Toyon Associates, Inc. Privacy Statement
Latest revision: May 14, 2026
Toyon Associates, Inc. (“Toyon,” “we,” “us,” or “our”) provides a website (the “Website”) and web applications (the “App”) that allow our healthcare-provider clients and other users to receive industry updates, review Medicare and Medicaid reimbursement analyses, transfer data securely, automate the preparation of Medicare and Medicaid cost reports, and access related services.
This Privacy Statement explains how we collect, use, share, retain, and protect personal information when you use the Website or the App, the choices you have, and how to contact us with questions or to exercise your rights. It applies to the Website and the App owned and operated by Toyon.
“Personal information” means information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. Information that has been deidentified or aggregated is not personal information and is not covered by this Privacy Statement.
Protected Health Information (“PHI”) that Toyon processes on behalf of a covered-entity client is governed by the applicable Business Associate Agreement between Toyon and that client, the Health Insurance Portability and Accountability Act (HIPAA), and the HITECH Act — not by this Privacy Statement. See Section 6 below.
2. Security
Toyon maintains a layered information security program designed to protect personal information against loss, misuse, unauthorized access, alteration, or disclosure both during transmission and once received. Our controls include, at a minimum:
Encryption of personal information in transit using current Transport Layer Security (TLS) protocols and at rest using AES-256 or stronger algorithms.
Role-based access controls, multi-factor authentication, and periodic access reviews.
Network segmentation, vulnerability scanning, hardened operating system baselines, malware protection, and centralized logging and monitoring.
A Secure Software Development Lifecycle that segregates production, test, and development environments and applies secure-by-design and privacy-by-design principles, including least privilege, defense in depth, secure defaults, and code review.
A documented Incident Response Plan and Incident Notification Procedure for detecting, containing, investigating, and notifying affected parties of security incidents in accordance with applicable law and our contractual commitments.
Vendor due diligence and written contractual security and privacy requirements for service providers that handle Toyon information.
Toyon’s controls have been independently examined under the AICPA Trust Services Criteria, and Toyon holds a current SOC 2 Type 2 report. Clients and prospective clients may request access to the most recent report, along with other security documentation, through Toyon's Trust Center (available at https://trust.toyonassociates.com) subject to appropriate confidentiality terms.
Despite these measures, no method of transmitting or storing electronic information is perfectly secure, and we cannot guarantee the absolute security of any communication or material transmitted to or from us via the Internet.
3. Changes to this Privacy Statement
Toyon may update this Privacy Statement from time to time to reflect changes in our practices, the services we provide, or applicable law. The “Last Updated” date at the top of this Privacy Statement indicates when it was most recently revised. Any revised Privacy Statement applies both to information we already hold about you at the time of the change and to personal information we collect afterward. Where the change is material, we will provide notice through the Website or the App and where required by law we will obtain your consent. We encourage you to review this Privacy Statement periodically.
4. Website and App Visitor Data
We use third-party analytics services, including Google Analytics, to understand how visitors interact with the Website and the App so we can improve our content, performance, and user experience. These services collect limited identifiers, including a truncated Internet Protocol (IP) address, device and browser characteristics, and pseudonymous session identifiers, and they generate aggregated reports about site activity. We do not use this information to identify individual visitors, and we do not combine it with directly identifying information except as described in Section 5.
You can review Google’s privacy practices at https://policies.google.com/privacy, and you can opt out of Google Analytics by installing Google’s opt-out browser add-on at https://tools.google.com/dlpage/gaoptout.
5. Collecting, Using, and Disclosing Personal Information
5.1 Information We Collect
Except as disclosed in this Privacy Statement, we do not collect personally identifying information about visitors to the Website or App. The categories of personal information we may collect, organized using the categories defined in the California Consumer Privacy Act (Cal. Civ. Code § 1798.140), are:
Identifiers: name, postal address, email address, telephone number, account username, and unique online identifiers.
Account credentials: username and password (passwords are stored only in salted, hashed form).
Commercial information: records of products or services requested or used, and customer-service interactions.
Internet or other electronic network activity: browsing history within the Website or App, interaction with our content, web log data, and information collected through cookies and similar technologies (see Section 5.3).
Geolocation data: approximate location derived from IP address and, only where you grant permission, more precise device location used by features of the App.
Professional or employment-related information: title, employer, and professional contact information for users acting on behalf of a Toyon client.
User preferences: favorites, saved searches, and user-interface settings within the App.
Inferences: limited inferences drawn from the above to improve the relevance of content delivered to you.
