EchoCare Logo
echocare

Echo Ambulance LLC

Privacy Policy

Effective Date: May 1, 2026 | Last Revised: May 1, 2026

Privacy Officer: Jordan Smith

1. Introduction

Echo Ambulance LLC ("Echo Ambulance," "we," "us," or "our") is a technology and services company providing an AI-powered emergency medical services dispatch platform, electronic patient care reporting system, and revenue cycle management tools. Echo Ambulance LLC is headquartered in Houston, Texas.

This Privacy Policy describes how we collect, use, share, and protect personal information and protected health information in connection with our platform, mobile application, website, and related services (collectively, the "Services").

We may update this Privacy Policy from time to time as our practices evolve or as required by law.

2. Scope and Entities Covered

This Privacy Policy applies to:

  • Echo Ambulance LLC, as platform operator and business associate under HIPAA
  • Covered entity clients operating under a Business Associate Agreement (BAA)

Covered entity clients are independently responsible for their own HIPAA compliance obligations. If you access our Services through a covered entity client, your health-related data is governed by this policy and by the applicable BAA.

Jurisdictional scope: Our Services are intended for use within the United States. We do not knowingly process personal data subject to non-U.S. privacy frameworks.

This policy is not a substitute for a covered entity's Notice of Privacy Practices under 45 CFR 164.520.

3. HIPAA Compliance and Protected Health Information

3.1 Our HIPAA Status

Echo Ambulance LLC functions as a Business Associate under HIPAA for PHI received, created, transmitted, or maintained on behalf of covered entities. We maintain administrative, physical, and technical safeguards and follow the minimum necessary standard under 45 CFR 164.502(b).

3.2 What Constitutes PHI in Our Platform

PHI may include:

  • Patient name, date of birth, address, and contact information
  • Insurance information and payer data
  • Medical history, chief complaint, vitals, and assessments
  • Diagnosis/procedure codes and medication information
  • Transport origin and destination tied to a patient
  • Billing records, claims data, and remittance information
  • Dispatch notes referencing patient condition

3.3 Business Associate Agreements

Echo Ambulance LLC enters into a BAA with each covered entity that shares PHI with us. Covered entities may audit compliance as permitted by the applicable agreement.

3.4 AI and Machine Learning Use of Data

AI/ML components may process PHI in identifiable form for real-time operations such as dispatch optimization, routing, unit assignment, and ePCR generation.

  • Inference and operational processing occur in secured infrastructure and are subject to HIPAA safeguards.
  • Model training and improvement use de-identified and aggregated data, with de-identification aligned to HIPAA Safe Harbor principles (45 CFR 164.514(b)(2)).
  • Any third-party AI/ML provider receiving PHI must execute a BAA before processing.

4. Information We Collect

4.1 Information You Provide Directly

  • Name, role, employer, work email, and work phone
  • Credentials and access permissions in the platform
  • Dispatch details and patient information entered into the system
  • Billing and insurance information for claims processing
  • Support requests, communications, and feedback

4.2 Information Collected Automatically

  • Device identifiers and app version
  • IP address and approximate geographic region
  • Browser and operating system information
  • Log data, access times, error events, and session duration

4.2.1 Cookies and Tracking Technologies

  • Essential cookies for authentication, sessions, and security
  • New Relic for mobile diagnostics (no PHI or personal data transmitted)
  • No advertising cookies, tracking pixels, or cross-site behavioral tracking

4.3 Location Data (Mobile Application)

Real-time GPS data may be collected from dispatch personnel and field crews to support dispatch, routing, ETA calculations, compliance documentation, and audit trails. Background location, if enabled, requires explicit permission.

4.4 Information from Third Parties

  • Healthcare systems and integrations
  • Insurance verification and benefits services
  • Billing clearinghouses and remittance processors
  • Identity verification and credentialing services

4.5 Workforce and Platform User Data

For workforce users (e.g., crews, dispatchers, billing staff), we may collect login activity, credentials, GPS location (as applicable), session logs, and performance data for operations, security, compliance, and quality improvement.

