HIPAA Privacy Policy

Last updated: April 2025

CME Trail Inc. ("we", "our", "us") is committed to protecting the privacy and security of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the HITECH Act.

This HIPAA Privacy Policy applies only to information that constitutes PHI and is submitted through our Services by Covered Entities or their authorized workforce members, in connection with our role as a Business Associate.

  1. Scope of This Policy

This Policy applies solely to our activities as a Business Associate when we receive, store, process, or transmit PHI on behalf of Covered Entities (e.g., healthcare providers, health plans, and their business associates).

  1. Our Role as a Business Associate

We operate as a Business Associate under HIPAA and have entered into Business Associate Agreements (BAAs) with applicable Covered Entities and our subcontractors (e.g., AWS, OpenAI, Eleven Labs (pending)).

We only access and use PHI as necessary to provide our Services and as permitted by our BAAs.

  1. How We Use PHI

We may use PHI for the following purposes:

- To provide, maintain, and improve our Services

- For internal operations (e.g., support, development, and testing)

- As required by law

- As permitted by the applicable Business Associate Agreement

  1. How We Disclose PHI

We do not disclose PHI except:

- To the Covered Entity that provided the PHI

- To subcontractors undersigned BAAs

- When required by law, regulation, or court order

- In response to a request by the Secretary of HHS for HIPAA compliance

  1. Safeguards

We implement appropriate administrative, physical, and technical safeguards to protect PHI, including:

- Encrypted data transmission and storage

- Access controls and audit logs

- Regular risk assessments and staff training

  1. Individual Rights

As a Business Associate, we do not handle individual requests for access, amendment, or restrictions related to PHI. These requests should be directed to the Covered Entity with whom you have a direct relationship.

  1. Breach Notification

In the event of a breach of unsecured PHI, we will notify the applicable Covered Entity in accordance with the terms of our Business Associate Agreement and as required under HIPAA.

  1. Questions & Contact

If you are a Covered Entity and have questions about this HIPAA Privacy Policy or your BAA with CME Trail Inc., please contact us at:

  • Name of the Data Protection Officer – Rahul Sah 
  • Email: support@cmetrail.com
  • CME Trail Inc.  
  • 8 The Green Street STE A, Dover, DE, 19901  

This Policy is in addition to our general Privacy Policy located at General Privacy Policy, which applies to all other personal data we process.