We use and disclose this information to:
Provide, operate, secure, and improve the Website and the App and their features;
Send requested product or service information and respond to inquiries and customer-service requests;
Administer your account and authenticate your access;
Send newsletters, service messages, and other communications you have asked to receive (which you can opt out of at any time);
Customize your experience on the Website or App;
Conduct internal quality assurance, business analysis, and security monitoring;
Comply with legal obligations and enforce our agreements; and
Carry out corporate transactions, such as a merger, acquisition, financing, reorganization, or sale of all or a portion of our assets, in which case the relevant personal information may be transferred subject to this Privacy Statement (or successor) and applicable law.
5.2 Web Logs
Consistent with industry standards, we maintain web logs that record information about all visitors to the Website and the App. These logs may contain the Internet domain from which you access the site, the IP address assigned to your device, the type of browser and operating system you use, the date and time you visited, the pages you viewed, and the address of any website you linked from. If you sign in to use authenticated features, our logs will also contain a user identifier and a record of actions performed.
Web logs are stored securely and are accessed only by Toyon personnel or authorized service providers on a need-to-know basis. We use web log information to design and improve the Website and App, to identify popular features, to resolve user, hardware, and software problems, and for security and fraud-prevention purposes. Web logs are retained in accordance with our internal retention schedule, which provides for retention of system, application, and network logs for a defined number of years for security, audit, and regulatory purposes.
5.3 Cookies and Similar Technologies
We and our service providers use cookies and similar technologies (such as pixels, local storage, and session identifiers) to operate the Website and App, to remember your preferences, to analyze how visitors use our services, and to keep your account secure.
The cookies we use fall into the following categories:
Strictly necessary cookies, which are required to operate the Website and the App and to maintain your authenticated session.
Performance and analytics cookies, which help us understand how the Website and App are being used so we can improve them.
Functional cookies, which remember choices you make (such as language, display preferences, or saved favorites) to improve your experience.
Advertising cookies. Toyon does not currently use advertising cookies on the Website or the App.
Cookies may be either “session” cookies, which expire when you close your browser, or “persistent” cookies, which remain on your device until they expire or you delete them.
Most browsers — including Safari, Chrome, Firefox, and Edge on desktop and on mobile — allow you to control or block cookies through their settings. If you disable cookies, some features of the Website or App may not function correctly. For instructions on managing cookies, please consult your browser’s help documentation.
5.4 Disclosures to Third Parties
We may disclose your personal information to the following recipients:
Service providers and sub-processors. We engage third-party service providers to help us operate the Website and App and run our business. Categories include cloud infrastructure and hosting, analytics, email and communication services, customer support tooling, security services, and professional advisors. Service providers that handle Toyon information are bound by written agreements that require them to maintain security and privacy controls equivalent to ours, to use the information only for the purposes for which it was disclosed, and to securely return or destroy the information when their services are complete.
Legal and regulatory recipients. We may disclose information as required by law, such as in response to a subpoena, court order, or other legal process; to comply with regulatory obligations; or to respond to lawful requests by public authorities (including for national security or law enforcement).
Protection of rights and safety. We may disclose information when we believe in good faith that disclosure is necessary to protect our rights, your safety or the safety of others, to investigate fraud, to protect the security and reliability of the Website and App, or to enforce our terms.
Corporate transactions. If Toyon is involved in a merger, acquisition, financing, reorganization, or sale of all or a portion of its assets, your personal information may be transferred. We will provide notice of any such change in ownership or material change in the use of your personal information.
With your consent. We may share your personal information with any other third party with your prior consent.
We do not sell personal information for monetary consideration. See Section 8 for a discussion of California-specific “sale” and “sharing” concepts and your right to opt out.
6. Healthcare Information and HIPAA
Toyon provides services to healthcare providers and other organizations that may be covered entities or business associates under HIPAA. Where Toyon receives, creates, maintains, or transmits Protected Health Information ("PHI") on behalf of a covered-entity client, our handling of that PHI is governed by the Business Associate Agreement ("BAA") between Toyon and that client, by HIPAA and the HITECH Act, and by Toyon's internal policies designed to protect PHI. This Privacy Statement does not modify or supersede those BAAs or those obligations.
PHI that Toyon handles for a covered-entity client is regulated by HIPAA, not by general consumer-privacy laws like the CCPA and CPRA, which exclude HIPAA-regulated information from their scope. Under the BAA, Toyon acts as a service provider to the covered entity and does not have a direct relationship with the individuals whose PHI we process.
