1. Overview
This Privacy Policy explains how Cognera Health™ collects, receives, creates, uses, processes, stores, transmits, shares, retains, deletes, de-identifies, anonymizes, and protects information in connection with our websites, products, services, mobile applications, APIs, integrations, analytics, reporting, and related offerings.
Cognera Health provides cloud-based healthcare Software-as-a-Service solutions, including HealScript™, HealConnect™, CogneraAI™, and related platforms supporting mental health, behavioral health, wellness, integrated care, care coordination, clinical operations, documentation support, engagement, operational intelligence, and continuous care delivery.
2. Scope of this Policy
This Policy applies to information processed through Cognera Health websites, HealScript™, HealConnect™, CogneraAI™, mobile applications, APIs, integrations, reporting systems, analytics systems, clinical intelligence systems, operational intelligence systems, enterprise intelligence systems, support channels, and related services.
This Policy covers personal information, personal data, consumer health data, PHI, ePHI, clinical documentation, behavioral health information, wellness data, voice and audio data, transcriptions, audit logs, security logs, AI governance records, operational data, customer information, and other confidential or regulated information.
3. Our Role: Business Associate, Service Provider, Processor, or Controller
When Cognera Health processes PHI/ePHI on behalf of healthcare providers, organizations, or other Covered Entities, Cognera Health generally acts as a Business Associate under HIPAA and processes information according to applicable Business Associate Agreements, customer instructions, and permitted legal purposes.
For website, business, operational, analytics, and account-related activities, Cognera Health acts as a service provider, processor, controller, or business as determined by the applicable law, contract, jurisdiction, and processing activity.
4. Information We Collect or Process
4.1 Account, Contact, and Administrative Information
- Name, email address, phone number, organization, role, job title, account credentials, user profile information, communication preferences, and customer support records.
4.2 Clinical, Behavioral Health, Wellness, and Care Information
- Clinical notes, progress notes, SOAP notes, treatment plans, care plans, assessments, intake information, outcome measures, behavioral health records, wellness information, care coordination records, case management records, clinical summaries, intervention documentation, crisis monitoring documentation, patient-reported outcomes, provider-reported outcomes, engagement and adherence data, and related clinical documentation.
4.3 HealScript™ Practitioner and Organizational Information
- Caseload data, schedules, clinical documentation, client care module data, intake data, assessments, treatment plans, progress tracking, outcome measurement, workflow coordination, compliance tracking, operational dashboards, KPI dashboards, and organizational oversight data.
4.4 HealConnect™ Client Engagement Information
- Digital intake, mood and wellness tracking, guided journaling, reminders, alerts, appointment scheduling, secure communications, continuity-of-care support, voice-to-text journaling, engagement data, and information transmitted between HealConnect™ and HealScript™ for clinical use, storage, processing, and AI-assisted analysis.
4.5 Technical, Security, and Usage Information
- IP address, device information, browser type, operating system, application logs, audit logs, access logs, authentication logs, security events, SIEM records, vulnerability records, incident records, and usage metadata.
4.6 AI, Machine Learning, and Voice Processing Information
- AI prompts, inputs, outputs, clinical summaries, recommendations, prediction logs, voice inputs, audio recordings, transcriptions, model execution logs, user review actions, override decisions, validation outcomes, human review logs, AI monitoring records, and AI governance records.
5. How We Use Information
Cognera Health uses information for legitimate business, clinical, operational, security, contractual, legal, regulatory, compliance, analytics, and continuity-of-care purposes.
- Deliver, operate, maintain, and support Cognera Health products and services.
- Support care delivery, care coordination, documentation workflows, engagement, measurement-based care, and operational intelligence.
- Enable authorized healthcare providers and care teams to access, review, validate, and use platform information.
- Support AI-assisted documentation, analytics, workflow automation, quality improvement, and care coordination.
- Provide customer support, troubleshooting, service communications, and administrative notices.
- Maintain privacy, security, auditability, compliance, fraud prevention, system integrity, and operational resilience.
- Comply with HIPAA, HITECH, GDPR, UK GDPR, CCPA/CPRA, state privacy laws, consumer health privacy laws, telehealth obligations, contracts, legal obligations, and regulatory requirements.
