Pinnie.com is operated by Recora, Inc. (the "MSO"), which provides non-clinical management, administrative, technology, billing-support, care-coordination support, and related management services for Pinnie-branded professional medical entities.
Clinical services are provided by Pinnie Medical Group, P.C. and, in the future, may be provided by other Pinnie-branded professional corporations or professional medical entities that are formed, licensed or registered where required, and adopt the Pinnie model and this policy (collectively, the "Pinnie Clinical Practices"). This may include future state-specific professional entities for California, New Jersey, Kansas, or other states. Unless and until those entities are formed and begin furnishing services, Pinnie Medical Group, P.C. is the primary professional entity referenced in this policy.
The MSO does not practice medicine, diagnose, prescribe, or make clinical decisions. The MSO acts as the management services organization for the Pinnie Clinical Practices. When the MSO creates, receives, maintains, or transmits protected health information ("PHI") for a Pinnie Clinical Practice, the MSO acts as a business associate under HIPAA and the Pinnie Clinical Practice’s HIPAA Notice of Privacy Practices controls.
This Privacy Policy explains how information is collected, used, disclosed, and protected through Pinnie.com, Pinnie-branded websites, online forms, scheduling and intake flows, telehealth and remote-care workflows, patient communications, and related administrative services (the "Services").
This Privacy Policy is not a HIPAA authorization, treatment consent, or consent to use PHI for marketing. For PHI maintained by a Pinnie Clinical Practice, please review the Pinnie HIPAA Notice of Privacy Practices.
Medicare notice: Pinnie.com may provide information and advertising to Medicare beneficiaries about care navigation, Community Health Integration (CHI), Principal Illness Navigation (PIN), care management, cardiac rehabilitation, pulmonary rehabilitation, and related telehealth services. Pinnie is not a Medicare Advantage plan, Part D plan, health insurance plan, Medicare broker, enrollment agent, or government website. Pinnie is not endorsed by Medicare, CMS, or HHS.
Depending on how you interact with the Services, we may collect the following categories of information:
- Contact and demographic information, such as name, address, phone number, email address, date of birth, preferred language, and emergency contact information.
- Care-related information, such as health concerns, medications, conditions, symptoms, social needs, care goals, provider information, referral information, cardiac rehabilitation or pulmonary rehabilitation eligibility and participation information, exercise tolerance or activity information, vitals, device or kit information, and information you submit through forms or communications.
- Medicare, insurance, billing, and eligibility information, such as Medicare beneficiary information, payer information, claims-related data, authorizations, cost-sharing information, and service documentation.
- Communications information, such as calls, voicemails, texts, emails, secure messages, consent records, and customer support requests.
- Website and device information, such as IP address, browser type, device identifiers, pages viewed, referring website, cookie data, and similar technical information from public website pages.
- Information from other sources, such as clinicians, care partners, caregivers, health plans, payers, referral partners, community resources, and service providers, where permitted by law.
We use information to:
- Respond to inquiries, confirm eligibility, schedule visits, and support enrollment into services.
- Support the Pinnie Clinical Practices in providing CHI, PIN, care management, telehealth visits, cardiac rehabilitation or pulmonary rehabilitation services delivered through telehealth, hybrid, or other permitted care models, care coordination, and related clinical or care-navigation services.
- Communicate with you about appointments, care coordination, resources, service updates, administrative matters, billing, and legally required notices.
- Support billing, payment, claims, documentation, audits, compliance, and payer communications.
- Maintain security, prevent fraud, debug systems, improve website performance, and evaluate service quality.
- Provide personalized advertising experiences, including by using Personal Information to create custom audiences and targeted advertising campaigns on third-party platforms such as Facebook (Meta) and Google Ads, to reach you with relevant information about the Services, where permitted by applicable law and subject to any required authorization, consent, notice, and opt-out rights.
- Comply with laws, regulations, professional obligations, contracts, subpoenas, audits, and government requests.
We do not use PHI, patient portal information, appointment or intake information, care navigation information, Medicare information, insurance information, or other health-related patient information for cross-context behavioral advertising, custom audiences, advertising platform matching, or the sale of personal information, unless permitted by applicable law and supported by a HIPAA-compliant authorization or other legally sufficient basis.
We may disclose information as described below and as permitted or required by law:
- Among the MSO and the Pinnie Clinical Practices for care delivery, telehealth and remote-care support, cardiac rehabilitation or pulmonary rehabilitation program support, administrative support, care coordination, billing support, quality improvement, security, and operations.
- To clinicians, Advocates, auxiliary personnel, care coordinators, and other workforce members who support the Services.
- To vendors and service providers, including technology, hosting, communications, analytics, billing, compliance, security, and professional-service vendors. When vendors receive PHI on behalf of a Pinnie Clinical Practice, they must have appropriate HIPAA business associate arrangements when required.
- To health care providers, health plans, Medicare, Medicaid, payers, clearinghouses, and community resource organizations for treatment, payment, care coordination, benefits, claims, and operations.
- To family members, caregivers, personal representatives, or others involved in your care or payment for care, where permitted by law and consistent with your preferences.
- To government agencies, regulators, courts, law enforcement, auditors, or other parties when required or permitted by law.
- To advertising partners: Where permitted by applicable law and subject to any required authorization, consent, notice, and opt-out rights, we may share certain Personal Information, including your name, email, phone number, date of birth, gender, and address (including city, state, and zip), to deliver personalized ads and measure ad performance. This may involve sharing this information with advertising partners like Facebook (Meta) and Google Ads. This information may be shared using secure data transmission methods, including hashing where applicable, to help match your information with existing profiles on these platforms and to deliver relevant advertisements to you. We do not use or disclose PHI for marketing, targeted advertising, custom audiences, or advertising platform matching unless permitted by HIPAA and supported by a HIPAA-compliant authorization or other legally sufficient basis.
We may contact you by phone, email, text message, secure message, mail, or similar methods for scheduling, care coordination, administrative, billing, service-related, and legally required communications. Standard message and data rates may apply. You may opt out of non-essential text messages by following the instructions in the message, but we may continue to send legally permitted service, care-related, or transactional communications.
Email and text messages may not always be secure. Do not use email, text, or website forms for emergencies. If you believe you may have a medical emergency, call 911 or seek emergency care immediately.
For PHI maintained by a Pinnie Clinical Practice, your HIPAA rights are described in the Pinnie HIPAA Notice of Privacy Practices. These rights may include access, amendment, accounting of disclosures, restrictions, confidential communications, paper copies of the notice, and complaint rights.
Depending on your state of residence and the type of information involved, you may have rights to confirm whether we process your Personal Information, request access, correction, deletion, portability, or restriction, opt out of sale, sharing, targeted advertising, cross-context behavioral advertising, or certain profiling, limit certain uses of sensitive Personal Information, withdraw consent where applicable, appeal denied requests, and exercise your rights without unlawful discrimination. Some health, medical, insurance, billing, Medicare, and clinical information may be exempt from state consumer privacy laws because it is regulated by HIPAA, Medicare, or other health privacy laws.
Where required by applicable law, you may opt out of the sale or sharing of Personal Information, targeted advertising, cross-context behavioral advertising, or certain profiling by contacting us using the methods below, or using a legally recognized opt-out preference signal, such as Global Privacy Control, where required. An opt-out does not limit clinically necessary, transactional, security, compliance, billing, or administrative communications or uses permitted by law.
To exercise privacy rights, contact us at pinnieoperations@pinnie.com or 929-244-2339. We may need to verify your identity or authority before responding. If your state provides an appeal right and we deny your request, you may appeal by replying to our decision email or using the process described in that decision.
