PRIVACY POLICY

TERMS AND CONDITIONS 

Last Updated: 2/23/2026 

1. INTRODUCTION AND ACCEPTANCE 

Welcome to Club Northwest ("Company," "we," "us," or "our"). These Terms and Conditions ("Terms") govern your access to and use of our medical records management services, including our website, mobile applications, and any other services we provide (collectively, the "Services"). 

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by these Terms. If you are using the Services on behalf of an organization, you represent and warrant that you have the authority to bind that organization to these Terms. 

If you do not agree to these Terms, you must not access or use our Services. We reserve the right to modify these Terms at any time. Your continued use of the Services following any changes constitutes your acceptance of such changes. 

2. DEFINITIONS 

For the purposes of these Terms: 

"Authorized User" means any individual authorized by a healthcare provider, patient, or their legal representative to access the Services. 

"Business Associate" has the meaning set forth in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations. 

"Covered Entity" has the meaning set forth in HIPAA and its implementing regulations. 

"Healthcare Provider" means any healthcare professional, facility, or organization that uses our Services to manage patient medical records. 

"Medical Records" means any information relating to the past, present, or future physical or mental health of an individual, including but not limited to diagnoses, treatment plans, prescriptions, test results, and clinical notes. 

"Patient" means any individual whose Medical Records are stored, processed, or transmitted through our Services. 

"Personal Data" means any information relating to an identified or identifiable natural person, including Protected Health Information. 

"Protected Health Information" or "PHI" has the meaning set forth in HIPAA and includes any individually identifiable health information transmitted or maintained in any form or medium. 

 

3. DESCRIPTION OF SERVICES 

Our Services include, but are not limited to: (a) secure storage and management of electronic medical records; (b) transmission of medical records between authorized parties; (c) patient portal access for viewing and managing personal health information; (d) integration services with electronic health record (EHR) systems; (e) analytics and reporting tools for healthcare providers; and (f) compliance management tools for healthcare regulations. 

We reserve the right to modify, suspend, or discontinue any aspect of the Services at any time, with or without notice. We shall not be liable to you or any third party for any modification, suspension, or discontinuation of the Services. 

4. USER ACCOUNTS AND REGISTRATION 

4.1 Account Creation 

To access certain features of our Services, you must create an account. You agree to provide accurate, current, and complete information during registration and to update such information as necessary to maintain its accuracy. 

4.2 Account Security 

You are responsible for maintaining the confidentiality of your account credentials and for all activities that occur under your account. You agree to: (a) use strong, unique passwords; (b) enable multi-factor authentication when available; (c) notify us immediately of any unauthorized access or suspected security breach; and (d) log out of your account at the end of each session, especially when using shared or public devices. 

4.3 Account Termination 

We reserve the right to suspend or terminate your account at any time for any reason, including but not limited to: (a) violation of these Terms; (b) requests by law enforcement or government agencies; (c) extended periods of inactivity; (d) unexpected technical or security issues; or (e) engagement in fraudulent or illegal activities. 

5. ACCEPTABLE USE POLICY 

You agree to use the Services only for lawful purposes and in accordance with these Terms. You agree not to: (a) use the Services to store, transmit, or process any information in violation of applicable laws or regulations; (b) attempt to gain unauthorized access to any part of the Services or any other systems or networks connected to the Services; (c) use the Services to transmit any viruses, malware, or other malicious code; (d) interfere with or disrupt the integrity or performance of the Services; (e) use the Services to collect, harvest, or compile information about other users without their consent; (f) impersonate any person or entity or misrepresent your affiliation with any person or entity; or (g) use the Services for any purpose that is not expressly authorized by these Terms. 

6. HIPAA COMPLIANCE AND BUSINESS ASSOCIATE AGREEMENT 

6.1 Business Associate Status 

When we provide Services to a Covered Entity that involve the creation, receipt, maintenance, or transmission of PHI, we act as a Business Associate as defined under HIPAA. Our use and disclosure of PHI is governed by the Business Associate Agreement ("BAA") that we enter into with each Covered Entity. 