6. Artificial Intelligence, Machine Learning, Voice-to-Text, and Clinical Decision Support
CogneraAI™ and related AI-enabled features are intended to assist and augment human decision-making. These technologies are used to convert spoken or written inputs into structured documentation, assist with data analysis, support workflow automation, enhance system functionality, support care coordination, and improve healthcare operations.
AI and ML tools are designed to assist—not replace—clinical judgment, professional decision-making, documentation review, or patient care. Final responsibility for clinical decisions, documentation accuracy, billing use, regulatory compliance, and patient care remains with licensed healthcare professionals and authorized organizational users.
6.1 Voice-to-Text and Audio Processing
When voice-to-text or audio processing features are enabled, audio is temporarily processed to generate text, transcriptions, summaries, or structured outputs. Audio and transcriptions can contain PHI/ePHI and are protected using privacy and security safeguards. Users and providers are responsible for obtaining legally required recording or transcription consent before use.
6.2 AI Training, Testing, and Improvement
Cognera Health does not sell PHI and does not use identifiable PHI for marketing or advertising without explicit authorization. Data used to train, test, validate, or improve AI/ML models is de-identified whenever feasible or processed pursuant to valid authorization, customer instruction, a Business Associate Agreement, or another legally permitted basis.
6.3 De-Identification
Cognera Health uses or discloses de-identified information in accordance with HIPAA de-identification requirements, including the Safe Harbor method under 45 CFR 164.514(b) or Expert Determination as applicable. De-identified information is used for product improvement, quality assurance, system performance analysis, research, analytics, reporting, and development or enhancement of AI/ML models.
7. Legal Bases and Permitted Purposes
Depending on the information type, jurisdiction, customer relationship, and processing activity, Cognera Health processes information based on treatment, payment, healthcare operations, customer instructions, contractual necessity, consent, authorization, legitimate interests, legal obligations, regulatory requirements, security requirements, or other permitted legal bases.
8. How We Share Information
Cognera Health shares information as permitted or required by law, contract, customer instruction, or authorization.
- With Covered Entities, healthcare organizations, providers, care teams, and authorized users.
- With Business Associates, subcontractors, cloud service providers, managed service providers, managed security service providers, and vendors supporting Cognera Health operations.
- With integrated systems, APIs, and approved third-party platforms at customer direction.
- With regulatory authorities, courts, government agencies, or law enforcement where legally required.
- During security investigations, incident response, legal claims, audits, compliance reviews, or business continuity activities.
- With successor organizations in connection with a merger, acquisition, restructuring, or similar transaction, subject to appropriate protections.
Cognera Health requires appropriate contractual, privacy, security, and data protection safeguards for vendors and service providers handling regulated or confidential information.
9. Data Retention, Deletion, and Secure Disposal
Cognera Health retains information only as long as necessary for legitimate business, clinical, legal, contractual, regulatory, privacy, security, audit, risk management, continuity-of-care, and operational purposes. When information is no longer required and no legal, regulatory, contractual, clinical, security, audit, investigative, or preservation obligation applies, information is securely deleted, destroyed, de-identified, anonymized, archived, or otherwise dispositioned.
| Information Type | General Retention | Notes |
|---|---|---|
| Clinical records, treatment plans, care plans, progress notes, SOAP notes, assessments, care coordination records, behavioral health records, wellness records, and related clinical documentation | Generally seven (7) years following last clinical activity, encounter, service, or documented interaction | Longer retention applies when required by law, contract, payer requirement, accreditation requirement, litigation hold, regulatory investigation, or customer requirement. |
| Assessment instruments and measurement-based care records | Generally seven (7) years | Retained as part of the designated clinical record set as applicable. |
| Messaging and care communication records | Generally seven (7) years | Retained as part of applicable clinical or operational records. |
| Authorizations, consents, disclosure records, HIPAA documentation, compliance records, audit records, security records, AI governance records, and voice consent records | Generally six (6) years | Retained longer when required by law, contract, legal hold, audit, investigation, or regulatory inquiry. |
| Raw audio recordings | Deleted after successful transcription, validation, and quality review unless retention is otherwise required | Audio is retained where legally, contractually, clinically, or operationally required or explicitly authorized. |
| Backup and disaster recovery data | Retained according to approved backup lifecycle schedules | Backup destruction occurs according to approved retention and secure disposal procedures. |
Secure disposal methods include secure deletion, cryptographic erasure, secure overwrite, media sanitization, secure cloud destruction, key destruction, shredding, pulverization, certified destruction, de-identification, or anonymization.
