CareSwaps, LLC d/b/a PatientSwaps ("Company," "we," "us," or "our") respects the privacy of all users of the PatientSwaps Platform and is committed to protecting personal information and Protected Health Information (PHI) in accordance with applicable federal and state privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA), the Colorado Privacy Act (CPA), and the California Consumer Privacy Act (CCPA).
This Privacy Policy describes the types of information we collect, how we use it, our security practices, and the rights you have regarding your information. This policy applies to all facilities, authorized users, and individuals whose information is processed through the PatientSwaps Platform.
We collect information in two primary categories: Protected Health Information (PHI) and Non-Protected Information.
PHI is information that can identify a specific patient and relates to healthcare treatment, payment, or operations. We collect PHI only as necessary to provide Platform services on behalf of facilities. PHI includes:
When PHI is Collected: PHI is collected when a facility submits a matching algorithm query that includes patient information to identify appropriate transfer options. We do not proactively collect PHI. Facilities determine what information to share with the Platform.
We collect operational and facility information that does not identify patients or protected individuals:
When facility staff create PatientSwaps user accounts, we collect:
We automatically collect information about how users interact with the Platform:
We use PHI exclusively to provide the Platform services on behalf of facilities that authorize PHI sharing. Permitted uses include:
No Secondary Uses: We do not use PHI for marketing, research, analytics, or any purpose other than providing the Platform services, unless the facility provides explicit additional authorization.
Non-PHI facility and operational data is used to:
User account information is used to:
Technical data is used to:
For facilities covered by HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and 164), PatientSwaps is a Business Associate of the facility and maintains a Business Associate Agreement (BAA) with each facility client. The BAA is incorporated by reference and governs the handling of PHI.
Under our BAA, PatientSwaps may disclose PHI to destination facilities as instructed by the referring facility. All disclosures are:
PatientSwaps may use Sub-Business Associates (vendors and service providers) to support Platform operations. All Sub-Business Associates execute Business Associate Agreements with PatientSwaps or the facility and are subject to the same HIPAA restrictions.
Current Sub-Business Associates (as of March 2026):
| Service Provider | Service Type | PHI Access | BAA Status |
|---|---|---|---|
| Google Workspace (Gmail, Sheets, Drive, Apps Script) | Email, cloud storage, automation | Yes — PHI for email communication | BAA executed |
| Jotform | Form processing and data collection | Yes — PHI intake forms | HIPAA Gold, BAA executed |
| Paubox | Encrypted email transmission | Yes — Outbound PHI email | BAA executed |
| Airtable | De-identified database | No — De-identified only | Not required |
| Make.com | Workflow automation | No — De-identified IDs only | Not required |
| Stripe | Payment processing | No — Limited to subscription ID | Exempt |
Note on De-Identification: Airtable and Make.com do not maintain BAAs because they receive only de-identified data. Under HIPAA (45 CFR § 164.514(b)), de-identified data is not Protected Health Information and is not subject to HIPAA requirements. Data provided to these platforms includes facility names, swap IDs, bed counts, and dates — but never resident names, contact information, diagnoses, or other individual identifiers. De-identification controls are verified through quarterly audits.
We maintain a current list of all Sub-Business Associates. You may request this list by contacting privacy@patientswaps.com.
All PatientSwaps data, including PHI, is stored on servers located in the United States. We do not transfer PHI outside the United States without explicit facility authorization and compliance with HIPAA transfer requirements.
We protect all information using industry-standard security measures:
PatientSwaps de-identifies data for purposes that do not require patient-level information. De-identified data is derived by removing or obscuring all identifiers and is used for:
De-Identification Standard: Data is de-identified under the HIPAA de-identification standard, 45 C.F.R. § 164.502(b), by removing all 18 HIPAA identifiers and ensuring that the risk of re-identification is very small.
De-identified data is not subject to HIPAA restrictions and may be used and disclosed by PatientSwaps without facility authorization.
PatientSwaps retains information only as long as necessary to provide services or as required by law:
Facilities may request deletion of their data at any time. PatientSwaps will delete requested data within 30 days, except as required by law or unless a legal hold is in place.
The PatientSwaps Platform uses cookies and similar tracking technologies to:
We use Google Analytics to understand how users interact with the Platform. Google Analytics collects anonymized data about page views, feature usage, and user engagement. Google does not use this data to identify individual users and does not have access to PHI or user account information.
Users can control cookie settings through their browser. Most browsers allow you to refuse cookies or alert you when cookies are being sent. However, disabling essential cookies may prevent you from using the Platform.
PatientSwaps uses third-party services to operate the Platform. Each vendor is subject to a Business Associate Agreement (if they process PHI) or a Data Processing Agreement (if they process non-PHI data). Vendors include:
All third-party vendors are prohibited from using data for their own purposes and are bound by confidentiality agreements.
Facilities may request integration with their existing Electronic Health Records (EHR) or healthcare information systems. PatientSwaps can facilitate these integrations and will execute appropriate data sharing agreements with the facility's vendor.
PatientSwaps operates as a HIPAA Business Associate, not a Covered Entity. Individual HIPAA rights with respect to Protected Health Information are exercised through the referring healthcare facility (the Covered Entity), which is the entity responsible for responding to individual rights requests under HIPAA. To exercise an individual HIPAA right, contact the facility's privacy officer or medical records department. To file a complaint regarding HIPAA privacy practices, contact the HHS Office for Civil Rights at ocrmail@hhs.gov or 1-800-368-1019.
Under the Colorado Privacy Act (CPA), Colorado residents have the following rights:
Under the CCPA, California residents have rights similar to the CPA, including rights to know, access, delete, and opt-out of the sale of personal information.
To exercise any of these rights, contact us at privacy@patientswaps.com or submit a request through our web form at patientswaps.com/privacy-request. We will respond to all verified requests within 30 days (45 days for HIPAA access requests).
The PatientSwaps Platform is designed for use by healthcare facilities and facility staff only. We do not intentionally collect information from children under the age of 13. If we become aware that a child under 13 has provided information through the Platform, we will delete that information promptly. Parents or guardians who believe their child has provided information to PatientSwaps should contact privacy@patientswaps.com immediately.
Colorado residents have the following rights under the Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.):
PatientSwaps does not "sell" or "share" (as defined by the CPA) personal information without explicit facility authorization. Facilities may request a full accounting of data handling practices at any time.
California residents have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including rights to know, access, delete, correct, and opt-out of sale of personal information.
To exercise privacy rights under Colorado or California law, submit a verified request to privacy@patientswaps.com. We will respond to all verified requests within 30-45 days and will not discriminate against individuals for exercising their privacy rights.
PatientSwaps reserves the right to modify this Privacy Policy at any time. Material changes will be communicated to facilities with 30 days' written notice. Continued use of the Platform following notification of changes constitutes acceptance of the modified policy.
PatientSwaps maintains a version history of this Privacy Policy with effective dates. The current version is always available at patientswaps.com/privacy. Facilities may request prior versions by contacting privacy@patientswaps.com.
This Privacy Policy is governed by federal law including HIPAA (45 CFR Parts 160 and 164) and applicable state law including the Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.) and Colorado Medicaid Anti-Kickback provisions (C.R.S. § 24-31-809).
For questions or concerns regarding privacy practices, contact PatientSwaps' Privacy Contact:
If you believe your privacy rights have been violated, you may file a complaint with: