Skip to content

Legal Documents

All policies and documents related to doing business with Softbrik can be found here. Should any information be missing - drop us a Voice Message.

HIPAA Declaration for US Patient Records

Last revised on 28th December 2022, effective as of January 1, 2023.

Softbrik works hard to respect your privacy, starting with being transparent about what data we collect and how we use it. If you are a natural person in the United States, this HIPAA policy describes the information Softbrik OÜ, registry code 14597527, address Hobujaama tn 4, 10151 Tallinn, Harju County, and/or its wholly owned subsidiary. Softbrik Health S.a.rl., registry code B245839, address 21 Rue Glesener, L-1631, Luxembourg, common email id [], (“we” or “us”) collect from End Users (“you”) via our digital forms (the “Forms”) for health care purposes and the information we collect on behalf of our clients (“Controllers”) who employ our technology to use our messaging, analytics, and other services (the “Services”), in adherence to the Federal Privacy Regulations of the Government of United States.

1. General

Softbrik is required by the maintain the privacy of Protected Medical Information as stipulated in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) by the Federal Government of the United States for health records of all United States residents. With regard to sensitive patient information, we are required to abide by the terms of this legislation so long as it remains in effect.

If all Softbrik guidelines are followed, there should never be Protected Medical Information/Private Health Information displayed on any part of the Softbrik’s public facing website. Only bona fide users from the Controller teams can get access to your health care information. To understand how the Data is processed, please refer to the comprehensive Softbrik Data Processing Agreement

If a user belonging to any Data Controller wilfully violates our Terms of Service by sharing or posting such sensitive information, Softbrik will actively regulate such activity as appropriate and required by law, including remedial measures to address the damage.

We are committed to protecting your data, especially as it relates to your health services. Some examples of protected information include:

  • Information about your or a child’s health conditions;
  • Information about health care services you or a child have received or may receive in the future;
  • Information about you or a child’s healthcare benefits under an insurance plan;
  • Geographic information;
  • Demographic information;
  • Unique numbers that may identify you or a child; and
  • Other types of information that may identify an individual.

2. Your Rights

You have the following rights, subject to certain limitations, regarding protected medical information that CCF may maintain about you or a child under your guardianship:

2.1 Right to Inspect and Copy
You have the right to request and receive a copy of your protected medical information as long as that is not anonymized that may be used to make decisions about your care or payment for your care, including information contained within your electronic medical record and services where the data has been captured by our platform. Softbrik is strictly a data capture and bi-directional communication platform between you and your care-giver and has no direct or implicit role in any healthcare decision making.

Softbrik reserves the complete right to deny your request to inspect or receive copies in certain circumstances including projects with data anonymization, regulations around mass release of data, protected client insights and valid medical or clinical conclusions that are yet not prepared for external release. All requests must be made in writing, include the reason(s) for the request, and must be signed with bona fide verification of your identification. Once we have internally reviewed your request and approved, we will check if we have the necessary technical means to extract the data. If both approval and technical extraction means are available, we will query the information and send to you in a secure manner once your receiving identity has been verified against fraud or imposters.

2.2 Right to Amend and Correct
You have the right to request amendment and/or corrections to the protected medical information maintained by Softbrik subject to data consent policy set up for the project by the clients as Controllers of data. Often in most projects, depending on how clients set up Softbrik’s data capture mechanisms, you often have the ability yourself to submit updated information.

Softbrik is not obligated to make all requested amendments/corrections, but will give each request careful consideration. Requests can be denied if the protected medical information was not created by Softbrik, is not part of the protected medical information maintained by or for Softbrik; is not part of the protected medical information to which you have a right to access; and/or is accurate and complete as determined by Softbrik. All requests must be made in writing, include the reason(s) for the request, and must be signed.

2.3 Right to an Accounting of Disclosures
You have the right to receive an accounting of certain unusual disclosures made by Softbrik of your protected medical information for a time period of five years prior to the date of the request of accounting. Examples of disclosures include protected medical information to insurance departments, pursuant to valid legal proceedings or for law enforcement purposes. This does not include data captured for the specific clinical project by the client (controller). Any additional data sharing done by data controllers are in scope of their disclosure and accounting practices. All accounting disclosure requests must be in writing and signed.

2.4 Right to Request Restrictions
You have the right to request a restriction or limitation on the protected medical information that we use or disclose for treatment, payment or medical care initiatives. This does not include data captured for the specific clinical project by the client (controller) as the patient wilfully gives data for such project with prior knowledge. Any usage of the data prior to the request cannot be overturned and will not be retrospectively seen by this clause as a violation of the clause. All requests to restrict information must be in writing and signed.

2.5 Right to Request Confidential Communications
You have the right to request how we communicate with you about your protected medical information in a certain way or at a certain location. For example, you can ask that we contact you only by mail or at work. We will accommodate reasonable requests. Requests for confidential communications must be made in writing and signed.

2.6 Notification of Privacy Practices
You can read Softbrik’s entire privacy practices in the Legal Document section of the website. We are also always happy to answer questions using our voice message link [Below the menu on the left hand side of the website].

2.7 Use and/or Disclosure of Your Protected Medical Information

As Softbrik is a Data Capture and Communication platform used by clients for different project, it is the Controller who decides on shareability and disclosure of your Protected Medical Information. Kindly read the Privacy Policy of the Project to ascertain and consent to the Controller’s Data Disclosure mechanisms. Some usual practices of information disclosure are:

Treatment: Controller may use or disclose your protected medical information to arrange for your treatment or the coordination of your care. For example, a treating physician/psychiatrist at another facility may request your protected medical information to ensure continuity of care (i.e., transferring of service supports).