6.2 HIPAA Security Measures 

We implement administrative, physical, and technical safeguards to protect PHI in accordance with the HIPAA Security Rule, including: (a) encryption of PHI at rest and in transit; (b) access controls and audit logging; (c) regular security assessments and penetration testing; (d) workforce training on privacy and security; and (e) incident response and breach notification procedures. 

6.3 Breach Notification 

In the event of a breach of unsecured PHI, we will notify affected Covered Entities without unreasonable delay and in no case later than 60 days after discovery of the breach, as required by the HIPAA Breach Notification Rule. 

7. 21ST CENTURY CURES ACT AND INFORMATION BLOCKING 

We are committed to compliance with the 21st Century Cures Act and the Office of the National Coordinator for Health Information Technology (ONC) Information Blocking Rule. We do not engage in practices that interfere with, prevent, or materially discourage access, exchange, or use of electronic health information, except as permitted by law. 

Healthcare Providers using our Services are responsible for ensuring that their use of the Services does not constitute information blocking. We provide tools and features to facilitate the sharing of electronic health information in accordance with applicable regulations. 

 

8. UNITED STATES STATE-SPECIFIC REQUIREMENTS 

In addition to federal requirements, we comply with state-specific laws and regulations regarding medical records and health information privacy. If you have any questions about state-specific laws, or to exercise state-specific rights, contact us at welltogether@clubnw.com. The following provisions apply to users and data subjects in the respective states:

8.1 California 

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) 

California residents have specific rights under the CCPA and CPRA, including the right to know what personal information is collected, the right to delete personal information, the right to opt out of the sale or sharing of personal information, and the right to non-discrimination for exercising privacy rights. Note that medical information protected under HIPAA or the Confidentiality of Medical Information Act (CMIA) may be exempt from certain CCPA/CPRA requirements.

Confidentiality of Medical Information Act (CMIA) 

We comply with the CMIA, which provides additional protections for medical information beyond HIPAA. We will not disclose medical information without written authorization except as permitted by law. Patients have the right to receive a copy of their medical records within 15 days of a written request. 

8.2 Colorado 

The Colorado Privacy Act (CPA) grants Colorado residents rights including access to personal data, correction of inaccuracies, deletion of personal data, data portability, and the right to opt out of targeted advertising and sale of personal data. We honor these rights for Colorado residents, subject to applicable exemptions for HIPAA-covered data. 

8.3 Connecticut 

The Connecticut Data Privacy Act (CTDPA) provides Connecticut consumers with rights to access, correct, delete, and obtain a copy of their personal data, as well as to opt out of data sales and targeted advertising. Connecticut law also includes specific protections for mental health records requiring patient consent for disclosure. 

8.4 Delaware 

The Delaware Personal Data Privacy Act grants Delaware residents rights to access, correct, delete, and obtain their personal data, and to opt out of targeted advertising, sales of personal data, and profiling. Delaware law requires that healthcare facilities maintain medical records for at least seven years. 

8.5 Florida 

Under Florida law, patients have a constitutional right to privacy. The Florida Statutes require healthcare providers to maintain medical records for at least five years after the last patient contact for adults and for at least five years after the patient reaches age 18 for minors. Florida law requires patient authorization for disclosure of HIV/AIDS-related information. 

8.6 Indiana 

The Indiana Consumer Data Protection Act provides Indiana residents with rights to confirm processing of their data, access and correct inaccuracies, delete personal data, and obtain a portable copy. Indiana law requires medical records to be retained for at least seven years. 

8.7 Iowa 

The Iowa Consumer Data Protection Act grants Iowa consumers rights to access, delete, and obtain a copy of their personal data, and to opt out of sales and targeted advertising. Iowa has specific requirements for mental health records requiring written consent for disclosure. 

8.8 Kentucky 

The Kentucky Consumer Data Protection Act provides rights to access, correct, delete, and obtain personal data, and to opt out of targeted advertising and sales. Kentucky requires healthcare facilities to maintain medical records for at least five years after the last date of service. 

8.9 Maryland 

The Maryland Online Data Privacy Act provides Maryland residents with comprehensive privacy rights. Maryland's Confidentiality of Medical Records Act (MCMRA) provides additional protections, requiring healthcare providers to obtain patient authorization before disclosing medical records except as permitted by law. Maryland requires medical records to be maintained for at least five years. 

8.10 Minnesota 

The Minnesota Consumer Data Privacy Act grants rights to access, correct, and delete personal data, obtain portable copies, and opt out of targeted advertising and sales. Minnesota's Health Records Act provides additional protections requiring written consent for disclosure of health records. 

8.11 Montana 

The Montana Consumer Data Privacy Act provides Montana consumers with rights to access, correct, delete, and obtain their personal data, and to opt out of targeted advertising, sales, and profiling. Montana law provides constitutional privacy protections. 

8.12 Nebraska 

The Nebraska Data Privacy Act grants Nebraska residents rights to access, correct, delete, and obtain their personal data. Nebraska requires healthcare providers to maintain medical records for at least ten years after the last date of service. 

8.13 New Hampshire 

The New Hampshire Privacy Act provides residents with rights to access, correct, and delete personal data, obtain portable copies, and opt out of targeted advertising and sales. New Hampshire has specific protections for mental health records. 

8.14 New Jersey 

The New Jersey Data Privacy Act provides comprehensive privacy rights including access, correction, deletion, and portability. New Jersey requires healthcare providers to maintain medical records for at least seven years after the last treatment date for adults and until age 23 for minors. 

8.15 New York 

New York's SHIELD Act requires reasonable security safeguards for private information of New York residents. The state's Public Health Law requires medical records to be retained for at least six years from discharge or, for minors, until age 19 (or age 21 if later). New York Mental Hygiene Law provides additional protections for mental health records. 

8.16 Oregon 

The Oregon Consumer Privacy Act grants Oregon residents rights to access, correct, delete, and obtain their personal data, and to opt out of targeted advertising, sales, and profiling. Oregon has specific requirements for HIV/AIDS information disclosure. 

8.17 Rhode Island 

The Rhode Island Data Transparency and Privacy Protection Act provides privacy rights for Rhode Island residents. Rhode Island's Confidentiality of Health Care Communications and Information Act provides additional protections for health information. 

8.18 Tennessee 

The Tennessee Information Protection Act provides Tennessee residents with rights to access, correct, and delete personal data, and to opt out of sales and targeted advertising. Tennessee requires medical records to be maintained for at least ten years after the last date of treatment. 

8.19 Texas 

The Texas Data Privacy and Security Act provides comprehensive privacy rights including access, correction, deletion, and portability. The Texas Medical Records Privacy Act provides additional protections requiring authorization for disclosure of protected health information. Texas requires medical records to be maintained for at least seven years.

8.20 Utah 

The Utah Consumer Privacy Act provides Utah consumers with rights to access, delete, and obtain their data, and to opt out of sales and targeted advertising. Utah's Health Data Authority establishes requirements for health information exchange. 

8.21 Virginia 

The Virginia Consumer Data Protection Act (VCDPA) provides Virginia residents with rights to access, correct, delete, and obtain personal data, and to opt out of targeted advertising, sales, and profiling. Virginia law requires medical records to be maintained for at least six years after the last date of service. 

8.22 Other States 

For residents of states not specifically listed above, we comply with all applicable state laws regarding medical records privacy and data protection. Many states have specific requirements for medical record retention (typically ranging from five to ten years), mental health record protections, HIV/AIDS confidentiality, and substance abuse treatment records. We will honor any additional rights provided under your state's laws. 

 

9. INTERNATIONAL DATA PROTECTION COMPLIANCE 

9.1 European Union - General Data Protection Regulation (GDPR) 

For individuals located in the European Economic Area (EEA), we process personal data in accordance with the GDPR. Health data constitutes a special category of personal data under Article 9 of the GDPR, and we only process such data where we have a valid legal basis, such as explicit consent, necessity for medical diagnosis or treatment, or substantial public interest. 

Your GDPR Rights: You have the right to: (a) access your personal data; (b) rectify inaccurate personal data; (c) erasure of personal data ("right to be forgotten"); (d) restrict processing of personal data; (e) data portability; (f) object to processing; and (g) not be subject to automated decision-making, including profiling. To exercise these rights, contact us at welltogether@clubnw.com. 

International Data Transfers: When we transfer personal data outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses approved by the European Commission, adequacy decisions, or your explicit consent. You may request a copy of the safeguards we use by contacting us. 

Data Retention: We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. For health data, retention periods are determined by applicable medical records laws. 

Supervisory Authority: You have the right to lodge a complaint with a supervisory authority in your Member State of residence, place of work, or place of the alleged infringement if you believe our processing of your personal data violates the GDPR. 

9.2 United Kingdom - UK GDPR and Data Protection Act 2018 

For individuals located in the United Kingdom, we process personal data in accordance with the UK GDPR (as incorporated into UK law by the European Union (Withdrawal) Act 2018) and the Data Protection Act 2018. 

Your UK Data Protection Rights: UK residents have the same rights as described for the GDPR above, including the rights of access, rectification, erasure, restriction, portability, and objection. 

International Data Transfers: For transfers of personal data from the UK to countries outside the UK, we rely on the UK's adequacy regulations, the International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or other appropriate safeguards. 

NHS and Health Service Data: Where we process data on behalf of NHS organizations or other UK health services, we comply with the Common Law Duty of Confidentiality, the NHS Code of Practice on Confidential Information, and Caldicott Principles. 

Supervisory Authority: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe our processing of your personal data violates UK data protection law. 

9.3 Canada - PIPEDA and Provincial Health Privacy Laws 

Federal Requirements (PIPEDA): For individuals located in Canada, we process personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA). We collect, use, and disclose personal health information only with knowledge and consent, except as permitted by law. You have the right to access your personal information, challenge its accuracy, and withdraw consent to its collection, use, or disclosure. 

Provincial Health Privacy Laws 

Alberta: The Health Information Act (HIA) governs the collection, use, and disclosure of health information by health custodians. Individuals have the right to access their health information and request corrections. 

British Columbia: The Personal Information Protection Act (PIPA) and the E-Health (Personal Health Information Access and Protection of Privacy) Act govern health information privacy. 

Manitoba: The Personal Health Information Act (PHIA) governs the collection, use, disclosure, and security of personal health information. 

New Brunswick: The Personal Health Information Privacy and Access Act (PHIPAA) establishes rules for the protection of personal health information. 

Newfoundland and Labrador: The Personal Health Information Act (PHIA) governs personal health information in the province. 

Nova Scotia: The Personal Health Information Act (PHIA) sets out requirements for the collection, use, and disclosure of personal health information. 

Ontario: The Personal Health Information Protection Act (PHIPA) establishes rules for the collection, use, and disclosure of personal health information by health information custodians. 

Quebec: Law 25 (formerly Bill 64) and the Act Respecting the Protection of Personal Information in the Private Sector provide comprehensive privacy protections. The Act Respecting Health Services and Social Services contains additional protections for health records. 

Saskatchewan: The Health Information Protection Act (HIPA) governs the collection, use, disclosure, and protection of personal health information. 

Canadian Data Retention: We retain personal health information in accordance with applicable federal and provincial requirements. Most provinces require medical records to be retained for at least ten years after the last entry or until a specified period after the patient reaches the age of majority. 

 

10. INTELLECTUAL PROPERTY RIGHTS 

All intellectual property rights in the Services, including but not limited to software, text, graphics, logos, icons, images, and audio clips, are owned by us or our licensors. Nothing in these Terms grants you any right, title, or interest in the Services except for the limited right to use the Services in accordance with these Terms. 

You retain ownership of any Medical Records and other content you submit through the Services. By submitting content, you grant us a limited license to store, process, and transmit such content solely for the purpose of providing the Services. 

11. DISCLAIMERS AND LIMITATION OF LIABILITY 

11.1 No Medical Advice 

THE SERVICES ARE NOT INTENDED TO PROVIDE MEDICAL ADVICE, DIAGNOSIS, OR TREATMENT. THE SERVICES ARE FOR INFORMATIONAL AND RECORD-KEEPING PURPOSES ONLY. ALWAYS SEEK THE ADVICE OF A QUALIFIED HEALTHCARE PROVIDER WITH ANY QUESTIONS YOU MAY HAVE REGARDING A MEDICAL CONDITION. 

