
HIPAA Notice of Privacy Practices

Effective March 20, 2026 · CareSwaps operates as a HIPAA Business Associate
Important: This Notice applies to Protected Health Information (PHI) that CareSwaps, LLC receives, creates, or maintains as a HIPAA Business Associate of participating care facilities (Covered Entities). CareSwaps is not a Covered Entity. For information about general website, account, and billing data, see our Privacy Policy.

1. CareSwaps' Role Under HIPAA

CareSwaps, LLC is a healthcare technology platform provider. When CareSwaps receives, creates, stores, or transmits PHI on behalf of a participating care facility, CareSwaps acts as a HIPAA Business Associate as defined in 45 CFR § 160.103. A written Business Associate Agreement (BAA) is signed with every Covered Entity before PHI is exchanged.

CareSwaps complies with the HIPAA Privacy Rule (45 CFR Part 164, Subpart E), the Security Rule (45 CFR Part 164, Subpart C), and the Breach Notification Rule (45 CFR Part 164, Subpart D), subject to the terms of the applicable BAA.

2. What PHI We Handle

CareSwaps may receive or generate PHI in the following categories:

  • Resident identifiers: Full name, date of birth, address, phone, email
  • Care status: Current living situation, care-level needs, desired transfer timeline
  • Decisional authority: Power of Attorney (POA) or Medical Durable Power of Attorney (MDPOA) status
  • Family contact: Applicant name, relationship, email, phone
  • Operational notes: Transfer preferences, preferred geography, insurance/payer information

2.3 POA / MDPOA Documentation

If you are submitting information about a family member, CareSwaps may request documentation of your legal authority to act on their behalf (POA, MDPOA, or guardianship order). We will only accept submissions where the submitter has confirmed in writing that they have lawful authority to share the resident's information. Where applicable, CareSwaps may request a copy of the POA/MDPOA instrument before proceeding with the match.

3. How We Use and Disclose PHI

CareSwaps uses and discloses PHI only as permitted by the BAA with the applicable Covered Entity and by 45 CFR § 164.504(e) and § 164.514. Specifically:

  • To operate the algorithmic transfer-matching service using operational factors (bed availability, payer acceptance, geographic proximity, timing).
  • To exchange PHI with other participating facilities that have signed a BAA, for the limited purpose of evaluating a potential match.
  • To provide access to the family subscriber (under the authority of the POA/MDPOA) for review of their own submission.
  • To comply with legal obligations (subpoena, court order, HHS OCR investigation).
  • To respond to a security or breach incident under the Breach Notification Rule.

CareSwaps will not use or disclose PHI for marketing, sale, fundraising, or advertising. CareSwaps will not use PHI for any purpose not permitted by the BAA or the HIPAA Privacy Rule.

4. Security Safeguards

CareSwaps maintains administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI, consistent with the HIPAA Security Rule (45 CFR §§ 164.308, 164.310, 164.312).

4.1 Encryption

All PHI is encrypted in transit using TLS 1.2 or higher. PHI at rest is encrypted using AES-256 equivalent safeguards provided by our BAA-covered service providers (Google Workspace, Jotform HIPAA Gold, Paubox).

4.2 Network Security

All platform traffic is protected by Cloudflare's edge network, including DDoS mitigation and WAF rules. Administrative endpoints require MFA.

4.3 Access Controls

Access to PHI is restricted by role. Multi-factor authentication is required for all administrative accounts. Session timeouts and login audit logs are enforced.

4.4 Audit Logging

All PHI reads, writes, and exports are logged with actor, action, timestamp, and record ID. Logs are retained for a minimum of six (6) years.

4.5 Data Segregation

PHI is stored exclusively in BAA-covered systems (Google Workspace). Operational systems without BAAs (Airtable, Make.com) receive only de-identified IDs under 45 CFR § 164.514(b) (Safe Harbor) — never names, contact information, care details, or any of the 18 HIPAA identifiers.

4.6 Incident Response

CareSwaps maintains a written HIPAA Breach Response Plan. Upon discovery of a potential breach, CareSwaps investigates within 72 hours, notifies the affected Covered Entity within the timeframe required by the applicable BAA, and cooperates with the Covered Entity's Breach Notification Rule obligations.

4.7 Role-Based Access

Role | Access Scope | Notes
Privacy / Security Officer | All systems, all PHI | Michael Ford (Founder). MFA required.
Platform Administrator | Read/write PHI, admin console | MFA. Background-checked.
Support Staff | Ticket-scoped PHI only (when family initiates contact) | No bulk export. Audit-logged.
Matching Engine (automated) | Read PHI within BAA scope | Service account. No human reads without audit event.
Finance / Billing | Billing fields only. No PHI. | Scoped to Stripe and GL only.
Operational Systems (Airtable, Make.com) | De-identified IDs only. No PHI. | Per 45 CFR § 164.514(b) Safe Harbor.

5. Your Rights Under HIPAA

Under the HIPAA Privacy Rule, you (or your legally authorized representative) have the following rights with respect to PHI that CareSwaps holds:

  • Right of Access: Request a copy of the PHI we maintain about you.
  • Right to Amend: Request correction of PHI you believe is inaccurate or incomplete.
  • Right to an Accounting of Disclosures: Request a list of disclosures of your PHI made for purposes other than treatment, payment, operations, or those authorized by you.
  • Right to Request Restrictions: Ask us to limit how your PHI is used or disclosed. We will consider but are not required to agree to every request.
  • Right to Confidential Communications: Ask us to contact you at a specific email, phone, or mailing address.
  • Right to File a Complaint: File a complaint with CareSwaps or with HHS OCR without retaliation.

To exercise any of these rights, email privacy@careswaps.com. We will respond within thirty (30) days, consistent with 45 CFR § 164.524.

6. Breach Notification

In the event of a breach of unsecured PHI, CareSwaps will notify the affected Covered Entity without unreasonable delay and in no event later than sixty (60) days after discovery, in accordance with 45 CFR § 164.410 and the applicable BAA. The Covered Entity is responsible for notifying affected individuals, HHS, and, where applicable, the media.

Where CareSwaps' services create a direct-to-family relationship and CareSwaps has a notification obligation under the BAA, CareSwaps will send a breach notice to the affected family subscriber by the method specified in the BAA.

7. De-Identification — HIPAA Safe Harbor

CareSwaps uses de-identified data in all systems that do not have a signed BAA (Airtable, Make.com). De-identification is performed consistent with the Safe Harbor method in 45 CFR § 164.514(b), removing all eighteen (18) identifiers:

  1. Names
  2. Geographic subdivisions smaller than a state (street, city, county, ZIP if population < 20,000)
  3. All elements of dates (except year) for dates directly related to an individual
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers (fingerprints, voice prints)
  17. Full-face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code

Once de-identified, the record is reduced to operational IDs (e.g., SW-0007, CS-012) and status flags only. No re-identification key is stored in the de-identified system.
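The Safe Harbor reduction described above, as an added example that is not CareSwaps' own code: a constructed record is projected onto an allowlist of operational IDs and status flags before it may leave a BAA-covered system, and a pattern guard for the mechanically recognisable identifier classes (3, 4, 6, 7, 14, 15) refuses the export if an identifier has been typed into a permitted field. The field names and sample values are assumptions.

```python
import re

# Constructed example record in the shape a BAA-covered system might hold it
# (hypothetical field names; not CareSwaps' actual schema).
PHI_RECORD = {
    "swap_id": "SW-0007",            # operational ID, permitted downstream
    "facility_id": "CS-012",         # operational ID, permitted downstream
    "status": "awaiting_match",      # status flag, permitted downstream
    "payer_accepted": True,          # status flag, permitted downstream
    "resident_name": "Jane Example",             # identifier 1
    "dob": "1941-06-02",                         # identifier 3 (full date)
    "email": "family@example.com",               # identifier 6
    "phone": "(555) 010-0199",                   # identifier 4
    "notes": "Tour link: https://example.org",   # identifier 14
}

# Allowlist: only operational IDs and status flags may reach non-BAA systems.
ALLOWED_FIELDS = frozenset({"swap_id", "facility_id", "status", "payer_accepted"})

# Guard patterns for identifier classes that can be spotted mechanically. The
# allowlist is the control; this only catches an identifier pasted into an allowed field.
IDENTIFIER_PATTERNS = (
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                               # 7: SSN
    re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"),             # 4: phone
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),                            # 6: email
    re.compile(r"https?://\S+"),                                        # 14: URL
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),                         # 15: IPv4
    re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),   # 3: full date
)


def contains_identifier(value) -> bool:
    """True if one field value looks like a guarded identifier class."""
    text = str(value)
    return any(p.search(text) for p in IDENTIFIER_PATTERNS)


def deidentify(record: dict) -> dict:
    """Project onto the allowlist; refuse (ValueError) rather than export a leak."""
    projected = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    for field, value in projected.items():
        if contains_identifier(value):
            raise ValueError(f"identifier-like value in allowed field {field!r}")
    return projected


def safe_to_export(record: dict) -> bool:
    """Boolean form of the guard for use at the export boundary."""
    try:
        deidentify(record)
        return True
    except ValueError:
        return False
```

The regexes do not recognise names or street addresses (identifiers 1 and 2), which is why the allowlist has to exclude free-text fields outright rather than filter them.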

8. Service Providers and BAAs

CareSwaps has executed Business Associate Agreements with the following service providers whose systems may touch PHI:

  • Google Workspace (Gmail, Sheets, Drive, Apps Script) — BAA signed March 11, 2026
  • Jotform (HIPAA Gold tier, hipaa.jotform.com) — BAA
  • Paubox (encrypted outbound email) — BAA

Stripe is classified as a payment processor under 45 CFR § 164.501 (payment processor exemption). Cloudflare operates as a network service under a DPA; no PHI is persisted in Cloudflare. Airtable and Make.com hold only de-identified data as described in Section 7 above.

9. Minimum Necessary

CareSwaps applies the HIPAA Minimum Necessary Standard (45 CFR § 164.502(b)). We request, use, and disclose only the PHI reasonably necessary to accomplish the intended purpose of the matching service. Matching uses operational factors only; diagnosis and treatment information are not used by the algorithm.

10. Contact — Privacy Officer and Security Officer

  • Privacy Officer & Security Officer: Michael Ford, Founder, CareSwaps, LLC
  • Email: privacy@careswaps.com
  • Phone: (970) 306-7131
  • Mail: CareSwaps, LLC, 2519 S. Shields St., Suite 1K PMB 1159, Fort Collins, CO 80526

Federal complaint: HHS Office for Civil Rights — hhs.gov/ocr · Toll-free: 1-800-368-1019.

11. Changes to This Notice

CareSwaps reserves the right to modify this HIPAA Notice of Privacy Practices at any time, consistent with 45 CFR § 164.520(b). Changes will be posted with a new effective date. We will notify active subscribers by email of any material change.

Reminder: This Notice describes CareSwaps' obligations as a Business Associate. Each participating Covered Entity (care facility) maintains its own Notice of Privacy Practices describing the Covered Entity's independent obligations. For facility-level privacy practices, request the facility's HIPAA Notice directly.


© 2026 CareSwaps, LLC. Healthcare technology platform. All rights reserved. CareSwaps does not provide medical care, clinical recommendations, or transportation services.

Accessibility: CareSwaps is committed to ensuring digital accessibility for people with disabilities. If you experience difficulty accessing any content on this site, please contact us at hello@careswaps.com or (970) 306-7131.

This site uses analytics cookies (Google Analytics) to understand how visitors use our platform. No health information is collected through cookies. See our Privacy Policy for details.