
Patient Access API Privacy Addendum

This Patient Access API Privacy Addendum ("Addendum") supplements and forms part of Bindbee's Privacy Policy, publicly available at bindbee.dev/policies/privacy-policy. It governs the collection, use, processing, and disclosure of health information accessed through Bindbee's Patient Access API services and is issued in accordance with the requirements of the CARIN Alliance Code of Conduct and the ONC Model Privacy Notice framework.

To the extent of any conflict between this Addendum and the general Privacy Policy with respect to Patient Access API data, this Addendum controls.

Definitions

Capitalized terms not otherwise defined in this Addendum have the meanings ascribed to them in the Agreement and the Privacy Policy. As used in this Addendum:

"Agreement" The Master Services Agreement or other written agreement between Bindbee and the applicable Data Controller governing use of the Services.
"BAA" A HIPAA Business Associate Agreement executed between Bindbee and a Data Controller, pursuant to 45 C.F.R. §§ 164.308(b), 164.314(a), and 164.504(e).
"CARIN Code of Conduct" The CARIN Alliance Code of Conduct for consumer-directed exchange of health information, as published and amended from time to time at carinalliance.com.
"Data Controller" The licensed health plan, third-party administrator (TPA), benefits platform, or broker that has engaged Bindbee under the Agreement and that determines the purposes and means of processing Patient Health Data.
"HIPAA" The Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations at 45 C.F.R. Parts 160 and 164.
"ONC MPN" The Office of the National Coordinator for Health Information Technology Model Privacy Notice framework.
"Patient Access API" Bindbee's API services that access, route, or transmit Patient Health Data from payer and carrier systems using FHIR-based standards, as further described in the applicable Order Form or Statement of Work.
"Patient Health Data" Protected Health Information (as defined under HIPAA), including but not limited to health plan enrollment and eligibility data, claims and Explanation of Benefits data, clinical information, and benefits cost and coverage data, processed by Bindbee on behalf of a Data Controller through the Patient Access API.
"PHI" Protected Health Information as defined under 45 C.F.R. § 160.103.

Scope and Application

2.1  This Addendum applies solely to the processing of Patient Health Data by Bindbee acting as a Business Associate and data processor on behalf of a Data Controller in connection with the Patient Access API.

2.2  This Addendum does not apply to Bindbee's processing of customer personal data under the general Data Processing Addendum (available at bindbee.dev/policies/data-processing-addendum), which continues to govern Bindbee's B2B data processing activities unrelated to Patient Access APIs.

2.3  The Data Controller is solely responsible for ensuring that any patient consent, authorization, or other lawful basis required for Bindbee to process Patient Health Data on the Data Controller's behalf has been obtained prior to activating any Patient Access API integration.

Bindbee's Role and Obligations

3.1  Bindbee acts exclusively as a HIPAA Business Associate and data processor with respect to Patient Health Data. Bindbee does not determine the purposes or means of processing Patient Health Data and does not act as a data controller or Covered Entity with respect to such data.

3.2  Bindbee shall process Patient Health Data only: (a) pursuant to documented instructions from the applicable Data Controller; (b) to the minimum extent necessary to fulfill an authorized Patient Access API request; and (c) in strict accordance with the applicable BAA.

3.3  Bindbee shall not sell, lease, exchange, or otherwise transfer Patient Health Data to any third party for monetary or other consideration.

3.4  Bindbee shall not use Patient Health Data for advertising, marketing, product development, internal analytics, or any secondary purpose not expressly authorized by the Data Controller in writing.

3.5  Bindbee shall immediately notify the Data Controller if, in Bindbee's reasonable opinion, a Data Controller instruction would cause Bindbee to violate HIPAA, the CARIN Code of Conduct, or any applicable law.

Data Architecture and Security

4.1  Zero-Persistence Architecture.  Bindbee operates a pass-through architecture for Patient Health Data. All Patient Health Data is processed exclusively in volatile memory during the active API transit window and is permanently destroyed upon completion of payload delivery. Bindbee does not write Patient Health Data to persistent storage, databases, or backup systems at any point.

4.2  Operational Audit Logs.  Bindbee retains operational audit logs as required by 45 C.F.R. § 164.312(b) and Bindbee's SOC 2 Type II obligations. These logs are restricted to API access timestamps, system-generated request identifiers, HTTP status codes, and system event records. Audit logs do not contain, and are expressly designed to exclude, any Patient Health Data or PHI payload content. Audit logs are retained for twelve (12) months and then hard-deleted on a defined schedule.

4.3  Security Safeguards.  Bindbee implements and maintains administrative, physical, and technical safeguards consistent with HIPAA Security Rule requirements and Bindbee's SOC 2 Type II controls, including: (a) TLS 1.3 encryption for data in transit; (b) AES-256 encryption for data at rest; (c) OAuth 2.0 authorization with short-lived scoped tokens; (d) Role-Based Access Control and Multi-Factor Authentication for all infrastructure access; and (e) annual third-party penetration testing and vulnerability assessments.

CARIN Code of Conduct Compliance

5.1  Attestation.  Bindbee has attested to the CARIN Alliance Code of Conduct. The following clauses describe Bindbee's implementation of each CARIN principle with respect to the Patient Access API.

5.2  Transparency.  Bindbee publicly discloses its data handling practices for Patient Access APIs in this Addendum and the general Privacy Policy. Data Controllers are required by contract to make these disclosures accessible to their end users.