11.2 Disclaimer of Warranties 

THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. WE DO NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR COMPLETELY SECURE. 

11.3 Limitation of Liability 

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL WE BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS OR REVENUES, WHETHER INCURRED DIRECTLY OR INDIRECTLY, OR ANY LOSS OF DATA, USE, GOODWILL, OR OTHER INTANGIBLE LOSSES, RESULTING FROM: (A) YOUR ACCESS TO OR USE OF OR INABILITY TO ACCESS OR USE THE SERVICES; (B) ANY UNAUTHORIZED ACCESS TO OR USE OF OUR SERVERS OR ANY PERSONAL INFORMATION STORED THEREIN; (C) ANY INTERRUPTION OR CESSATION OF TRANSMISSION TO OR FROM THE SERVICES; OR (D) ANY BUGS, VIRUSES, OR OTHER HARMFUL CODE THAT MAY BE TRANSMITTED THROUGH THE SERVICES. 

OUR TOTAL LIABILITY FOR ANY CLAIMS UNDER THESE TERMS SHALL NOT EXCEED THE AMOUNT YOU HAVE PAID US IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM. 

 

12. INDEMNIFICATION 

You agree to indemnify, defend, and hold harmless the Company and its officers, directors, employees, agents, and affiliates from and against any and all claims, damages, losses, costs, and expenses (including reasonable attorneys' fees) arising from or related to: (a) your use of the Services; (b) your violation of these Terms; (c) your violation of any applicable law or regulation; or (d) your violation of any third-party rights, including intellectual property rights or privacy rights. 

13. DISPUTE RESOLUTION 

13.1 Governing Law 

These Terms shall be governed by and construed in accordance with the laws of the State of Oregon, United States, without regard to its conflict of law provisions. However, where mandatory local laws apply to users in other jurisdictions (such as consumer protection laws in the EU, UK, or Canada), those laws shall also apply to the extent required. 

13.2 Arbitration Agreement 

For users in jurisdictions where arbitration agreements are enforceable, you agree that any dispute, claim, or controversy arising out of or relating to these Terms or the Services shall be resolved by binding arbitration administered by the American Arbitration Association in accordance with its Commercial Arbitration Rules. The arbitration shall be conducted in Grants Pass, Oregon. Each party shall bear its own costs. This arbitration agreement shall not apply to users in jurisdictions where such agreements are not permitted by law. 

13.3 Class Action Waiver 

To the extent permitted by applicable law, you agree that any arbitration or court proceeding shall be conducted on an individual basis and not as a class action, collective action, or representative action. If this class action waiver is found unenforceable, the entire arbitration agreement shall be void. 

13.4 EU/UK/Canada Users 

Users in the European Union, United Kingdom, or Canada may have the right to bring claims in their local courts. Nothing in these Terms shall deprive such users of any mandatory consumer protection rights under applicable law. EU residents may also bring claims before the European Commission's Online Dispute Resolution platform at ec.europa.eu/consumers/odr. 

14. FORCE MAJEURE 

We shall not be liable for any failure or delay in performing our obligations under these Terms where such failure or delay results from circumstances beyond our reasonable control, including but not limited to natural disasters, war, terrorism, riots, embargoes, acts of civil or military authorities, fire, floods, accidents, pandemics, strikes, or shortages of transportation, facilities, fuel, energy, labor, or materials. 

15. SEVERABILITY 

If any provision of these Terms is found to be invalid or unenforceable by a court of competent jurisdiction, such provision shall be modified to the minimum extent necessary to make it valid and enforceable, or if modification is not possible, severed from these Terms. The remaining provisions shall continue in full force and effect. 

16. ENTIRE AGREEMENT 

These Terms, together with any Business Associate Agreement, Privacy Policy, and any other agreements expressly incorporated by reference, constitute the entire agreement between you and the Company regarding the Services and supersede all prior agreements and understandings, whether written or oral. 

17. CONTACT INFORMATION 

If you have any questions about these Terms, please contact us at: 

Club Northwest 

2160 NW Vine Street, Grants Pass, Oregon 97526 

Email: welltogether@clubnw.com 

Phone: 541-955-2582 

General Manager: Cassie Robinson