Overview
This Cookie Policy explains how Nivano Physicians uses tracking technologies on our website in compliance with HIPAA Privacy and Security Rules, OCR guidance on tracking technologies (updated March 2024), GDPR, and the California Consumer Privacy Act (CCPA/CPRA). We are committed to protecting your privacy while providing you with the best possible online experience.
What Are Cookies and Tracking Technologies?
Types of Tracking Technologies We Use
- Cookies: Small text files stored on your device that remember your preferences and activities
- Web Beacons (Pixels): Invisible images that track user interactions and page views
- Session Replay Scripts: Technologies that record user interactions for website improvement
- Analytics Tools: Services that collect data about website usage and performance
- Social Media Plugins: Integration tools for social media platforms
- Marketing Pixels: Tracking tools for advertising and marketing purposes
Authentication Distinctions
We distinguish between two types of website interactions:
- Unauthenticated Webpages: Public website areas that do not require login
- Patient Portal: Secure, authenticated areas requiring login credentials
HIPAA Compliance and PHI Protection
When Tracking May Collect PHI
Under OCR guidance, tracking technologies may collect Protected Health Information (PHI) when:
- IP addresses are combined with health-related website visits (e.g., visiting diabetes management pages)
- User behavior indicates health conditions through page navigation patterns
- Location data reveals visits to specific medical facilities or departments
- Search queries contain health-related terms or medical information
Business Associate Agreements (BAAs)
We maintain Business Associate Agreements with tracking technology vendors who may have access to PHI:
Vendors with BAAs:
- Google Analytics 4: Web analytics with HIPAA-compliant configuration
- Microsoft Clarity: Session replay and heatmap analysis with BAA
- Salesforce Health Cloud: Patient relationship management with healthcare BAA
- Twilio: Communication services with healthcare compliance features
Non-BAA Vendors (Limited Data):
- Social Media Platforms: Facebook, Twitter, LinkedIn (no PHI sharing)
- Content Delivery Networks: CloudFlare, AWS (encrypted data transmission only)
Encryption and Data Protection
All PHI transmitted through tracking technologies must be encrypted using industry-standard protocols:
- HTTPS/TLS encryption for all data transmission
- AES-256 encryption for stored tracking data containing PHI
- Data minimization practices to limit PHI collection
- Automatic data purging after specified retention periods
GDPR and International Compliance
European Users
For users accessing our website from the European Union:
- Explicit consent required for all non-essential cookies
- Granular control options for different cookie categories
- Right to withdraw consent at any time through cookie preferences
- Data portability rights for all collected information
- Right to erasure of personal data upon request
Cookie Categories
Essential Cookies
- Session management cookies for secure portal access
- Authentication cookies for login functionality
- Security cookies for fraud prevention
- Accessibility cookies for disability accommodations
Performance Cookies
- Analytics cookies (with BAA when collecting PHI)
- Error reporting cookies for website optimization
- Load balancing cookies for server performance
Functional Cookies
- Preference cookies for user customization
- Language cookies for localization
- Location cookies for facility finder functionality
Marketing Cookies (Restricted)
- Limited use due to HIPAA restrictions
- No PHI sharing with advertising networks
- Opt-in required for any marketing communications
- Clear purpose disclosure for all marketing uses
CCPA/CPRA Compliance
California Consumer Rights
Under the California Consumer Privacy Act and California Privacy Rights Act:
Right to Know
- Categories of PHI collected through tracking technologies
- Sources of PHI collection including cookies and pixels
- Business purposes for PHI collection and processing
- Third parties with whom PHI may be shared
Right to Delete
- Deletion of tracking data upon verified request
- Removal from third-party systems where technically feasible
- Retention of essential data for legal compliance only
- Confirmation of deletion provided to consumers
Right to Opt-Out
- “Do Not Sell My Personal Information” banner compliance
- Global Privacy Control recognition and processing
- Opt-out preference signals from browsers and devices
- No discrimination for exercising privacy rights
Cookie Management and Controls
User Controls
You can manage tracking technologies through multiple methods:
Browser Settings
- Cookie blocking and deletion in browser preferences
- Third-party cookie restrictions
- JavaScript disabling for advanced users
- Privacy mode for temporary sessions
Our Cookie Preference Center
- Granular control over cookie categories
- Real-time consent management
- Preference history tracking
- Easy withdrawal of consent
Mobile App Controls
- Push notification settings
- Location services controls
- App-specific tracking toggles
- Cross-app tracking restrictions
Tracking Technology Inventory
First-Party Tracking
- Nivano Session Cookies
  - Purpose: User authentication and session management
  - Duration: Session-based (expires when browser closes)
  - PHI Risk: High (patient portal access)
  - BAA Required: N/A (internal processing)
- Preferences Cookies
  - Purpose: Remember user settings and language preferences
  - Duration: 12 months
  - PHI Risk: Low (general preferences only)
  - BAA Required: No
Third-Party Tracking
- Google Analytics 4
  - Purpose: Website performance and user behavior analysis
  - Duration: 26 months
  - PHI Risk: Medium (IP + health page visits)
  - BAA Status: Active BAA in place
- Microsoft Clarity
  - Purpose: Session replay and heatmap analysis
  - Duration: 12 months
  - PHI Risk: Medium (session recordings may capture PHI)
  - BAA Status: Active BAA in place
- Salesforce Health Cloud
  - Purpose: Patient relationship management
  - Duration: Per business requirements
  - PHI Risk: High (comprehensive PHI processing)
  - BAA Status: Healthcare-specific BAA active
Data Retention and Disposal
Retention Periods
- Essential cookies: Duration of session or legal requirement
- Analytics data: 26 months maximum, with quarterly review
- Marketing data: 12 months with annual consent renewal
- Preference data: Until user account deletion or opt-out
Secure Disposal
- Cryptographic deletion of encrypted data
- Overwriting of storage media containing PHI
- Certificate of destruction for physical media
- Audit trail of all deletion activities
Your Rights and Choices
Access Rights
- Request a copy of all tracking data we have collected
- Understand how your data is being used
- Identify third parties who have received your data
- Review consent history and preference changes
Control Rights
- Opt-out of specific tracking technologies
- Request deletion of collected data
- Restrict processing for marketing purposes
- Port your data to another service provider
Contact Information
For questions about our use of tracking technologies:
Privacy Officer
- Email: customerservice@nivanophysicians.com
- Phone: (916) 407-2000
- Mail: Nivano Physicians Privacy Office, 2554 Millcreek Drive, Suite 100, Sacramento, CA 95833
Data Protection Officer (for EU residents)
Updates to This Policy
This Cookie Policy may be updated periodically to reflect changes in:
- Legal requirements under HIPAA, GDPR, CCPA, and other regulations
- Technology changes in tracking mechanisms
- Business practices in data collection and use
- Third-party relationships and BAA status
Last Updated: August 7, 2025
Next Review Date: February 7, 2026
Policy Version: 1.0
We will notify you of significant changes through:
- Email notification to registered users
- Website banner for 30 days after changes
- Patient portal notifications for active patients
This Cookie Policy demonstrates our commitment to transparency in data collection while maintaining strict HIPAA compliance and protecting patient privacy.