Privacy
Policy

1. Regulatory Compliance

OnKlinic operates as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Our compliance program covers:

• HIPAA Privacy Rule (45 CFR Part 164, Subpart E)
• HIPAA Security Rule (45 CFR Part 164, Subpart C)
• HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D)

OnKlinic's HIPAA compliance program is actively monitored by Compliancy Group, an independent healthcare compliance monitoring organization.

Detailed compliance documentation is available upon request for auditors, regulators, and prospective clinic clients. To request documentation, contact: compliance@onklinic.com

2. Personal Data We Collect

This section applies to licensed behavioral health professionals, clinical directors, supervisors, and practice managers who use the OnKlinic platform.

Information You Provide

• Contact Information: name, email address, phone number, and professional credentials.
• Account Information: username, encrypted password, and assigned role within your clinic (Specialist, Supervisor, Clinical Director, or Practice Manager).
• Professional Information: specialty, clinic affiliation, and professional license number.
• Clinical Documentation: treatment plans, progress notes, assessments, care plans, and other clinical documents generated or approved through the platform.
• Communication Information: support requests and messages submitted through the platform.

Information Collected Automatically

• Log Data: IP address, browser type, operating system, access timestamps, and session activity.
• Device Information: device name, type, and operating system version.
• Usage Information: features accessed, documents generated, supervision actions taken, and session duration.
• Cookies: session cookies to maintain authenticated sessions and persistent cookies to improve platform performance.

Protected Health Information (PHI)

OnKlinic processes electronic Protected Health Information (ePHI) on behalf of clinics as a HIPAA Business Associate. This includes patient demographic data, clinical notes, diagnoses, treatment plans, progress notes, and care coordination records. PHI is processed exclusively to provide the platform's clinical documentation and supervision services and is never shared with third-party advertising or analytics platforms.

3. How We Use Personal Data

• To provide, operate, and maintain the OnKlinic platform and its clinical documentation features.
• To support AI-assisted document generation, clinical supervision workflows, and multi-service care coordination.
• To authenticate users and enforce role-based access controls within each clinic.
• To send service notifications, security alerts, and account communications.
• To analyze platform usage and improve the quality of clinical features.
• To prevent unauthorized access, fraud, and misuse of the platform.
• To comply with legal obligations and respond to lawful requests from regulatory authorities.

Important notice regarding AI-generated content: Content generated by OnKlinic is for drafting support only and may be incomplete or inaccurate. Licensed healthcare professionals must independently verify all information before signature, use, or reliance. OnKlinic does not use user conversations, PHI, or personal data to train or improve its AI models.

4. Protected Health Information and HIPAA

OnKlinic acts as a HIPAA Business Associate for all clinics that use our platform. Before accessing or processing any ePHI on behalf of a clinic, OnKlinic executes a Business Associate Agreement (BAA) with that clinic in compliance with 45 CFR 164.504(e).

Safeguards

OnKlinic implements administrative, physical, and technical safeguards to protect ePHI in compliance with the HIPAA Security Rule. These safeguards include, but are not limited to: encryption of data in transit and at rest, multi-factor authentication, role-based access controls, audit logging, session management controls, disaster recovery and business continuity procedures, and ongoing vulnerability management.

Shared Responsibility

OnKlinic operates under a shared responsibility model with clinic clients. OnKlinic is responsible for the security of the platform infrastructure and technical controls. Clinics (Covered Entities) are responsible for administrative safeguards (workforce training, sanctions policies), physical safeguards (facility access, workstation security), and patient-facing Privacy Rule obligations (Notice of Privacy Practices, patient authorizations, and breach notification to individuals and HHS).

Shared responsibility documentation is available upon request. Contact: compliance@onklinic.com

Patient Consent

Clinics using OnKlinic are responsible for obtaining valid written patient consent before collecting, using, or disclosing PHI through the platform. OnKlinic provides the infrastructure to support this workflow but does not independently obtain patient consent.

5. Sharing and Disclosure of Personal Data

We do not sell or rent Personal Data. We may share data in the following limited circumstances:

Service Providers and Subcontractors

OnKlinic works with trusted third-party infrastructure and AI service providers to operate the platform. Any subcontractor that creates, receives, maintains, or transmits ePHI on behalf of OnKlinic is required to execute a Business Associate Agreement and is subject to the same HIPAA obligations. These vendors access data only to perform services on our behalf and are prohibited from using it for any other purpose.

Clinical Supervision and Review Workflows

Within the platform, clinical documents are shared between authorized roles — Specialists, Supervisors, and Clinical Directors — as part of the built-in supervision, document approval, and cross-service review workflows. This sharing is governed by each clinic's organizational policies and the role assignments managed by the Practice Manager.

Legal Requirements

We may disclose Personal Data when required by law, court order, or regulatory authority, or when we believe in good faith that disclosure is necessary to protect the rights, safety, or property of OnKlinic, its users, or the public.

Business Transfers

In the event of a merger, acquisition, or sale of assets, Personal Data may be transferred to the successor entity. We will notify affected users in advance where required by applicable law.

6. Data Retention

We retain Personal Data for as long as necessary to fulfill the purposes described in this Policy and to comply with applicable legal and regulatory obligations. Clinics may request deletion of their data by contacting compliance@onklinic.com. Deletion requests are subject to applicable legal retention requirements and must be submitted by an authorized representative of the clinic.

7. Security

OnKlinic maintains a comprehensive security program aligned with the HIPAA Security Rule to protect Personal Data and ePHI from unauthorized access, disclosure, alteration, or destruction. Security monitoring is continuous and includes incident detection and response capabilities.

No system can guarantee absolute security. If you believe your account or data has been compromised, please contact us immediately at compliance@onklinic.com.

8. Breach Notification

In the event of a breach of unsecured ePHI, OnKlinic will notify the affected Covered Entity (clinic) within 60 days of discovery, in compliance with 45 CFR 164.410. Our notification will include the nature and scope of the breach, the types of PHI involved, and the mitigation actions taken.

The clinic (Covered Entity) is responsible for notifying affected patients and the HHS Office for Civil Rights as required by 45 CFR 164.404–408. Breach notification procedures are available upon request. Contact: compliance@onklinic.com

9. Your Rights

You may have the following rights regarding your Personal Data:

• Right to access: request a copy of the Personal Data we hold about you.
• Right to correction: request that inaccurate or incomplete data be corrected.
• Right to deletion: request deletion of your Personal Data, subject to applicable legal retention requirements.
• Right to object: object to processing of your data for specific purposes.

To exercise any of these rights, contact compliance@onklinic.com. We will verify your identity before responding to any request.

10. Cookies

OnKlinic uses session cookies to maintain authenticated sessions and persistent cookies to improve platform performance. We do not use third-party advertising cookies or behavioral tracking.

You can configure your browser to refuse cookies, but doing so may limit access to certain platform features.

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, platform features, or applicable regulations. When we make material changes, we will notify users through the platform or by email before the changes take effect. Continued use of the platform after an update constitutes acceptance of the revised terms.

12. Contact Us

For all privacy, compliance, data, and security inquiries — including BAA requests, audit documentation, and breach notifications — please contact:

compliance@onklinic.com