Privacy Policy
This Privacy Policy describes how [[SA-CONFIRM:legal-entity-name]] ("Sleep America," "we," "us," or "our") collects, uses, shares, and protects personal information. It covers two websites: our public website at sleep-america.com, and the secure provider portal at portal.sleep-america.com that referring health care providers use to submit patient referral orders to us.
Please read this policy carefully. If you have questions about anything in it, contact us using the information in the Contact us section below.
Information we collect
Website visitors (sleep-america.com)
When you visit our public website, we use Google Analytics 4, a service provided by Google, to understand how visitors use the site. Google Analytics sets cookies in your browser and collects usage data such as the pages you view, the approximate region you are visiting from, the type of device and browser you use, and how you arrived at our site. This information helps us understand which parts of the site are useful and how to improve them. You can learn more about your choices regarding analytics in the Cookies and analytics section below.
Provider portal users (portal.sleep-america.com)
The provider portal is for referring health care providers and their staff. Portal accounts are created by Sleep America; there is no public sign-up. When we set up your account and when you sign in, we collect and maintain professional identity information, including your name, email address, professional credential, National Provider Identifier (NPI), phone number, and your practice's name, address, phone, and fax numbers. Sign-in is handled through Auth0, our identity service provider, and every account is protected by multi-factor authentication.
When a provider submits a referral order through the portal, the order contains patient information: demographics, insurance details, and clinical information. This is protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). Our handling of PHI is governed by HIPAA and described in our Notice of Privacy Practices, which patients should read alongside this policy.
How we use information
We use the information described above to:
- Operate our websites — keep the public site and the provider portal running, secure, and available.
- Process referral orders — receive, store, and act on the referral orders providers submit, so patients receive the sleep care services their provider ordered.
- Communicate with providers — send order confirmation emails so providers know their submission was received. These confirmation emails do not contain any patient information.
- Improve our public website — use analytics data to understand how visitors use sleep-america.com and make it better.
- Maintain security and accountability — keep audit records of portal activity, as described under Security below.
How we share information
[[SA-CONFIRM:no-sale-of-personal-information]]
We share information with a small number of service providers who help us run our websites and services. [[SA-CONFIRM:vendor-baa-status]]
- Cloud hosting — Amazon Web Services (AWS) hosts our systems and stores referral order data.
- Identity services — Auth0 manages provider portal sign-in and account security.
- Analytics — Google provides the Google Analytics 4 service used on our public website.
[[SA-CONFIRM:affiliates-business-associates]]
We may also disclose information when required to do so by law, such as in response to a valid legal request from a court or government authority.
Security
We take the security of your information seriously, especially the patient information submitted through the provider portal. Our safeguards include:
- Encryption in transit — connections to our websites and portal use TLS encryption, so information is protected while it travels over the internet.
- Encryption at rest — referral order data is encrypted where it is stored, using AWS Key Management Service (KMS) managed encryption keys.
- Multi-factor authentication — every provider portal account requires a second verification factor at sign-in, not just a password.
- Access controls — access to stored referral data is restricted through cloud access-management (IAM) policies, so only authorized systems and personnel can reach it.
- Audit logging — the portal keeps a delivery audit log recording the order ID, the practice, the submitting provider's identity, and the source IP address of each submission. The audit log does not contain patient data.
- Session protections — portal sessions use short-lived access tokens held in memory (valid for 15 minutes), time out after 30 minutes of inactivity, and end after a maximum of 8 hours.
- Record retention — submitted referral records are retained under a 6-year retention lock, consistent with health care record-keeping requirements.
No system can be guaranteed perfectly secure, but these controls are designed and maintained to protect your information against unauthorized access, alteration, and loss.
Cookies and analytics
Our public website, sleep-america.com, uses Google Analytics 4, which sets cookies to measure how visitors use the site. Some pages on our public website also include embedded videos hosted by YouTube; when you view a page with an embedded video, YouTube (a Google service) may set cookies and collect viewing data under Google's privacy policy. The provider portal at portal.sleep-america.com contains no advertising or analytics trackers.
You can control cookies through your browser settings, including blocking or deleting them. To opt out of Google Analytics across the web, you can install the Google Analytics Opt-out Browser Add-on.
Your choices and rights
- Analytics opt-out — you can decline analytics measurement using your browser's cookie controls or the Google opt-out add-on described above.
- Patient rights under HIPAA — if you are a patient, you have rights regarding your health information, including the right to access and request corrections to your records. These rights, and how to exercise them, are described in our Notice of Privacy Practices.
- State privacy rights — [[SA-CONFIRM:state-law-addenda]]
Children
Our websites are not directed at children under 13, and we do not knowingly collect personal information from children under 13 through them.
Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will post the updated policy on this page with a new effective date. We encourage you to review this page periodically.
Contact us
If you have questions about this Privacy Policy or how we handle your information, please contact our privacy official:
[[SA-CONFIRM:privacy-official-name-title]]
[[SA-CONFIRM:privacy-official-phone-email]]
[[SA-CONFIRM:mailing-address]]
Effective date: TBD