Nivano Physicians, Inc.
Effective Date: August 7, 2025
Last Updated: March 12, 2026
Version: 2.0
Overview
This Cookie Policy explains how Nivano Physicians uses cookies and other tracking technologies on our website (nivanophysicians.com). Because we are a HIPAA-covered entity operating a healthcare website, our use of tracking technologies is governed by a more stringent set of rules than applies to typical commercial websites. This policy describes what we use, why, and what protections are in place.
Governing frameworks include the HIPAA Privacy and Security Rules, OCR guidance on tracking technologies (updated March 2024), the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA), and GDPR for users accessing our site from the European Union.
What Are Tracking Technologies?
Cookies are small text files stored on your device that remember your preferences and interactions with a website. We also use related technologies including web beacons (invisible tracking pixels), session replay scripts, and analytics tools. Together, these are referred to as “tracking technologies” throughout this policy.
Authenticated vs. Unauthenticated Pages
We distinguish between two types of website interaction:
- Unauthenticated pages — public areas of the website that do not require login
- Patient portal — secure, authenticated areas requiring login credentials
This distinction matters under HIPAA. OCR guidance clarifies that tracking technologies on unauthenticated healthcare pages can collect Protected Health Information (PHI) when IP addresses are combined with health-related page visits, when navigation patterns reveal health conditions, when location data indicates visits to specific medical departments, or when search queries contain medical information. We configure our tracking accordingly.
HIPAA Compliance and Business Associate Agreements
We maintain Business Associate Agreements (BAAs) with tracking technology vendors that may have access to PHI. All data transmitted through tracking technologies is encrypted using HTTPS/TLS. PHI stored in analytics or session replay systems uses AES-256 encryption. We apply data minimization practices and automatic purging after defined retention periods.
Vendors with Active BAAs
| Vendor | Purpose | BAA Status |
|---|---|---|
| Google Analytics 4 | Website analytics | Active BAA |
| Microsoft Clarity | Session replay and heatmap analysis | Active BAA |
| Salesforce Health Cloud | Patient relationship management | Active BAA |
| Twilio | Communication services | Active BAA |
Non-BAA Vendors (No PHI Shared)
| Vendor | Purpose | PHI Restriction |
|---|---|---|
| Facebook / LinkedIn / Twitter | Social media integration | No PHI shared |
| Cloudflare / AWS | Content delivery and hosting | Encrypted transmission only |
Cookie Categories
Essential Cookies
These cookies are necessary for the website to function and cannot be disabled. They include session management for secure portal access, authentication tokens, security cookies for fraud prevention, and accessibility preference cookies. Because essential cookies are used solely to make the site work and are not shared with third parties, they do not raise the PHI-sharing concerns described elsewhere in this policy.
Performance Cookies
These cookies collect information about how visitors use our website — which pages are visited, where errors occur, and how the site loads. Analytics cookies in this category are subject to our BAA requirements when deployed on pages where PHI may be present.
Functional Cookies
These cookies remember your preferences, language settings, and location choices (such as the facility finder). They enable a more personalized browsing experience without sharing data with advertising networks.
Marketing Cookies (Restricted)
Due to HIPAA restrictions, our use of marketing cookies is severely limited. We do not share PHI with advertising networks. Any marketing cookie use requires opt-in and a clear disclosure of purpose.
CCPA / CPRA — California Consumer Rights
California residents have the following rights with respect to data collected through tracking technologies:
- Right to Know — the categories of personal information collected, its sources, its purposes, and any third parties with whom it is shared
- Right to Delete — deletion of tracking data upon verified request, with removal from third-party systems where technically feasible
- Right to Opt-Out — we honor Global Privacy Control (GPC) signals and do not discriminate against users who exercise opt-out rights
To exercise any of these rights, contact us using the information at the bottom of this page or visit our Do Not Sell or Share My Personal Information page.
GDPR — European Users
For users accessing our website from the European Union, explicit consent is required for all non-essential cookies. You have the right to withdraw consent at any time, request data portability, and request erasure of personal data. Contact us at compliance@nivanophysicians.com for GDPR requests.
Managing Your Cookie Preferences
You can control cookies and tracking technologies through the following methods:
- Browser settings — most browsers allow you to block or delete cookies through their privacy settings
- Incognito / private mode — prevents cookies from being stored beyond your session
- Opt-out mechanisms — available for specific analytics tools such as Google Analytics (via the Google Analytics Opt-out Browser Add-on)
- Contact us — to request limitation of specific tracking technologies
Note that disabling certain cookies may affect website functionality, including patient portal access.
Tracking Technology Inventory
| Technology | Type | Retention | PHI Risk | BAA |
|---|---|---|---|---|
| Nivano Session Cookies | First-party | Session only | High (portal) | N/A |
| Preference Cookies | First-party | 12 months | Low | No |
| Google Analytics 4 | Third-party | 14 months | Medium | Active |
| Microsoft Clarity | Third-party | 12 months | Medium | Active |
| Salesforce Health Cloud | Third-party | Per business need | High | Active |
Data Retention and Disposal
Analytics data is retained for a maximum of 14 months, consistent with GA4 default settings and our Data Retention Policy. Marketing data is retained for 12 months with annual consent renewal. Session and preference cookies expire as noted in the inventory above. Upon expiration or deletion request, electronic data is disposed of using cryptographic deletion or overwriting consistent with NIST SP 800-88, with certificates of destruction maintained for PHI-containing records.
Policy Updates
We will update this Cookie Policy when regulations change, new tracking technologies are deployed, vendor BAA status changes, or business practices evolve. Material changes will be communicated via email notification to registered users and a website notice posted for 30 days following the change.
Contact Information
Privacy Officer — Nivano Physicians, Inc.
2554 Millcreek Dr., Suite 100, Sacramento, CA 95833
Phone: (916) 407-2000
Email: compliance@nivanophysicians.com
Policy Review
This policy is reviewed annually and updated as needed to reflect changes in HIPAA OCR guidance, CCPA/CPRA requirements, and our vendor relationships. The next scheduled review is August 7, 2026.
This policy was last updated on March 12, 2026.