This section supplements the rest of this Privacy Policy and applies where state privacy, consumer health data, or similar laws apply. For purposes of this section, "Personal Information" includes terms such as "personal data" or "covered information" used in applicable state privacy laws. PHI maintained by a Pinnie Clinical Practice remains governed by HIPAA and the Pinnie HIPAA Notice of Privacy Practices; if this section conflicts with HIPAA or the applicable Notice of Privacy Practices for PHI, HIPAA and that notice control.
California Residents
If you are a California resident and the California Consumer Privacy Act, as amended (the "CCPA"), applies, the categories of Personal Information we collect are described in Section 3, the sources of that information are described in Section 3, the purposes for collection and use are described in Section 4, the categories of recipients are described in Section 5, and our retention practices are described in Section 10.
For business purposes, we may disclose the categories of Personal Information described in Section 3 to the MSO, the Pinnie Clinical Practices, service providers, contractors, professional advisors, payers, providers, government entities, and other recipients described in Section 5. For advertising and measurement purposes, and subject to Section 6 and applicable law, we may sell or share identifiers, contact information, demographic information, internet or other electronic network activity information, approximate geolocation information, and inferences with advertising partners such as Facebook (Meta) and Google Ads. We do not sell or share PHI and do not knowingly sell or share Personal Information of consumers under 16.
California residents may have the right to know or access Personal Information, request deletion, request correction, opt out of sale or sharing, limit certain uses and disclosures of sensitive Personal Information, designate an authorized agent, and exercise rights without unlawful discrimination. To exercise these rights, contact us at pinnieoperations@pinnie.com or 929-244-2339. California residents may also request information about certain disclosures to third parties for their direct marketing purposes where that law applies.
Residents of Other States
Residents of certain states may have similar rights to confirm processing, access, correct, delete, obtain a portable copy, opt out of sale, sharing, targeted advertising, or certain profiling, limit or revoke consent for certain sensitive-data uses, appeal denied requests, and avoid unlawful discrimination for exercising privacy rights. We will honor these rights where required by applicable law. We will also honor legally required opt-out preference signals, including Global Privacy Control or other recognized universal opt-out mechanisms, where required.
Sensitive Personal Information and Consumer Health Data
Some state laws treat information about health status, attempts to obtain health care services, eligibility inquiries, care interests, biometric data, precise location, or similar information as sensitive Personal Information or consumer health data when that information is not PHI regulated by HIPAA. To the extent applicable, we process such information as described in this Privacy Policy, collect and use it only for disclosed or legally permitted purposes, restrict access to personnel and vendors with a need to know, use contracts with service providers and processors where required, and obtain consent or authorization where required for collection, use, disclosure, or sharing beyond what is necessary to provide requested services or as otherwise permitted by law.
We do not sell consumer health data. We do not use geofencing around health care facilities to identify or track consumers, collect consumer health data, or send health-related advertising where prohibited by law. Where a separate consumer health data privacy notice, homepage link, or consent flow is required by state law, we will provide that separate notice, link, or consent process.
We retain information for as long as necessary to provide the Services, support clinical care, comply with legal and contractual obligations, maintain records required by Medicare and applicable state medical-record laws, support billing and audit requirements, resolve disputes, enforce agreements, and satisfy HIPAA documentation obligations.
We use administrative, technical, and physical safeguards designed to protect information. No system or transmission is completely secure, and we cannot guarantee absolute security.
Pinnie.com and the Services are intended for adults, including Medicare beneficiaries and individuals seeking care navigation, care management, telehealth visits, cardiac rehabilitation or pulmonary rehabilitation services, or related services. We do not knowingly collect personal information from children under 13 through Pinnie.com. If you believe a child has provided personal information through Pinnie.com, please contact us.
The Services may link to third-party websites, community resources, health plan resources, or other services. We are not responsible for the privacy practices, content, or security of third-party websites or services. Review their policies before providing information.
We may update this Privacy Policy from time to time. The updated version will be posted on Pinnie.com with a new effective date. Material changes will apply as permitted by law.