10. Privacy Rights and Individual Requests
Individual privacy rights include access, correction, amendment, deletion, processing restriction, objection, portability, consent withdrawal, accounting of disclosures, and limitation of sensitive personal information use, subject to applicable law, contract, jurisdiction, role, healthcare obligations, and legal exceptions.
Cognera Health will take reasonable steps to verify identity and authority before disclosing, correcting, deleting, exporting, restricting, or otherwise processing information in response to a request. Requests shall be limited or denied where retention is required for healthcare record retention, HIPAA obligations, regulatory requirements, litigation holds, security investigations, fraud prevention, contractual obligations, or continuity-of-care requirements.
11. HIPAA Rights and Covered Entity Support
Where Cognera Health acts as a Business Associate, individuals shall direct HIPAA rights requests to the Covered Entity or healthcare provider responsible for the individual’s care. Cognera Health supports Covered Entities in fulfilling applicable HIPAA rights including access, amendment, accounting of disclosures, restrictions, and confidential communications where required by contract and law.
12. California and U.S. State Privacy Rights
Under CCPA/CPRA and other applicable state privacy laws, individuals have rights to know, access, delete, correct, limit the use of sensitive personal information, opt out of certain data sharing activities, and not be discriminated against for exercising privacy rights.
Cognera Health does not sell PHI. Cognera Health does not use identifiable PHI for marketing or advertising without explicit authorization.
13. Voice, Audio, and Biometric Data Notice
Voice-to-text functionality processes spoken audio to generate text, structured outputs, documentation, summaries, or engagement support. Where voice processing involves the capture or derivation of a voiceprint or biometric identifier for unique identification, Cognera Health shall follow applicable biometric privacy requirements, including prior informed consent where legally required.
Individuals shall receive notice of the purpose and duration of use when required by applicable law. Cognera Health does not sell, lease, trade, or profit from biometric identifiers.
14. Security Safeguards
Cognera Health uses administrative, technical, physical, and organizational safeguards designed to protect information. Safeguards include encryption at rest and in transit, role-based access controls, least-privilege access, multi-factor authentication, unique user IDs, audit logging, security monitoring, access reviews, vulnerability management, vendor oversight, incident response procedures, backup management, disaster recovery, and workforce training.
15. Account Deletion, Data Deletion, and In-App Requests
Cognera Health mobile applications and services with account creation capabilities shall provide an in-app account deletion flow or a clearly accessible account deletion request process. Users shall initiate account deletion from within HealConnect™ or HealScript™, and Cognera Health shall maintain a web-based deletion request page for app store, privacy, and data safety compliance.
Deletion requests include deletion or deactivation of the user account, deletion of personal information that Cognera Health is not legally or contractually required to retain, and removal of app-accessible account data from active systems as permitted. Certain records shall be retained when required for HIPAA, healthcare record retention, legal obligations, security, fraud prevention, audits, investigations, legal holds, customer contracts, continuity-of-care requirements, or other permitted preservation purposes.
In-app path: Settings → Account → Delete Account.
16. App Tracking, Analytics, Cookies, SDKs, and Device Identifiers
Cognera Health uses limited analytics, diagnostic, crash reporting, security monitoring, fraud prevention, performance measurement, and operational tools to operate and improve its websites, applications, and services. These tools process device identifiers, app instance identifiers, IP address, device type, operating system, browser type, usage events, diagnostic data, crash logs, and security signals.
Cognera Health does not use PHI/ePHI for third-party advertising. Cognera Health shall request user permission where required for technologies that constitute tracking under Apple App Tracking Transparency rules or applicable privacy laws, and Cognera Health shall describe the applicable data practices in the App Store privacy disclosures and this Privacy Policy.
Any analytics, crash reporting, fraud prevention, or SDK provider will be governed through appropriate vendor review, contractual safeguards, privacy review, and security review before use.
17. Do Not Sell or Share My Personal Information
Cognera Health does not sell PHI. Cognera Health does not sell personal information for money. When applicable law defines sharing to include certain cross-context behavioral advertising or analytics activities, Cognera Health shall provide required opt-out mechanisms and honor applicable privacy choices.
