Important Notice: This document is intended to inform patients and site visitors about how our clinic (“we,” “us,” “our”) uses Application Programming Interfaces (APIs) to connect our approved electronic medical records (EMRs) with external vendors across various industries to streamline patient care. This is an informational policy and risk disclosure—not legal advice—and may be updated at any time without prior notice. By using our services or this website, you acknowledge and consent to the practices described below, as permitted by applicable law.
1.1 Purpose. This Policy explains our enterprise integration architecture, data flows, and security controls related to our use of APIs in connection with approved EMRs and affiliated platforms.
1.2 Scope. This Policy covers protected health information (PHI), electronic PHI (ePHI), personally identifiable information (PII), de-identified data, limited data sets, and other operational metadata processed by or through our APIs, to the extent handled by us or on our behalf in the United States.
1.3 Audience. This document is intended for patients, authorized personal representatives, caregivers, and stakeholders who interact with our services; it also provides transparency for regulators, business associates, and vendors who request insight into our security posture.
1.4 Regulatory Alignment. We implement administrative, physical, and technical safeguards designed to comply with applicable U.S. federal laws (including HIPAA and HITECH), applicable New Mexico laws governing privacy, security, and breach notification, and, where relevant, 42 C.F.R. Part 2 for substance use disorder (SUD) treatment records. Where multiple laws apply, we follow the more protective standard consistent with our legal obligations and the “minimum necessary” principle.
API (Application Programming Interface): A software interface enabling secure, authenticated exchange of data between systems, including EMRs and vendor platforms.
Approved EMR: An electronic medical record platform that we have vetted, contracted with (as applicable), and configured pursuant to our security and compliance standards.
Business Associate (BA): An entity that creates, receives, maintains, or transmits PHI on our behalf and is required to sign a Business Associate Agreement (BAA) where mandated by HIPAA.
Vendor: Any third party—whether a BA or non-BA—that interoperates with our systems. Vendors may include labs, imaging centers, pharmacies, payers, clearinghouses, billing platforms, telehealth and remote monitoring providers, analytics services, or infrastructure providers.
PHI/ePHI: Individually identifiable health information protected under HIPAA.
Minimum Necessary: The obligation to limit PHI uses, disclosures, and requests to the least amount needed to accomplish the intended purpose.
De-Identification: A process consistent with HIPAA standards to remove identifiers such that information is no longer considered PHI.
3.1 Interoperability Framework. Our API program leverages widely adopted healthcare standards where feasible, including HL7® FHIR® (R4 or later), SMART on FHIR, HL7 v2, X12/EDI for claims/eligibility, and secure transport protocols (e.g., TLS 1.2+).
3.2 Authentication & Authorization. We utilize industry best practices for identity and access management, which may include OAuth 2.0, OpenID Connect, mutual TLS, signed JSON Web Tokens (JWT), and role-based access controls (RBAC). Privileged operations are gated by least-privilege rules and policy-based authorization.
3.3 Data Segmentation & Tagging. We use logical and, where applicable, data-level segmentation to separate PHI from non-PHI, to enforce access controls, and to support additional protections for specially sensitive data classes (e.g., SUD records under 42 C.F.R. Part 2 and other state-protected categories).
3.4 Secure Software Development Lifecycle (SSDLC). Our integrations are developed and maintained pursuant to a risk-based SSDLC that includes code review, dependency hygiene, vulnerability scanning, and change control.
3.5 Resilience & Observability. We employ high-availability configurations, audit-ready event logging, metrics/telemetry, and monitoring for anomalous behavior. Logging excludes PHI where feasible; otherwise, PHI in logs is minimized and access-controlled.
4.1 Treatment, Payment, and Health Care Operations (TPO). We use and disclose PHI via APIs for TPO purposes as permitted under HIPAA. Examples include care coordination, lab orders/results, prescription management, eligibility checks, prior authorization, claims submission, utilization management, quality measurement, and population health activities.
4.2 Authorizations. Where an API-enabled disclosure is not otherwise permitted by HIPAA or applicable law, we will obtain a valid patient authorization before disclosing PHI. Authorizations can be revoked prospectively as permitted by law.
4.3 Special Protections. We will not disclose SUD treatment records protected by 42 C.F.R. Part 2 through APIs without obtaining patient consent/authorization, or as otherwise expressly allowed by law. Additional restrictions may apply to other sensitive categories (e.g., certain behavioral health, reproductive health, genetic data) under applicable law.
4.4 Minimum Necessary. Except when disclosing for treatment or otherwise exempt, we strive to limit API payloads to the minimum necessary for the stated purpose.
4.5 Patient Rights. Subject to verification and legal limits, patients may have rights to access, amend, and obtain an accounting of certain disclosures of their PHI. Requests may be submitted using the contact information in Section 15.
5.1 Due Diligence. Vendors are risk-assessed commensurate with data sensitivity, including review of security controls, regulatory posture, and incident history.
5.2 BAAs & DPAs. Where required, we execute Business Associate Agreements (and, where applicable, Data Processing Agreements) that allocate responsibilities for safeguarding PHI/PII and for breach notification.
5.3 Access Provisioning. API keys, client secrets, certificates, or tokens are provisioned following least-privilege principles and are rotated periodically or upon compromise.
5.4 Subprocessors. Vendors must disclose subprocessors where relevant and ensure comparable security controls.
5.5 Termination. Upon termination or change in services, vendors must return or securely destroy PHI/PII consistent with contractual and legal requirements.
6.1 Encryption. We use TLS 1.2+ for data in transit and AES-256 (or comparable modern algorithm) for data at rest, where feasible and appropriate.
6.2 Identity & Access Management. RBAC, strong authentication, session management, and periodic access reviews are enforced. Administrative access requires multifactor authentication.
6.3 Network Security. We employ firewalls, network segmentation, intrusion detection/prevention, and hardened endpoints.
6.4 Endpoint & Key Management. Secrets and keys are stored in hardened secret-management systems with rotation and monitoring.
6.5 Vulnerability & Patch Management. We conduct vulnerability scanning, track CVEs, and apply risk-based patching consistent with documented SLAs.
6.6 Secure Logging & Monitoring. We maintain immutable, time-synchronized logs adequate to support auditing, incident investigation, and regulatory inquiries.
6.7 Backups & Business Continuity. We maintain encrypted backups and implement business continuity and disaster recovery processes, including periodic testing.
6.8 Training & Awareness. Workforce members receive HIPAA privacy and security training, phishing awareness, and role-specific instruction.
6.9 Physical Safeguards. Facilities and devices handling PHI are subject to access controls, secure disposal, and device/media re-use standards.
7.1 Data Minimization. API integrations are configured to collect only data necessary to fulfill the relevant purpose.
7.2 Retention. Records are retained consistent with applicable federal and New Mexico requirements for medical records and payer documentation, and in accordance with our internal retention schedule.
7.3 De-Identification & Limited Data Sets. Where feasible, we use HIPAA-compliant de-identification and may share limited data sets under a data use agreement (DUA) for health care operations, quality improvement, or research as permitted by law.
8.1 Detection & Triage. We maintain an incident response plan that addresses suspected or confirmed security incidents involving APIs, EMRs, or vendors.
8.2 Containment & Eradication. Upon detection, we isolate affected systems, rotate credentials, and implement corrective measures.
8.3 Assessment. We assess whether an incident constitutes a reportable breach under HIPAA, HITECH, or applicable New Mexico breach notification laws.
8.4 Notification. If notification is required, we will provide timely notices to affected individuals, regulators, and (as applicable) the media and business associates, consistent with statutory and contractual timelines.
8.5 Post‑Incident Review. We perform root cause analysis, adopt remediation plans, and update controls to prevent recurrence.
