Our Privacy Statement describes our practices and management of privacy.
1. Introduction
Orion Health (“we,” “us,” or “our”) is a global company that designs and operates digital health platforms that enable secure health information exchange, system interoperability, virtual care services, and improved clinical outcomes. Orion Health is part of the HEALWELL AI Inc. group of companies. When we refer to “us”, “we” or “our” or “Orion Health” we are referring to our New Zealand parent company Orion Health Group Limited and its local subsidiary companies located in the regions we operate in.
This Privacy Policy explains how Orion Health collects, uses, discloses, retains, and protects personal information (“PI”) and personal health information (“PHI”) in connection with:
- Orion Health’s digital health platforms and products, and
- Orion Health’s public website and related communications
Orion Health is committed to protecting the personal information that is held by us.
2. Orion Health’s Role in Processing PI and PHI
In most cases, Orion Health acts as a business associate, service provider, agent, or information manager on behalf of healthcare providers, health authorities, or government ministries (each, a “custodian”). Unless explicitly stated otherwise, Orion Health does not typically act as the health information custodian for patient PHI. Where Orion Health processes patient PHI, it does so:
- Under the authority and direction of the applicable custodian
- In accordance with contractual arrangements
- In compliance with applicable privacy and health information legislation
Orion Health does not use patient PHI for independent commercial purposes and does not determine the purposes for which patient PHI is collected.
3. Orion Health’s Products and Services that Process PHI
Orion Health provides a portfolio of digital health platforms that may process PI and PHI under custodian direction. These include:
- Digital Care Record and Clinical Data Platforms – These platforms support configurable digital care records, shared care records, and consolidated patient views
- Interoperability and Integration Platforms – These systems enable standards-based health information exchange (e.g., HL7, FHIR, APIs) across providers and networks
- Care Coordination and Engagement – These platforms support secure communication, care pathways, virtual care, and patient interaction
- Analytics and Health Intelligence – These tools support governed analytics, reporting, research, and population health management, subject to custodian authorization
Each Orion Health product processes PI and PHI solely for the purposes described in this policy and under custodian authority.
4. Information we collect and how we use it
A. Information related to healthcare providers and authorized users
When healthcare providers, health system partners, or authorized users interact with Orion Health’s website, its health systems or support channels, we may collect:
- Account and contact information: Names, job titles, email addresses, and other professional contact details provided by administrators, clinicians, or support users.
- Technical and usage information: System logs, device identifiers, and website interaction data (e.g., IP address, browser type) are collected to operate, secure, and improve Orion Health’s digital platforms and support services.
- Credentials and access-control information
- Communications with Orion Health, including support requests and inquiries
- Audit trail and system activity logs
- Cookies and analytics data
Orion Health uses healthcare provider information and technical data for the following purposes:
- Provision and manage user accounts
- Authenticate users and control access
- Operate and secure Orion Health platforms
- Conduct website analytics and performance monitoring
- System support and maintenance: Using limited PI and PHI where necessary, and technical data to provide technical assistance, ensure system reliability, maintain service availability, and address product or service issues.
- Quality assurance and system improvement: Analyzing de-identified or aggregated data to monitor, maintain, and improve the performance, security, and functionality of our platforms and services.
B. Information related to patients
Orion Health collects PI or PHI directly from patients only in limited circumstances. Usually, healthcare providers or health system partners may input patient PI or PHI in Orion Health’s systems so that we may deliver services on their behalf. Patient PI and PHI processed by us may include:
- EMR PHI: PHI entered, maintained, or exchanged through Orion Health’s data-exchange platforms, including demographic details, clinical notes, diagnoses, medications, and treatment outcomes.
- Program-specific PHI: Information collected through Ontario Health Ministry-directed programs (such as smoking cessation, breastfeeding, or medical assistance in dying (MAID)), including intake details, patient interactions, and outcomes.
- Call and chat related information: Patient or consumer PHI recorded during call-center, virtual visit, or chat interactions, such as presenting issues, reported symptoms, triage details, or service outcomes.
- Identifiers and administrative data: Health card numbers or identifiers, version codes, postal codes, or other identifiers used for reporting, population-health management, or program administration.
- Longitudinal care record data aggregated across systems
All PHI processed by Orion Health is handled under the direction and authority of relevant custodians or their governing health ministries for the following purposes:
- Clinical care and coordination: Supporting digital health services such as video visits, online triage, and contact-center interactions, and enabling care teams to access accurate, up-to-date patient PI and PHI to support care delivery and coordination.
- EMR and longitudinal record management: Creating, maintaining, and facilitating access to interoperable EMRs and longitudinal health records that support continuity of care and authorized data sharing among authorized healthcare providers.
- Program-Specific Service Delivery: Supporting Ontario Health Ministry-directed healthcare programs (such as smoking cessation, breastfeeding, and medical assistance in dying (MAID)) by enabling clinicians and authorized agents to document, track, and manage patient care and outcomes.
- Public Health and Population Reporting: Producing mandatory reports for Ontario Health and the Ontario Ministry of Health, including epidemiological, immunization, and other program-specific outcomes derived from patient personal health information, as required by law.