Health Care Operations: Controller may use and disclose your protected medical information for certain facility operations. These uses/disclosures are necessary to manage the facility and to monitor and improve our quality of care. For example, Controller may use/disclose your protected medical information for quality reviews, accounting, legal, risk management, insurance services, and compliance and audit functions.

Study Results: As Softbrik is a data capture platform for many different types of clinical / direct patient activities, controllers use the platform for clinical data capture and sharing. Kindly read the privacy document or consent form available with the project to understand exactly how your data will be used, stored ands shared by the controllers.

Reminders and Other Information: Softbrik may use your protected medical information to contact you to remind you about giving timely health feedback, diarisation of health routines, appointments, tracking and other necessary and convenient tasks.

Softbrik may also use or disclose your protected medical information, in most cases without your permission for the following reasons listed below:

Required by Law: Softbrik may use or disclose your protected medical information when and to the extent we are required by local, state and federal law to do so for United States based natural person residents.

Victims of Abuse/Neglect/Domestic Violence: If Softbrik participates in a project that has a component of abuse, safety or domestic violence tracking and is working with a client who is a mandated reporting agency, and therefore required by law to disclose protected medical information of any client whom we reasonably believe is a victim of abuse or neglect.

Judicial and Administrative Proceedings: Softbrik may disclose your protected medical information in response to a court order, subpoena or administrative request. Efforts will be made to contact you about the request or to obtain an order agreement protecting the information.

Commitment Proceedings: As part of any involuntary commitment proceedings, the judge may direct that the court or mental medical review officer assigned under the Mental Medical Procedures Act have access to your protected medical information for purposes of conducting the hearing.

To Avert Serious Threat to Medical/Safety: Softbrik may use or disclose information when necessary to prevent a serious threat to your or a child’s medical/safety or the medical/safety of another person or the public. Any disclosure, however, will be made to someone who may be able to help prevent the threat.

Public Health Activities: Softbrik may disclose your protected medical information for public health purposes to an authority (i.e., Centres for Disease Control, Food and Drug Administration) that is legally authorized to collect or receive your protected medical information for the purpose of preventing or controlling disease, injury or disability, including but not limited to the reporting of a communicable disease, births, and deaths.

Health Oversight Activities: Softbrik may disclose your protected medical information to a health oversight agency for activities authorized by law such as audits, investigations, licensing, and inspections. These activities are necessary for government oversight of the health care system, government payment or regulatory programs, and compliance with civil rights laws.

Research: Softbrik may use or disclose your protected medical information for research purposes provided that the researcher adheres to certain privacy protections and only after special approval process that protects safety/confidentiality.

Coroners, Funeral Directors and Organ Donation: Softbrik may disclose your protected medical information to a coroner or medical examiner for identification purposes, cause of death determinations, organ donation, and related reasons. Protected medical information may also be disclosed to funeral directors as needed to in order that may carry out their duties.

Disaster/Emergency Relief: Softbrik may disclose your protected medical information to an organization assisting in a disaster/emergency relief effort(s) to assist in notification and general condition to family as others involved in your care (i.e., Red Cross, City of New York Emergency Management Team).

De-identifying Information: CCF may use your medical health information by removing any information that could be used to readily identify you.2

2.8   Use and Disclosures that Require Your Written Consent

Softbrik will not use or disclose any of your protected medical information unless you sign a written authorization for a particular client who as the Data Controller gives us, the Data Processor, permission to do so, with the exception of those instances listed above. The following list contains the types of uses and disclosures that require your written authorization:

Marketing Communications: Softbrik will not disclose your protected medical information for marketing purposes to 3rd parties or sell your protected medical information without your authorization. Softbrik will use and disclose protected medical information other than described in this Notice only with your written authorization. In some situations, federal and state laws provide special protection for certain kinds of health information such as information about drug and/or alcohol abuse treatment, mental health or illness, HIV/AIDS, and sexually transmitted diseases. Softbrik will not use or disclose that specifically protected information without your written consent as required by law.

2.9      Revocation of Authorization

You may revoke your prior authorizations to use or disclosed protected medical information in writing, at any time, depending on the Privacy clause of that project. If you revoke your authorization, the Data Controller will no longer use or disclose your protected medical information with the exception of information has already been used or disclosed or any action taken before receipt of the revocation. Authorization for purposes related to obtain insurance may not be revoked.

2.10      Exercising Your Rights

If you have questions about this HIPAA declaration, or wish to exercise any of the rights outlined herein, please contact us via voice message from the left tab or email at  If you believe your privacy rights have been violated, you may file a complaint with Softbrik within 180 days of a violation of your rights on the email mentioned above.

All complaints must be made in writing. There will be no retaliation for filing a complaint.

You can further submit your complaint to:
U.S. Department of Health and Human Services
Office of Civil Rights
200 Independence Avenue,
Washington, D.C. 20201


3. Which Other Privacy Laws do we cover?

Softbrik covers a host of European and international Privacy best practices.

3.1  Applicable data protection legislation – any applicable legislation relating to data protection and security, including the

  1. European Directive on Privacy and Electronic Communications (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector)
  2. General Regulation on the Protection of Personal Data or GDPR (Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC) and their amendments, replacement, or extensions (hereinafter together referred to as “EU legislation”), These include health care related provisions and patient rights as termed as ‘Medical GDPR’.
  3. All binding national laws within European Union implementing EU law and other binding data protection or data security directives, laws, regulations, and decisions in force at the relevant time for general and healthcare specific situations.
  4. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) As per the Federal Government of the United States pertaining to healthcare data and patient rights for natural persons residing in the United States.

3.2 Softbrik participates in and complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. Softbrik’s accountability for personal data that it receives under the Privacy Shield and subsequently transfers to a third party is described in EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Frameworks.

4. Contact US

For further understanding kindly read our Privacy Policy in details and contact us with any further questions by email: