Privacy that's plainly written.

This policy describes what information Focus EHR, Inc. ("Focus," "we") collects from visitors to our marketing site and customers of our service. We try to write it the way we'd want to read it.

Effective date · March 1, 2026  ·  Last updated · March 1, 2026

1. Two kinds of information

Focus operates a marketing website and a SaaS product. We collect different information for each, and they are governed by different agreements.

  • Marketing visitors — covered by this Privacy Policy.
  • Customer practices — covered by your subscription agreement and Business Associate Agreement (BAA). Patient data ("PHI") is never used for any purpose other than serving you.

2. What we collect from marketing visitors

  • Forms you submit — name, work email, practice name, specialty, provider count. Used to contact you about your inquiry.
  • Standard server logs — IP address, user agent, referrer, page viewed. Retained 90 days.
  • Privacy-respecting analytics — first-party, no fingerprinting, no cross-site tracking. Aggregate-only.
  • Cookies — strictly necessary cookies only. We do not run advertising trackers on this site.

3. What we do not do

  • We do not sell information to third parties. Ever. For any purpose.
  • We do not run advertising or remarketing pixels on this site.
  • We do not use your customer data (PHI or otherwise) to train AI models that serve other customers.
  • We do not share your information with affiliates for their marketing.

4. PHI handling (for customers)

If your practice subscribes to Focus, the patient data you and your patients enter is Protected Health Information (PHI) under HIPAA and is governed by our Business Associate Agreement.

  • PHI is encrypted at rest (AES-256) and in transit (TLS 1.3).
  • Access is restricted to authorized personnel and audit-logged.
  • We do not use PHI for any purpose outside delivering our service to you.
  • Sub-processors (listed in our trust portal) are bound by contractually equivalent terms.

See our HIPAA / BAA page for the full list of safeguards.

5. Your rights

If you are a marketing visitor, you may at any time request that we delete the information you submitted to us. Email privacy@focusehr.com. We respond within 30 days.

If you are a patient and want to exercise rights over your PHI (access, amendment, accounting of disclosures), contact your provider — they are the covered entity. We act on your provider's instructions.

If you reside in California, the EU, the UK, or another jurisdiction with specific privacy rights, those rights apply to your dealings with Focus and we will honor them.

6. Retention

  • Marketing form data — 24 months from last contact, or until you ask us to delete it.
  • Server logs — 90 days.
  • Customer PHI — governed by the BAA. By default, retained for the life of the customer relationship plus 6 years post-termination, unless you direct otherwise.

7. Security

Focus is SOC 2 Type II audited, HITRUST CSF certified, and ONC certified. We publish our trust portal at focusehr.com/security with current audit reports, sub-processors, and our security disclosure policy.

8. Changes to this policy

We will not make a material change to this policy without 30 days' email notice to active customers and a banner notice on this site. The effective date above always reflects the version in force.


Questions? Email legal@focusehr.com or write to Focus EHR, Inc., 600 Mission Street, 18th Floor, San Francisco, CA 94105.