9.1 Communication Channels. To streamline care, we may use APIs that enable secure messaging, scheduling, telehealth, e-prescribing, prior authorization, and care-coordination features. We do not require the use of unsecured channels for PHI.
9.2 Preferences. Patients may request preferred communication methods (e.g., phone, patient portal, secure email). Certain requests may be subject to feasibility and legal constraints.
9.3 Consent & Revocation. Where consent or authorization is required (e.g., for Part 2 data), we will seek documented consent. Consents may be withdrawn prospectively as permitted by law, which may impact our ability to deliver services.
10.1 Healthcare Vendors. APIs may connect to labs, imaging centers, pharmacies, payers, clearinghouses, and population health tools to support ordering, results retrieval, eligibility, and claims.
10.2 Operational Vendors. We may use APIs for billing, accounting, document management, e-fax, notifications (SMS/voice/email), remote patient monitoring (RPM), and device integrations.
10.3 Infrastructure & Security Vendors. We may use cloud service providers, managed security services, identity providers, and observability platforms with appropriate contracts and safeguards.
10.4 Research & Analytics. Where permitted, we may use de-identified data, limited data sets, or aggregated analytics for quality improvement, outcomes research, and operational analytics.
We do not knowingly collect PHI from children without required consents/authorizations from parents or legal guardians. Pediatric records processed through APIs are protected consistent with applicable law.
Our services are intended for use in the United States. We do not knowingly transfer PHI outside the United States except as permitted by law and contract, and with appropriate safeguards.
Content delivered via APIs or on our website is for informational purposes only and does not constitute medical advice. Clinical decisions should be made by licensed professionals considering the patient’s specific circumstances.
14.1 AS‑IS / AS‑AVAILABLE. To the maximum extent permitted by law, our website, APIs, and integrated services are provided on an “AS IS” and “AS AVAILABLE” basis, without warranties of any kind, express or implied, including but not limited to implied warranties of merchantability, fitness for a particular purpose, title, and non‑infringement.
14.2 No Guarantee of Uninterrupted Service. We do not warrant that integrations will be uninterrupted, timely, secure, or error‑free; that defects will be corrected; or that the systems are free of viruses or other harmful components.
14.3 Limitation of Liability. To the fullest extent permitted by law, we shall not be liable for any indirect, incidental, special, consequential, exemplary, or punitive damages, or for loss of profits, revenue, data, goodwill, or use, arising out of or related to our APIs, integrations, or this Policy, even if advised of the possibility of such damages. Our aggregate liability for direct damages shall not exceed the greater of (a) the amount paid by you for services giving rise to the claim during the twelve (12) months preceding the event, or (b) one hundred dollars (US $100). Some jurisdictions do not allow certain limitations; those limitations apply only to the extent permitted by law.
14.4 Indemnification. You agree to indemnify, defend, and hold harmless our clinic, affiliates, officers, directors, employees, contractors, and agents from and against any claims, liabilities, damages, losses, and expenses (including reasonable attorneys’ fees) arising out of or in any way connected with your misuse of our services or violation of this Policy or applicable law. This section does not limit any rights or defenses available to us under law.
Patients may submit requests to access, amend, or receive an accounting of disclosures of their PHI, or to ask questions about this Policy, to:
Privacy Officer
[Clinic Name]
[Mailing Address]
[City, State, ZIP]
Phone: [Phone Number]
Secure Email/Portal: [Contact URL or Portal Instructions]
We may require identity verification before responding.
16.1 Governing Law. This Policy and any disputes arising from or related to it shall be governed by federal law and the laws of the State of New Mexico, without regard to conflict‑of‑laws principles.
16.2 Informal Resolution. Before initiating formal proceedings, the parties agree to attempt to resolve disputes informally by notifying the other party in writing and allowing thirty (30) days for a response.
