Privacy Policy
How we collect, use, store, and share information — including Protected Health Information (PHI) — across the MyOrbitHealth platform.
Last updated · June 1, 2026
Plain-language summary
MyOrbitHealth is a HIPAA-aware infrastructure provider. We process PHI only on behalf of our partner clinics under a Business Associate Agreement (BAA). We do not sell personal information. PHI is encrypted, US-resident, and access is logged.
01 · Information we collect
We collect three categories of information: (i) account and billing information from partner organizations, (ii) telemetry from our platform (e.g. API usage, error logs), and (iii) PHI submitted by patients to our partner clinicians through our platform.
02 · How we handle PHI
PHI is processed under a BAA with each partner clinic. We act as a Business Associate under HIPAA. PHI is encrypted in transit (TLS 1.2+) and at rest (AES-256), stored in US-region infrastructure, and access is gated by role-based controls with audit logging. Non-PHI personal data we process on Customer's behalf is governed by our Data Processing Addendum.
03 · Third-party processors
We use a limited set of subprocessors for hosting, observability, payments, and communications. Each is bound by a written data processing agreement and, where PHI is involved, a BAA. A current subprocessor list is available on request.
05 · Your rights
Patients may exercise access, correction, and deletion rights through their provider clinic, which is the HIPAA Covered Entity. For non-PHI personal data (e.g. marketing contacts), you may contact us directly to access or delete your information.
06 · Retention
PHI is retained according to the partner clinic's retention policy and applicable state law. Marketing and account data are retained for the life of the business relationship plus a reasonable tail for legal and audit purposes.
07 · Contact for privacy requests
Privacy inquiries: privacy@myorbithealth.com. Security inquiries: security@myorbithealth.com.