Overview & Acceptance
These Terms of Use and Privacy Policy ("Terms") govern your use of the Vela Health Technologies platform ("Platform"), operated by Vela Health Technologies LLC, a Wyoming limited liability company ("Vela," "we," "us," or "our").
By accessing or using the Platform — including through an Epic MyChart portal integration — you agree to be bound by these Terms. If you do not agree, do not use the Platform.
Important: The Platform is designed exclusively for use within authorized Epic health system environments. Access is provided through health system partners who have independently authorized deployment within their Epic instance.
Data Access & Use
What data we access
With your explicit consent, the Platform accesses the following data from your Epic health record via SMART on FHIR R4 APIs:
- Patient demographics and Medicare eligibility information
- Active medication orders (for Medicare plan formulary matching)
- Provider and practitioner information (for Medicare network adequacy scoring)
- Current insurance and coverage information
- Active diagnoses (for Medicare plan scoring and matching)
How we use your data
Data accessed through the Platform is used solely to provide you with personalized Medicare Advantage plan recommendations based on your actual clinical profile. Your data is never sold, shared with third parties for marketing purposes, or used for any purpose beyond the enrollment workflow you initiate.
Data Retention: Vela does not store your clinical data after your enrollment session is complete. Patient health information is used in real time and is not retained in Vela's systems beyond the active session.
What we do not do
- We do not sell your data to any third party
- We do not use your data for advertising or marketing purposes
- We do not share your data with plan carriers beyond what is required to complete enrollment
- We do not access your data outside of an active, patient-initiated enrollment session
HIPAA Compliance
Vela Health Technologies operates as a Business Associate under HIPAA and its implementing regulations, including the HIPAA Privacy Rule (45 CFR Part 164) and Security Rule. We comply with all applicable requirements under:
All data transmissions are encrypted in transit using TLS 1.2 or higher. We maintain Business Associate Agreements with all applicable health system partners.
Patient Consent Architecture
HIPAA Authorization
A patient-directed disclosure authorization consistent with HIPAA Section 13405 and 45 CFR §164.524, authorizing Vela to access your health record data for the specific purpose of Medicare plan matching. This authorization is time-limited, purpose-specific, and revocable at any time.
CMS Scope of Appointment (SOA)
A CMS-compliant Scope of Appointment captured electronically within the MyChart interface, consistent with 42 CFR §422.2262 and 42 CFR §422.2268(g)(h). The SOA is timestamped, versioned, and stored in Vela's secure consent registry as a tamper-evident audit record.
No plan information is presented and no enrollment actions are initiated until both consent records are captured and confirmed.
CMS Regulatory Compliance
The Platform is designed and operated in full compliance with CMS Medicare Advantage marketing and enrollment regulations:
Epic FHIR Integration
The Platform integrates with Epic health systems through Epic's SMART on FHIR framework, consistent with Epic EULA §3.2, SMART Implementation Guide R1, HL7 FHIR R4, and Epic Showroom app distribution standards.
The Platform does not access Epic's backend database directly. All data access occurs through Epic's published FHIR R4 API endpoints following patient authorization. Production deployment within any Epic health system instance requires that health system's independent authorization through Epic's standard client distribution process.
Data Security
- All data in transit encrypted via TLS 1.2 or higher
- OAuth 2.0 authorization with short-lived access tokens
- No long-term storage of patient health information beyond active sessions
- Consent records stored in an encrypted, tamper-evident audit registry
- Access controls limiting data access to authorized personnel only
Data Retention
- Patient health information (EHR data): Not retained after session completion
- Consent records (HIPAA Authorization + SOA): Retained minimum 10 years per CMS requirements
- Enrollment transaction records: Retained minimum 10 years for CMS audit purposes
- Account and access logs: Retained minimum 6 years per HIPAA requirements
Your Rights
- Right to Access: You may request a copy of any data Vela holds about you
- Right to Revoke Consent: You may revoke your HIPAA authorization at any time
- Right to Opt Out: You may decline to use the Platform at any time — use is entirely voluntary
- Right to Correct: You may request correction of inaccurate data
- Right to Delete: You may request deletion of data beyond legally required retention periods
Limitation of Liability
The Platform provides Medicare Advantage plan information and enrollment assistance based on your clinical profile. Plan recommendations are generated algorithmically and do not constitute medical or financial advice. Vela is not responsible for plan benefit changes, carrier decisions, or coverage determinations made by Medicare Advantage plan carriers after enrollment.
Changes to This Policy
Vela reserves the right to update these Terms at any time. Material changes will be communicated to health system partners at least 30 days prior to taking effect. The most current version will always be available at velahealthtech.com/legal.
Contact Us
For questions about these Terms, privacy concerns, or to exercise your data rights:
Vela Health Technologies LLC
30 N. Gould Street, Suite R · Sheridan, Wyoming 82801
luke@velahealthtech.com · velahealthtech.com