OpenScope Health, Inc. — Privacy Policy
Effective Date: March 14, 2026
This Privacy Policy describes how OpenScope Health, Inc. ("OpenScope," "we," "us," or "our") collects, uses, discloses, and protects information when you use our practice management and telemedicine platform (the "Platform"). OpenScope operates as a Management Services Organization ("MSO") providing technology and administrative services to independent healthcare providers ("Providers").
1. Our Role
OpenScope is a technology company that provides software tools enabling independent healthcare Providers to deliver telemedicine and direct primary care services. OpenScope does not itself provide medical care, establish doctor–patient relationships, or make clinical decisions.
As a Business Associate under HIPAA, we handle Protected Health Information ("PHI") only as necessary to provide our technology services to Providers, and we do so in accordance with our Business Associate Agreements ("BAAs") with each Provider.
2. Information We Collect
A. Patient Information (Collected on Behalf of Providers)
When you use the Platform as a patient of a Provider, the following information may be collected and maintained by your Provider through our Platform:
- Identity Information: Name, date of birth, gender, photograph
- Contact Information: Email address, phone number, mailing address
- Health Information: Medical history, symptoms, diagnoses, treatment plans, prescriptions, lab results, clinical notes, and other PHI
- Insurance and Billing Information: Insurance carrier and policy details, payment card information, billing records
- Telehealth Session Data: Audio, video, and chat communications during virtual visits
Your Provider is the "Covered Entity" under HIPAA responsible for this information. OpenScope processes it solely on the Provider's behalf under our BAA. For questions about how your health information is used, please contact your Provider directly or refer to their Notice of Privacy Practices.
B. Provider Information
When healthcare Providers use the Platform, we collect:
- Professional Information: Name, NPI number, medical license details, DEA registration, specialty, practice information
- Account Information: Login credentials, contact information, billing and payment details
- Usage Data: Platform feature usage, session logs, and support interactions
C. Website Visitor Information
When you visit our marketing website or request a demo, we collect:
- Contact Information: Name, email, phone number, practice name
- Technical Data: IP address, browser type, device information, cookies, and session data
- Analytics Data: Page views, click patterns, and referral sources
3. How We Use Information
A. Patient PHI (On Behalf of Providers)
We process patient PHI only as directed by the Provider and as permitted under our BAA, including to:
- Operate and maintain the telemedicine platform
- Enable scheduling, messaging, and virtual visit functionality
- Process prescriptions and lab orders
- Generate billing and claims documentation
- Provide technical support to the Provider
- Maintain audit logs as required by law
B. Provider and Business Information
We use Provider information to:
- Create and manage Platform accounts
- Verify professional credentials and licensure
- Process subscription payments
- Provide customer support and training
- Send service-related communications
- Improve Platform features and functionality
- Comply with legal and regulatory requirements
C. Website Visitor Information
We use website visitor information to:
- Respond to demo requests and inquiries
- Send marketing communications (with consent)
- Analyze website traffic and improve our marketing site
- Personalize your browsing experience
4. How We Share Information
We do not sell personal information or PHI. We share information only in the following circumstances:
- With Providers: Patient data is accessible to the Provider who maintains the patient relationship
- Service Providers: We use trusted vendors to operate the Platform (see Section 7). These vendors are bound by contractual obligations and, where applicable, BAAs
- Legal Requirements: We may disclose information when required by law, subpoena, court order, or government request
- Business Transfers: In the event of a merger, acquisition, or sale of assets, information may be transferred to the successor entity, subject to the same privacy protections
- De-Identified Data: We may use and share fully de-identified, aggregated data for analytics, benchmarking, and research purposes. This data cannot be used to identify any individual
5. HIPAA Compliance
OpenScope is a Business Associate under the Health Insurance Portability and Accountability Act ("HIPAA"). We maintain BAAs with all Providers who use our Platform and with all downstream vendors who may access PHI. Our HIPAA compliance program includes:
- Designated Privacy and Security Officers
- Workforce training on HIPAA requirements
- Written policies and procedures for PHI handling
- Regular risk assessments and security audits
- Breach notification procedures in compliance with the HIPAA Breach Notification Rule
- Minimum necessary standard for PHI access and use
6. Data Security
We implement administrative, technical, and physical safeguards to protect information, including:
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access Controls: Role-based access, multi-factor authentication, and unique user identification
- Audit Logging: Comprehensive logging of all access to PHI
- Infrastructure Security: SOC 2-compliant hosting, network segmentation, intrusion detection
- Incident Response: Documented breach response and notification procedures
- Business Continuity: Regular backups, disaster recovery planning, and uptime monitoring
No system is 100% secure. If you believe your information has been compromised, contact us immediately at security@openscopehealth.com.
7. Third-Party Services
We rely on trusted third-party services to operate the Platform:
| Category | Purpose |
| --- | --- |
| Cloud Hosting & Infrastructure | Application hosting, database services, content delivery |
| Payment Processing | Subscription billing and payment card processing |
| Communication Services | Email delivery, SMS notifications, video conferencing |
| Analytics | Anonymized website analytics and product usage metrics |
| Credential Verification | Provider license and NPI verification |
All vendors with access to PHI are bound by BAAs. A current list of sub-processors is available upon request.
8. Data Retention
- Patient PHI: Retained for the duration of the Provider's use of the Platform and in accordance with the Provider's retention policies and applicable state medical record retention laws. Upon termination of a Provider's account, PHI is returned or securely destroyed in accordance with our BAA
- Provider Account Data: Retained for the duration of the Provider's subscription and for a reasonable period afterward for legal and audit purposes
- Website Visitor Data: Marketing and analytics data is retained for up to 24 months
9. Your Rights
Patients
Your rights regarding your health information are governed by HIPAA and applicable state law. You may exercise these rights by contacting your Provider directly. These rights may include:
- Access to your medical records
- Request corrections to your health information
- Request restrictions on certain uses or disclosures
- Receive an accounting of disclosures
- File a complaint with your Provider or the U.S. Department of Health and Human Services
California Residents
Under the California Consumer Privacy Act ("CCPA"), California residents have additional rights regarding personal information that is not PHI, including the right to know, delete, and opt out of the sale of personal information. Note that PHI handled under HIPAA is exempt from the CCPA.
Website Visitors
You may opt out of marketing communications at any time by clicking "unsubscribe" in any marketing email or by contacting us at legal@openscopehealth.com.
10. Children's Privacy
The Platform is not intended for use by individuals under the age of 18 except as patients under the care of a Provider who has obtained appropriate parental or guardian consent. We do not knowingly collect personal information from children without such consent.
11. SMS and Phone Communications
If you communicate with us or your Provider via phone or text message through the Platform, we may collect the phone number, message content, and related metadata. Patients may opt out of SMS notifications at any time by replying STOP. Message and data rates may apply.
12. International Users
The Platform is operated in the United States and is intended for use by Providers licensed to practice in the United States. By using the Platform, you consent to the processing and storage of information in the U.S., where privacy laws may differ from those in your jurisdiction.
13. Changes to This Policy
We may update this Privacy Policy at any time. Material changes will be communicated to Providers via email or in-Platform notification. The updated policy will be posted with a new Effective Date. Continued use of the Platform after changes constitutes acceptance.
14. Contact Information
For privacy inquiries:
- Email: legal@openscopehealth.com
- Security Issues: security@openscopehealth.com
- Mail: OpenScope Health, Inc., 1900 Gough St #701, San Francisco, CA 94109