Privacy Policy
Preliminary draft for review by legal counsel before launch; this document does not constitute legal advice. Last updated June 10, 2026.
This Privacy Policy explains how SMB Operations Inc. ("we," "us") handles information in connection with the NEPA inpatient application and the hospitals.care website (together, the "Service").
Our role: business associate to your hospital
NEPA is provided to patients on behalf of the hospital where they are receiving care. For protected health information ("PHI") processed through the Service, your hospital is the "covered entity" and SMB Operations Inc. acts as its "business associate" under HIPAA. We process PHI under a Business Associate Agreement with each hospital and only as that agreement and applicable law permit.
Information we process
- Identity and account data: your name and email address used to create and secure your account.
- Encounter context from your hospital: your name, medical record number (MRN), and facility, unit, room, and bed, received from your hospital's authorized admit/discharge/transfer (ADT) and approved FHIR channels.
- Information you enter: meal preferences and appetite; daily check-in scores for pain, sleep, appetite, and comfort, with any notes; and feedback you submit (type, tone, rating, comment, and any staff/time/location context you choose to add).
How we use information
We use this information solely to provide the Service to you and your hospital: to display your stay context, deliver your preferences to the dietary team, route your check-ins to your care team for review during routine rounds, and convey feedback to your hospital. Where your hospital has configured it, check-in responses may be written back to your hospital's EHR as a structured questionnaire response.
What we do not do
We do not sell your information, use it for advertising, or use it for research unrelated to your care. We do not retain reusable hospital or EHR credentials for routine access to hospital systems.
Confidential feedback
Feedback you submit through NEPA is treated as confidential. It is not written into your clinical chart, and frontline staff cannot see your ratings or comments.
How we protect information
The Service is hosted on AWS infrastructure configured for HIPAA workloads. Information is encrypted in transit and at rest, access is restricted by role, and security-relevant actions are recorded in append-only audit logs maintained under database-level role separation, so that application accounts cannot alter or delete log entries. NEPA is an early-stage product; formal third-party certifications such as SOC 2 or HITRUST are on our roadmap and are not yet in place.
Data sharing
We share information with your hospital and its authorized personnel as needed to provide the Service, and with service providers (such as our cloud host) acting on our behalf under appropriate agreements. We may disclose information where required by law.
Retention and your choices
We retain information for as long as needed to provide the Service and as required by your hospital's instructions, our agreements, and applicable law. Because your hospital directs how PHI is handled, requests to access, correct, or delete PHI are generally fulfilled through your hospital. You may contact us at the address below and we will work with your hospital as appropriate.
Children
The Service is offered through hospitals and is not directed to children for independent sign-up. Where a minor is a patient, the hospital governs use in accordance with applicable law.
Changes
We may update this Policy. Material changes will be reflected by the "last updated" date above.
Contact
Questions about this Policy: privacy@hospitals.care. SMB Operations Inc., Toronto, Ontario, Canada.