HealthCompass MA — Privacy & Compliance Statement
Version 2026.05.02 — Effective 2026
Reviewed by: Privacy Office and Legal
healthcompass.cloud/privacy
Overview
HealthCompass MA is an AI-powered software platform designed for use by MassHealth Navigators and Certified Application Counselors (CACs). The platform helps Navigators and CACs automate and streamline portions of the ACA-3 and SACA-2 application workflows when assisting Massachusetts applicants for MassHealth and ConnectorCare coverage.
HealthCompass is a technology platform. It is not a Navigator entity, an enrollment broker, an insurer, a health plan, MassHealth, the Massachusetts Health Connector, or any other Covered Entity. HealthCompass does not make eligibility determinations and does not interact directly with the Massachusetts HIX/IES system. The Navigator or CAC is always the authorized human-in-the-loop who executes work in MassHealth's official systems.
On the surfaces where HealthCompass handles Protected Health Information (PHI) on behalf of a Navigator organization or other Covered Entity, HealthCompass operates as a Business Associate as defined in 45 C.F.R. §160.103. On other surfaces (the marketing site and Navigator account management surfaces), HealthCompass operates as a consumer-data controller subject to Massachusetts law. The surface-by-surface table in Section 6 explains which role applies where.
This Privacy & Compliance Statement describes the categories of information HealthCompass collects, how it uses that information, the legal frameworks that govern it, and the rights available to applicants and Navigator users.
For questions about this statement, contact the HealthCompass Privacy Office at privacy@healthcompass.cloud.
Who Uses the Platform
HealthCompass has two distinct user populations, each governed by different legal frameworks:
Navigator and CAC users ("Authorized Users") — Individuals who have been awarded a Massachusetts Health Connector Navigator grant or who hold an active MassHealth CAC certification, and who use the platform in the course of their certified duties. Authorized Users access the platform under their employer's subscription or grant-funded license. Authorized Users register, authenticate, and use HealthCompass on behalf of the applicants they assist.
Applicants ("Assisted Individuals") — Massachusetts residents who are seeking assistance with MassHealth or ConnectorCare enrollment through a Navigator or CAC. Assisted Individuals do not have their own HealthCompass accounts. Their personal information enters the platform only when an Authorized User inputs it for the purpose of preparing an ACA-3 or SACA-2 application.
HealthCompass is available only to Authorized Users who are credentialed Navigators or CACs serving Massachusetts residents. Assisted Individuals are always Massachusetts residents; the platform is not used to assist individuals from other states or outside the United States.
Data We Collect
HealthCompass collects two broad categories of information: Authorized User information (about the Navigator or CAC) and Assisted Individual information (about the applicant being assisted). Each item below is tagged with its classification under federal and Massachusetts law.
Authorized User Information
- Account data (PII) — name, work email, phone number, login credentials, and Navigator or CAC certification details
- Organization data (PII) — employer organization, role, supervisor, and grant or subscription identifier
- Device and usage telemetry (PII; IP address is treated as personal information under 201 CMR 17.00) — browser type, IP address, pages visited, session duration, and feature interaction logs
Assisted Individual Information (entered by Authorized Users)
- Identifiers and demographic data (PII; PHI when collected on a Business Associate surface) — name, date of birth, address, household composition, and contact information
- Eligibility data (PII / PHI on Business Associate surfaces) — income, household size, residency, citizenship or qualified-immigrant status, and the specific verifications required by the ACA-3 or SACA-2 application
- Health and clinical eligibility data (PHI on Business Associate surfaces) — disability status, long-term care clinical information, and other health information collected for the SACA-2 long-term care eligibility assessment
- Financial data (PII / PHI on Business Associate surfaces) — income sources, assets relevant to SACA-2 asset assessments, and document references supporting verifications. HealthCompass does not store payment card numbers or bank account numbers
- Application work product (PHI on Business Associate surfaces) — pre-populated form drafts, document checklists, MAGI calculations, asset look-back calculations, and Navigator notes generated during the assistance session
What HealthCompass Does Not Collect
HealthCompass does not collect Social Security Numbers as a stored data element except as transiently required to populate ACA-3 and SACA-2 forms; SSNs are not retained after the assistance session ends (see Section 11, Data Retention).
HealthCompass does not collect biometric identifiers, precise geolocation data, or genetic information. M.G.L. c. 111 §70G and related genetic privacy provisions are not engaged at this time. If a future feature involves genetic data, this statement will be updated before that feature launches.
HealthCompass does not knowingly collect data from individuals under 18 except where the Authorized User is preparing a household application and the data subject is a child member of the applicant household. Children are not direct users of the platform; COPPA obligations are not engaged.
How We Use Data
HealthCompass uses information for the purposes listed below. On Business Associate surfaces, each purpose is mapped to a permitted use under the HIPAA Privacy Rule. On non-Business Associate surfaces, each purpose is governed by Massachusetts law.
| Purpose | Description | HIPAA Basis (BA surfaces) |
|---|---|---|
| Application workflow automation | Prepare and pre-populate ACA-3 and SACA-2 application drafts; calculate MAGI income; generate document checklists; flag missing verifications. | Payment / Health Care Operations of the Covered Entity, performed by the Business Associate under 45 C.F.R. §164.504(e). |
| Eligibility guidance | Present informational summaries of likely eligibility categories using safe-harbor language. HealthCompass does not make determinations. | Treatment, Payment, or Health Care Operations (TPO) of the Covered Entity. |
| Decision support for Authorized Users | Surface relevant program rules, verification requirements, and document templates to assist the Navigator's or CAC's work. | Health Care Operations of the Covered Entity. |
| Account management | Authenticate Authorized Users, manage subscriptions, and communicate with Navigator organizations. | Business Associate's own management and administration, permitted under 45 C.F.R. §164.504(e)(2)(i)(A). |
| Platform improvement | Use de-identified or aggregated data, consistent with 45 C.F.R. §164.514, to improve workflows. Identifiable PHI is not used for model training without an executed BAA permission and, where required, individual authorization. | Permitted use of de-identified information; otherwise governed by the BAA. |
| Legal compliance | Meet obligations under HIPAA, Massachusetts law, and other applicable legal requirements. | 45 C.F.R. §164.512 disclosures and parallel state-law obligations. |
| Security | Detect and prevent unauthorized access, fraud, and other security threats. | 45 C.F.R. §§164.308, 164.310, and 164.312 safeguards. |
HealthCompass does not sell Authorized User information or Assisted Individual information. The term "sell" is used here as defined in the California Consumer Privacy Act / CPRA (Cal. Civ. Code §1798.140(ad)) to ensure the commitment is durable as HealthCompass expands beyond Massachusetts.
HealthCompass does not use PHI for marketing, and does not use or disclose PHI for purposes that would require an authorization under 45 C.F.R. §164.508 unless that authorization has been validly obtained.
AI Use, Boundaries, and Limitations
HealthCompass uses artificial intelligence and machine learning components to support Authorized Users. The following commitments govern AI use on the platform.
AI Assists; Authorized Users Decide
HealthCompass's AI components produce drafts, checklists, calculations, and informational summaries that the Authorized User reviews, edits, and approves before any use or submission. The AI does not act autonomously on behalf of the applicant, the Navigator, or any Covered Entity. The Navigator or CAC is always the human-in-the-loop who executes work in MassHealth's official systems.
No Eligibility Determinations
AI-generated outputs that touch eligibility use safe-harbor language such as: "Based on the information provided, the applicant may be eligible for [program]. Actual eligibility will be determined by MassHealth after the application is submitted." AI-generated outputs do not state "qualifies for" or "is eligible for" any MassHealth program. Only the HIX/IES system and MassHealth caseworkers have legal authority to make eligibility determinations under 130 CMR.
No Plan Recommendations
AI components present plan information, provider network data, and factual comparisons. They do not recommend or direct an Assisted Individual toward a specific plan. This constraint applies because Navigators themselves are required to be impartial under 45 C.F.R. §155.215.
No Legal Advice
For SACA-2 long-term care workflows, AI components calculate, organize, and display information about asset look-back, spend-down gaps, and program requirements. AI components do not recommend specific asset restructuring strategies, trust formation, or other Medicaid planning techniques. Workflows that touch asset planning surface a built-in referral pathway to elder law attorneys and Certified Medicaid Planners.
Model Training
HealthCompass does not use identifiable PHI to train, fine-tune, or evaluate AI models unless (i) the Business Associate Agreement with the Covered Entity expressly permits such use, or (ii) the data has been de-identified consistent with 45 C.F.R. §164.514. The default model-training corpus uses de-identified or synthetic data only.
Human Review and Error Reporting
Authorized Users can flag AI-generated outputs they believe are incorrect. Flagged outputs are reviewed by the HealthCompass quality team and used to improve the platform under the controls described above.
HIPAA Compliance
Surface-by-Surface Role Declaration
HealthCompass operates under different HIPAA roles depending on which platform surface is being used. The classification governs which framework applies to a given data interaction. A single Authorized User may move between surfaces during a session.
| Surface | HIPAA Role | Framework |
|---|---|---|
| Marketing site and public landing page | Neither Covered Entity nor Business Associate | General privacy commitments and Massachusetts law (201 CMR 17.00, M.G.L. c. 93H, c. 93A). |
| Navigator account management (sign-up, billing, settings) | Neither Covered Entity nor Business Associate | Massachusetts law; account data is PII, not PHI. |
| ACA-3 application assistance surfaces | Business Associate | BAA with the relevant Covered Entity (Navigator organization or MassHealth) governs the relationship. |
| SACA-2 application assistance surfaces | Business Associate | BAA with the relevant Covered Entity governs the relationship. |
| Any surface handling PHI from a Covered Entity | Business Associate | Upstream BAA; downstream BAAs bind all subprocessors that touch PHI. |
Privacy Rule
On Business Associate surfaces, HealthCompass applies the minimum-necessary standard when using or disclosing PHI, consistent with 45 C.F.R. §164.502(b) and §164.514(d). PHI is used only as permitted by the applicable Business Associate Agreement and the HIPAA Privacy Rule. PHI is not used for marketing and is not sold absent a HIPAA-compliant authorization under 45 C.F.R. §164.508(a)(3)–(4). The minimum-necessary standard does not apply to disclosures to the individual or for treatment.
Security Rule
HealthCompass maintains administrative, physical, and technical safeguards to protect PHI on Business Associate surfaces, consistent with the HIPAA Security Rule (45 C.F.R. §§164.308, 164.310, 164.312). High-level safeguards are summarized in the Security section. Specific control configurations are documented internally and are not published in this statement to avoid aiding an attacker.
Breach Notification Rule
In the event of a breach of unsecured PHI, HealthCompass will notify the relevant Covered Entity without unreasonable delay and no later than 60 days after discovery, as required by 45 C.F.R. §164.410. HealthCompass supports the Covered Entity's obligations to notify affected individuals and the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.
Business Associate Agreements
All subprocessors that access, store, or transmit PHI on behalf of HealthCompass are bound by downstream Business Associate Agreements with terms at least as protective as the upstream BAA, consistent with 45 C.F.R. §164.502(e)(1)(ii) and §164.504(e)(5). A current list of subprocessors and their BAA status is published at healthcompass.cloud/subprocessors.
Patient Rights Under HIPAA
Because HealthCompass operates as a Business Associate (not a Covered Entity), the Covered Entity remains the party responsible for fulfilling individual rights requests under HIPAA. Through the Authorized User or directly through the HealthCompass Privacy Office, an Assisted Individual may exercise the following rights:
- Access — the right to request access to their PHI, including a copy in electronic form when maintained electronically (45 C.F.R. §164.524(c)(2)(ii))
- Amendment — the right to request correction of inaccurate PHI
- Accounting of disclosures — the right to receive an accounting of certain disclosures of their PHI
- Restrictions — the right to request restrictions on certain uses and disclosures
HealthCompass acknowledges access requests within 30 days, consistent with the timing in 45 C.F.R. §164.524(b)(2). The 30-day commitment is an acknowledgement timeline; the substantive response is provided by the Covered Entity through HealthCompass's support.
Eligibility and Plan Recommendation Boundaries
Only the Massachusetts HIX/IES system and MassHealth caseworkers have legal authority to make eligibility determinations under 130 CMR. HealthCompass's outputs are informational and decision-supportive; they are not eligibility determinations.
All eligibility outputs use safe-harbor framing such as "Based on the information you have provided, the applicant may be eligible for [program]. Actual eligibility will be determined by MassHealth after the application is submitted." The platform does not state "You qualify for" or "You are eligible for" any MassHealth program.
HealthCompass also does not recommend specific health plans. The platform presents plan information, provider network data, and factual comparisons. Navigators using HealthCompass are required to be impartial under 45 C.F.R. §155.215, and a tool used by Navigators inherits this constraint.
HIX/IES System Interaction Boundaries
HealthCompass does not script, scrape, automate, or otherwise programmatically interact with the Massachusetts HIX/IES system, MAhealthconnector.org, or any CMS-operated marketplace system. The platform's role is preparation; the Authorized User executes within the official system.
This boundary is consistent with the regulatory intent behind 45 C.F.R. §155.220, which prohibits scripting and automation of CMS systems absent prior written CMS approval, and with the operational rules governing the Massachusetts HIX/IES architecture. If HealthCompass at any point seeks to integrate directly with the HIX/IES system, this statement will be updated to reflect the applicable authorizations.
Conflict of Interest
HealthCompass operates under a clean revenue model designed to preserve Navigator and CAC impartiality:
- HealthCompass charges Navigator organizations a B2B SaaS subscription fee, or distributes the platform under a grant-funded license. Navigator organizations do not charge Assisted Individuals for the use of HealthCompass.
- HealthCompass does not accept referral fees, marketing payments, or any other remuneration from health insurance issuers, health plans, stop-loss insurers, or any of their subsidiaries.
- HealthCompass does not display advertisements for, or otherwise promote, specific health insurance issuers or plans within the platform.
These commitments support compliance with the conflict-of-interest standards in 45 C.F.R. §155.210(d) and §155.215 that apply to the Navigators and CACs who use HealthCompass.
Language Access
Under ACA Section 1557 and Title VI of the Civil Rights Act of 1964, Navigator and CAC consumer-assistance functions must provide meaningful access to individuals with limited English proficiency (LEP). Because HealthCompass produces outputs that Authorized Users share with Assisted Individuals — such as document checklists, eligibility guidance summaries, and rights notices — HealthCompass supports the Navigator's language-access obligations.
HealthCompass produces applicant-facing outputs in the following languages, which together cover the largest LEP populations in Massachusetts: English, Spanish, Brazilian Portuguese, Chinese (Traditional), Haitian Creole, and Vietnamese. Applicant-facing outputs for critical eligibility and rights information use professionally verified translations. AI translation may be used to support Navigator-facing internal content (e.g., research and decision support); applicant-facing critical content is not relied upon as AI-only output.
Authorized Users can request additional languages through the HealthCompass Privacy Office. HealthCompass will expand language coverage as needed to align with MassHealth's Language Access Plan, which currently designates 18 vital-document languages.
Data Retention
HealthCompass uses a session-minimization architecture. The architecture is designed to keep persistent storage of Assisted Individual PHI to the minimum necessary to deliver platform functionality.
| Data Category | Retention | Basis |
|---|---|---|
| Authorized User account and authentication data | For the duration of the Navigator organization's subscription, plus the period required for audit and dispute purposes. | Contractual; recordkeeping. |
| Assisted Individual identifiers and eligibility inputs (working session) | Retained only for the active assistance session; purged on session close, unless the Navigator explicitly saves a case to a Navigator-organization workspace under an executed BAA. | Session-only design; HIPAA minimum-necessary; 201 CMR 17.00. |
| Saved cases (when enabled by BAA) | Retained for the period agreed in the BAA with the Navigator organization or Covered Entity; default 7 years to align with HIPAA documentation retention under 45 C.F.R. §164.530(j). | BAA terms; HIPAA documentation retention. |
| De-identified usage analytics | Retained for the duration necessary to operate and improve the platform; not subject to HIPAA after valid de-identification under §164.514. | 45 C.F.R. §164.514. |
| Security and audit logs | Retained for at least 6 years. | HIPAA documentation retention; 201 CMR 17.03. |
| Breach investigation records | Retained for at least 6 years from creation or last effective date. | 45 C.F.R. §164.530(j). |
Where HealthCompass is legally required to retain data longer than the periods stated above, the longer period applies.
Security
HealthCompass employs industry-standard security measures to protect Authorized User and Assisted Individual information:
- Encryption at rest — data stored in HealthCompass systems is encrypted using industry-standard strong encryption (currently AES-256)
- Encryption in transit — data transmitted between the user's browser and HealthCompass servers is protected by modern transport security (currently TLS 1.2 or higher)
- Access controls — role-based access ensures that only authorized personnel can access PHI and other sensitive information
- Audit logging — access to PHI and sensitive data is logged and monitored
- Incident response — HealthCompass maintains a written incident response plan with defined SLAs for detection, containment, regulatory notification, and individual notification
- Workforce training — personnel with access to PHI complete HIPAA and Massachusetts privacy training before access is granted and annually thereafter
A material reduction in any of these commitments — for example, a downgrade in encryption strength or transport security — is treated as a material change to this statement (see Changes to This Statement).
Massachusetts Law
201 CMR 17.00 — Standards for the Protection of Personal Information
HealthCompass maintains a Written Information Security Program (WISP) that addresses all elements required by 201 CMR 17.03(2), including: a designated responsible employee; risk identification and assessment; employee training; disciplinary measures; terminated-employee access controls; third-party service-provider oversight with contractual safeguards consistent with 201 CMR 17.03(2)(f); restrictions on physical access; monitoring; annual review; and post-incident documentation. Personal information transmitted over public networks or stored on portable devices is encrypted as required by 201 CMR 17.04.
M.G.L. c. 93H — Security Breach Notification
In the event of a breach of security involving personal information of Massachusetts residents, HealthCompass will:
- Notify affected Massachusetts residents as soon as practicable and without unreasonable delay, using a notice that does not include the nature of the breach (as required by M.G.L. c. 93H §3(b))
- Notify the Massachusetts Attorney General and the Office of Consumer Affairs and Business Regulation, including the content elements required by M.G.L. c. 93H §3(b): nature of the breach, number of Massachusetts residents affected, and steps taken or planned in response
- Coordinate with the Covered Entity where the breach also triggers HIPAA breach notification obligations under 45 C.F.R. §164.410
A "breach" under Massachusetts law includes the unauthorized acquisition or use of unencrypted personal information, or encrypted data together with the means to decrypt it, that creates a substantial risk of identity theft or fraud.
M.G.L. c. 93A — Consumer Protection
HealthCompass is committed to fair and honest business practices. HealthCompass does not engage in unfair or deceptive acts in the conduct of trade or commerce. Any misrepresentation of HealthCompass's privacy practices would be actionable under M.G.L. c. 93A.
Genetic Information
HealthCompass does not collect, process, or store genetic information at this stage. M.G.L. c. 111 §70G and related genetic privacy provisions are not engaged. If the platform later introduces a feature that involves genetic data, this section will be re-opened and updated before that feature launches.
Massachusetts Health Information Exchange
HealthCompass does not currently integrate with the Massachusetts Health Information Exchange (Mass HIway). If integration is implemented in a future phase, this statement will be updated and applicable Massachusetts Department of Public Health rules will be addressed at that time.
Sharing & Disclosure
HealthCompass may share Authorized User and Assisted Individual information in the following circumstances:
- With Navigator organizations and MassHealth — as necessary to perform the platform's preparation and decision-support function, subject to applicable BAAs on Business Associate surfaces
- With subprocessors — service providers that assist in operating the platform. Subprocessors that handle PHI are bound by downstream Business Associate Agreements with terms at least as protective as the upstream BAA. A current subprocessor list, including legal entity, function, data categories accessed, hosting region, and BAA status, is available at healthcompass.cloud/subprocessors
- As required by law — in response to valid legal process from government authorities (subpoena, court order, warrant, or other lawful demand). HealthCompass will assert applicable objections, narrow the scope of disclosure where permissible, and, where lawful, notify the affected individual or the Covered Entity before responding
- With your consent — when an Authorized User directs HealthCompass to share information with a specified third party, in the manner that user directs
HealthCompass does not sell Authorized User information or Assisted Individual information. "Sell" is interpreted broadly to include any disclosure for monetary or other valuable consideration, consistent with the CCPA / CPRA definition.
Changes to This Statement
HealthCompass may update this Privacy & Compliance Statement from time to time. When HealthCompass makes a material change:
- The updated statement will be posted at healthcompass.cloud/privacy
- The "Effective" date at the top of this page will be revised
- Authorized Users will be notified of material changes by email and through an in-app notification at least 14 days before the change takes effect, except where a shorter period is required by law
- Prior versions are available at /privacy/v/{version-date} for reference
A "material change" means a change that: (i) expands the categories of personal information collected; (ii) expands the purposes for which personal information is used or the categories of recipients with whom it is shared; (iii) reduces the rights or protections available to Authorized Users or Assisted Individuals; (iv) changes the HIPAA role classification of any platform surface; (v) changes the jurisdictions in which the service is offered; or (vi) materially changes the AI use commitments described in the AI Use section.
Your Rights
The following table summarizes the rights available under the legal frameworks that apply to HealthCompass.
| Right | Who Exercises | Source | How to Exercise |
|---|---|---|---|
| Access to PHI | Assisted Individual | HIPAA (BA surfaces) | Contact Privacy Office or Authorized User; routed to Covered Entity. |
| Request amendment of PHI | Assisted Individual | HIPAA (BA surfaces) | Contact Privacy Office; routed to Covered Entity. |
| Accounting of PHI disclosures | Assisted Individual | HIPAA (BA surfaces) | Contact Privacy Office; routed to Covered Entity. |
| Request restrictions on PHI use | Assisted Individual | HIPAA (BA surfaces) | Contact Privacy Office; routed to Covered Entity. |
| Breach notification | Authorized User and Assisted Individual | M.G.L. c. 93H | Automatic — HealthCompass notifies if a breach occurs. |
| Fair business practices | Authorized User and Assisted Individual | M.G.L. c. 93A | File complaint with MA Attorney General. |
| Personal information security | Authorized User and Assisted Individual | 201 CMR 17.00 | Contact Privacy Office. |
To submit a privacy request, email privacy@healthcompass.cloud. Assisted Individuals may also contact their Navigator or CAC, who will route the request to HealthCompass.
Service Region
HealthCompass is currently available only to credentialed Massachusetts Navigators and CACs assisting Massachusetts residents. Authorized Users from other U.S. states and from outside the United States cannot create accounts at this time. Residency is verified through the Navigator or CAC certification linkage.
The rights and protections described in this Privacy & Compliance Statement apply to Massachusetts residents whose information is handled through the platform. HealthCompass expects to expand to additional states in subsequent phases. When that occurs, this statement will be updated to reflect the applicable privacy frameworks for each new jurisdiction.
Contact
HealthCompass Privacy Office
- Email: privacy@healthcompass.cloud
- Mail: HealthCompass Privacy Office, [physical mailing address pending Privacy Office confirmation prior to publication]
Massachusetts Attorney General's Office
If you believe your privacy rights have been violated, you may also file a complaint with:
- Massachusetts Attorney General's Office, One Ashburton Place, Boston, MA 02108
- Phone: (617) 727-2200
- Website: mass.gov/ago