Privacy Policy

1. Introduction

iAM-PT (“iAM-PT,” “we,” “us,” or “our”) provides a cloud-based software-as-a-service platform that assists physical therapy practices with clinical documentation, goal writing, diagnostic coding, billing optimization, and related practice workflows (the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website, register for an account, or use the Service.

This Privacy Policy applies to: (a) visitors to our website; (b) clinicians, administrators, and staff of physical therapy practices that subscribe to the Service (“Customers” and “Authorized Users”); and (c) information about patients that Customers submit to the Service in the course of using it (“Patient Data”).

Important: iAM-PT is a business-to-business service. We do not provide healthcare and we do not have a direct treatment relationship with patients. If you are a patient whose information has been entered into the Service by your physical therapy provider, please direct privacy questions and requests to that provider, which controls your health records.

2. Our Role Under HIPAA

Physical therapy practices that use the Service are typically “covered entities” under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”). When a Customer submits protected health information (“PHI”) to the Service, iAM-PT acts as a “business associate” of that Customer.

Our handling of PHI is governed by HIPAA and by the Business Associate Agreement (“BAA”) we execute with each Customer. If there is any conflict between this Privacy Policy and an applicable BAA with respect to PHI, the BAA controls. We use and disclose PHI only as permitted by the BAA and HIPAA, including to provide the Service, for our own proper management and administration, and as required by law.

3. Information We Collect

3.1 Account and Business Information

  • Name, professional credentials, license numbers, job title, and clinic affiliation
  • Email address, phone number, and business mailing address
  • Login credentials (passwords are stored in hashed form only)
  • Billing and subscription information, including payment details processed by our payment processor (we do not store full card numbers)

3.2 Patient Data Submitted by Customers

In the course of using the Service, Customers and their Authorized Users may submit Patient Data, which may include PHI such as:

  • Patient demographics and contact information
  • Clinical documentation, including evaluations, SOAP notes, progress notes, treatment goals, and outcome measures
  • Diagnoses, ICD-10 codes, CPT codes, and billing and claims information
  • Insurance and payer information
  • Appointment scheduling information and, where enabled, patient communications such as appointment reminders

Customers determine what Patient Data is submitted to the Service and are responsible for having an appropriate legal basis (including any required notices, authorizations, or consents) to do so.

3.3 Usage and Technical Information

  • Log data such as IP address, browser type, device identifiers, operating system, pages viewed, and timestamps
  • Feature usage and interaction data used to operate, secure, and improve the Service
  • Cookies and similar technologies on our website (see Section 9)

4. How We Use Information

  • To provide, operate, maintain, and secure the Service
  • To generate AI-assisted outputs requested by Authorized Users, such as draft documentation, SMART goals, coding suggestions, and reimbursement analyses (see Section 5)
  • To set up and administer accounts, process subscription payments, and provide customer support
  • To communicate with Customers about the Service, including service announcements, security alerts, and updates
  • To monitor, troubleshoot, and improve the Service, including analyzing de-identified or aggregated usage data
  • To detect, prevent, and respond to fraud, abuse, security incidents, and other harmful activity
  • To comply with legal obligations and enforce our agreements

We do not sell personal information, and we do not use Patient Data or PHI for advertising or marketing purposes.

5. AI-Assisted Processing

The Service uses artificial intelligence, including large language model technology provided by third-party AI providers such as Anthropic (the developer of Claude), to generate draft clinical documentation, goal language, coding suggestions, and billing analyses based on information submitted by Authorized Users.

With respect to AI processing:

  • Data is transmitted to AI providers solely to generate the outputs requested by Authorized Users, under contractual terms that restrict the provider’s use of the data, including, where PHI is involved, terms consistent with HIPAA business associate requirements.
  • We do not permit our AI providers to use Customer Data or PHI submitted through the Service to train their general-purpose models.
  • AI-generated outputs are drafts and decision-support aids only. They are not medical advice and do not replace the professional judgment of the licensed clinician. The treating clinician remains solely responsible for reviewing, editing, and approving all documentation, coding, and billing submissions.

6. How We Share Information

We share information only in the following circumstances:

  • Service providers and subprocessors. We use vetted third parties to host and operate the Service. Subprocessors that handle PHI are bound by business associate agreements or equivalent contractual safeguards.
  • Within the Customer’s organization. Information is visible to the Customer’s Authorized Users according to the roles and permissions the Customer configures.
  • Legal requirements. We may disclose information when required by law, subpoena, or court order, or when necessary to protect rights, safety, or the integrity of the Service, consistent with HIPAA where PHI is involved.
  • Business transfers. If iAM-PT is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to this Privacy Policy and applicable BAAs.
  • With consent or at the Customer’s direction. For example, transmitting claims to payers or clearinghouses, or sending appointment reminders to patients where the Customer has enabled those features.

Current categories of subprocessors:

Category | Purpose | Examples
Cloud hosting & database infrastructure | Hosting the Service, storing Customer Data and PHI in encrypted form | Enterprise cloud providers (U.S. regions)
AI processing | Generating draft clinical documentation, goals, coding suggestions, and billing analyses from data submitted to the Service | Anthropic (Claude API)
Patient communications | Appointment reminders and patient messaging (SMS/email), where enabled by the Customer | HIPAA-eligible messaging vendors
Payment processing | Subscription billing for Customer accounts | PCI-DSS compliant payment processors
Analytics & support | Product analytics, error logging, and customer support tooling (no PHI) | Standard SaaS analytics and helpdesk tools

A current list of subprocessors is available upon request at the contact address in Section 13.

7. Data Security

We maintain administrative, physical, and technical safeguards designed to protect information against unauthorized access, use, alteration, and destruction, consistent with the HIPAA Security Rule. These include:

  • Encryption of data in transit (TLS) and at rest
  • Role-based access controls, unique user authentication, and support for multi-factor authentication
  • Audit logging of access to PHI within the Service
  • Network security controls, vulnerability management, and regular security reviews
  • Workforce confidentiality obligations and security training
  • Business associate agreements with subprocessors that handle PHI

No system can be guaranteed to be 100% secure. In the event of a breach of unsecured PHI, we will notify affected Customers without unreasonable delay in accordance with HIPAA, the HITECH Act, applicable BAAs, and state breach notification laws, including the Texas Identity Theft Enforcement and Protection Act.

8. Data Retention and Deletion

We retain Customer Data, including Patient Data, for as long as the Customer’s subscription is active and as needed to provide the Service. Upon termination of a subscription, we will return or delete Customer Data in accordance with the applicable BAA and service agreement, except where retention is required by law or where data has been de-identified in accordance with HIPAA standards.

Customers are reminded that healthcare providers have independent record-retention obligations (for example, Texas physical therapy records requirements and payer documentation rules). The Service is not intended to serve as a Customer’s sole system of record unless expressly agreed; Customers should export records they are required to retain before account closure.

9. Cookies and Website Analytics

Our public website uses cookies and similar technologies to operate the site, remember preferences, and understand how visitors use it. You can control cookies through your browser settings; disabling cookies may affect site functionality. We do not use advertising cookies that track users across third-party websites, and we honor applicable opt-out preference signals where required by law.

10. Your Privacy Rights

10.1 Patients

Patients’ rights with respect to their health records, including rights of access, amendment, and an accounting of disclosures under HIPAA, are exercised through the treating physical therapy practice. If we receive a request directly from a patient regarding PHI we process as a business associate, we will forward it to the relevant Customer and provide reasonable assistance as required by our BAA.

10.2 State Privacy Rights

Depending on your state of residence, you may have rights under state privacy laws, such as the Texas Data Privacy and Security Act or the California Consumer Privacy Act, including the right to know, access, correct, and delete personal information, and the right to opt out of certain processing. Note that PHI governed by HIPAA is generally exempt from these statutes; such information remains governed by HIPAA and the applicable BAA. To exercise applicable rights for non-PHI personal information (for example, website or account data), contact us using the information in Section 13. We will not discriminate against you for exercising your rights.

11. Children’s Privacy

The Service is intended for use by licensed professionals and their staff and is not directed to children. We do not knowingly collect personal information directly from children under 13. Patient Data relating to minors may be submitted by Customers in the course of providing care; such data is processed as PHI under the applicable BAA and in accordance with HIPAA and state law.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify Customers by email or through the Service and update the “Last Updated” date above. Continued use of the Service after the effective date of changes constitutes acceptance of the revised policy, except that no change will reduce our obligations under an executed BAA without the Customer’s agreement.

13. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact:

iAM-PT – Privacy Officer
Interactive Advanced Medicine
701 N Grant Ave, Odessa, Texas 79761
Email: in**@ia****.com    |    Phone: 432-580-3300