Serif Health Privacy Policy
Last Updated: March 18, 2025
1. Introduction
Serif Health is committed to protecting the privacy of the personal information we handle. This Privacy Policy explains how we collect, use, store, and disclose personal data, particularly information related to healthcare providers, in compliance with applicable U.S. state privacy laws. These laws include the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and similar laws such as Virginia’s Consumer Data Protection Act (CDPA), Colorado’s Privacy Act (CPA), and Connecticut’s Data Privacy Act (CTDPA). We also anticipate and incorporate provisions of the proposed New York Health Information Privacy Act (NY HIPA) to the extent it may apply to our services.
Scope: This policy covers personal information about healthcare providers that we collect and process through our services. It does not cover patient health records or medical information. In other words, the provider-related data we handle is not Protected Health Information (PHI) governed by HIPAA (Health Insurance Portability and Accountability Act). Instead, it is managed as “personal data” under state privacy laws. By using Serif Health’s website or services, providers and other users acknowledge that their information will be handled as described in this Policy. We strive to be transparent and lawful in our data practices at all times.
2. Information We Collect
We collect and maintain provider-related information to power our healthcare transparency services. Below is an overview of the categories of personal data we collect about providers, based on our data schemas and business needs:
- Identification and Contact Information: For example, providers’ full names, business addresses, phone numbers, and professional email addresses. This helps identify providers in our system and facilitate communications.
- Professional Identifiers and Details: Unique identifiers and professional information such as National Provider Identifier (NPI) numbers and group Employer Identification Numbers (EIN), as well as taxonomy classifications (e.g. NUCC taxonomy codes that indicate a provider’s specialty like “Orthopedic Surgery”). We also collect associated specialty descriptions and other credentials or license information relevant to the provider’s practice.
- Associated Metadata: Additional data related to the provider records, such as internal record IDs, timestamps of when the information was added or last updated, and other metadata. For instance, we may note the source of the data (e.g. public databases or provider submissions) or track version history for data accuracy. This metadata helps us manage data quality and transparency.
The personal information we collect about providers is often obtained from public or authoritative sources (for example, official healthcare directories, public payer data releases, or directly from the providers themselves). We do not collect sensitive personal information about providers beyond the scope described above. Specifically, we do not collect patient personal data or any medical records through our services.
3. How We Use Provider Information
Serif Health uses the collected provider data to deliver and improve our services in a transparent and lawful manner. The uses of this information include:
- Providing Services: We use provider information to power our healthcare price transparency platform and related services. For example, provider names, addresses, NPIs, and specialties are used to create searchable directories or datasets so that our customers can find providers and understand in-network rates and other transparency data.
- Maintaining Data Accuracy: Provider data (and associated metadata) is used for validating and updating our databases. We may cross-reference information (e.g., using NPI registry data) to ensure accuracy and to enrich the datasets with correct provider details.
- Communication: We may use contact information to communicate with providers or their authorized representatives. For instance, if a provider contacts us to correct their information or to inquire about our services, we will use their provided contact details to respond. We may also send administrative or service-related communications, such as notices about updates to this Privacy Policy or our terms. We do not send marketing emails to providers unless they have a relationship with us or have opted in to such communications.
- Product Improvement and Analytics: Internally, we may analyze the provider data (in aggregate form) and usage patterns to improve our services. This can include troubleshooting issues, testing new features, ensuring data is presented clearly, and researching trends (for example, analyzing aggregate provider network data). When we perform analytics, we typically use de-identified or aggregated information that does not directly identify individual providers.
- Legal and Compliance Purposes: We may process and retain provider information as needed to comply with applicable laws and regulations (such as state data privacy laws mentioned in this policy), to respond to valid legal requests or orders, and to enforce our Terms of Use or other agreements. If necessary, we will use provider data to investigate and prevent security incidents, fraud, or misuse of our services, in keeping with our legal obligations.
We do not use provider personal information for purposes that are unrelated to our healthcare transparency mission. In particular, we do not use provider data for advertising or marketing to consumers, nor do we process this data for any automated profiling that produces legal or significant effects regarding the individual provider. If we ever need to use provider information for a new purpose not described above, we will update this Privacy Policy and, if required by law, request the provider’s consent or provide an appropriate notice.
4. Data Sharing and Disclosure
Serif Health understands the importance of protecting provider data and we are cautious about how we share it. Below we outline our current practices regarding third-party data sharing, and we include a placeholder for future updates in this area:
- Service Providers: We may share provider personal data with trusted third-party service providers who perform functions on our behalf. Examples include cloud hosting services, database management, data analytics tools, customer support platforms, and other IT service providers. These third parties are contractually bound to process personal data only for our specified purposes and to protect it under confidentiality and security obligations. When we engage service providers to help us run our services (for example, a cloud database to store information), they do not have the right to use the provider data for their own purposes. Any processing by service providers is governed by contracts that meet the requirements of applicable laws (for instance, service provider agreements that ensure your data is only used for our business purposes and to help fulfill individuals’ privacy rights requests as needed).
- Business Transactions: If Serif Health is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, provider personal information may be transferred as part of that transaction. In such cases, we would ensure the receiving party is bound to respect the personal data in a manner consistent with this Privacy Policy.
- Legal Requirements and Safety: We may disclose personal information if required to do so by law or in the good-faith belief that such action is necessary to comply with legal obligations (for example, responding to subpoenas or court orders). We may also share data when we believe it’s necessary to protect our rights, protect the safety of providers or others, investigate fraud, or respond to a government request.
- Third-Party Data Sharing: Currently, we do not share provider personal data with third parties for purposes other than those stated above. In particular, we do not sell personal information for monetary consideration, and we do not disclose provider data to data brokers or marketing companies. If our practices change in the future, we will update this section to describe the new data sharing arrangements and provide any required opt-out or consent mechanisms. For example, if we plan to share provider information with a new partner or for a new service, we will modify this Privacy Policy and notify users as required by law.
No Sale of Personal Data: In alignment with the CCPA and other state laws, Serif Health does not sell provider personal information as that term is defined under those laws (meaning we do not exchange the data for money or other valuable consideration for the third party’s independent use). Because we do not engage in sales of personal data, we do not offer a “Do Not Sell My Info” link at this time. If that ever changes, we will implement appropriate opt-out mechanisms and update this Policy. We also do not share provider personal information for targeted advertising purposes. Should our data sharing practices expand to include activities that could be considered a “sale” or “sharing” under applicable law, we will provide clear notice and the opportunity to opt out, in accordance with regulations.
5. Your Privacy Rights
Serif Health respects the privacy rights granted to individuals (“consumers”) under various state laws. Because we handle personal data (including provider information) in several jurisdictions, we extend appropriate rights and choices to the affected individuals. If you are a resident of California, Virginia, Colorado, Connecticut, or another state with a comprehensive privacy law, you may have some or all of the following rights regarding your personal information:
- Right to Know / Access: You have the right to request that we disclose the personal information we have collected about you. This includes the right to obtain a copy of the specific pieces of information we maintain, as well as additional details such as the categories of data, the sources of that data, the purposes for collecting it, and the categories of third parties with whom we have shared it. In practice, for a healthcare provider, this means you can ask us to confirm if we have your data in our system and request a detailed report of that data.
- Right to Deletion: You have the right to request that we delete personal information we have collected from you. Upon a verified request, we will delete your personal data from our records (and direct our service providers to do the same), unless a legal exception applies. For example, we may retain certain information if it is required for ongoing business relationships, to comply with a legal obligation, or if the data is publicly available information that we are using for a lawful purpose. We will inform you of any such exception if we cannot fulfill a deletion request in full.
- Right to Correction: You have the right to request that we correct inaccurate personal information that we hold about you. If you discover or believe that any provider information in our database is incorrect or outdated (for instance, an address or specialty that has changed), you can request a correction. We will take reasonable steps to verify and rectify the data as needed, and will confirm once the correction is made.
- Right to Opt Out of Certain Processing: You have the right to opt out of the sale of your personal data, and in some states, the sharing of your data for targeted advertising or certain types of profiling. As noted above, Serif Health does not sell personal information, nor do we use provider data for targeted advertising. However, if you still wish to formally record an opt-out request, you may contact us and we will honor that request. If in the future we consider engaging in any activity deemed a “sale” or “sharing” of personal data, we will provide a clear opt-out mechanism (such as a “Do Not Sell or Share” link on our website) as required by CCPA/CPRA.
- Right to Data Portability: Where applicable, you have the right to obtain a copy of your personal data in a portable and, to the extent technically feasible, readily usable format. We will provide the information in a common file format (for example, CSV or PDF) that allows you to transmit the data to another entity if you so choose. This right is typically fulfilled in tandem with an access request.
- Right to Limit Use of Sensitive Information: (California residents) If we collected any information deemed “sensitive personal information” under California law, you would have the right to limit the use or disclosure of that information to certain permitted purposes. In our case, we do not collect sensitive personal data (such as social security numbers, financial account info, or precise geolocation of individuals) in the provider data context, so this right may not be applicable. If that changes, we will provide an appropriate mechanism to exercise this right.
- Right to Non-Discrimination: We will never discriminate against you for exercising any of your privacy rights. This means we will not deny you services, charge you different prices, or provide a different level of service because you made a privacy request, as prohibited by applicable law. Serif Health’s provision of its services to healthcare providers or other users will remain fair and equal, whether or not you choose to exercise the above rights.
These rights are subject to certain limitations and exceptions under the law. For example, the right to deletion does not require us to erase information that we are legally required to keep, and the right to access is limited to information collected in the 12 months prior to the request (under CCPA). Additionally, some state laws (such as Virginia’s CDPA, Colorado’s CPA, and Connecticut’s DPA) only apply to individuals acting in a personal or household context, and may exempt business-to-business data or publicly available information. Given that much of our provider data is drawn from public sources and relates to individuals in their professional capacity, certain data elements might not be subject to these consumer rights in all cases. However, Serif Health will honor valid privacy requests to the extent required by applicable law and will strive to accommodate requests regarding provider information whenever possible. Our goal is to maintain trust and transparency with the provider community.
6. Exercising Your Rights
How to Submit a Request: If you wish to exercise any of the privacy rights described above, you may contact us using the information provided in the Contact Us section of this Policy. To ensure we process your request correctly, please include your name, contact information, and a detailed description of the request (e.g., “I am a California resident requesting access to my personal information”). For deletion or correction requests, specify the data in question if possible. You can submit requests by:
- Email: Send an email to us at hello@serifhealth.com with the subject line “Privacy Rights Request” and detail your request in the body.
- Mail: You may send a written request to our postal address (provided below in Contact Us). Please indicate that you are making a "Data Subject Request" and include the same information (name, contact, request details).
- Authorized Agent: If you are a California resident, you may designate an authorized agent to make a request on your behalf. We will require the agent to provide proof of your written permission and may also ask you to verify your identity directly with us, as permitted by law, to ensure the security of your data.
Verification: For your privacy and security, we will need to verify your identity (or the authority of an authorized agent) before processing a substantive request (access, deletion, correction, etc.). The verification steps may vary depending on the nature of the request and your relationship with us. Typically, we will match information you provide in the request (such as email address, phone number, NPI, or other details) with our records. In some cases, we might ask for additional information or a declaration to confirm your identity. We will only use the information you provide in a request to verify and fulfill that request.
Response Time: We will respond to your request within the timeframe required by law. Under most state laws, we have up to 45 days to respond, which may be extended by an additional 45 days (total of 90 days) if reasonably necessary and with notice to you. California law allows 45 days (with a possible 45-day extension) as well, and we will endeavor to meet these timelines. If we need more time, we will inform you of the reason and extension in writing. Our response will typically cover the 12-month period preceding your request, unless you specifically request data beyond that (California allows going beyond 12 months in some cases, or if rules are updated). We will deliver our response electronically via email by default (or through mail if you prefer and provide a mailing address).
