Privacy Policy

Effective date: May 25, 2026  ·  Last updated: May 25, 2026

1. Overview & Scope

Asheville Home Health Inc., a North Carolina corporation that provides the LEMR platform ("LEMR," "we," "us," or "our"), offers a software platform that home health and home care agencies use to manage clinical documentation, billing, scheduling, payroll, compliance, and patient engagement. This Privacy Policy explains what information we collect through the LEMR web application at our website and the LEMR mobile applications for iPhone and Android (together, the "Services"), how we use and share that information, and the choices available to you.

This policy applies to: agency administrators and clinical staff who use LEMR on behalf of their agency; patients and authorized family members who use the LEMR patient portal; and visitors to our marketing website. By using the Services, you acknowledge the practices described here.

2. Our Two Roles: Service Provider and Business Associate

LEMR handles information in two distinct capacities:

• As a software service provider to subscribing agencies, for account, agency, staff, and operational information.
• As a "business associate" under the U.S. Health Insurance Portability and Accountability Act (HIPAA), with respect to protected health information ("PHI") about patients. Each subscribing agency is the "covered entity" and controls that PHI. LEMR processes PHI only on the agency's behalf and only as permitted by our Business Associate Agreement (BAA) with that agency.

If you are a patient, the agency providing your care — not LEMR — determines what information is entered about you and how it is used to deliver care. Direct requests about your health record to your agency.

3. Information We Collect

a. Account & Agency Information

When an agency subscribes and when staff accounts are created, we collect names, work email addresses, phone numbers, job titles, professional roles and disciplines, professional license and credential information, agency name and address, and authentication credentials. For payroll features, agencies may enter staff compensation and tax-related information.

b. Patient Information (Protected Health Information)

Agency staff enter and store patient information needed to deliver and document care. Depending on how an agency uses LEMR, this may include patient names and contact details, dates of birth, demographic information, insurance and payer details, diagnoses and clinical assessments (including OASIS data), medications, plans of care, visit notes, wound photographs, signatures, and billing and claim records. This information is PHI and is handled under the applicable agency's BAA.

c. Information From Your Device

The mobile apps may, with your permission, access device features to provide the Services — including the camera and photo library (to capture and attach clinical photos such as wound images), location (to verify that a visit took place at the patient's home), and the microphone (for voice-to-text documentation). Push notification tokens are collected to deliver alerts. See Section 6 for detail.

d. Technical & Usage Information

We automatically collect limited technical information needed to operate and secure the Services, such as device and browser type, operating system, app version, IP address, log and audit records of actions taken in the platform, timestamps, and diagnostic and error data.

e. Information From the Marketing Website

When you submit a demo request or contact form, we collect the information you provide (such as agency name, your name, email, phone, state, and message). Our website does not use third-party advertising trackers.

4. How We Use Information

We use the information described above to:

• Provide, operate, maintain, and secure the Services;
• Authenticate users and enforce role-based access and scope-of-practice controls;
• Enable clinical documentation, scheduling, billing, payroll, compliance reporting, and patient-portal functionality;
• Generate AI-assisted features — such as patient summaries, schedule drafts, and patient-education materials — on HIPAA-eligible infrastructure;
• Maintain audit logs and support security monitoring and incident response;
• Provide customer support, onboarding, and training;
• Communicate with you about the Services, including service and security notices;
• Respond to demo and sales inquiries; and
• Comply with legal obligations and enforce our agreements.

We do not sell personal information, we do not use PHI for advertising, and we do not use patient data to train third-party foundation models.

5. How We Share Information

We share information only as needed to provide the Services and as described here:

• Within your agency. Information is visible to authorized users of the same agency according to their roles. Agencies are isolated from one another; one agency cannot see another agency's data.
• Service providers (subprocessors). We use trusted infrastructure and service providers to operate LEMR — including Google Cloud Platform and Firebase (application hosting, database, authentication, storage, and Vertex AI) and Stripe (payment processing for patient invoices). These providers process data on our behalf under contractual confidentiality and security obligations, and our infrastructure providers operate under their own BAAs where PHI is involved.
• At your agency's direction. The Services let agencies generate files and transactions — such as claims, EVV records, and signature requests — that the agency chooses to transmit to payers, clearinghouses, physicians, or government systems.
• Legal & safety. We may disclose information if required by law, subpoena, or legal process, or to protect the rights, safety, and security of LEMR, our customers, or the public.
• Business transfers. If LEMR is involved in a merger, acquisition, or sale of assets, information may be transferred as part of that transaction, subject to this policy and applicable law.

