METRIPORT HEALTH LLC

Privacy Policy

Effective Date: January 1, 2026 • Version 2026.1


1. Introduction and Scope

Metriport Health LLC ("Metriport Health," "we," "us," or "our") is a wholly-owned subsidiary of Metriport Inc., a health information technology company.

This Privacy Policy describes how Metriport Health will collect, use, disclose, and protect health information, including protected health information, in connection with its website at metriporthealth.com and its health information exchange operations. This Policy reflects Metriport Health's commitment to complying with applicable privacy and security standards, including the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

2. Information Processed Through the Health Information Network

Metriport Health will serve as a technical intermediary enabling the exchange of health information among network participants. Metriport Health will process health information primarily in transit and will not be a primary custodian of patients' medical records.

2.1 Health Information

Metriport Health will process health information, which includes:

  • Electronic Protected Health Information (ePHI), including patient clinical summaries, continuity of care documents (C-CDA), laboratory results and diagnostic reports, medication histories, encounter data and clinical notes, and other structured and unstructured clinical data.
  • Patient demographic and identity information used for patient matching and record location services.
  • Transaction and audit log metadata, including organizational identifiers.

2.2 Website Data

When you visit metriporthealth.com, Metriport Health may automatically collect standard web server log data, including IP addresses, browser type, operating system, referring URLs, and pages visited. This information is used to operate, maintain, and improve the website and is not combined with health information processed through the Health Information Network. Metriport Health's website may use cookies and similar tracking technologies to support website functionality. You may configure your browser to refuse cookies, though some website features may not function properly if cookies are disabled. Metriport Health's website does not currently respond to browser Do Not Track signals.

3. Permitted Purposes

Metriport Health's Health Information Network will support health information exchange for the following purposes as authorized under applicable law:

3.1 Treatment

Metriport Health's Health Information Network will initially focus on Treatment-purpose exchange. Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including consultation between health care providers and referral of patients, as defined at 45 CFR § 164.501. Only health care providers—or business associates, agents, or contractors acting on their behalf—may initiate or respond to exchange queries for treatment purposes.

3.2 Additional Purposes

Metriport Health may in the future support additional exchange purposes where applicable legal and regulatory requirements are satisfied. Any such changes will be reflected in an updated version of this Privacy Policy.

3.3 Prohibited Purposes

Health information processed by or through Metriport Health's Health Information Network may not be used or disclosed for purposes that are not authorized under applicable law. Specifically:

  • Health information may not be used or disclosed for purposes prohibited by the HIPAA Privacy Rule or other applicable law.
  • Health information may not be used to assert claims against individuals except for the collection of legitimate fees.
  • Health information may not be used for marketing or fundraising purposes without appropriate authorization.
  • Health information may not be sold to or shared with third parties for purposes inconsistent with the permitted purposes described in this Policy.

4. How We Use and Disclose Individually Identifiable Information

4.1 Uses Within the Health Information Network

Metriport Health will use health information solely as necessary to:

  • Facilitate health information exchange transactions among network participants in accordance with authorized purposes.
  • Perform patient matching and record location services to enable accurate routing of health information queries.
  • Operate, monitor, and maintain the security and integrity of the Health Information Network.
  • Comply with audit, logging, and reporting requirements under applicable law and technical standards.
  • Respond to and manage security incidents in accordance with applicable law.

4.2 Disclosures

Metriport Health will disclose health information only as permitted by applicable law, including:

  • To recipient networks and network participants in connection with an authorized health information exchange transaction.
  • To affiliated entities acting as technology subcontractors, subject to appropriate data protection and business associate agreements.
  • To third-party vendors with access to health information, each governed by appropriate business associate agreements and applicable contractual privacy and security obligations.
  • As required by applicable law, including pursuant to valid legal process, regulatory requirements, or public health and safety obligations.

4.3 Minimum Necessary Standard

Consistent with the HIPAA minimum necessary standard (45 CFR § 164.502(b)) and applicable law, Metriport Health will apply appropriate policies and technical controls to limit the use and disclosure of health information to the minimum necessary to accomplish the authorized purpose.

5. HIPAA Privacy Rule Compliance

Metriport Health will comply with applicable provisions of the HIPAA Privacy Rule with respect to health information it processes.

6. Security and Breach Notification

6.1 Security

Metriport Health will comply with applicable provisions of the HIPAA Security Rule and other applicable law with respect to health information it processes.

6.2 Breach Notification

In the event of a breach of unsecured protected health information, Metriport Health will provide notification to affected individuals, the Secretary of Health and Human Services, and, where required, to the media, in accordance with the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D). Metriport Health's data breach response policy governs the internal procedures for breach detection, triage, escalation, and response.

7. Individual Rights

To the extent health information about patients will be held by Metriport Health in connection with its health information exchange activities, individuals will have the following rights under applicable law:

  • Right of Access — The right to inspect and obtain a copy of their protected health information in Metriport Health's designated record set, as applicable under 45 CFR § 164.524.
  • Right to Request Restrictions — The right to request restrictions on certain uses and disclosures of their information, as permitted under 45 CFR § 164.522.
  • Right to Request Confidential Communications — The right to request communications about their health information through alternative means or at alternative locations.
  • Right to an Accounting of Disclosures — The right to receive an accounting of certain disclosures of their protected health information, as applicable under 45 CFR § 164.528.
  • Right to Amend — The right to request amendment of their protected health information, where applicable.

Because Metriport Health will operate primarily as a technical intermediary and will generally not be the primary custodian of patients' medical records, many of these rights may need to be exercised directly with the healthcare provider or health plan that holds the relevant records. Patients wishing to exercise rights with respect to information held by Metriport Health should contact us using the information in Section 11.

Metriport Health does not offer direct patient access services. If such services are offered in the future, additional individual rights and protections will apply and will be described in a supplemental privacy notice.

8. Data Retention

8.1 Data Retention

Metriport Health will retain health information, including audit logs, only for as long as necessary to fulfill the purposes for which it was processed and to comply with applicable law. Audit logs are retained for the minimum period required by applicable law and standards.

8.2 Children's Data

Metriport Health does not knowingly collect or process health information from children under the age of 13. If Metriport Health becomes aware that it has inadvertently received health information relating to a child under 13 without appropriate authorization, it will take steps to address the matter in accordance with applicable law.

9. Governance, Oversight, and Complaint Procedures

9.1 Network Governance

Metriport Health's Health Information Network will be overseen by a governance body with authority to review and approve Metriport Health's governance policies. Pending formation of that body, governance functions are administered by Metriport Health's executive leadership.

9.2 Privacy Complaints

Individuals and organizations may submit privacy-related complaints to Metriport Health using the contact information in Section 11. Metriport Health will not retaliate against any individual or organization for filing a good-faith complaint. Complaints may also be filed with the U.S. Department of Health and Human Services Office for Civil Rights at https://www.hhs.gov/hipaa/filing-a-complaint/.

10. Changes to This Privacy Policy

Metriport Health will update this Privacy Policy as required to reflect changes in its operations, the purposes it supports, or applicable law. Material changes will be communicated to network participants and will be reflected in an updated version of this Privacy Policy. The effective date at the top of this Privacy Policy will be updated to reflect the date of the most recent revision. This Privacy Policy is not a contract and does not create any contractual rights or obligations.

11. Contact Information

For questions or complaints regarding this Privacy Policy or Metriport Health's privacy practices, please contact:

Metriport Health LLC
Attn: Legal Department
2261 Market Street #4818, San Francisco, CA 94114
Email: contact@metriporthealth.com
Website: https://www.metriporthealth.com