Patient Portal Privacy & Data Retention Policy
Applies to: portal.ewbc.com
Elizabeth Wende Breast Care, LLC (“EWBC,” “we,” “our,” or “us”) is committed to protecting the privacy and security of your information. This Patient Portal Privacy & Data Retention Policy explains how information is collected, used, stored, and retained when you use the EWBC Patient Portal at portal.ewbc.com.
This policy applies only to the patient portal. For information about how EWBC uses and protects medical information (protected health information or “PHI”), please refer to EWBC’s HIPAA Notice of Privacy Practices (NPP).
Information Collected Through the Portal
The patient portal involves two categories of information:
Medical Information (PHI)
This includes imaging results, clinical notes, appointment history, messages exchanged with clinical staff, and other information used for diagnosis, treatment, payment, or healthcare operations. PHI is governed by HIPAA and EWBC’s Notice of Privacy Practices.
Portal Account & Technical Information (Non‑PHI)
This includes your username, password, contact information, device or browser information, login activity, portal usage data, and security logs. This information supports portal functionality and is generally not part of your designated medical record.
How EWBC Uses Portal Information
Clinical Care (PHI)
EWBC uses PHI as permitted by HIPAA and as described in the HIPAA Notice of Privacy Practices, including for treatment, payment, and healthcare operations.
Portal Functionality (Non‑PHI)
Portal account and technical information is used to:
- Create and manage portal accounts
- Authenticate users
- Maintain security and system integrity
- Support portal performance and availability
- Provide technical and customer support
Portal Vendor
EWBC partners with a third-party vendor, Avairis, to operate and maintain the patient portal. Avairis stores and processes portal data on EWBC’s behalf, maintains appropriate administrative, technical, and physical safeguards, and is bound by a Business Associate Agreement (BAA).
Avairis may not use or disclose PHI except as permitted by HIPAA and its agreement with EWBC.
Data Retention
Medical Records (PHI)
EWBC retains medical records, including PHI accessible through the portal, in accordance with applicable federal and New York State medical record retention laws and HIPAA requirements. Medical records cannot be deleted upon request except as permitted by law.
Portal Account & Technical Information (Non‑PHI)
Portal account information is retained for as long as a patient maintains an active portal account. Upon account deactivation or inactivity, EWBC or its portal vendor may retain certain technical, audit, and security data as required for compliance, system integrity, or legal purposes.
Vendor Retention Practices
The portal vendor may retain access logs, audit logs, and system activity records according to its platform architecture and contractual obligations. EWBC does not independently control vendor system-level data retention schedules.
Specific Retention Periods for Portal Technical Data
| Data type | Retention period |
| --- | --- |
| Portal login logs | 7 years |
| Audit logs | 7 years |
| Device/browser metadata | 90 days |
| Security logs | 7 years |
| Portal account data (automatic deletion after inactivity) | 3 years of inactivity |
These retention periods reflect portal platform settings for technical and security data and may be extended if required to support legal, compliance, or security obligations.
Data Deletion Requests
Medical Records (PHI)
Under HIPAA, EWBC cannot delete medical records upon request. Patients’ rights regarding PHI are described in EWBC’s HIPAA Notice of Privacy Practices. To exercise those rights (for example, to request access or an amendment), patients should contact EWBC’s Privacy Official.
Portal Account Deactivation
Patients may request deactivation of their portal account and removal of certain non‑PHI portal account information where permitted by law and system limitations. In addition, certain portal account data may be deleted automatically after 3 years of inactivity.
Requests may be submitted to:
EWBC Privacy Official
Shannon DeMay
170 Sawgrass Drive
Rochester, NY 14620
(585) 758-7027
sdemay@ewbc.com
Cookies, Tracking, and Technical Data
The patient portal uses session cookies, security cookies, and technical logs for authentication, cybersecurity, and system performance. The portal does not use marketing, advertising, or cross-site tracking technologies.
Patient Rights Under HIPAA
EWBC’s HIPAA Notice of Privacy Practices describes patients’ rights regarding their protected health information, including the rights to access, request amendments, request restrictions, and request confidential communications.
Requests to exercise these rights are handled by EWBC’s Privacy Office and may require a written request submitted to the Privacy Official. Internal procedures and any applicable forms are maintained by EWBC and are not published as part of the Notice of Privacy Practices.
Changes to This Policy
EWBC may update this policy as needed. Any updates will be posted on portal.ewbc.com.