IMPORTANT: CareSwaps' Role Under HIPAA
CareSwaps is a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA), 45 CFR Parts 160 and 164. CareSwaps does NOT directly provide healthcare services and is NOT a Covered Entity.
CareSwaps processes Protected Health Information (PHI) on behalf of families seeking skilled nursing facility transfers and in coordination with facilities that are Covered Entities under HIPAA. CareSwaps functions as a technology platform providing algorithmic transfer-matching software services only. All clinical decisions are made independently by licensed facility staff.
This Notice applies when you submit personal or health information to CareSwaps through our intake forms or platform.
1. Overview: CareSwaps as a HIPAA Business Associate
CareSwaps, LLC ("Company," "we," "us," or "our") is a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA), 45 C.F.R. Parts 160 and 164. We handle Protected Health Information (PHI) on behalf of families and loved ones seeking to explore transfer options for their family members in skilled nursing facilities and related care settings.
This Notice of Privacy Practices describes:
- How we use and disclose health information you submit
- Your privacy rights under HIPAA
- How we protect your health information
- What to do if you believe your privacy rights have been violated
Important: CareSwaps handles health information that you provide or authorize us to use. When you submit intake forms through CareSwaps, you are directing us to use that information to help explore transfer options. This Notice explains how we protect and use that information.
2. Definitions
2.1 Protected Health Information (PHI)
PHI is individually identifiable health information: any information that can identify your loved one and relates to their health condition, the care they receive, or payment for that care, including:
- Name, date of birth, address, phone number, email
- Medical record numbers or patient identifiers
- Health conditions, medical history, and diagnoses
- Insurance information and payment details
- Any other identifier that could identify the patient
2.2 Business Associate
A Business Associate is a service provider that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity (here, the skilled nursing facilities in our network). CareSwaps is a Business Associate because it handles your loved one's PHI in coordination with those facilities when you direct us to use that information to explore transfer options.
3. Uses and Disclosures of Your Health Information
3.1 How CareSwaps Uses Your Information
CareSwaps uses health information you submit for:
- Transfer Matching: Processing information through the matching algorithm to identify facilities that may meet your loved one's needs
- Facility Communication: Sharing information with destination facilities you select to facilitate transfer discussions
- Account Management: Maintaining your profile, monitoring transfer progress, and providing customer support
- Security and Compliance: Logging all access to information to ensure HIPAA compliance and detect unauthorized access
3.2 How CareSwaps Shares Your Information
CareSwaps discloses your health information:
- To Facilities You Select: When you identify a destination facility through the platform, we share relevant information with that facility to facilitate their assessment of your loved one
- To Our Service Providers: Vendors that help us operate the platform have signed agreements to protect your information (see Section 6)
- As Required by Law: When required by court order, subpoena, or legal obligation
3.3 What CareSwaps Does NOT Do With Your Information
CareSwaps does not:
- Use health information for marketing or advertising
- Sell your health information to any third party
- Use information for research without explicit authorization
- Share information for any purpose other than those you authorize
4. Your HIPAA Privacy Rights
4.1 Right to Access Your Information (45 C.F.R. § 164.524)
You have the right to request a copy of the health information that CareSwaps maintains about your loved one.
To request access, contact [email protected]. We will provide a copy within 30 days. Exceptions may apply to certain types of information (such as psychotherapy notes or information compiled for legal proceedings).
4.2 Right to Amendment (45 C.F.R. § 164.526)
You have the right to request that inaccurate or incomplete health information be corrected.
To request an amendment, submit a written request to [email protected] specifying what information you believe is inaccurate. We will respond within 60 days.
4.3 Right to an Accounting of Disclosures (45 C.F.R. § 164.528)
You have the right to receive a list of all times your health information was shared with other facilities or entities.
The accounting will include the date, recipient, and reason for each disclosure. To request an accounting, contact [email protected]. We will provide it within 60 days. The accounting covers the past 6 years unless you request a shorter period.
4.4 Right to Restrict Use or Disclosure (45 C.F.R. § 164.522(a))
You have the right to request that CareSwaps limit how your information is used or disclosed.
For example, you may request that we not share your information with certain facilities. To request a restriction, contact [email protected]. While CareSwaps is not required to agree, if we do agree, we must honor the restriction.
4.5 Right to Confidential Communication (45 C.F.R. § 164.522(b))
You have the right to request alternative methods of communication.
You may request that we communicate with you only through email, at a specific address, or using another method. To request confidential communication, contact [email protected].
4.6 Right to Notification of Breach (45 C.F.R. § 164.404)
If your health information is accessed, used, or disclosed without authorization, you will be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered.
The notification will explain what happened, what information was involved, steps to protect yourself, and how CareSwaps is preventing future breaches.
4.7 Role-Based Access Controls (Minimum Necessary)
How We Limit Access to Your Information
CareSwaps implements role-based access controls to ensure that only authorized personnel can access your health information, and only for purposes required by their job function:
- Platform Administrator ([email protected]): Full PHI access for client support, compliance, and breach response
- Google Apps Script Automation: Resident name, contact information (for personalized email notifications via Gmail only)
- Make.com Workflows: De-identified data only — swap IDs, facility names, dates, operational status flags (no resident names or contact information)
- Jotform Integration: Intake form responses you submit directly (stored in HIPAA-compliant environment, not exported to non-BAA services)
- Stripe Payment Processing: No PHI — payment method and transaction amounts only
- Airtable: De-identified data only — facility names, swap IDs, bed counts, operational status (no resident-identifiable information)
All access is logged and restricted to authorized job functions.
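The per-integration access matrix above is, in engineering terms, a field allowlist: each downstream system receives only the columns its role needs, and integrations without a BAA (Make.com, Airtable) must never receive an identifying field. The following is an added example of how such an allowlist can be enforced and audited in code; it is not CareSwaps' own automation, and the field names, integration names, and sample record are assumptions constructed for illustration.

```javascript
// Added example (not CareSwaps' code): enforcing the Section 4.7 data flows
// as a per-integration field allowlist that fails closed. Field names,
// integration names and the sample record are assumptions.

// Fields that identify a resident. These are PHI and may only flow to
// integrations covered by a Business Associate Agreement.
const PHI_FIELDS = new Set([
  "residentName", "dateOfBirth", "address", "phone", "email",
  "medicalRecordNumber", "diagnoses", "insuranceId",
]);

// Minimum-necessary allowlist per integration, mirroring Section 4.7:
// Apps Script gets name and contact details for notifications; Make.com
// and Airtable get operational fields only.
const ALLOWLISTS = {
  appsScript: ["swapId", "residentName", "email", "phone", "destinationFacility"],
  make: ["swapId", "currentFacility", "destinationFacility", "requestedDate", "status"],
  airtable: ["swapId", "currentFacility", "destinationFacility", "bedCount", "status"],
};

// Integrations without a BAA. Their allowlists must never contain PHI.
const NO_BAA = new Set(["make", "airtable"]);

// Returns "integration:field" for every PHI field that a non-BAA
// integration's allowlist would leak; an empty array means the config is safe.
function allowlistViolations(allowlists, noBaa) {
  const violations = [];
  for (const name of noBaa) {
    for (const field of allowlists[name] || []) {
      if (PHI_FIELDS.has(field)) violations.push(`${name}:${field}`);
    }
  }
  return violations;
}

// Builds the payload for one integration. Unknown integrations and
// misconfigured allowlists throw, so nothing is sent on a bad config.
function buildPayload(record, integration, allowlists = ALLOWLISTS, noBaa = NO_BAA) {
  const allow = allowlists[integration];
  if (!allow) throw new Error(`unknown integration: ${integration}`);
  const violations = allowlistViolations(allowlists, noBaa);
  if (violations.length) {
    throw new Error(`PHI in non-BAA allowlist: ${violations.join(", ")}`);
  }
  const payload = {};
  for (const field of allow) {
    if (Object.prototype.hasOwnProperty.call(record, field)) payload[field] = record[field];
  }
  return payload;
}

// True if a payload still carries any identifying field.
function containsPhi(payload) {
  return Object.keys(payload).some((k) => PHI_FIELDS.has(k));
}

// Audit record for each projection (Section 5.3: all access is logged).
// Only field names are logged, never field values, so the log itself
// does not become a second copy of the PHI.
function auditEntry(record, integration, actor, payload, now = new Date()) {
  return {
    at: now.toISOString(),
    actor,
    swapId: record.swapId,
    integration,
    fieldsSent: Object.keys(payload),
    phiSent: containsPhi(payload),
  };
}

// Constructed sample record with fictional values.
const SAMPLE_RECORD = {
  swapId: "SW-0001",
  residentName: "Jane Doe",
  dateOfBirth: "1940-01-01",
  phone: "555-0100",
  email: "family@example.com",
  diagnoses: ["CHF"],
  currentFacility: "Facility A",
  destinationFacility: "Facility B",
  requestedDate: "2026-03-20",
  bedCount: 2,
  status: "pending",
};

// Projects the sample record for every integration and returns the audit
// entries; phiSent is true only for the BAA-covered Apps Script flow.
function demo() {
  const out = {};
  for (const name of Object.keys(ALLOWLISTS)) {
    const payload = buildPayload(SAMPLE_RECORD, name);
    out[name] = auditEntry(SAMPLE_RECORD, name, "automation", payload);
  }
  return out;
}
```

The design choice worth noting is that the PHI check runs against the configuration, not just the data: if someone later adds `residentName` to the Airtable allowlist, every call fails rather than silently exporting names to a system without a BAA.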
5. How CareSwaps Protects Your Information
5.1 Administrative Safeguards
CareSwaps implements these administrative controls:
- Access Control: Only authorized personnel can access your health information
- HIPAA Training: All staff receive annual HIPAA compliance training
- Incident Response: We have procedures to detect, report, and respond to breaches
- Authorization Management: Access is limited to staff with a documented business need
5.2 Physical Safeguards
CareSwaps protects the physical security of systems containing your information:
- Data Center Security: Our hosting facilities use controlled access and authentication
- Workstation Protection: All computers with access to your information require passwords and multi-factor authentication
- Device Security: Devices containing health information are encrypted
- Secure Disposal: Hardware is securely destroyed when no longer needed
5.3 Technical Safeguards
CareSwaps uses these technical controls:
- Encryption at Rest: All stored health information is encrypted using AES-256
- Encryption in Transit: Data transmitted to or from CareSwaps is encrypted using TLS 1.3 or higher
- Access Logging: All access to your information is logged for audit purposes
- Integrity Monitoring: We detect if information has been altered or deleted
- Regular Testing: We conduct security assessments and penetration testing
6. Business Associates and Service Providers
6.1 Who Are Our Business Associates?
CareSwaps uses service providers (Business Associates) to operate the platform. These vendors have signed agreements committing them to protect your health information.
6.2 Current Business Associates (as of March 19, 2026)
| Service Provider | Service Type | Health Information Access | Agreement Type |
|---|---|---|---|
| Google Workspace (Email, Sheets, Drive, Apps Script) | Email, cloud storage, workflow automation | Yes | Business Associate Agreement |
| Jotform | Intake form collection | Yes | HIPAA Gold BAA |
| Paubox | Encrypted email transmission | Yes | Business Associate Agreement |
| Stripe | Payment processing | No (billing information only) | Data Processing Agreement |
All Business Associates are contractually obligated to protect your health information with the same safeguards that CareSwaps maintains.
7. Breach Notification and Incident Response
7.1 What Is a Breach?
A breach is the acquisition, access, use, or disclosure of your health information in a manner not permitted under HIPAA that compromises its security or privacy.
7.2 CareSwaps' Response to a Breach
If a breach occurs, CareSwaps will:
- Immediately investigate the incident
- Assess whether your information was actually compromised
- Notify you without unreasonable delay, and no later than 60 calendar days after discovery, if a breach is confirmed
- Provide information about what happened and steps to protect yourself
- Implement measures to prevent future breaches
8. Complaints and Enforcement
8.1 Right to File a Complaint
You have the right to file a complaint if you believe CareSwaps has violated your HIPAA privacy rights. Filing a complaint will not affect your access to the platform or result in any retaliation.
8.2 How to File a Complaint with CareSwaps
Complaints must be submitted in writing to the Privacy Officer (see Section 10). We will investigate and respond within 30 days.
8.3 How to File a Complaint with HHS
You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights:
- Website: www.hhs.gov/ocr/privacy/hipaa/complaints
- Email: [email protected]
- Phone: 1-800-368-1019
9. Changes to This Notice
9.1 Right to Update
CareSwaps may revise this Notice at any time. The current version is always available at careswaps.com/hipaa. Any significant changes will be communicated to you.
10. Contact Information
10.1 Privacy Officer
CareSwaps has designated the following individual as its Privacy Officer and Security Officer, responsible for HIPAA compliance, privacy practices, and breach response:
- Privacy Officer: Michael Ford, Founder
- Email: [email protected]
- Phone: (970) 306-7131
- Address: CareSwaps, LLC, Denver, Colorado
10.2 Privacy Questions
For questions about this Notice or how CareSwaps handles your health information, contact the Privacy Officer using the information above.
Important Notice: This is a Notice of Privacy Practices provided for informational purposes. It supplements our Privacy Policy and Terms of Service. This Notice describes CareSwaps' privacy practices and your HIPAA rights regarding health information you submit through the platform. For questions about how the healthcare facilities in our network handle your information, contact those facilities directly.