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes as follows:
14.2 Notification of Changes
For material changes (changes that affect how we use or protect your data):
- We will email you at your registered email address
- We will display a notification in your Ordo Compliance account
- We will provide at least 30 days' notice before the change takes effect
- We will ask for your acknowledgment or consent if legally required
For non-material changes (such as updates to contact information or minor clarifications):
- We may update the policy without advance notice
- We will update the "Last Updated" date at the bottom of the policy
14.3 Your Rights Upon Changes
If you disagree with any change to this policy, you may:
14.4 Policy Archive
We maintain an archive of previous versions of this Privacy Policy. You can request a copy of a previous version by contacting privacy@ordocompliance.com.
15. Contact Information
15.1 Privacy Officer
For questions, requests, or concerns about this Privacy Policy or our privacy practices, contact:
Privacy Officer
Ordo Compliance
Email: privacy@ordocompliance.com
Mailing Address:
Ordo Compliance LLC
Chicago, IL
15.2 Response Timeline
We will respond to all privacy inquiries within 10 business days. For complex requests (such as access or deletion requests), we may need up to 30 days.
15.3 Regulatory Inquiries
If you have a complaint about our privacy practices, you may also file a complaint with:
- Your state's attorney general's office
- The U.S. Department of Health and Human Services Office for Civil Rights (for HIPAA issues): https://www.hhs.gov/ocr/
16. HIPAA Complaint Rights
Under HIPAA, if you believe your privacy rights have been violated, you have the right to file a complaint with:
U.S. Department of Health and Human Services (HHS) Office for Civil Rights
Phone: 1-800-368-1019
Email: ocrmail@hhs.gov
Website: https://www.hhs.gov/ocr/
The complaint must be filed in writing and may be submitted even if Ordo Compliance is your service provider rather than your Covered Entity.
17. Data Portability and Migration
17.1 Your Right to Export
You have the right to export your data from Ordo Compliance at any time. We provide functionality to:
- Export your agency configuration and settings
- Export compliance records in CSV or JSON format
- Export uploaded documents
- Export audit logs (in a limited format for your review)
17.2 Assistance with Migration
If you discontinue the Service, we will assist you in exporting your data or migrating to another platform, provided you request this before your account is terminated.
17.3 Data Deletion Upon Termination
Upon termination of your account:
- We will delete your account data and associated non-PHI personal information within 30 days (or per your request timeline)
- PHI will be deleted according to the terms of your Business Associate Agreement and retention requirements
- We will provide written confirmation of deletion
Last Updated: April 5, 2026
Version: 1.2