5. How We Use Your Information

  • Operate and improve the platform and mobile application
  • Process dispatch requests and coordinate EMS transport
  • Generate and submit ePCR and transport documentation
  • Support claims processing and revenue cycle workflows
  • Verify insurance eligibility and benefits
  • Authenticate users and maintain platform security
  • Send operational notifications and system communications
  • Diagnose issues and improve platform performance
  • Comply with legal, regulatory, and contractual obligations

We do not sell personal information or PHI. We do not use PHI for marketing or advertising.

6. How We Share Information

6.1 Affiliated Entities

We may share information with affiliated entities under common ownership for operational and administrative purposes, subject to HIPAA and contractual safeguards.

6.2 Service Providers and Subprocessors

We engage service providers for functions such as:

  • Cloud infrastructure and hosting
  • Claims and billing workflows
  • Insurance eligibility verification
  • AI and machine learning processing (if applicable)
  • Communications, notifications, and support
  • Analytics and performance monitoring

Subprocessors handling PHI must execute a BAA before processing. A current subprocessor list is available upon written request.

6.3 Covered Entity Clients

PHI submitted on behalf of covered entities is accessible to those clients and processed only as permitted by the applicable BAA.

6.4 Legal and Compliance Disclosures

We may disclose information when required by law, including for court orders, subpoenas, law enforcement requests, or regulatory inquiries.

6.5 Business Transfers

Information may be transferred during mergers, acquisitions, or asset sales, with notice prior to material policy changes.

7. Mobile Application Specific Disclosures

  • Camera access may be requested for documentation tasks such as scanning and photo capture.
  • Push notifications may be used for dispatch assignments, transport updates, and system alerts.
  • Dispatch and ePCR data may be cached locally during active dispatch and cleared when dispatch closes or a new user logs in.
  • Only permissions necessary for core app functions are requested (location, optional camera, notifications).

8. Your Rights and Choices

8.1 HIPAA Patient Rights

Patients retain rights under HIPAA (including access, amendment, and accounting of disclosures). Requests should be submitted through the covered entity responsible for the record.

8.2 Platform User Rights

Registered platform users may request access, correction, deletion, and communication preferences.

8.3 Texas Data Privacy and Security Act (TDPSA) Rights

Texas residents may have additional rights regarding access, correction, deletion, portability, and opt-out options for certain data processing activities. PHI subject to HIPAA is exempt from TDPSA.

9. Security of Your Information

Our information security program includes:

  • Encryption in transit (TLS 1.2+) and at rest
  • Role-based access controls
  • Multi-factor authentication for platform access
  • HIPAA workforce training and incident response procedures
  • Regular assessments, vulnerability management, and penetration testing

Data residency: Data is stored in the United States on Amazon Web Services (AWS) infrastructure. AWS region available upon request.

Security incident reporting: Contact security@echoambulance.com. We acknowledge reports within 4 hours and provide a substantive response within 24 hours.

9.1 Breach Notification

In the event of a breach of unsecured PHI, we notify affected covered entities without unreasonable delay and no later than 30 calendar days after discovery, in accordance with HIPAA requirements and applicable BAAs.

10. Data Retention

  • Active account data: retained for the customer relationship duration
  • PHI and ePCR records: minimum 6 years (or longer if required by law)
  • Billing and claims records: minimum 7 years
  • Dispatch and operational logs with PHI: minimum 6 years
  • De-identified and aggregated data: may be retained indefinitely

11. Children

Our Services are not directed to children and are intended for licensed EMS and healthcare professionals and administrative users. We do not knowingly collect personal information from children under 13.

12. Contact Information

For privacy requests, questions, or concerns:

Privacy and Compliance
Echo Ambulance LLC
12335 Kingsride Lane, Unit 335, Houston, TX 77024

For HIPAA-specific inquiries or BAA requests: privacy@echoambulance.com

For security incidents: security@echoambulance.com

13. Updates to This Privacy Policy

We may update this policy to reflect changes in practices, technology, legal requirements, or other factors. For material changes, we update the Effective Date and provide notice to users.

Last updated: May 1, 2026