We do not share personal information with third parties for their own marketing purposes.

6. Mobile App Permissions

The LEMR iPhone and Android apps request the following device permissions. Each is optional, requested in context, and used only for the stated purpose. You can grant or revoke permissions at any time in your device settings; some features will not function without the related permission.

• Camera — to photograph clinical findings, such as wounds, and attach them to documentation.
• Photo library — to attach an existing image to a patient record.
• Location — to verify visits (Electronic Visit Verification) by recording that a visit occurred at the patient's location at clock-in and clock-out. Location is used while the app is in use; LEMR does not track location continuously in the background.
• Microphone & speech recognition — to support voice-to-text dictation of clinical notes.
• Notifications — to deliver alerts such as schedule changes, license-expiry reminders, and messages.
• Biometrics (Face ID / Touch ID) — if you enable biometric sign-in, your device's secure hardware is used to unlock a stored credential. LEMR does not receive or store your biometric data.

7. Data Retention

We retain agency and patient information for as long as the agency maintains an active subscription, and afterward as needed to meet the agency's legal, regulatory, and recordkeeping obligations — medical and billing records are subject to retention periods set by law. Retention and post-termination handling of PHI are governed by the agency's BAA. We retain marketing-inquiry information only as long as needed for the related purpose. When information is no longer required, we delete or de-identify it. See our Account & Data Deletion page for how to request deletion.

8. How We Protect Information

We use administrative, physical, and technical safeguards designed to protect information, including encryption of data in transit and at rest, role-based access controls, automatic session timeouts, a mobile background-lock, audit logging, and strict tenant isolation. No method of transmission or storage is completely secure, but we work continuously to protect the information entrusted to us. Learn more on our Security page.

9. Your Rights & Choices

Agency staff users: you may review and update your account profile within the app. Your agency administrator manages account creation, roles, and deactivation.

Patients: requests to access, amend, or restrict your health record are handled by the agency providing your care, consistent with HIPAA and the agency's Notice of Privacy Practices. Please contact your agency directly.

Account & data deletion: you can request deletion of an account and associated data as described on our Account & Data Deletion page. Some information must be retained where required by law or by the agency's recordkeeping obligations.

Communications: you may opt out of non-essential marketing emails using the unsubscribe link; essential service and security notices will still be sent.

Depending on where you live, you may have additional rights over your personal information under applicable state privacy laws. To exercise any right, contact us using the details below; we may need to verify your identity, and certain requests about PHI will be directed to the relevant agency.

10. HIPAA Notice

With respect to PHI, LEMR acts as a business associate of each subscribing agency. We use and disclose PHI only as permitted by our BAA with the agency and by the HIPAA Rules. We maintain safeguards for PHI and a documented breach-notification procedure, and we will notify the affected agency without unreasonable delay in the event of a breach of unsecured PHI so the agency can meet its own obligations. This Privacy Policy does not replace the Notice of Privacy Practices that your home health or home care agency provides to its patients.

11. Children's Privacy

The Services are intended for use by home health and home care agency professionals and by adult patients or their authorized representatives. The Services are not directed to children, and we do not knowingly allow anyone under 18 to create an account. Agencies that provide pediatric care may, as covered entities, maintain records about minor patients within the platform; that information is PHI handled under the agency's BAA and direction. If you believe a child has created an account with us directly, please contact us so we can address it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will revise the "Last updated" date above and, where appropriate, provide additional notice through the Services. Your continued use of the Services after an update means you accept the revised policy.

13. Contact Us

For questions about this Privacy Policy or our privacy practices, contact us at:

Asheville Home Health Inc.
Email: info@lemrsystems.com
Support: support@lemrsystems.com
Mailing address: 5 Doctors Park, Suite D, Asheville, NC 28801