Rosegard Health

Privacy Policy

Last updated: April 22, 2026

SMS / Mobile information sharing: Rosegard Health does not sell or share mobile phone numbers, SMS opt-in data, or text-messaging consent information with third parties or affiliates for marketing or promotional purposes. Mobile opt-in data and consent will not be shared with any third parties, except with messaging service vendors strictly to deliver the SMS messages you have agreed to receive. No mobile information is shared for marketing purposes under any circumstances.

1. Overview

Healthcare Venture Group Inc., doing business as Rosegard Health ("we," "us," or "our"), operates PATFlow™, a clinical decision support platform for preoperative coordination (the "Service"). This Privacy Policy describes how we collect, use, store, and protect information — including Protected Health Information ("PHI") — when you use the Service. This policy applies to all users of PATFlow, including healthcare professionals, facility administrators, and patients who interact with the Service through intake forms or communications.

Rosegard Health operates as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") when processing PHI on behalf of Covered Entities. Our obligations regarding PHI are governed by the HIPAA Privacy Rule, the HIPAA Security Rule, the HITECH Act, and the terms of our Business Associate Agreements ("BAAs") with Covered Entities.

2. Information We Collect

Account Information

When a facility administrator creates user accounts, we collect the user's name, email address, professional role, and facility assignment. User passwords are cryptographically hashed using bcrypt and are never stored in plaintext.

Protected Health Information (PHI)

In the course of providing preoperative clinical decision support, PATFlow processes PHI entered by authorized clinical users on behalf of their facility (the Covered Entity). This may include patient demographics, medical history and ICD-10 diagnoses, current medications, laboratory values and vital signs, surgical procedure details and risk classification, specialist clearance documentation, and phone numbers for care coordination. All PHI is processed and stored in accordance with HIPAA requirements and the terms of our BAA with the applicable Covered Entity.

Usage and Technical Data

We collect technical data necessary for operating and securing the Service, including session identifiers, IP addresses (for audit logging and security monitoring), browser user agents, and aggregate usage metrics. Error reports are logged with PHI-safe redaction applied automatically.

3. How We Use Information

We use the information we collect to provide and operate the Service, process preoperative assessments using our deterministic, guideline-based clinical rule engine, send transactional emails and SMS messages related to clinical coordination, maintain audit trails as required by HIPAA, monitor for security incidents, and respond to support inquiries from authorized facility users.

We use PHI only as permitted or required by our BAAs and applicable law. We do not sell, rent, or share PHI or personal information with third parties for marketing purposes. We do not use PHI or clinical case data for advertising, profiling, or model training. All communications sent via email or SMS are strictly transactional and related to healthcare coordination — we do not send marketing or promotional messages.

4. HIPAA Compliance and PHI Safeguards

As a Business Associate, Rosegard Health implements administrative, technical, and physical safeguards to protect PHI in accordance with the HIPAA Security Rule (45 CFR Part 164, Subpart C):

For a detailed description of our security controls, see our Security & Compliance Overview.

5. Business Associate Agreements

Rosegard Health executes a Business Associate Agreement (BAA) with each Covered Entity prior to processing PHI through the Service. The BAA establishes the permitted uses and disclosures of PHI, our safeguard obligations, breach notification requirements, and the rights and responsibilities of both parties in accordance with 45 CFR §164.504(e). We also maintain BAAs with our sub-processors who may have access to PHI, including Amazon Web Services. To request a BAA, contact security@rosegard.com.

6. Clinical Processing (No Third-Party AI)

PATFlow's preoperative clinical decision support is entirely deterministic and guideline-based. A logical rule engine evaluates structured inputs against published guidelines and facility-configured policy. PATFlow does not use artificial intelligence, machine learning, or large language models to infer clinical conclusions, modify rule logic, or influence care pathways. Patient data and clinical case information are not sent to third-party AI or generative-AI services for processing, summarization, or training.

7. Third-Party Service Providers (Sub-Processors)

We use the following third-party service providers to operate the Service:

Sub-processors who may access PHI are bound by BAAs or data processing agreements. A current list of sub-processors and their BAA status is maintained internally and is available to Covered Entities upon request. No sub-processor is authorized to use phone numbers, mobile information, or SMS opt-in data for marketing or promotional purposes.

8. Communications and Consent

SMS / Text Messages

PATFlow may send SMS (text) messages to patients and healthcare providers for care coordination purposes, including intake invitations, pre-procedure reminders, and pre-operative instructions. All SMS communications are strictly transactional and related to healthcare coordination — no marketing or promotional messages are sent.

