Privacy Policy &
Notice of Privacy Practices

This Privacy Policy and Notice of Privacy Practices ("Policy") describes:

• What information we collect and how we collect it
• How we use, disclose, and protect your information
• Your rights regarding your information
• How we comply with applicable federal and state privacy laws
• How to contact us with privacy concerns or complaints

This Policy applies to information collected through our nurse triage services, our website, and any other interactions you have with Tulq. By using our services, you acknowledge that you have read and understood this Policy.

Our Legal Obligations

Tulq Health Services functions as a Business Associate of the healthcare provider organizations that contract with us (each a "covered entity" under the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, collectively "HIPAA"). As a Business Associate, we are required by law to:

• Maintain the privacy and security of your Protected Health Information ("PHI")
• Provide you with this Notice of Privacy Practices
• Notify the covered entity in the event of a breach of your unsecured PHI
• Follow the terms of this Notice currently in effect
• Comply with all applicable provisions of the HIPAA Privacy Rule (45 CFR Part 164), the HIPAA Security Rule, and the HITECH Act

We are also bound by the terms of the Business Associate Agreement we execute with each contracting provider organization, and by applicable state health-information privacy laws.

What Is Protected Health Information

Protected Health Information ("PHI") is any information we create, receive, maintain, or transmit that relates to your past, present, or future physical or mental health condition, the provision of healthcare to you, or the past, present, or future payment for your healthcare, and that identifies you or could reasonably be used to identify you.

How We Use and Disclose Your PHI

• Treatment

  We use and disclose your PHI to provide you with nurse triage, clinical advice, and healthcare guidance. This includes creating encounter documentation, transmitting clinical notes back to the contracting provider organization and your care team, and communicating with that care team to ensure continuity of care.

• Healthcare Operations

  We use your PHI for internal operations including quality assurance review, nurse competency evaluation, protocol compliance monitoring, staff training, and service improvement. These activities are conducted solely to improve the quality and safety of the care we provide.

• Required by Law

  We will disclose your PHI when required to do so by federal or state law, including but not limited to responses to court orders, subpoenas, law enforcement requests made in accordance with applicable law, mandatory reporting obligations, and public health activities.

• Emergency Situations

  If you or another person is in imminent danger, we will disclose PHI as necessary to prevent serious and imminent harm, including directing callers to emergency medical services and disclosing relevant clinical information to first responders.

• Business Associates

  We may share your PHI with subcontractors and service providers who assist in the delivery of our services, including clinical decision support software providers and secure documentation transmission services. All such parties are required by contract (a Business Associate Agreement) to protect your PHI to the same standard we are.

• Reporting to the Provider Organization

  As a contracted nurse triage provider, we transmit encounter documentation to the contracting provider organization, typically within 24 hours of each clinical encounter, using secure transmission methods. Utilization and performance reports provided to the organization will not include unnecessary PHI.

Special Protections: Behavioral Health & Substance Use

Information related to mental health treatment and substance use disorder treatment may be entitled to additional protections beyond standard HIPAA requirements, including protections under 42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records).

Your Rights Regarding Your PHI

You have the following rights with respect to your PHI that we maintain. Requests must be made in writing to our Privacy Officer unless otherwise noted.

You also have the right to receive a paper copy of this Notice at any time, regardless of whether you have agreed to receive it electronically.

Breach Notification

In the event of a breach of your unsecured PHI, we will notify the affected provider organization and, where required, you and the U.S. Department of Health and Human Services Office for Civil Rights, in accordance with the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414).

Minimum Necessary Standard

We make reasonable efforts to limit the use and disclosure of your PHI to the minimum amount necessary to accomplish the intended purpose of the use or disclosure.

Privacy Officer & Complaints

Our designated Privacy Officer is responsible for ensuring compliance with this Policy and applicable law.

Information We Collect

Information You Provide Directly. When you call our nurse triage line, we collect information you provide during the call, including your name, contact information, the provider organization or program you are calling through, chief concern, symptoms, relevant medical history, and any other information you choose to share with our nurses.

Automatically Collected Information. When you visit our website, we may automatically collect certain technical information including your IP address, browser type and version, operating system, referring URLs, pages viewed, and the date and time of your visit. This information is collected through standard web server logs and, where applicable, cookies or similar technologies.

Telephony Data. Call metadata including the date, time, duration, and originating number of calls to our nurse triage line may be retained for quality assurance, billing, and compliance purposes.

How We Use Your Information

We use the information we collect to:

• Provide nurse triage and clinical advice services
• Create and transmit encounter documentation to the contracting provider organization
• Comply with our services-agreement and applicable regulatory obligations
• Generate de-identified utilization and performance reports
• Improve the quality and safety of our services
• Train and evaluate clinical staff
• Respond to your inquiries
• Comply with applicable law
• Protect the safety of callers, staff, and the public

Cookies & Tracking Technologies

Our website may use cookies and similar tracking technologies to improve your browsing experience and analyze website traffic. You may configure your browser to refuse cookies or to alert you when cookies are being sent. Please note that some features of our website may not function properly if cookies are disabled.

We do not use tracking technologies to collect PHI through our website.

Third-Party Service Providers

We may share information with carefully selected third-party service providers who assist in the operation of our services. These include:

• Clinical decision support software providers
• HIPAA-compliant cloud storage and documentation providers
• Telephony and toll-free number service providers
• Secure file transmission service providers

All third-party service providers who may access PHI are required to execute a Business Associate Agreement and are prohibited from using your information for any purpose other than providing services to us. We require all service providers to maintain appropriate administrative, physical, and technical safeguards.

Government-Funded Program Obligations

Where we provide services to or on behalf of a provider organization that participates in a government-funded program — for example, a Federally Qualified Health Center, Rural Health Clinic, Critical Access Hospital, hospice, or a Medicaid-funded program — additional contractual and regulatory privacy obligations may apply to the handling of information collected in connection with that program.

In those cases we handle information in accordance with the contracting organization's Business Associate Agreement, applicable program requirements, and applicable federal and state law, in addition to the HIPAA obligations described in this Policy.

Security

We maintain comprehensive administrative, physical, and technical safeguards to protect the information we collect and maintain, including PHI and personally identifiable information ("PII"). Our security measures include:

• Encryption of PHI in transit and at rest
• Access controls limiting PHI access to authorized personnel only
• Regular workforce training on privacy and security obligations
• Incident response and breach notification procedures
• Business Continuity and Disaster Recovery planning
• Vendor management and Business Associate Agreement enforcement

No method of data transmission or storage is 100% secure. While we employ industry-standard security measures, we cannot guarantee absolute security. In the event of a security incident affecting your information, we will notify you as required by applicable law.

Retention of Information

We retain PHI and personal information for the minimum period necessary to fulfill the purposes for which it was collected and to comply with applicable legal, regulatory, and contractual obligations. Upon termination or expiration of a services agreement, we will return or securely dispose of all data as directed by the contracting provider organization and in accordance with HIPAA and applicable law.

Children's Privacy

Our nurse triage line serves patients of all ages, including minors. We collect health information about minors only in the course of providing triage services and only as necessary to assess and address the health concern for which the call was made. We comply with all applicable laws governing the privacy of minors' health information, including applicable state minor consent laws.

Our website is not directed to children under the age of 13 and we do not knowingly collect personal information from children under 13 through our website. If you believe we have inadvertently collected such information, please contact our Privacy Officer immediately.

State Privacy Rights

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those websites and encourage you to review their privacy policies independently. Our website does not currently respond to Do Not Track signals. We do not track users across third-party websites.

Changes to This Policy

We reserve the right to modify this Policy at any time. Material changes will be posted on our website with a revised effective date. Your continued use of our services following the posting of changes constitutes your acceptance of those changes. We encourage you to review this Policy periodically.

Governing Law

This Policy is governed by and construed in accordance with applicable federal law, including HIPAA, and applicable state law. The laws of the State of Washington govern matters related to our principal place of business, without regard to conflicts of law principles. Where services are delivered under a provider organization's program, the laws applicable to that organization and program may also apply.

Severability

If any provision of this Policy is found to be unenforceable, that provision will be modified to the minimum extent necessary to make it enforceable, and the remaining provisions will continue in full force and effect.

Contact Us

For questions, concerns, or to exercise any rights described in this Policy: