Legal Document

Privacy Policy

This policy explains how Apex Care Compliance collects, uses, stores, protects, and discloses personal information from facility clients, healthcare workers, and website visitors.

Effective Date: April 2, 2026
Version: 1.0
Jurisdiction: Pennsylvania, USA
INTROIntroduction and Overview

Apex Care Compliance, a division of Apex Growth Solutions Inc., provides workforce compliance management services to healthcare facilities. This Privacy Policy explains how we collect, use, store, protect, and disclose personal information from three groups:

  • Facility Clients: Administrators, Directors of Nursing, and authorized representatives of healthcare facilities that engage our services.
  • Workers: Healthcare professionals (RNs, LPNs, CNAs, HHAs, DSPs, MAs, RTs) whose compliance documentation is managed on behalf of Client facilities.
  • Website Visitors: Individuals who visit apexcarecompliance.com.
By using our services or submitting information through our website, you acknowledge that you have read and understood this Privacy Policy. This Policy operates alongside our HIPAA Business Associate Agreement (BAA), which governs handling of Protected Health Information (PHI).
ARTICLE IKey Definitions
Personal Information Any information that identifies or could reasonably identify a specific individual, including name, contact details, professional credentials, employment history, and health screening records.
PHI Protected Health Information as defined under HIPAA (45 C.F.R. § 160.103), including TB test results, health screening records, and immunization documentation submitted as part of workforce credential management.
Credential Documents Compliance documentation including background checks, PA Act 33/34 clearances, professional licenses, TB tests, CPR cards, government IDs, and resumes.
Client A healthcare facility or organization that has entered into a Managed Service Agreement with Apex Care Compliance.
Worker A healthcare professional whose compliance documentation is submitted to and managed by Apex Care Compliance on behalf of a Client facility.
HIPAA The Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (45 C.F.R. Parts 160 and 164).
ARTICLE IIInformation We Collect
2.1 From Facility Clients
  • Facility identification: Legal name, license/CMS number, facility type, physical address.
  • Contact information: Name, professional title, direct phone, and work email of the designated compliance contact.
  • Roster information: Names, roles, and employment details of workers to be enrolled.
  • Service agreement data: Signed Managed Service Agreement, BAA, and onboarding documentation.
  • Payment information: Processed through secure third-party processors; not stored on Apex Care Compliance systems.
2.2 From Workers
  • Identity documents: Government-issued photo identification.
  • Professional credentials: Licenses, certifications, license numbers, issuing boards, and expiration dates.
  • Background check records: FBI criminal background, PA Act 33 Child Abuse Clearance, PA Act 34 Criminal History.
  • Health documentation (PHI): TB test results, health screening records, immunization records, and physical examination results.
  • CPR certifications: Issuing organization and expiration date.
  • Employment history: Resume and verified work history.
Important: Health documentation including TB tests, health screenings, and immunization records constitutes PHI under HIPAA. This information is governed by both this Policy and our executed BAA with the applicable Client facility. Apex Care Compliance does not collect this information directly from workers — it is submitted by or through the Client facility, which is responsible for obtaining all required worker consents.
2.3 From Website Visitors

When you visit apexcarecompliance.com, we may collect browser type, operating system, IP address, pages visited, time on pages, and referring URL. We do not use tracking pixels, behavioral advertising cookies, or third-party advertising networks.

ARTICLE IIIHow We Use Your Information
3.1 Data Practices Summary
Data Category Purpose Legal Basis Retention
Worker Credentials Compliance monitoring, expiry tracking, audit reporting Contract performance Service + 3 years
PHI (Health Records) Workforce credential compliance per healthcare regulations Legal obligation + Contract Per BAA (min. 6 yrs)
Client Contact Data Service delivery, alerts, account management, billing Contract performance Service + 3 years
Website Analytics Website improvement Legitimate interests 12 months rolling
Consultation Requests Responding to inquiries Consent / Pre-contract 18 months
Payment Information Invoice processing Contract performance 7 years (tax compliance)
3.2 What We Do Not Do
We do not sell, rent, or trade personal information to any third party.
We do not use worker credentials for any purpose outside compliance management.
We do not use personal information for marketing without explicit consent.
We do not share facility or worker data with competing businesses.
We do not use health screening PHI beyond workforce credential compliance.
We do not retain personal information beyond periods specified in this Policy.
ARTICLE IVHow We Share Information
4.1 Within the Service

Each Client's compliance data is isolated within a dedicated account environment. No facility can access another facility's worker data. Worker information submitted by one Client is never shared with, disclosed to, or made visible to any other Client.

4.2 Third-Party Service Providers

Apex Care Compliance may engage trusted service providers bound by written data processing agreements, limited to: secure cloud storage providers, encrypted email service providers, payment processors (operating under their own PCI-DSS compliance), and background check verification services where applicable.

4.3 Legal Disclosures

Apex Care Compliance may disclose personal information if required by valid legal process, court order, or a request from a government regulatory agency with jurisdiction (including Pennsylvania Department of Health or U.S. HHS). Where legally permissible, we will notify the affected Client prior to disclosure.

ARTICLE VHIPAA Compliance and Protected Health Information
5.1 Our Role Under HIPAA

Apex Care Compliance acts as a Business Associate as defined under HIPAA (45 C.F.R. § 160.103) when handling PHI on behalf of Client facilities that are Covered Entities. We are subject to HIPAA's Privacy Rule and Security Rule with respect to all PHI we receive, process, or maintain.

5.2 BAA Required Before PHI Sharing
A signed HIPAA Business Associate Agreement (BAA) must be executed before any Client facility shares PHI with Apex Care Compliance — including worker TB test results, health screening records, or immunization documentation.
5.3 Minimum Necessary Standard

Apex Care Compliance applies the HIPAA Minimum Necessary Standard — we use, disclose, or request only the minimum amount of PHI needed for the specific compliance management purpose.

5.4 Breach Notification

In the event of a breach of Unsecured PHI, Apex Care Compliance will notify the affected Client facility within sixty (60) calendar days of discovery, per HIPAA Breach Notification Rule requirements (45 C.F.R. Part 164, Subpart D).

ARTICLE VIData Security
  • Encryption in transit: All PHI transmitted via email is encrypted using S/MIME and TLS protocols.
  • Encrypted storage: Credential documents stored in access-controlled, encrypted cloud storage with audit logging.
  • Access controls: Access restricted to personnel based on job function on a minimum-necessary basis.
  • Audit logging: Access to PHI and sensitive credential records is logged and auditable.
  • Security reviews: Periodic reviews of data security practices and safeguards.

No data transmission or electronic storage system can be guaranteed completely secure. While we work diligently to protect your information, we cannot guarantee absolute security.

ARTICLE VIIData Retention and Deletion
Data Type Retention Period
Worker Credential Documents (non-PHI) Service + 3 years after termination
Protected Health Information (PHI) Per BAA — minimum 6 years (HIPAA)
Client Facility Records Service + 3 years, or as required by law
Service Agreements & BAAs 7 years from execution date
Payment & Billing Records 7 years (IRS / PA tax requirements)
Website Analytics 12 months rolling, then deleted
Consultation Request Data 18 months or until resolved
Security & Access Logs 12 months, unless needed for investigation
7.1 Deletion Upon Termination

Upon termination of a Managed Service Agreement, Apex Care Compliance will return all Client and worker data in a standard exportable format within thirty (30) days, or securely destroy it and provide written certification. PHI deletion follows BAA terms.

ARTICLE VIIIRights of Workers and Individuals
8.1 Right to Access

Workers may request access to their personal information (excluding PHI, which must be requested through the employing facility). Contact jephthe@apexcarecompliance.com or your employing facility's compliance administrator.

8.2 Right to Correction

Workers may request correction of inaccurate personal information by submitting updated documentation through their employing facility or directly to Apex Care Compliance. We will process correction requests within thirty (30) days.

8.3 Right to Deletion

Workers may request deletion of their personal information, subject to limitations: we cannot delete information required by law (including HIPAA-governed PHI), necessary for active services under a current Managed Service Agreement, or subject to a pending legal matter. We will respond within thirty (30) days.

8.4 How to Exercise Your Rights
Email jephthe@apexcarecompliance.com
Phone (717) 388-9330
Mail Apex Care Compliance, Attn: Privacy, 50 N Queen St #54, Lancaster, PA 17603
Response Time Acknowledged within 5 business days · Resolved within 30 days
ARTICLE IXCookies and Website Tracking

The Apex Care Compliance website uses only essential technical cookies necessary to operate the website. We do not use:

  • Third-party advertising or tracking cookies.
  • Behavioral targeting or retargeting cookies.
  • Social media tracking pixels.
  • Cross-site tracking technologies of any kind.

Apex Care Compliance respects Do Not Track (DNT) signals from browsers.

ARTICLE XChildren's Privacy

Apex Care Compliance's services are directed exclusively to healthcare facilities and healthcare professionals. We do not knowingly collect personal information from individuals under the age of 18. If you believe we have collected information from a minor, please contact us immediately at jephthe@apexcarecompliance.com.

ARTICLE XIGoverning Law and Jurisdiction

This Privacy Policy is governed by the laws of the Commonwealth of Pennsylvania and applicable federal law, including HIPAA, HITECH, and the Pennsylvania Breach of Personal Information Notification Act (73 P.S. §§ 2301–2329). Any dispute shall be resolved in a court of competent jurisdiction in Lancaster County, Pennsylvania.

Pennsylvania Breach Notification: In the event of a breach involving personal information of Pennsylvania residents (excluding PHI), Apex Care Compliance will provide notice as required under Pennsylvania's data breach notification law.

ARTICLE XIIChanges to This Privacy Policy

Apex Care Compliance reserves the right to update this Privacy Policy at any time. When we make material changes, we will update the "Last Updated" date, notify active Client facilities by email at least thirty (30) days before the effective date, and post the updated Policy at apexcarecompliance.com/privacy.

ARTICLE XIIIContact Information

For questions, concerns, or requests related to this Privacy Policy:

Privacy Contact Jephthe Joseph, Founder & President
Organization Apex Care Compliance — A Division of Apex Growth Solutions Inc.
Email jephthe@apexcarecompliance.com
Phone (717) 388-9330
Address 50 N Queen St #54, Lancaster, PA 17603
Website apexcarecompliance.com