5. Sharing of personal information
Orion Health may share the personal information we collect via our website outside our organisation for specific third-party processing. This includes:
| Platform | Description |
| --- | --- |
| HubSpot | We use HubSpot to manage customer relationships and marketing activities. Information collected through forms and cookies, such as your name, email address, company information, and website interaction data, is stored in HubSpot to facilitate communications, personalise marketing efforts, and analyse campaign performance. |
| Dealfront | We use Dealfront to enrich website visitor data. IP addresses collected via website cookies are used to de-anonymise visitors at the company level. This information is integrated with HubSpot to support marketing and sales activities. |
| NetSuite | Information submitted through forms, such as inquiries and registration details, may be transferred to NetSuite. This enables us to manage follow-ups, maintain accurate customer records, and streamline operational processes. |
| Google Ads | We use Google Ads to promote our services. Cookie and activity data, including information related to website interactions and conversions (such as form submissions), is shared with Google to measure ad performance, create audience segments, and optimise advertising campaigns. |
| LinkedIn | We use LinkedIn advertising services to promote relevant content. Cookie and interaction data is shared with LinkedIn to build advertising audiences, track ad conversions, and enhance the performance of our LinkedIn campaigns. |
| Eventbrite | When you register for one of our events via Eventbrite and its integrations within our website, the information you provide, including your name, email address, and organisation, is collected to manage event registrations and related communications. This information may also be used to facilitate post-event engagement. |
Patient related PI or PHI is disclosed only as necessary to provide contracted services and as authorized by relevant custodians. This includes the following disclosures:
- Service delivery and interoperability operations – Patient PI or PHI is accessed, used, and disclosed solely to provide contracted health IT services, including data hosting, integration, interoperability exchange, analytics and technical support. Information is exchanged with authorized healthcare providers, payers, and related entities through secure, standards-based frameworks (e.g., HL7, FHIR, APIs) to enable coordinated care, population health management, billing, and other healthcare operations in accordance with custodian instructions, applicable privacy laws and established data use agreements.
- Vendors and sub-processors – Data may be disclosed to vetted third-party service providers that support infrastructure, cloud hosting, security monitoring, analytics, or other operational functions. These providers are contractually bound to confidentiality, security, and data protection obligations consistent with applicable healthcare and privacy regulations.
- Legal, Regulatory, and Corporate Requirements – PI or PHI may be disclosed where required to comply with applicable laws, regulations, court orders, audits, or lawful government requests, and in connection with corporate transactions (e.g., merger, acquisition, restructuring), subject to appropriate safeguards and continuity of data protection obligations.
6. Artificial Intelligence and Analytics
Orion Health platforms may include analytics capabilities that support population health management, care coordination, and health system reporting. Orion Health does not use identifiable patient PHI for independent commercial AI model training unless authorized by the custodian and permitted by law. Healthcare providers remain responsible for clinical decision-making.
7. Cross-border Data Transfers
Any personal information we collect is held in our third-party marketing supplier’s database located in the EU’s Data Centre, as well as Orion Health’s internal systems hosted in New Zealand and/or the cloud-based applications we use, hosted in other countries. Provider and patient personal information will be accessed by our sales and marketing teams located in our main office in New Zealand and other Orion Health offices around the world for the purposes described in this policy. Orion Health ensures that there are adequate privacy and security arrangements in place wherever your information is accessed by way of strict privacy and security obligations in inter-company agreements and in our agreements with third parties.
8. Data Security
Orion Health actively seeks to maintain the privacy of the information under our control. To prevent unauthorised use, maintain data accuracy, and ensure the appropriate use of information, we have put in place appropriate physical, electronic, and administrative procedures to safeguard and secure the information we collect.
9. Data Retention
Orion Health retains PI and PHI for only as long as necessary to meet applicable legal, regulatory and contractual obligations. We will stop contacting individuals for marketing purposes if they ask us to, or once they no longer engage with us. From this point we may retain their information in an ‘unmarketable’ list for the purpose of ensuring we no longer contact them.
10. Children’s Information
Orion Health does not knowingly solicit, collect, or accept any information from or about children via our website. If we become aware that a person submitting personal information through any part of our website is a child, we will delete the information as soon as we discover it and will not use it for any purpose, nor will we disclose it to third parties.
Since we do not seek to collect any personal information about children, and we delete any information collected inadvertently as soon as we discover that a child has submitted it, we retain no information about children that could be reviewed or deleted. If a parent requests review or deletion of information about their child before we discover and delete it, we will honour that request.
11. Your Rights
Subject to certain limitations and depending on the applicable privacy laws, providers, patients and staff, as applicable, have rights under applicable laws to access the personal information that Orion Health holds regarding them, and have it corrected where necessary, subject to some exceptions. Depending on the country patients or providers reside in, they may also have rights to access their personal information in a portable, electronic format, a right to have their personal information erased, a right to know the third parties with whom their personal information has been shared, and/or a right to object to Orion Health processing their personal information. Individuals also have rights, under applicable laws, to lodge a complaint with the relevant data protection or privacy authorities if they believe Orion Health is not handling their personal information in accordance with the law. For any questions or concerns about Orion Health’s privacy practices or this policy, please contact our Privacy Office at privacy@orionhealth.com.
12. Changes to this Privacy Policy
This policy may be updated from time to time. The date of the most recent revisions will appear on our page. If you do not agree to these changes, please do not continue to use our website or to submit personal information to Orion Health via our website.
March 2026