California residents and other eligible individuals shall submit privacy requests through the privacy contact listed below or through the designated privacy request form.
18. Health Data Advertising, Marketing, and Sensitive Data Restrictions
Cognera Health does not use PHI/ePHI, clinical records, behavioral health information, mental health information, voice journaling content, assessment responses, treatment documentation, crisis-related information, or identifiable consumer health data for third-party advertising, targeted advertising, ad personalization, data broker disclosure, or sale.
Cognera Health uses business contact information for permitted business communications, product notices, security notices, customer support, service updates, and legally permitted marketing communications, subject to applicable opt-out rights and contractual restrictions.
19. Advertising and Marketing Restrictions
Cognera Health does not sell PHI, ePHI, behavioral health information, mental health information, treatment information, assessment responses, voice journaling content, crisis-related information, or identifiable consumer health data.
Cognera Health does not use PHI, ePHI, or identifiable health information for third-party advertising, targeted advertising, cross-context behavioral advertising, advertising profiling, data broker disclosure, or advertising personalization without legally required authorization.
20. Apple App Store, Google Play, and Data Safety Disclosures
Cognera Health mobile application privacy disclosures shall be consistent with this Privacy Policy and applicable app store submissions. Before publishing or updating HealConnect™ or related mobile applications, Cognera Health shall map collected and shared data categories to Apple App Privacy and Google Play Data Safety requirements.
| Data Safety Topic | Policy Position |
|---|---|
| Account creation and deletion | Account deletion is available in-app where accounts are created, with a web deletion request page available for app store disclosures. |
| Data collection | Collected categories include account information, health and wellness information, user content, identifiers, diagnostics, usage data, and support communications according to enabled features. |
| Data sharing | Information is shared with healthcare providers, authorized care teams, service providers, Business Associates, cloud providers, security vendors, and regulators as permitted or required. |
| Encryption | Sensitive information is protected using encryption in transit and at rest as applicable. |
| Deletion | Users can request deletion, subject to legal, healthcare, security, contractual, and retention exceptions. |
| Advertising | PHI/ePHI and identifiable consumer health data are not sold or used for third-party advertising. |
21. Cross-Border Transfers
Cognera Health services are operated, hosted, supported, accessed, or processed in the United States and other jurisdictions where Cognera Health, cloud infrastructure providers, service providers, contractors, or authorized support personnel operate.
Where required by applicable law, Cognera Health implements appropriate contractual, technical, administrative, and organizational safeguards designed to support lawful international data transfers, including customer agreements, vendor data protection terms, access controls, encryption, auditability, and other data protection measures.
22. EU / UK Data Protection Contacts
Eligible individuals can contact Cognera Health regarding access, correction, deletion, restriction, portability, objection, withdrawal of consent, or other applicable data protection rights under GDPR or UK GDPR.
Data Protection Contact: Privacy
Cognera Health shall publish applicable GDPR Article 27 representative or Data Protection Officer contact details when representative or DPO requirements apply.
23. Privacy Officer and Data Protection Contact
Cognera Health maintains privacy, security, compliance, and information governance oversight functions responsible for privacy rights management, regulatory compliance, data protection, and information governance activities.
Privacy Officer / Data Protection Contact: Privacy
For GDPR, UK GDPR, privacy rights, international data protection, deletion, correction, access, portability, objection, restriction, or consent-related inquiries, please contact the Privacy Office at Privacy.
Cognera Health shall publish applicable GDPR Article 27 representative or formal Data Protection Officer details when those requirements apply based on operating activities, customer contracts, jurisdictional scope, or applicable law.
24. Children and Minors
Cognera Health services are not directed to children for unsupervised use. Unless a product-specific workflow, healthcare provider, customer agreement, or applicable law provides otherwise, users must be at least 18 years old or the age of majority in their jurisdiction to create an account directly.
Where services involve minors, use must occur under applicable provider, parent, guardian, school, organizational, Covered Entity, or legally authorized consent frameworks. Cognera Health does not knowingly collect information from children outside authorized healthcare, organizational, parental/guardian, or legally permitted workflows.
25. Changes to this Privacy Policy
Cognera Health shall update this Privacy Policy as needed to reflect changes in law, regulation, technology, business practices, services, or governance requirements. Material changes shall be communicated where required by applicable law or contract.