Privacy Policy
1. Introduction
Intrahealth Systems Limited (“Intrahealth,” “we,” “us,” or “our”) is a HEALWELL AI Inc. company that provides electronic medical record (EMR), practice management, interoperability, and related digital health solutions for healthcare organizations and providers. Our solutions support clinical documentation, scheduling, billing, and operational workflows for healthcare organizations and providers.
This Privacy Policy explains how Intrahealth collects, uses, discloses, retains, and safeguards personal information (“PI”) and personal health information (“PHI”) in connection with:
- The provision of Intrahealth products and services; and
- Use of the Intrahealth website and related digital platforms.
Because Intrahealth is part of the HEALWELL group, certain general privacy practices (including governance, security standards, and corporate oversight) are described in the HEALWELL AI Inc. Privacy Policy, which can be accessed here.
The Intrahealth Privacy Policy (“this policy”) provides additional detail specific to Intrahealth’s products and operations.
2. Our Role
Intrahealth usually operates as an agent, information manager, or service provider on behalf of healthcare providers and institutions, which remain the health information custodians (“custodians”) responsible for the PI and PHI. Unless explicitly stated otherwise, Intrahealth does not act as the health information custodian for patient PHI. We process PHI:
- Under the authority and direction of the applicable custodian,
- In accordance with written contractual arrangements, and
- In compliance with applicable privacy and health information legislation.
3. Information We Collect
- Sources of PI and PHI
Intrahealth collects PI and PHI:
- Directly from healthcare providers or their authorized users,
- Through integrations and EMR systems authorized by Custodians,
- Automatically through system usage (logs, audit trails),
- Through website inquiries, marketing communications, or event registrations.
Patient PHI is made available to Intrahealth by custodians through the use of our systems.
- Information related to healthcare providers and authorized users
When healthcare providers, health system partners, or authorized users interact with our website, we may collect:
- Account and contact details (name, title, organization, email, phone)
- Credentials and authentication data
- Administrative and configuration information
- Billing and invoicing details
- Communications with Intrahealth (support requests, feedback)
- Technical and usage data (IP address, device identifiers, system logs, audit trails)
If you choose not to provide certain information necessary for account setup, support, or billing, we may be unable to provide the requested services.
- Information related to patients
Intrahealth does not typically collect PHI directly from patients. Instead, custodians input or make patient PHI available through Intrahealth systems so that we may deliver authorized services. Patient PHI processed may include:
- EMR data (diagnoses, medications, clinical notes)
- Demographic and administrative identifiers
- Appointment, billing, and operational records
- Clinical interaction data (virtual care, telephony, documentation)
- Program-specific healthcare data
- De-identified or aggregated datasets where authorized
All patient PHI is processed solely in accordance with the contractual arrangements made with the applicable custodian.
4. How we use the information we collect
Intrahealth uses provider-related information to:
- Deliver and configure services
- Authenticate users and manage access
- Provide onboarding, training and support
- Monitor and improve system performance and security
- Process billing
- Comply with contractual and legal obligations
Patient PHI is used only to:
- Support clinical care and coordination
- Enable EMR and practice management operations
- Facilitate authorized interoperability and data exchange
- Support quality improvement and reporting as authorized
- Maintain system security and integrity
Intrahealth does not use identifiable patient PHI for advertising or independent commercial purposes.
5. Artificial Intelligence (AI) and analytics
Intrahealth systems may incorporate analytics or AI-assisted features designed to support operational and administrative efficiency. These tools are used exclusively for non-clinical purposes and do not process, analyze, or interact with identifiable personal information or personal health information. Intrahealth does not use identifiable PI or PHI in any AI system for model training, analysis, profiling, or automated decision-making. Where AI-assisted functionality is used, outputs are subject to review and validation by an authorized Intrahealth employee before being relied upon.
6. Website information and cookies
When patients or healthcare providers visit our website, we may collect the following information:
- Contact information submitted voluntarily
- Device and browser information
- Cookies and analytics data
Where practicable, users may browse our website anonymously. However, certain services require contact information. We use cookies for functionality and analytics. Users may manage cookie preferences through their browser settings.
7. Disclosure of information
Intrahealth discloses patient PHI to authorized service providers supporting operations only under custodian direction or where required or permitted by law. We may disclose provider-related information collected via our website to:
- Contracted service providers,
- Professional advisors,
- Regulators (where required),
- Business transaction counterparties under confidentiality protections
8. Cross-border data transfers
Intrahealth does not transfer core EMR PHI outside the jurisdiction in which it is generated or hosted. Core clinical data remains stored and processed within the applicable jurisdiction in accordance with customer contractual requirements and applicable health information legislation. In limited circumstances, certain operational or optional integration services may involve authorized third-party service providers located outside the originating jurisdiction. Where such integrations are used:
- The involvement of the third-party service provider is disclosed in applicable customer agreements,
- Processing is limited to the information necessary to provide the specific integration service,
- Appropriate contractual privacy, confidentiality, and security safeguards are implemented prior to any access being granted.
Where personal information (other than core EMR PHI) is accessed or processed outside the originating jurisdiction, Intrahealth applies appropriate technical, organizational, and contractual safeguards consistent with its Information Security Management System and applicable privacy laws. These safeguards include binding contractual privacy and confidentiality obligations with all third-party service providers, encryption of PI at rest and in transit, least privilege access provisioning, RBAC and data minimization principles. Third-party service providers are assessed prior to engagement and periodically thereafter to ensure their privacy and security controls meet Intrahealth’s standards and applicable legal obligations.
9. Data Security
Intrahealth actively seeks to maintain the privacy of the information under our control. To prevent unauthorised use, maintain data accuracy, and ensure the appropriate use of information, we have put in place appropriate physical, electronic, and administrative procedures to safeguard and secure the information we collect.
10. Data Retention
Intrahealth retains PI and PHI for only as long as necessary to provide services, meet applicable contractual and legal obligations and comply with any applicable regulatory requirements. Where authorized, we may retain de-identified or aggregated data for analytics or product improvement purposes. Intrahealth does not de-identify patient PHI without written authorization from the custodian.
11. Privacy Rights
Subject to certain limitations and depending on the applicable privacy laws, providers, patients and staff, as applicable, have rights under privacy laws to access the personal information that Intrahealth holds regarding them, and have it corrected where necessary, subject to some exceptions. Depending on the country patients or providers reside in, they may also have rights to access their personal information in a portable, electronic format, a right to have their personal information erased, a right to know the third parties with whom their personal information has been shared and/or a right to object to Intrahealth processing their personal information. Individuals also have rights, under applicable laws, to lodge a complaint with the relevant data protection or privacy authorities if they believe Intrahealth is not handling their personal information in accordance with the law. Where Intrahealth acts as an agent, information manager, or service provider, we may direct an individual’s request to the appropriate custodian and then support the custodian in fulfilling the request based on what has been agreed within the contract.
For any questions or concerns about Intrahealth’s privacy practices or this policy, please contact our Privacy Office at privacy@intrahealth.com.
12. Changes to this Privacy Policy
This policy may be updated from time to time. The date of the most recent revisions will appear on our page. If you do not agree to these changes, please do not continue to use our website or services. Continued use of the Intrahealth website or services constitutes acceptance of updates.