Last updated: 2026-05-07 · v2026.05.01

Privacy & Compliance Statement

Effective 2026-05-07 · Version 2026.05.01 · Jurisdictions: US-Federal-HIPAA, US-MA

Exercise your data rights

Submit a privacy request or ask a question about your data.

Overview

LEGAL REVIEW: Plain-language overview — who HealthCompass is, what the platform does, who it serves, and the purpose of this privacy statement. Include contact information for the Privacy Office.

HealthCompass MA is a social health technology platform that helps Massachusetts residents navigate MassHealth enrollment, benefits eligibility, and health coverage options. This Privacy & Compliance Statement describes how we collect, use, and protect your information when you use our platform.

For questions about this statement or your privacy, contact the HealthCompass Privacy Office at privacy@healthcompass.cloud.

LEGAL REVIEW: Review and finalize the above summary. Ensure it accurately reflects the platform's current service offering.

Data We Collect

LEGAL REVIEW: Enumerate the categories of personal information collected. Distinguish PII from PHI. Include all categories listed below and add any others as appropriate.

HealthCompass may collect the following categories of information depending on which platform surfaces you interact with:

  • Account data — name, email address, phone number, login credentials
  • Profile and demographic data — date of birth, household size, residency information
  • Health and wellness inputs — self-reported health information provided during eligibility screening or benefit applications
  • Social interactions — messages exchanged with social workers or support staff through the platform
  • Device and usage telemetry — browser type, IP address, pages visited, session duration
  • Payment metadata — transaction identifiers (HealthCompass does not store full payment card numbers)

HealthCompass does not collect, process, or store genetic information. This category of data is explicitly out of scope for Phase 1 of the platform. If a future feature involves genetic data, this section will be updated before that feature launches, and M.G.L. c. 111 §70G and related provisions will be addressed at that time.

LEGAL REVIEW: Review and confirm all categories are accurate. Add or remove categories as needed based on current data inventory.

How We Use Data

LEGAL REVIEW: Map purposes to permitted uses under HIPAA (for BA surfaces) and MA law. Describe each purpose plainly.

We use the information we collect for the following purposes:

  • Eligibility determination — to evaluate your potential eligibility for MassHealth and other Massachusetts benefit programs
  • Application assistance — to help you complete and submit benefit applications
  • Account management — to maintain your account, authenticate your identity, and communicate with you
  • Platform improvement — to analyze usage patterns and improve the platform experience
  • Legal compliance — to meet our obligations under HIPAA (on Business Associate surfaces) and Massachusetts law
  • Security — to detect and prevent fraud, unauthorized access, and other security threats

We do not sell your health data or personal information.

LEGAL REVIEW: Confirm the above purposes are accurate and complete. Ensure alignment with any data processing agreements in place.

Sharing & Disclosure

LEGAL REVIEW: Describe subprocessors, BAA requirements, no-sale commitment, and law enforcement disclosure standard.

HealthCompass may share your information in the following circumstances:

  • With MassHealth and benefit program administrators — as necessary to process your applications and manage your benefits, subject to applicable BAAs on Business Associate surfaces
  • With subprocessors — service providers who assist in operating the platform. Subprocessors that handle PHI are bound by downstream Business Associate Agreements
  • As required by law — in response to lawful requests from government authorities, including law enforcement, courts, or regulatory bodies
  • With your consent — when you direct us to share information with a third party

We do not sell your personal information or health data.

LEGAL REVIEW: Provide a list or link to a summary of current subprocessors. Confirm BAA coverage for each subprocessor that touches PHI.

HIPAA Compliance

LEGAL REVIEW: Review the entire HIPAA section. Ensure the surface-role distinction, Privacy Rule, Security Rule, Breach Notification Rule, and patient rights descriptions are accurate.

Surface-by-Surface Role Declaration

HealthCompass operates under different HIPAA roles depending on which platform surface you are interacting with:

Surface | HIPAA Role | Framework
Marketing site and public landing page | Neither Covered Entity nor Business Associate | General privacy commitments and Massachusetts law
Eligibility prescreener | Neither Covered Entity nor Business Associate | Self-reported consumer data; not PHI. Governed by Massachusetts law
MassHealth application assistance | Business Associate | BAA with the relevant Covered Entity governs the relationship
Provider-facing portals | Business Associate | BAA with the relevant Covered Entity governs the relationship
Any surface handling PHI from a Covered Entity | Business Associate | Downstream BAAs bind subprocessors

Privacy Rule

LEGAL REVIEW: Describe minimum-necessary use of PHI, authorization vs. permitted disclosure. Applies only to BA surfaces.

