Privacy Policy

iConsult Health, Inc.

Last Updated: March 2026

1. Introduction

iConsult Health, Inc. ("iConsult Health," "we," "our," or "us") is committed to protecting the privacy and security of personal information and protected health information (PHI) entrusted to us by our Users, their employees, and their patients.

This Privacy Policy describes how we collect, use, disclose, store, and protect information when you access or use the iConsult Health platform (the "Platform"), our websites, and related services. This Policy applies to all individuals who interact with our Platform, including healthcare providers, employer administrators, employees submitting health intake forms, and site visitors.

We are committed to compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and applicable state privacy laws. Where PHI is involved, our HIPAA Notice of Privacy Practices provides additional detail on how we use and disclose PHI.

By using the Platform, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.

2. Information We Collect

We collect the following categories of information in connection with our Services:

Account Information

  • Full name, email address, and phone number
  • Job title, professional credentials, and license numbers (for Providers)
  • Organization name and role within the organization
  • Authentication credentials (passwords are stored as bcrypt hashes; plaintext passwords are never stored)

Employment Information

  • Job title, department, work location, and employment status
  • Employee ID, hire date, and supervisor information
  • Demographic data (age, gender) when provided for occupational health purposes
  • HRIS data synchronized from connected human resource information systems

Health Information

  • Injury and illness narratives submitted via intake forms
  • Body part and symptom descriptions
  • Photographs of injuries or workplace conditions
  • Return-to-work restrictions and clearance documentation
  • Pre-employment physical examination data and job demand analyses
  • Wellness screening biometrics (blood pressure, BMI, etc.)
  • Provider clinical notes, assessments, and case dispositions

Usage Data

  • Pages visited, features used, and actions taken within the Platform
  • Session duration and navigation patterns
  • Search queries and filter selections

Device & Technical Information

  • Browser type and version, operating system, and device type
  • IP address (used for GeoIP resolution; raw IP is not retained long-term after geolocation)
  • Referring URL and landing page
  • Approximate geographic location (city and country level, derived from IP)

3. How We Collect Information

We collect information through the following methods:

  • Directly from you: When you create an account, submit a health intake form, complete a wellness screening, upload documents or photographs, or communicate with us via the Platform or email.
  • From your employer: When your employer uploads employee roster data via CSV import, connects an HRIS system (such as BambooHR, Workday, ADP, Paylocity, or UKG), or manually enters employee information.
  • From AI processing: When our AI systems generate classification results, urgency assessments, OSHA recordability determinations, and other analytical outputs based on data you or your employer have provided.
  • Automatically: Through cookies, server logs, and analytics tools that collect usage data, device information, and approximate location when you access the Platform.
  • From healthcare providers: When Providers enter clinical notes, case dispositions, corrections to AI classifications, and other professional assessments into the Platform.

4. How We Use Information

We use collected information for the following purposes:

  • Providing Services: Processing health intakes, managing cases, facilitating Provider-patient interactions, generating documents, and operating the Platform's core functionality.
  • AI Triage and Classification: Using artificial intelligence to classify injury types, assess urgency, determine OSHA recordability, identify body parts involved, and flag potential red-flag conditions for Provider review.
  • OSHA Compliance: Generating OSHA 300 logs, 300A summaries, 301 incident reports, TRIR calculations, and other regulatory compliance documentation.
  • Analytics and Reporting: Producing dashboards, trend analyses, and operational reports for Providers and Employer Administrators to support informed decision-making.
  • Service Improvement: Analyzing aggregate usage patterns and de-identified data to improve Platform features, AI accuracy, and user experience.
  • Security Monitoring: Detecting and preventing unauthorized access, fraud, abuse, and security threats through audit logging, rate limiting, and anomaly detection.
  • Communication: Sending transactional emails (case updates, security alerts, account notifications), system announcements, and, where opted-in, informational reports.
  • Legal Compliance: Meeting obligations under HIPAA, OSHA, state privacy laws, and other applicable regulations.

5. AI & Machine Learning Processing

Transparency Notice: How AI Processes Your Data

Our Platform uses artificial intelligence (powered by Anthropic's Claude models) as a core component of its Services. We believe in transparency about how AI interacts with your data:

  • Intake Text Processing: When a health intake is submitted, the narrative text is sent to our AI system for classification. The AI analyzes the text to determine injury type, body parts involved, urgency level, OSHA recordability, and potential red-flag conditions.
  • Photo Analysis: When photographs are uploaded with an intake, they are analyzed by AI (Claude Vision) to supplement the text-based classification. Photo analysis results include an authenticity score and visual assessment notes.
  • AI Copilot: The Platform includes an AI assistant that can answer questions about specific cases. The copilot's responses are grounded in the case data and a curated knowledge base of occupational health regulations and guidelines (RAG-augmented).
  • Provider Corrections (Gold Standard): When a Provider corrects an AI classification, the correction is stored and used as training signal to improve future classification accuracy. This creates a continuous learning loop specific to your organization's case patterns.
  • De-identified Improvement: Aggregated, de-identified data (with all individually identifiable information removed per HIPAA Safe Harbor or Expert Determination methods) may be used to improve the Platform's AI models, benchmark occupational health trends, and enhance classification accuracy across all Tenants.
  • No Sale of Individual Data: We never sell, rent, or license individual User data or PHI to any third party for their own purposes, including for AI model training by third parties.