If you are an individual whose PHI is processed by Toyon on behalf of a healthcare client and you wish to exercise rights under HIPAA, for example, to access, amend, or receive an accounting of disclosures of your PHI, please direct your request to your healthcare provider, health plan, or other covered entity that maintains your record. That entity is the party with the direct relationship and obligations to you under HIPAA, and is the appropriate recipient of such requests. Toyon will support the covered entity in responding to your request as required by the applicable BAA.
7. Data Retention
We retain personal information only for as long as is necessary to fulfill the purposes described in this Privacy Statement, to meet our legal, regulatory, audit, and operational obligations, to resolve disputes, and to enforce our agreements. Our retention practices are governed by an internal data retention schedule that includes, for example:
Records related to Medicare and Medicaid products are retained for at least ten years, consistent with CMS Chapter 11, Section 110.4.3 of the Medicare Managed Care Manual, or longer where required by law or contract.
Email is retained on a defined schedule, with journaling applied to support legal-hold and regulatory needs.
Human-resources and employee records are retained for at least five years.
Finance records are retained for at least seven years.
Application, system, network, and security logs are retained for defined periods to support security investigations and regulatory requirements.
Retention may be extended where reasonably necessary to comply with a legal hold, an audit, an investigation, a regulatory requirement, or a contractual commitment. When personal information is no longer needed, it is securely deleted, sanitized, or destroyed in accordance with our data disposal procedures.
8. Your California Privacy Rights
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), gives you specific rights regarding your personal information. This section describes those rights and how to exercise them. The categories of personal information that we collect, the sources from which we collect it, the business purposes for which we use it, and the categories of third parties to whom we disclose it are described in Section 5.
8.1 Sale and Sharing of Personal Information
We do not sell your personal information for monetary consideration. We do not knowingly sell or share the personal information of consumers under the age of 16. To the extent any of our use of analytics or similar tools constitutes “sharing” of personal information for cross-context behavioral advertising under the CCPA, you may opt out using the mechanism described below.
8.2 Your Rights
California residents have the right to:
Know what personal information we collect, use, disclose, and (if applicable) sell or share, including the specific pieces of personal information we hold about you;
Delete personal information that we have collected from you, subject to certain exceptions;
Correct inaccurate personal information that we maintain about you;
Opt out of the sale or sharing of personal information;
Limit our use and disclosure of sensitive personal information to specified business purposes;
Not be discriminated against for exercising any of your CCPA rights; and
Designate an authorized agent to make a request on your behalf.
8.3 How to Submit a Request
You may submit a request to exercise your rights by emailing privacy@toyonassociates.com or by calling (888) 514-9312. We will need to verify your identity before responding to your request, which we typically do by confirming information that matches what we have on file (such as the email address associated with your account). If you use an authorized agent, we will require proof of the agent’s authorization. We will respond to verifiable requests within the timeframes required by the CCPA.
9. International Data Transfers
Toyon operates and stores personal information in the United States. If you access the Website or the App from outside the United States, your personal information will be transferred to, processed in, and stored in the United States, where data-protection laws may differ from those in your country.
10. Children’s Privacy
The Website and the App are intended for business users and are not directed to children. We do not knowingly collect personal information from children under the age of 16. If we learn that we have collected personal information from a child under 16, we will delete that information promptly. If you believe a child has provided us with personal information, please contact us using the information in Section 13.
The Website may include social-media features and links to Toyon accounts on platforms such as LinkedIn, YouTube, Facebook, and X (formerly Twitter). These features may collect your IP address, the page you are visiting, and may set a cookie to enable the feature to function. They are governed by the privacy policies of the companies that provide them.
The Website and the App also include links to other websites whose privacy practices may differ from ours. If you submit personal information to those sites, your information is governed by their privacy statements. We encourage you to review the privacy statement of any website you visit.
12. Use of Artificial Intelligence Tools
Toyon uses certain AI-enabled tools to support internal operations, customer support, and analysis. Our internal AI policy requires Toyon personnel to obtain prior management and security review before using a third-party AI tool with Toyon information, and prohibits inputting customer personal information or PHI into a third-party AI tool that has not been approved for that purpose. We do not use customer personal information to train publicly available generative-AI models.
13. Questions, Complaints, and Contacts
If you have any questions about this Privacy Statement, our policies and practices concerning the Website or the App, your rights under this statement, or your dealings with Toyon, please contact us:
Toyon Associates, Inc.
Attn: Privacy
1800 Sutter Street, Suite 600
Concord, CA 94520
Telephone: 888-514-9312
General privacy inquiries: privacy@toyonassociates.com
Suspected security incidents: security@toyonassociates.com
General inquiries: info@toyonassociates.com
Toyon’s designated Security Officer oversees Toyon’s information-security program, including its handling of personal information and PHI.