16.3 Arbitration. Except for matters that may be brought in small claims court or that seek injunctive relief, disputes shall be resolved by binding arbitration administered by a reputable arbitration provider under its then‑current rules. The seat of arbitration shall be New Mexico. Each party bears its own costs and fees unless otherwise required by law.
16.4 Venue. For matters not subject to arbitration, the exclusive venue shall be the state or federal courts located in New Mexico, and you consent to personal jurisdiction therein.
17.1 Version Control. This Policy is subject to versioning and change control. Material changes will be reflected by updating the “Effective Date” above.
17.2 Continued Use. Continued use of our website or services after changes are posted constitutes acceptance of the revised Policy. If you do not agree, you should discontinue use.
18.1 HIPAA & HITECH. We maintain administrative, physical, and technical safeguards designed to comply with HIPAA Security and Privacy Rules, and we follow HITECH breach notification requirements.
18.2 New Mexico Requirements. We follow applicable New Mexico privacy, security, and breach‑notification laws, as well as professional licensing and medical record retention requirements, to the extent they apply to our operations. Where New Mexico law imposes stricter standards than federal law, we apply the stricter standard as required.
18.3 Part 2 Programs. Where we operate a program covered by 42 C.F.R. Part 2, we implement heightened consent and redisclosure restrictions and technical safeguards to prevent unauthorized disclosures through APIs.
18.4 Telehealth. For telehealth services, we use secure platforms and adhere to applicable federal and New Mexico requirements concerning patient consent, privacy, and security.
While our services are intended for U.S. residents, if you are located in another jurisdiction with additional data rights, you may contact us. We will evaluate and respond to your request to the extent required by applicable law.
20.1 Transport & Payload Security. All API calls to and from approved EMRs and vendors are transmitted over encrypted channels using modern cipher suites. Where feasible, we implement certificate pinning, DNSSEC, HSTS, and anti‑replay protections.
20.2 Content Controls. We sanitize and validate inputs to mitigate injection risks; we apply output encoding and content security policies (CSP) for web components interacting with APIs.
20.3 Rate Limiting & Throttling. We apply rate limits and quotas to reduce risks of abuse and service degradation.
20.4 Segregation of Duties. Deployment, monitoring, and key‑management duties are separated to reduce insider risk.
20.5 Third‑Party Assessments. We perform risk-based security assessments and may engage independent auditors or penetration testers. Summaries may be made available to regulators or payers under confidentiality.
21.1 Collection. We collect data directly from patients, providers, devices, payers, and other integrated systems for legitimate health care purposes.
21.2 Use. We use data for TPO and other permitted purposes, including quality improvement, patient safety, compliance, and required reporting.
21.3 Disclosure. Disclosures through APIs are restricted to authorized recipients with a legitimate need-to-know, and are tracked where feasible.
21.4 Storage & Archiving. We store data in secure environments with access controls, backup, and media handling standards.
21.5 Destruction. When retention periods expire, we securely dispose of data/media in accordance with NIST and industry guidelines.
22.1 Marketing & Sale of PHI. We do not sell PHI and do not use PHI for marketing without required authorizations.
22.2 Redisclosure Limits. Recipients of PHI via APIs may be prohibited from redisclosure under HIPAA and, where applicable, 42 C.F.R. Part 2. Contracts require recipients to comply with redisclosure restrictions.
We strive to make this Policy and our services accessible. Upon request and subject to feasibility, we can provide auxiliary aids or language assistance consistent with applicable law.
If any provision of this Policy is found unenforceable, the remaining provisions remain in full force and effect. This Policy constitutes our entire public statement on API integrations and security practices and supersedes prior statements on the same subject. Our failure to enforce any provision is not a waiver of our rights.
If you believe your privacy rights have been violated, you may submit a complaint to us using the contact information in Section 15. You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights. We will not retaliate for filing a complaint.
By using our services, portal, or website, you acknowledge that you have read and understood this API Integration & Data Security Notice and agree to its terms to the extent permitted by law.