6. Protected Health Information (PHI)

Health information collected through the Platform that meets the definition of Protected Health Information under HIPAA is subject to additional protections beyond those described in this general Privacy Policy.

The use and disclosure of PHI is governed by our HIPAA Notice of Privacy Practices, which provides detailed information about:

  • How we may use and disclose your PHI
  • Your rights regarding your PHI
  • Our legal duties with respect to PHI
  • How to file a complaint

Key PHI protections include:

  • BAA Requirement: We execute a Business Associate Agreement with all Covered Entity clients before processing any PHI.
  • Encryption: PHI is encrypted at rest using Fernet (AES-based) symmetric encryption and in transit using TLS 1.3.
  • Minimum Necessary: We apply the HIPAA Minimum Necessary standard, limiting access to PHI to only the information reasonably necessary for the purpose of the access.
  • Access Controls: Role-based access control ensures that Users can only view PHI relevant to their role and organizational scope.

7. Data Sharing

We may share information in the following circumstances:

  • With Your Employer: Employer Administrators receive case status information and aggregate analytics for their organization. Clinical details shared with the employer are limited to what is required for workplace health management, OSHA compliance, and workers' compensation purposes, as permitted by applicable law.
  • With Your Provider: Licensed healthcare Providers assigned to your case have access to the full case record, including intake details, photographs, AI classifications, and prior case history, as necessary to provide clinical services.
  • With Service Providers: We share data with third-party service providers who process data on our behalf under appropriate contractual safeguards:
    • Anthropic — AI classification processing (BAA in place)
    • Railway — Application hosting (BAA in place)
    • Daily.co — Telemedicine video (BAA in place)
    • Resend — Transactional email delivery (BAA in place; no PHI in email content)
    • Stripe — Payment processing (PCI DSS compliant; no PHI transmitted)
  • As Required by Law: We may disclose information to law enforcement, regulatory agencies, or courts when required by law, regulation, subpoena, court order, or other legal process.
  • In Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, User data may be transferred as part of the transaction, subject to the terms of any applicable BAA and with notice to affected parties.

We never sell personal information or PHI to third parties. We do not share data with advertising networks or data brokers.

8. Data Retention

We retain information for the following periods:

  • Active Account Data: Retained for the duration of the active subscription. Account profile information, preferences, and configurations are maintained as long as the Tenant subscription is active.
  • Case and Health Data: Retained in accordance with OSHA recordkeeping requirements, which mandate retention of OSHA 300 logs and related injury and illness records for a minimum of five (5) years following the end of the calendar year that the records cover. State laws may require longer retention periods.
  • Post-Termination: Following subscription termination, Tenant Data is available for export for ninety (90) days. After the export period, data is permanently deleted from primary systems and backups, except where retention is required by law.
  • Analytics Data: Aggregated, de-identified analytics data (e.g., industry benchmarks, platform usage trends) may be retained indefinitely as it contains no individually identifiable information.
  • Security Logs: Audit logs and security event records are retained for a minimum of one (1) year for incident investigation and compliance purposes.
  • AI Classification Cache: Cached AI classification results are retained to improve response times and reduce processing costs. Cache entries do not contain raw PHI and are linked to case records only by internal identifiers.

9. Data Security Measures

We implement a multi-layered security program to protect information processed through the Platform:

  • Encryption: PHI fields are encrypted at the application layer using Fernet (AES-128-CBC with HMAC-SHA256) symmetric encryption. Documents in cloud storage are encrypted using S3 server-side encryption with AWS KMS-managed keys. All network traffic is encrypted using TLS 1.3.
  • Content Security Policy: Strict CSP headers with cryptographic nonces prevent cross-site scripting (XSS) and code injection attacks across all 72 templates.
  • Rate Limiting: Per-tenant AI rate limiting (200 calls/hour) and per-IP request throttling protect against abuse and denial-of-service attacks.
  • Audit Logging: All security-relevant events are logged to a tamper-resistant audit trail, including login attempts, PHI access, rate limit triggers, and administrative actions.
  • Access Controls: Role-based access control (RBAC) with multi-tenant data isolation ensures Users can only access data within their organizational boundary.
  • Authentication: JWT-based authentication with bcrypt password hashing and optional TOTP multi-factor authentication. Session tokens include tenant scoping and version tracking for secure logout-all-devices functionality.
  • Document Security: Uploaded documents are stored with private ACLs and Content-Disposition attachment headers. Downloads validate content-type against an allowlist to prevent content-type spoofing.
  • Error Handling: The error handler redacts sensitive patterns (API keys, tokens, passwords, connection strings) before logging to prevent credential exposure in logs.

10. Your Rights

Depending on your jurisdiction and the nature of the data involved, you may have the following rights:

  • Right to Access: You may request a copy of the personal information and/or PHI we hold about you.
  • Right to Correction: You may request that we correct inaccurate or incomplete personal information.
  • Right to Deletion: You may request deletion of your personal data, subject to legal retention requirements (e.g., OSHA recordkeeping mandates, workers' compensation records).
  • Right to Data Portability: You may request export of your data in a structured, machine-readable format (CSV or FHIR, where applicable).
  • Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing conducted prior to withdrawal.
  • Right to Opt Out: You may opt out of non-essential communications, analytics reports, and marketing emails at any time.
  • HIPAA Rights: If your data includes PHI, you have additional rights under HIPAA as described in our HIPAA Notice of Privacy Practices, including the right to an accounting of disclosures and the right to request restrictions on certain uses.

To exercise any of these rights, contact us at privacy@iconsult.health. We will respond to verified requests within thirty (30) days, or within the timeframe required by applicable law.

11. Cookies & Tracking

Our use of cookies and similar technologies is limited to what is necessary for Platform functionality and security:

  • Session Cookies: We use HttpOnly, Secure, SameSite=Lax cookies for authentication and session management. These cookies are essential for the Platform to function and cannot be opted out of while using the Platform.
  • CSRF Tokens: We use cookies to store Cross-Site Request Forgery tokens that protect against unauthorized form submissions.
  • Theme Preference: A localStorage value stores your light/dark mode preference for consistent display.
  • No Third-Party Tracking: We do not use third-party tracking cookies, advertising cookies, or social media tracking pixels.
  • No Advertising Cookies: We do not serve advertisements or share data with advertising networks.
  • GeoIP Analytics: We use IP-based geolocation to determine approximate visitor location (city and country) for aggregate analytics. Raw IP addresses are not stored long-term after geolocation resolution.

12. Children's Privacy

The Platform is designed for use by adult employees, healthcare providers, and employer administrators in occupational health settings. The Platform is not intended for use by individuals under the age of eighteen (18).

We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete that information promptly. If you believe we have collected information from a minor, please contact us at privacy@iconsult.health.

13. International Data Transfers

The Platform is hosted and operated in the United States. All data collected through the Platform, including personal information and PHI, is processed and stored on servers located in the United States.

If you access the Platform from outside the United States, you acknowledge and consent to the transfer of your information to the United States, where data protection laws may differ from those in your jurisdiction. We apply the same security safeguards and privacy protections to all data regardless of the User's location.

If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions, please contact us to discuss appropriate data transfer mechanisms before using the Platform.

14. State-Specific Notices

California Residents (CCPA/CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions (including legal retention requirements).
  • Right to Opt Out of Sale: We do not sell personal information. There is no need to submit an opt-out request, but you may contact us to confirm.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
  • Right to Correct: You have the right to request correction of inaccurate personal information.
  • Right to Limit Use of Sensitive Personal Information: You have the right to limit our use and disclosure of your sensitive personal information to what is necessary to provide the Services.

Categories of Personal Information Collected: Identifiers, professional information, health information, internet/electronic activity information, geolocation data, and inferences drawn from the foregoing.

HIPAA Exception: PHI collected and maintained in accordance with HIPAA is exempt from the CCPA/CPRA. Our handling of such information is governed by our HIPAA Notice of Privacy Practices.

Other State Laws

Residents of other states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others) may have similar rights to access, correct, delete, and port their personal data. To exercise these rights, contact privacy@iconsult.health.

15. Email Communications

We send the following types of email communications:

  • Transactional Emails (cannot be opted out): Case status updates, account security alerts (password changes, MFA events, suspicious login attempts), system alerts (service health notifications), and other communications essential to the operation of your account and the Services.
  • Reports and Summaries (can be unsubscribed): Daily analytics reports, weekly case summaries, and other informational emails. You may unsubscribe from these using the link provided in each email.

HIPAA-Safe Email: All emails sent by the Platform are designed to be HIPAA-safe. No PHI (patient names, case details, health conditions, or other individually identifiable health information) is included in email subject lines, body text, or preview text. Emails contain only generic notifications directing the recipient to log into the Platform for details.

16. Third-Party Links

The Platform may contain links to third-party websites, services, or resources that are not owned or controlled by iConsult Health. We are not responsible for the privacy practices, content, or security of any third-party sites.

We encourage you to review the privacy policies of any third-party sites you visit. Our inclusion of links does not imply endorsement of the linked site or its content.

17. Changes to Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations.

For material changes that substantively alter how we collect, use, or disclose your information, we will provide at least thirty (30) days' advance notice via email to the address associated with your account and by posting a prominent notice on this page.

The "Last Updated" date at the top of this page will be revised whenever this Policy is modified. Your continued use of the Platform after the effective date of any change constitutes acceptance of the updated Privacy Policy.

18. Contact

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have a data protection concern, please contact us:

iConsult Health, Inc.

Privacy Inquiries: privacy@iconsult.health

Security Issues: security@iconsult.health

General Support: support@iconsult.health

Contact us via email for mailing address.

You also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights regarding our handling of PHI. Information is available at www.hhs.gov/ocr.