How consent is obtained. SMS consent is obtained through documented verbal confirmation by the care team with the patient at the time the patient is enrolled in pre-admission coordination. The care team reads a disclosure script that identifies Rosegard Health / PATFlow as the sender, describes the type and purpose of the messages, states that message and data rates may apply, and explains how to opt out. The patient's verbal consent (or refusal) is recorded in the system with timestamp and audit trail before any messages are sent. Providing a mobile phone number does not by itself imply consent to receive SMS messages.

Message frequency. Message frequency varies based on the patient's scheduled procedure and care needs (typically 1–6 messages per surgical episode).

Message and data rates. Standard message and data rates from the recipient's wireless carrier may apply.

Opt out. Recipients may opt out of SMS messages at any time by replying STOP to any message. After opting out, no further SMS messages will be sent to that number unless consent is renewed. For help, recipients may reply HELP or contact support@rosegard.com.

No sharing of mobile information. Phone numbers and SMS opt-in / consent data are stored securely and are used solely for transactional healthcare communications. Phone numbers may be transmitted to HIPAA-eligible messaging service providers (covered under applicable BAAs) solely for the purpose of delivering SMS messages you have consented to receive. Mobile information, including phone numbers and SMS opt-in / consent data, will not be sold, rented, shared, or disclosed to third parties or affiliates for marketing or promotional purposes under any circumstances.

Email Communications

Transactional emails related to account activity, clinical coordination, and pre-operative instructions are sent to registered users and patients as part of the Service. These are not marketing communications and are necessary for the operation of the Service. Email delivery is handled by a HIPAA-eligible email provider, covered under an applicable BAA.

9. Breach Notification

In the event of a breach of unsecured PHI, Rosegard Health will notify affected Covered Entities without unreasonable delay and no later than five (5) business days after discovery, as required by our Business Associate Agreements and in accordance with the HIPAA Breach Notification Rule (45 CFR §§164.400-414) and the HITECH Act. For security incidents or concerns, contact security@rosegard.com.

10. Data Retention

Clinical case data is retained in accordance with the applicable BAA and the Covered Entity's data retention requirements. The default retention period is 7 years, consistent with standard medical record retention guidelines. Audit logs are retained for a minimum of 6 years, consistent with 45 CFR §164.530(j). Upon termination of a BAA, PHI is returned or destroyed in accordance with 45 CFR §164.504(e)(2)(ii)(I), except where retention is required by law.

11. Data Security

We implement administrative, technical, and physical safeguards to protect PHI in accordance with the HIPAA Security Rule, including encrypted connections (TLS/HTTPS), encryption at rest (AES-256), hashed passwords (bcrypt), role-based access controls, facility-level data isolation, multi-factor authentication, session management controls, rate limiting, CSRF protection, and Content Security Policy headers. While we implement comprehensive security measures consistent with industry standards and HIPAA requirements, no method of electronic transmission or storage is 100% secure.

12. Individual Rights

Under HIPAA, individuals have rights regarding their PHI. Because Rosegard Health processes PHI as a Business Associate on behalf of Covered Entities, requests to exercise these rights should be directed to the applicable Covered Entity (the healthcare facility using PATFlow). We will cooperate with Covered Entities to fulfill individual rights requests as required by our BAAs and applicable law, including right of access, right to request amendment, right to an accounting of disclosures, right to request restrictions, and right to receive confidential communications.

13. Cookies and Session Data

We use essential session cookies to maintain your authenticated state while using the Service. These cookies are HttpOnly, Secure, and SameSite=Strict. They are necessary for the operation of the platform and are not used for tracking or advertising. We do not use third-party advertising cookies or analytics trackers.

14. Children's Privacy

PATFlow user accounts are intended for use by healthcare professionals and authorized clinical staff. The Service is not directed at individuals under the age of 18. While PATFlow may process clinical data for pediatric patients as part of preoperative coordination (entered by authorized clinical staff on behalf of the Covered Entity), we do not knowingly collect personal information directly from children.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will notify Covered Entities and registered users of material changes via email or through the Service at least 30 days before the changes take effect.

16. Contact

Rosegard Health Privacy Office
Healthcare Venture Group Inc. DBA Rosegard Health
Email: privacy@rosegard.com
Security inquiries: security@rosegard.com
General support: support@rosegard.com