On Business Associate surfaces, HealthCompass applies the minimum-necessary standard when using or disclosing Protected Health Information. PHI is used only as permitted by the applicable Business Associate Agreement and the HIPAA Privacy Rule.

Security Rule

LEGAL REVIEW: Describe administrative, physical, and technical safeguards at a high level. Applies to BA surfaces.

HealthCompass maintains administrative, physical, and technical safeguards to protect PHI on Business Associate surfaces, consistent with the HIPAA Security Rule requirements.

Breach Notification Rule

HealthCompass is committed to notifying the relevant Covered Entity without unreasonable delay, and no later than 60 days after discovery of a breach of unsecured PHI. HealthCompass supports the Covered Entity's obligations to notify affected individuals and the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

Business Associate Agreements

LEGAL REVIEW: Link to or summarize the list of subprocessors with BAAs. Confirm all subprocessors that touch PHI have executed BAAs.

All subprocessors that access, store, or transmit PHI on behalf of HealthCompass are bound by downstream Business Associate Agreements.

Patient Rights Under HIPAA

Individuals whose PHI is handled on Business Associate surfaces have rights under HIPAA, including:

  • Access — the right to request access to your PHI
  • Amendment — the right to request correction of inaccurate PHI
  • Accounting of disclosures — the right to receive an accounting of certain disclosures of your PHI
  • Restrictions — the right to request restrictions on certain uses and disclosures

Because HealthCompass operates as a Business Associate (not a Covered Entity), the Covered Entity remains the responsible party for fulfilling these requests. To exercise these rights, contact the HealthCompass Privacy Office, and we will help route your request to the appropriate Covered Entity.

Data-Rights SLA

Access requests are acknowledged and routed to the relevant Covered Entity within 30 days. Note that HIPAA's 30-day requirement (45 CFR 164.524) runs against the Covered Entity acting on the request, that is, providing the records or issuing a written denial, not merely acknowledging it; HealthCompass's role as a Business Associate is to forward the request so the Covered Entity can meet that deadline. Massachusetts-specific requests are honored on the same 30-day timeline.

Massachusetts Law

LEGAL REVIEW: Review the entire Massachusetts section. Confirm all statutory references are accurate and the descriptions align with current legal requirements.

201 CMR 17.00 — Standards for Protection of Personal Information

HealthCompass maintains a Written Information Security Program (WISP) as required by 201 CMR 17.00. The WISP addresses:

  • Encryption of personal information on portable devices and during electronic transmission
  • Oversight of third-party service providers with access to personal information
  • Employee training on information security policies and procedures
  • Ongoing monitoring and review of the security program

LEGAL REVIEW: Confirm the WISP is current and covers all required elements of 201 CMR 17.00.

M.G.L. c. 93H — Security Breaches

In the event of a breach involving personal information of Massachusetts residents, HealthCompass will:

  • Notify affected MA residents as soon as practicable and without unreasonable delay
  • Notify the Massachusetts Attorney General
  • Notify the Office of Consumer Affairs and Business Regulation

A "breach" under Massachusetts law includes the unauthorized acquisition or use of unencrypted data, or encrypted data together with the means to decrypt it, that creates a substantial risk of identity theft or fraud.

LEGAL REVIEW: Confirm breach notification commitments are accurate and align with current M.G.L. c. 93H requirements.

M.G.L. c. 93A — Consumer Protection

HealthCompass is committed to fair and honest business practices. We do not engage in unfair or deceptive acts in the conduct of trade or commerce. Any misrepresentation of our privacy practices would be actionable under M.G.L. c. 93A.

Genetic Information

HealthCompass does not collect, process, or store genetic information at this stage. M.G.L. c. 111 §70G and related genetic privacy provisions are therefore not engaged. If the platform later introduces a feature that involves genetic data, this section will be re-opened and updated before launch of that feature.

Massachusetts Health Information Exchange

LEGAL REVIEW: Describe how the platform interacts with Mass HIway or other MA HIE systems, if applicable. Reference applicable MA Department of Public Health and HIE interoperability rules.

Where HealthCompass integrates with the Massachusetts Health Information Exchange (Mass HIway), applicable MA Department of Public Health and HIE interoperability rules are followed.

LEGAL REVIEW: Confirm whether Mass HIway integration is active in Phase 1. If not, note that this section will be updated when integration is implemented.

Consumer Rights Posture (Phase 1)

Phase 1 does not extend CCPA-style rights as a blanket policy. Massachusetts residents receive:

  • Rights conferred by HIPAA on Business Associate surfaces
  • Protections under M.G.L. c. 93H (breach notification) and M.G.L. c. 93A (consumer protection)
  • Protections under 201 CMR 17.00 (personal information security)
  • The right to contact the HealthCompass Privacy Office or the Massachusetts Attorney General with concerns

Your Rights

LEGAL REVIEW: Review the rights matrix. Confirm all rights listed are accurate for the applicable frameworks.

The following table summarizes the rights available to you as a Massachusetts resident using HealthCompass:

Right | Source | How to Exercise
Access your PHI | HIPAA (BA surfaces) | Contact the Privacy Office; request routed to the Covered Entity
Request amendment of PHI | HIPAA (BA surfaces) | Contact the Privacy Office; request routed to the Covered Entity
Accounting of PHI disclosures | HIPAA (BA surfaces) | Contact the Privacy Office; request routed to the Covered Entity
Request restrictions on PHI use | HIPAA (BA surfaces) | Contact the Privacy Office; request routed to the Covered Entity
Breach notification | M.G.L. c. 93H | Automatic; HealthCompass notifies you if a breach occurs
Fair business practices | M.G.L. c. 93A | File a complaint with the MA Attorney General
Personal information security | 201 CMR 17.00 | Contact the Privacy Office

To submit a privacy request, visit our Data Subject Request page or email privacy@healthcompass.cloud.

Security

LEGAL REVIEW: Review high-level security commitments. Do not include specifics that could aid an attacker.

HealthCompass employs industry-standard security measures to protect your information:

  • Encryption at rest — data stored in our systems is encrypted using AES-256 or equivalent
  • Encryption in transit — all data transmitted between your browser and our servers is protected by TLS 1.2 or higher
  • Access controls — role-based access ensures that only authorized personnel can access sensitive information
  • Audit logging — access to PHI and sensitive data is logged and monitored
  • Data retention — personal information is retained only as long as necessary for the purposes described in this statement or as required by law
  • Incident response — HealthCompass maintains an incident response plan with defined SLAs for detection, containment, and notification

LEGAL REVIEW: Confirm retention periods are defined and documented. Confirm incident response SLAs are accurate.

Age Eligibility

HealthCompass is available only to users who are 18 years of age or older. The sign-up process enforces this requirement through a date-of-birth verification gate. Attempts to register by individuals under 18 are rejected, and no personal information is retained from such attempts.

This platform is not directed to children and does not knowingly collect data from anyone under 18. COPPA (the Children's Online Privacy Protection Act), which governs the online collection of personal information from children under 13, does not apply because the service excludes all minors by design.

Changes to This Policy

HealthCompass may update this Privacy & Compliance Statement from time to time. When we make material changes:

  • The updated statement will be posted at healthcompass.cloud/privacy
  • The "Last updated" date at the top of this page will be revised
  • Registered users will be notified of material changes via email or in-app notification
  • Prior versions are available at /privacy/v/{version-date} for reference

LEGAL REVIEW: Confirm the notification mechanism for material changes. Define what constitutes a "material change."

Contact

HealthCompass Privacy Office

LEGAL REVIEW: Provide the full mailing address for the Privacy Office.

Massachusetts Attorney General's Office

If you believe your privacy rights have been violated, you may also file a complaint with:

  • Massachusetts Attorney General's Office, One Ashburton Place, Boston, MA 02108
  • Phone: (617) 727-2200
  • Website: mass.gov/ago

Service Region

Phase 1 of HealthCompass is available to Massachusetts residents only.

Registration is restricted to individuals who reside in Massachusetts. Users from other U.S. states and from outside the United States are not able to create accounts at this time. The state-of-residence selection during sign-up enforces this restriction; residency is self-attested.

The rights and protections described in this Privacy & Compliance Statement apply only to Massachusetts residents using the service. Visitors from outside Massachusetts may read this page but should not infer that the protections described here apply to them.

HealthCompass expects to expand to additional states in subsequent phases. When that occurs, this statement will be updated to reflect the applicable privacy frameworks for each new jurisdiction.