5.3  Data Use Limitation.  Patient Health Data is processed solely for the specific purpose for which the Data Controller authorized the applicable API integration. Use for advertising, sale, secondary analytics, or any purpose not authorized at integration activation is prohibited under Section 3 above and contractually binding on all Bindbee personnel and sub-processors.

5.4  Data Minimization.  Bindbee's zero-persistence architecture, described in Section 4.1, together with request-scoped routing, constitutes the technical implementation of data minimization. Only the data elements specifically requested in the authorized API call are retrieved and routed, and such data is destroyed immediately upon delivery.

5.5  Individual Access and Control.  Because Bindbee does not store Patient Health Data, individual access, correction, and deletion rights with respect to underlying health records must be exercised with the Data Controller. Bindbee supports the exercise of such rights by: (a) immediately revoking all API access credentials and authentication tokens upon notification of consent withdrawal or account closure by the Data Controller; and (b) providing written confirmation of revocation to the Data Controller within forty-eight (48) hours.

5.6  Accountability.  Kunal Tyagi, Chief Technology Officer, serves as Bindbee's Data Protection Officer and is accountable for compliance with this Addendum and the CARIN Code of Conduct ([email protected]). Bindbee's compliance posture is reviewed annually by an independent third-party auditor as part of the SOC 2 Type II audit cycle.

5.7  Change of Control.  In the event of an acquisition, merger, or sale of substantially all assets that would materially affect how Patient Health Data is processed, Bindbee will: (a) provide formal written notice to all Data Controllers no later than thirty (30) days prior to the effective date; and (b) offer each Data Controller the election of: (i) secure data transfer to the Data Controller or its designated successor; (ii) written certification of permanent destruction of all associated data; or (iii) account closure with immediate revocation of all API credentials, consistent with CARIN Code of Conduct requirements.

Patient-Facing Disclosures (ONC Model Privacy Notice)

The following disclosures are provided in plain language per the ONC Model Privacy Notice framework for the benefit of patients and plan members whose health information may be processed through the Patient Access API.

What information does Bindbee process?

Bindbee processes health information that your health plan, third-party administrator (TPA), or benefits provider has authorized it to retrieve on your behalf. This may include enrollment and eligibility data, claims and Explanation of Benefits data, clinical information, and benefits cost and coverage data. Bindbee does not collect health information directly from patients.

How is it used?

Solely to route your health information from its source system to your benefits provider's application, as instructed by that benefits provider. Bindbee does not use your health information to build profiles, serve advertisements, conduct research, or improve its own services.

Who does Bindbee share it with?

Only with the specific benefits platform or TPA that your health plan has authorized, and only for the purpose for which you authorized the connection. Bindbee does not share your health information with advertisers, data brokers, or other Bindbee clients.

How long does Bindbee keep it?

Your health information is not stored. It is processed in memory and destroyed upon delivery. Operational metadata (timestamps, request IDs — no health content) is retained for twelve (12) months then permanently deleted.

How can you access, correct, or delete your health information?

Bindbee does not hold your health records. Requests to access, correct, or delete your underlying health data must be directed to your health plan, TPA, or benefits provider. To inquire about any operational data Bindbee may hold, submit a Data Subject Rights request to [email protected]. Bindbee will respond within thirty (30) days.

How does Bindbee protect your information?

Through TLS 1.3 encryption in transit, AES-256 encryption at rest, OAuth 2.0 authorization, Role-Based Access Control, and annual independent security assessments aligned with HIPAA Security Rule and SOC 2 Type II requirements.

How will you be notified of policy changes?

Bindbee will update this Addendum with a revised effective date and notify all affected Data Controllers by email. Data Controllers are contractually required to notify their end users of any material change. If a change would alter how already-collected data is processed, renewed consent will be required before continued processing.

How can you contact Bindbee?

Kunal Tyagi, Data Protection Officer — [email protected] — Bindbee Inc., 8 The Green, Ste A, Dover, DE 19901.

Breach Notification

7.1  In the event of a Security Incident (as defined under 45 C.F.R. § 164.304) or a Breach of Unsecured PHI (as defined under 45 C.F.R. §§ 164.400–414), Bindbee shall notify the affected Data Controller without unreasonable delay, and in no event later than thirty (30) calendar days following discovery, with the information required under 45 C.F.R. § 164.410.

7.2  Bindbee shall cooperate fully with the Data Controller in fulfilling the Data Controller's HIPAA breach notification obligations to affected individuals, the Department of Health and Human Services, and, where applicable, the media.

7.3  Bindbee shall provide meaningful remedies to address harms caused by unauthorized access, use, or disclosure of Patient Health Data, including indemnification obligations as specified in the applicable BAA.

8.1  Updates.  Bindbee may update this Addendum from time to time. Material changes will be communicated to Data Controllers no less than thirty (30) days before taking effect. Continued use of the Patient Access API after the effective date of an update constitutes acceptance of the updated Addendum by the Data Controller.

8.2  Revalidation.  Any material change to Bindbee's application version, this Addendum, the Privacy Policy, Terms of Service, or data security practices will require resubmission of any active carrier developer portal application for revalidation, as required by the applicable carrier or payer.

8.3  Relationship to Other Agreements.  This Addendum supplements and does not replace the BAA or the Data Processing Addendum. In the event of a conflict among these documents with respect to Patient Health Data, the order of precedence shall be: (i) the BAA; (ii) this Addendum; (iii) the Data Processing Addendum; (iv) the Privacy Policy.

8.4  Governing Law.  This Addendum shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of laws principles, except to the extent superseded by applicable federal law (including HIPAA).