Privacy Policy

1. Overview

Vinician is a clinical triage and patient engagement platform operated by Omnentis LLC (“we,” “us,” or “our”). This Privacy Policy describes how we collect, use, store, protect, and handle information in connection with our platform, including information about patients, clinical staff, and clinic administrators.

Vinician is designed for use by licensed outpatient behavioral health and substance use treatment programs. We are committed to protecting the privacy of all individuals whose information is processed through our platform, including compliance with the Health Insurance Portability and Accountability Act (HIPAA) and 42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records).

2. Information We Process

We process the following categories of information on behalf of our clinic partners:

• Patient information: First and last name, phone number, program enrollment, and check-in responses including mood, cravings, sleep, stress levels, substance use disclosures, and mental health screening responses (including PHQ-9).
• Staff information: Name, email address, role, and activity logs within the platform.
• Usage data: Timestamps of check-in submissions, link open events, and system access logs for audit and compliance purposes.

We do not collect payment information from patients. We do not sell, rent, or share any information with third parties for advertising or marketing purposes.

3. How We Use Information

Information processed through Vinician is used solely to: (a) deliver clinical triage and patient engagement services to our clinic partners; (b) generate risk scores and escalation alerts for clinical staff; (c) maintain audit logs for compliance and legal documentation; and (d) improve platform functionality and reliability.

We do not use patient data to train machine learning models or artificial intelligence systems. We do not access patient data except as necessary to provide technical support, investigate system issues, or comply with legal obligations.

4. HIPAA Compliance

Vinician operates as a Business Associate under HIPAA. We enter into a Business Associate Agreement (BAA) with each clinic partner before any Protected Health Information (PHI) is processed. We implement administrative, physical, and technical safeguards required by the HIPAA Security Rule, including encryption of data at rest and in transit, access controls, and audit logging.

All substance use disorder patient records processed through Vinician are handled in accordance with 42 CFR Part 2, which imposes strict confidentiality requirements beyond standard HIPAA protections. Patient consent is captured and logged at enrollment.

5. Data Security

We implement the following security measures to protect all information processed through Vinician:

• Encryption in transit: All data transmitted between users and our platform is encrypted using TLS (HTTPS).
• Encryption at rest: All patient data stored in our database is encrypted at rest.
• Access controls: Role-based access ensures that clinical staff can only access patient records within their own program. Platform developers do not have access to a patient-facing data browsing interface.
• Audit logging: Every access, modification, and action taken on patient records is logged with a timestamp and user identifier.
• Token-based patient access: Patients access check-in forms via one-time, time-limited links. No patient accounts or passwords are created or stored.

6. Data Retention

Patient data is retained for the duration of the clinic’s active agreement with Omnentis LLC and for any period required by applicable law or regulation thereafter. Upon termination of a clinic’s agreement, patient data will be securely deleted or returned to the clinic as specified in the Business Associate Agreement.

7. Third-Party Services

Vinician uses the following third-party services in the delivery of our platform:

• Twilio: Used to deliver SMS messages to patients. Twilio processes phone numbers and message content. Twilio is a HIPAA-eligible service provider. SMS messages sent by Vinician do not contain Protected Health Information.
• Neon (PostgreSQL): Used for encrypted database storage of platform data.
• Vercel: Used for platform hosting and deployment.

Each third-party provider is subject to appropriate data processing agreements.

8. Patient Rights

Patients whose information is processed through Vinician may have rights under HIPAA and applicable state law, including the right to access, amend, or request restrictions on their health information. These rights are administered by the clinic partner, who is the Covered Entity under HIPAA. Patients should direct such requests to their clinic.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify clinic partners of material changes. Continued use of the platform after notice of changes constitutes acceptance of the updated policy.

10. Contact

For questions about this Privacy Policy or our data practices, contact us at:

Omnentis LLC / Vinician

Email: noahfong1@gmail.com / pedroc.montes@icloud.com

Website: vinician.com