Appeals: If for some reason we cannot fulfill your request, we will provide an explanation. Certain state laws (e.g., Virginia’s CDPA) grant you the right to appeal our decision if we decline to take action on your request. We will include instructions on how to appeal in our response, if it is applicable to you. Generally, an appeal request should be submitted to us within a reasonable time after our decision, and we will reconsider and respond to appeals within the timeframe required by law (usually 60 days). If an appeal is denied, some states allow you to contact your state Attorney General to submit a complaint. We will provide those details as required in our appeal denial, in accordance with each state’s law.
7. Data Retention
Serif Health retains personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required or permitted by law. Given that our services involve maintaining an up-to-date repository of provider information for transparency purposes, we generally keep provider data until it is no longer required for those purposes or until we receive a valid request to delete it. Key points regarding our data retention practices:
- Retention Period: In the absence of a deletion request, we may retain provider information for the duration that the provider remains active in the healthcare field or listed in our datasets, plus a reasonable period for backup, archival, or audit purposes. For example, if we have a provider’s practice details, we will keep that information while it remains relevant to our price transparency database. If a provider is no longer practicing or the information becomes outdated, we may remove or update it as part of our routine data maintenance.
- Legal Requirements: We may retain certain information for longer periods if required by applicable law, regulation, or government order. For instance, if a law enforcement authority lawfully requests certain data, or if record-keeping laws mandate retention for a set time, we will comply with those requirements. We will also retain information as needed to resolve disputes or enforce our agreements.
- Deletion and Disposal: When personal data is no longer needed for the purpose for which it was collected, we will take steps to delete, de-identify, or securely dispose of it. Serif Health has procedures in place to periodically review the data we hold and to purge records that are not required for any legitimate business or legal purpose.
- Provider Requests: If you (as a provider) exercise your right to deletion, we will delete your personal information from our active databases and inform our service providers to do the same, except to the extent retention is permitted or required as noted above. We maintain records of deletion requests and how we responded to them, as required for compliance. Keep in mind that after deletion from our systems, residual copies might persist temporarily in backups – but we will ensure such backups are also eventually purged or overwritten in the normal course of business.
Overall, our retention approach is designed to minimize the storage duration of personal data and to avoid retaining information longer than necessary. By doing so, we reduce the risk associated with long-term data storage and honor the principle of data minimization embedded in privacy laws.
8. Data Security
We take the security of personal data seriously and implement reasonable security measures to protect provider information from unauthorized access, use, or disclosure. In accordance with best practices and legal requirements, Serif Health employs administrative, technical, and physical safeguards to secure the data we maintain:
- Administrative Safeguards: Our team members are trained on privacy and security procedures to ensure personal data is handled appropriately. We limit access to personal information to employees and contractors who need the data to perform their duties (principle of least privilege). We have internal policies and incident response plans to address potential security incidents swiftly. Regular audits and assessments may be conducted to ensure compliance with this Privacy Policy and applicable security standards.
- Technical Safeguards: We use industry-standard encryption and security technologies to protect data. For example, any personal information transmitted to or from our platform is protected via Transport Layer Security (TLS/SSL) encryption during transit. Data stored in our databases is protected by access controls, encryption at rest (where feasible), firewalls, and network security measures to prevent unauthorized access. We continuously monitor our systems for vulnerabilities and keep our software and frameworks up-to-date to guard against security threats.
- Physical Safeguards: The servers and facilities where personal data is stored are secured. We rely on reputable cloud service providers that maintain strong physical security controls at their data centers (including 24/7 monitoring, access badges, biometric controls, etc.). Within our own offices, any hard copies of data or local servers are kept in secure environments with restricted access.
- Assessments and Certifications: We periodically review our security practices and may undergo third-party audits or certifications to validate our controls. (For instance, our platform’s Security & Compliance information is available and demonstrates our commitment to safeguarding data, as indicated on our website’s security page.) We align our security program with frameworks that meet or exceed the requirements of the state laws referenced in this policy, and we remain vigilant as new threats or regulations emerge.
Despite our robust security measures, it’s important to note that no method of transmission over the Internet, or method of electronic storage, is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security. However, we will continue to update and improve our security practices over time. In the unlikely event of a data breach that affects personal information, we will follow all applicable breach notification laws to inform affected individuals and authorities in a timely manner.
9. Compliance with State Privacy Laws
This Privacy Policy is designed to meet the disclosure requirements of the state laws mentioned (CCPA/CPRA, CDPA, CPA, CTDPA) and to reflect our compliance efforts. Here is how we address some specific state law requirements within this policy:
- California (CCPA/CPRA): We have outlined the categories of personal information collected, the business purposes for use, and the rights California residents have (access, deletion, correction, opt-out, limit use of sensitive info, non-discrimination). We also confirm that we do not sell or share personal information as defined under California law, and provide contact methods for submitting requests. This policy serves as our notice at collection and privacy policy for California consumers (in this context, healthcare providers can be “consumers” under CCPA if they are California residents). If needed, California residents can contact us through an authorized agent and we will process such requests per CCPA regulations. To reiterate, we do not sell any personal information under CCPA.
- Virginia, Colorado, Connecticut, Oregon, New Jersey and others: The privacy rights and principles in these laws (CDPA, CPA, CTDPA, etc.) are very similar to those in California, with some differences. We have aligned our practices with these laws by providing rights to access, correction, deletion, and opt-out of sales/targeted advertising. We also implement Data Protection Assessments and obtain consent for processing sensitive data as required by these laws, although in our case we do not handle sensitive personal data of the type that typically triggers those provisions (e.g. we do not collect precise geolocation, health diagnoses, etc., about providers). Where these laws exclude data collected in a business-to-business context or publicly available data, we will apply those exemptions as appropriate. However, we extend core privacy rights to all individuals whose data we hold, to the extent feasible, as part of our commitment to privacy by design.
In case of any conflict between this Privacy Policy and the requirements of a specific state law as it applies to your data, we will follow the law. We continually review our privacy practices to ensure compliance with all current laws and to be ready for new regulations on the horizon. If you have questions about how we handle compliance with a particular law, you can contact us for more information.
10. Changes to this Privacy Policy
We may update or revise this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will post the updated Policy on our website and update the “Last Updated” date at the top. If the changes are significant, we will provide a more prominent notice (such as by email notification to registered users or a banner on our site) and obtain consent if required by law. We encourage you to review this Policy periodically to stay informed about how we are protecting your information.
Your continued use of the Serif Health services after any changes to this Privacy Policy signifies your acceptance of the revised terms. If you do not agree with the changes, you should discontinue use of our services and exercise your data rights as described above.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us. We are here to help and will respond as promptly as possible.
- Email: hello@serifhealth.com
- Address: Serif Health, Attn: Privacy Team, 2261 Market Street #4944, San Francisco, CA 94114
- Website: You may also reach us through our website’s contact page or support channels. If you are a registered user, you might use in-app support to communicate with us regarding privacy inquiries.
Effective Date: This revised Privacy Policy is effective as of March 18, 2025. If you would like to access a previous version of our Privacy Policy, or have questions about the differences between versions, please contact us and we will provide a copy or a summary of the changes.
Serif Health 21st Century Cures Act Compliance Addendum
Serif Health operates within a distinctly limited data environment compared to traditional entities within the healthcare ecosystem. Unlike typical covered entities and business associates under HIPAA, Serif does not actively collect, maintain, or exchange identifiable protected health information (PHI). Instead, Serif’s operational practices are explicitly designed around minimizing the acquisition of personal health data, thereby significantly reducing its compliance obligations under the Health Insurance Portability and Accountability Act (HIPAA) and the 21st Century Cures Act (hereafter “Cures Act”).
Nevertheless, Serif’s data practices may still unintentionally capture incidental electronic health information (EHI), particularly through data sets involving healthcare provider identifiers. This Compliance Policy articulates Serif Health’s tailored obligations and proactive approaches to safeguarding incidental EHI, managing interoperability concerns, and ensuring compliance with information blocking provisions, in alignment with the Cures Act and associated regulatory requirements.
1. Current Operational Landscape and Data Practices
1.1 Data Minimization Strategy
Serif Health maintains a rigorous, proactive data-minimization framework that intentionally restricts the collection of patient-level clinical data. Serif’s information systems predominantly process structured healthcare financial data, specifically focused on pricing transparency, negotiated payer-provider rates, and associated transactional data devoid of explicit patient-identifiable clinical information.
1.2 Incidental Data Capture
Notwithstanding Serif’s diligent avoidance of clinical data, incidental personal identifiers do emerge within its datasets due to healthcare industry naming conventions. Provider and practice names—such as "Dr. Jane Doe, Cardiologist"—occasionally appear, introducing indirect identifiers into the otherwise anonymized financial and administrative data sets. Serif’s obligations to the Cures Act thus differ considerably from entities actively handling comprehensive clinical records, requiring a distinct compliance approach centered around incidental rather than intentional health data management.
2. Compliance Obligations and Current Status under the 21st Century Cures Act
2.1 Interoperability Rules under the Cures Act
The Cures Act outlines comprehensive interoperability obligations, explicitly targeting healthcare entities that maintain clinical electronic health records (EHR) and certified EHR technologies (CEHRT). Serif’s deliberate lack of patient-level clinical records considerably reduces its obligations to implement these interoperability standards directly. Serif’s compliance focus thus shifts primarily to maintaining open, transparent practices regarding the financial and administrative healthcare data it holds.
2.2 Information Blocking Regulations
The information-blocking provisions under the Cures Act prohibit practices likely to interfere with the lawful access, exchange, or use of EHI. Serif’s current practices proactively align with the information-blocking provisions through systematic transparency and data accessibility policies. While information-blocking requirements primarily address entities maintaining direct patient health records, Serif must nonetheless ensure its practices facilitate transparency and avoid any actions perceived as restrictive or obstructive regarding incidental EHI.
2.3 Security and Privacy Measures
Serif’s existing infrastructure incorporates robust security controls compliant with industry-standard best practices. Encryption at rest and in transit, stringent access controls, and disciplined role-based authorization collectively mitigate risks related to incidental EHI exposure. These controls substantially satisfy the rigorous security standards underpinning Cures Act compliance.
3. Specific Compliance Measures
3.1 Rigorous Data Minimization Protocols
Serif Health maintains explicit internal protocols to systematically exclude patient-identifiable clinical data. Periodic internal audits confirm strict adherence to data schemas that capture only administrative and financial data such as billing codes, provider identifiers, and contractual pricing information, explicitly omitting clinical elements like diagnosis, treatments, or patient histories.
Serif proactively publishes its administrative and financial datasets in standardized formats accessible to relevant industry stakeholders. Through structured data-sharing practices, Serif ensures transparent access to provider pricing and related transactional information, affirmatively aligning with the interoperability principles embodied in the Cures Act.
3.2 Security Controls and Technical Safeguards
Serif’s robust technical safeguards—including encryption, secure cloud infrastructure, rigorous identity and access management (IAM), and role-based access controls—exceed baseline expectations for incidental EHI security. Regular independent security audits and adherence to NIST and other relevant standards ensure sustained protection.
4. Clarification of Inapplicable Regulatory Obligations
Given Serif’s specific data-minimization model and limited exposure to incidental identifiers, several significant obligations applicable to entities actively handling clinical patient data do not apply to Serif, notably:
- Patient Access APIs: Serif is not required to implement patient-facing APIs (e.g., HL7 FHIR) mandated under interoperability standards because it does not maintain certified EHR technologies or clinical records.
- Clinical Data Export Requirements: Serif does not generate or hold patient clinical records; thus, mandated clinical data exports are non-applicable.
- Real-Time Clinical Interoperability: Serif is exempt from obligations related to real-time patient data access due to the absence of clinical patient-level information within its databases.