Privacy Policy
Last updated: March 2026
Overview
HealthData-in-Motion ("HDIM"), operated by Mahoosuc Solutions LLC, is committed to protecting the privacy and security of your information. This policy describes how we collect, use, and safeguard data when you visit our website or use our platform.
HIPAA Compliance
HDIM is designed to be HIPAA-compliant. Protected Health Information (PHI) processed by our platform is handled in accordance with HIPAA Privacy and Security Rules. We execute Business Associate Agreements (BAAs) with all customers who process PHI through our platform.
Data We Collect
Website visitors: We may collect standard web analytics data (page views, referral sources, device type) to improve our website. We do not collect PHI through our marketing website.
Platform customers: Clinical data processed by HDIM remains within your infrastructure. HDIM queries your FHIR servers directly and does not centralize or replicate your clinical data.
Data Retention
Platform data: PHI cache entries are retained for a maximum of 5 minutes (per HIPAA compliance requirements). Quality measure results, care gap reports, and audit logs are retained within your infrastructure according to your organization's retention policies. HDIM does not independently retain copies of your clinical data.
Account data: Customer account information (organization name, contact details, contract terms) is retained for the duration of the service agreement plus 3 years for compliance and audit purposes.
Website analytics: Web analytics data is retained for up to 26 months and is not linked to individual identities.
Cookies & Tracking
Our marketing website uses privacy-respecting, cookieless analytics (Plausible). We do not use tracking cookies or advertising cookies, and we do not sell data to third parties.
- Essential cookies: Required for site functionality (session management, security). Cannot be disabled.
- Optional cookies: If we introduce optional analytics or marketing tools in the future, they will only activate after you grant consent via our cookie banner.
You can manage your cookie preferences at any time via the Cookie Settings link in our footer. The HDIM platform itself does not use cookies — authentication is handled via JWT tokens within your infrastructure.
Subprocessors
HDIM deploys on your infrastructure. For customers using our hosted services, we may use the following categories of subprocessors:
- Cloud infrastructure: Compute and storage providers (customer-selected: AWS, Azure, or GCP)
- Monitoring: Application performance and uptime monitoring (no PHI transmitted)
- Support: Customer support ticketing (no PHI included in support tickets)
A current list of specific subprocessors is available upon request and is included in your Business Associate Agreement.
Data Security
We employ TLS 1.3 encryption for all data in transit, AES-256 encryption for data at rest, multi-tenant isolation at the database level with row-level security, role-based access control with five privilege tiers, and comprehensive audit logging for 100% of data access events per HIPAA §164.312(b).
Breach Notification
In the event of a confirmed security breach involving PHI, Mahoosuc Solutions LLC will notify affected customers within 72 hours of discovery, consistent with HIPAA Breach Notification Rule requirements (§164.404). Notification will include the nature of the breach, types of data involved, steps taken to mitigate harm, and recommended protective actions.
Your Rights
You have the right to:
- Access: Request a copy of personal data we hold about you or your organization
- Correction: Request correction of inaccurate personal data
- Deletion: Request deletion of your account data (subject to legal retention requirements)
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing of your personal data for marketing purposes
PHI-related rights (access, amendment, accounting of disclosures) are governed by your organization's HIPAA policies, as HDIM acts as a Business Associate.
Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email to platform customers and posted on this page with an updated revision date.
Contact
For privacy-related inquiries, data subject requests, or to obtain our current subprocessor list, contact us at sales@mahoosuc.solutions.