Legal · Privacy

Privacy Policy

Effective Date: June 23, 2026 · Last Updated: June 23, 2026
This Privacy Policy is published by IMFUTECH, the owner and operator of CARE RCM.

1. Scope of This Policy

IMFUTECH ("IMFUTECH," "we," "us," or "our") develops and operates CARE RCM, a cloud-based healthcare practice management and revenue cycle management platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard information when healthcare practices, their staff, and authorized individuals ("Customers," "you," or "your") use the Service, and when patients of those practices interact with patient-facing features such as the Patient Portal.

This Policy applies to all users of CARE RCM, including practice administrators, providers, billing staff, and patients who access the Patient Portal. It does not apply to third-party websites or services that may be linked from within the Service, which are governed by their own privacy policies.

Healthcare data notice: Because CARE RCM processes Protected Health Information ("PHI") on behalf of Customers who are themselves HIPAA Covered Entities, IMFUTECH acts as a Business Associate under the Health Insurance Portability and Accountability Act ("HIPAA"). Our handling of PHI is additionally governed by a signed Business Associate Agreement ("BAA") with each Customer, which takes precedence over this Policy with respect to PHI. See our BAA Template for details.

2. Information We Collect

We collect information in the following categories:

2.1 Account and Practice Information

Practice name, address, Tax ID, NPI numbers, and service facility locations
Staff and provider names, roles, login credentials, and contact details
Billing and subscription information, including payment method details processed via our payment processor (Stripe)

2.2 Protected Health Information (PHI)

On behalf of our Customers, we process PHI necessary to operate the Service, including patient demographics, appointment and scheduling data, clinical records (SOAP notes, vitals, diagnoses, medications, lab results, allergies), insurance and billing information, and claims data submitted via EDI 837P/835 transactions. We process this PHI strictly as a Business Associate, under the instructions of our Customers, and never for our own independent purposes.

2.3 Technical and Usage Information

IP address, browser type, device identifiers, and operating system
Log data such as pages visited, features used, and timestamps (used for security audit logging as required by HIPAA)
Cookies and similar technologies (see Section 9)

3. Protected Health Information (PHI)

PHI processed through CARE RCM is subject to heightened protections beyond this general Privacy Policy:

PHI is encrypted in transit (TLS 1.2+) and at rest (AES-256)
Access to PHI is restricted by role-based access controls; staff can only view PHI for practices and patients they are authorized to serve
Every access, creation, modification, and deletion of PHI is logged in an immutable audit trail, consistent with 45 CFR §164.312(b)
IMFUTECH does not use, sell, or disclose PHI for marketing, advertising, or any purpose outside of providing the Service, except as permitted under our BAA with the Customer or as required by law

If you are a patient and have questions about how a specific healthcare practice uses your PHI, please contact that practice directly — they are the HIPAA Covered Entity and data controller responsible for your medical records. IMFUTECH acts only as their technology provider (Business Associate).

4. How We Use Information

We use collected information to:

Provide, operate, and maintain the Service, including scheduling, billing, EDI claim generation, ERA payment posting, and clinical documentation features
Process payments through our payment processor and generate billing statements
Communicate with Customers about their account, including service updates, security alerts, and support responses
Monitor and improve platform performance, reliability, and security
Detect, investigate, and prevent fraudulent or unauthorized activity
Comply with legal obligations, including HIPAA, state healthcare privacy laws, and tax/financial recordkeeping requirements

5. How We Share Information

We do not sell personal information or PHI. We share information only in the following circumstances:

Recipient	Purpose
Clearinghouses (Office Ally, Availity)	Submitting EDI 837P claims and receiving ERA 835 remittance files on behalf of the Customer
Payment processor (Stripe)	Processing patient payments and subscription billing
Cloud infrastructure providers	Hosting and storing data securely (subject to their own BAAs with IMFUTECH)
Insurance payers	Submitting claims and verifying eligibility, as directed by the Customer practice
Law enforcement / regulators	Where required by law, subpoena, or court order

All third parties who may access PHI on our behalf are bound by their own Business Associate Agreements or equivalent contractual data protection obligations.

6. Data Security

We maintain administrative, technical, and physical safeguards designed to protect information against unauthorized access, alteration, disclosure, or destruction, including:

Encryption in transit and at rest
Multi-factor authentication (MFA) for all staff accounts accessing PHI
Automatic session timeout in accordance with HIPAA security requirements
Role-based access control scoped to practice, patient, and module level
Immutable, timestamped audit logging of all PHI access
Regular security reviews and vulnerability monitoring

No method of electronic transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

7. Data Retention

We retain PHI and account data for as long as the Customer's account is active, and thereafter as required to comply with legal, regulatory, tax, and audit obligations — typically a minimum of 6 years from the date of creation or last use, consistent with HIPAA recordkeeping requirements (45 CFR §164.316(b)(2)), or longer if required by applicable state law. Upon termination of a Customer's account, data is retained for a defined transition period to allow export, after which it is securely deleted or anonymized, except where retention is legally required.

8. Your Rights and Choices

Depending on your role and location, you may have rights including:

Access: Request a copy of personal information we hold about you
Correction: Request correction of inaccurate information
Deletion: Request deletion of your information, subject to our legal retention obligations
Portability: Request export of your data in a structured, machine-readable format

Patients seeking to exercise rights over their medical records under HIPAA should contact their healthcare practice directly, as the practice — not IMFUTECH — is the HIPAA Covered Entity responsible for fulfilling patient record requests. Practice administrators and staff may contact us directly using the information in Section 13.

9. Cookies and Tracking

We use strictly necessary cookies to maintain login sessions, enforce HIPAA-required session timeouts, and remember interface preferences (such as sidebar collapse state). We do not use third-party advertising cookies or trackers within the application itself. Our public marketing website (carercm.com) may use limited analytics cookies to understand site traffic; you can control cookie preferences through your browser settings.

10. Children's Privacy

CARE RCM is a business-to-business healthcare platform. Patient records for minors may be entered into the Service by healthcare practices under the practice's own authority and parental/guardian consent obtained by the practice. We do not knowingly collect personal information directly from children under 13 through our public marketing website.

11. International Users

CARE RCM is designed for use by healthcare practices located in the United States and is built around U.S. healthcare regulatory frameworks (HIPAA, CMS, X12 837/835 standards). We do not currently support practices operating outside the United States. Data is stored and processed within the United States.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated Policy with a revised "Last Updated" date. Material changes affecting PHI handling will be communicated to Customers in advance as required under our Business Associate Agreements.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

IMFUTECH
Attn: Privacy Officer
[IMFUTECH BUSINESS ADDRESS]
Email: [PRIVACY CONTACT EMAIL]
Phone: [PHONE NUMBER]