Privacy Policy
Upstate Access
A Service of Upstate Healthcare Administration LLC
Effective Date: May 24, 2025 | Last Updated: May 24, 2026
1. Introduction
Upstate Healthcare Administration LLC ("Company," "we," "us," or "our") operates Upstate Access, a cloud-based credentialing and payer enrollment tracking platform available at https://access.upstatehealthcareadmin.com (the "Platform" or "Service"). This Privacy Policy describes how we collect, use, disclose, and protect information about users of the Platform, including healthcare providers, practice administrators, and group practice owners ("Users," "you," or "your").
By creating an account, accessing, or using the Platform, you agree to the terms of this Privacy Policy. If you do not agree, you must not access or use the Platform.
This Privacy Policy applies solely to the Platform and does not govern the data practices of any third-party websites or services, including any websites linked to or from the Platform.
2. Scope and Important Limitations
2.1 Administrative Platform — Not an EMR
Upstate Access is an administrative operations platform designed to assist healthcare providers and practice administrators with credentialing workflows, payer enrollment tracking, and related administrative tasks. The Platform is not an electronic medical records system (EMR), electronic health records system (EHR), or clinical documentation platform.
2.2 No Protected Health Information (PHI) Should Be Uploaded
The Platform is not designed, intended, or approved for the storage, transmission, or processing of Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, "HIPAA"). Users are expressly prohibited from uploading, entering, or transmitting PHI through the Platform. See Section 10 (User Responsibilities) and Section 11 (No PHI Policy) for full details.
2.3 HIPAA Business Associate Agreement (BAA)
Exhibit A: HIPAA Business Associate Agreement (BAA), available in the Terms of Service at /terms#baa, applies to the extent Upstate Access creates, receives, maintains, or transmits Protected Health Information on behalf of a Covered Entity or Business Associate. Users remain responsible for using the Platform consistently with their own HIPAA obligations and for minimizing PHI wherever possible.
3. Information We Collect
We collect information in the following categories:
3.1 Account Registration Information
When you create an account, we collect:
- Full name
- Email address
- Professional title or role
- Practice or organization name
- Business address (state, ZIP, and related)
- Phone number
- Username and password (passwords are stored in hashed form and are not accessible in plain text)
- Subscription tier selection
3.2 Provider Demographic and Credentialing Information
As part of the Platform's core functionality, Users may enter and store:
- National Provider Identifier (NPI) number
- State license numbers and jurisdictions
- Taxonomy codes
- Credentialing application data
- Payer enrollment statuses and timelines
- CAQH profile references and related identifiers
- Specialty and practice type information
- Board certifications and professional affiliations
This information is administrative and professional in nature. It is entered at the User's discretion and is used solely to support the credentialing and payer tracking workflows provided by the Platform.
3.3 Uploaded Documents
Users may upload documents to the Platform, including but not limited to professional licenses, DEA certificates, malpractice insurance certificates, credentialing applications and supporting materials, and payer correspondence. Users are responsible for ensuring that documents uploaded to the Platform do not contain PHI or other categories of information prohibited under this Policy. See Section 11 (No PHI Policy).
3.4 Billing and Payment Information
We use Stripe, Inc. ("Stripe") to process all subscription payments. We do not collect, store, or transmit full credit card numbers, CVV codes, or other sensitive payment instrument data. When you initiate a payment, you are providing your payment information directly to Stripe through its secure payment processing infrastructure. We receive from Stripe only a tokenized reference and limited billing metadata such as the last four digits of a card, card type, and billing address, as necessary to manage your subscription. For details on how Stripe processes your data, please review Stripe's Privacy Policy at https://stripe.com/privacy.
3.5 Usage and Log Data
We automatically collect certain technical data when you access or use the Platform, including:
- IP address, browser type and version, and operating system
- Device type, pages or features accessed, and timestamps of access
- Referring URL, session duration, navigation patterns, and error logs
3.6 Cookies and Tracking Technologies
We use cookies and similar tracking technologies to operate and improve the Platform. These include strictly necessary cookies for authentication and security, functional cookies to remember settings, and analytics cookies to understand user interaction. You may control cookie settings through your browser, though disabling them may impair functionality.
3.7 Communications
If you contact us by email, support ticket, or through in-platform messaging features, we retain records of those communications, including the content of messages and your contact information, for account management and service improvement purposes.
4. How We Use Information
We use the information we collect for the following purposes:
- To provide, operate, and maintain the Platform.
- To support AI-assisted features including document extraction and workflow automation.
- To communicate with you regarding service updates, security alerts, and support.
- To process billing and subscription management via Stripe.
- To maintain system security, protect against technical vulnerabilities, and prevent fraud.
- To improve Platform design, performance, and functionality.
- To comply with regulatory and legal obligations.
We do not sell your personal information to third parties. We do not use your information for targeted advertising.
5. Account and Subscription Billing
Your subscription status, plan tier, billing history, and payment method metadata are stored in association with your account to determine your access level (active vs. archive/read-only), process renewals, and generate invoicing. All financial transactions are processed securely by Stripe; Upstate Healthcare Administration LLC does not have access to your full payment card data at any time.
6. AI-Assisted Features - Disclosure
The Platform includes features that use artificial intelligence or machine learning technology to assist with document review and data extraction from uploaded files ("AI Features"). Users must be aware that:
- AI extraction is not infallible and results may be incomplete or inaccurate. The Platform makes no representations regarding the accuracy of AI-generated extractions.
- Users are solely responsible for verifying all AI-extracted data before relying on it for credentialing submissions or payer enrollment applications.
- Uploaded documents processed by AI Features may be transmitted securely to third-party AI infrastructure.
- Do not upload documents containing PHI for AI processing. Pipelines are not structured to manage PHI data workflows.
7. Email Communications
We send transactional emails (account verification, receipts, password resets) which are mandatory for service operations. We may also send operational notices and optional marketing updates. You can opt out of marketing emails at any time via the unsubscribe link provided.
8. Data Storage and Security
8.1 Storage Infrastructure
Data entered into and uploaded to the Platform is stored using secure cloud infrastructure provided by third-party hosting and infrastructure providers, which may include Supabase and Cloudflare. Data centers are located within the United States.
8.2 Security Measures
We implement safety protocols including data encryption in transit via TLS, encryption at rest, role-based database access control, secure password hashing, and row-level database security.
8.3 No Guarantee of Absolute Security
While we take industry-standard precautions, no digital system is entirely safe. Transmission over the web carries inherent risk. In the event of a material data breach, we will notify affected Users in accordance with applicable legal mandates.
9. Data Retention
Active subscription account data is retained for the duration of the account lifespan. Archive/Read-only tiers remain accessible inside the system database architecture. Upon receiving a valid account deletion request, identifiable information will be erased or anonymized within 30 days, subject to legal, tax, or audit compliance holding requirements. Technical diagnostic logs are cycled and deleted within 30 days.
10. User Responsibilities
By using the Platform, you represent and agree that:
- You will use the Platform only for lawful administrative and operations workflows.
- You maintain sole responsibility for verifying data metrics, credential entries, and AI extractions.
- You will not upload, store, or transmit PHI under any circumstances.
- You will protect account access details and notify security immediately if credentials are compromised.
11. No PHI Policy
11.1 PHI is Prohibited
Upstate Access is not designed to receive, store, or process Protected Health Information (PHI) as defined under HIPAA. You must not upload patient names combined with health status conditions, medical treatment profiles, clinical notes, or claim items detailing specific medical conditions.
11.2 Consequences of Uploading PHI
If you upload PHI in violation of this Policy, we are not equipped to protect such data in compliance with HIPAA requirements. We reserve the right to suspend or terminate accounts upon discovery of prohibited PHI data uploads.
11.3 Legitimate Administrative Information Permitted
Provider administrative metrics (NPI, state licensing numbers, CAQH metrics, business contacts, insurance tracking, payer timelines) do not constitute PHI and are explicitly permitted.
12. Third-Party Service Providers
We share technical telemetry and data points with underlying infrastructure vendors as noted below:
| Provider | Purpose | Privacy Link |
|---|---|---|
| Supabase | Database hosting and backend infrastructure | Link |
| Stripe, Inc. | Payment processing and subscription engine | Link |
| Cloudflare, Inc. | CDN, DDoS mitigation, web DNS safety scaling | Link |
| Anthropic, PBC | AI-assisted document text data extraction | Link |
13. Account Deletion
Account termination or data wiping requests can be sent via email to operations@upstatehealthcareadmin.com. Processing occurs securely within 30 days. Accounts cannot be recovered post-deletion.
14. California Privacy Rights (CCPA/CPRA)
California residents have explicit entitlements under CCPA/CPRA laws including the Right to Know, Delete, Correct, and Non-Discrimination. We do not sell or share private profile information. Contact our compliance email to make formal verified requests.
15. Other U.S. State Privacy Laws
We adhere strictly to developing consumer privacy protection regulations within individual states nationwide as the platform scales operations.
16. Children's Privacy
The Platform handles professional medical enterprise administrative tasks and is strictly limited to adult professional users. We do not knowingly compile or query tracking metrics from anyone under 13.
17. International Users
Platform operations are centered and maintained in the US for regional healthcare provider operations. It is not structured for international frameworks or GDPR parameters.
18. Service Availability and Disclaimers
The Platform is provided on an "as is" and "as available" basis. We reserve the right to modify, suspend, or change feature rules at any time to guarantee operational uptime, perform code patches, or handle compliance adjustments.
19. Limitation of Liability — Data and Security
TO THE FULLEST EXTENT PERMITTED BY LAW, UPSTATE HEALTHCARE ADMINISTRATION LLC DISCLAIMS LIABILITY FOR ANY DIRECT OR CONSEQUENTIAL DAMAGES LINKED TO DATA INTERRUPTIONS, AI INACCURACIES, SYSTEM OUTAGES, DATA LOSS, OR BREACHES STEMMING FROM USER-UPLOADED PROHIBITED PHI RECORDS.
20. Changes to This Privacy Policy
Modifications are tracked via the "Last Updated" text flag above. Continued use following update notifications reflects explicit policy terms acceptance.
21. Contact Information
Upstate Healthcare Administration LLC
418 Broadway, Suite N
Albany, NY 12207
Email: operations@upstatehealthcareadmin.com
Web: https://upstatehealthcareadmin.com
Privacy Policy Version 1.0. Archived & Verified.