Health & Institute
A DBA of Health and Psychiatrists Consultants LLC
Effective Date: 5/12/2026
1. Overview and Security Commitment
1.1. Health and Psychiatrists Consultants LLC, a Florida limited liability company doing business as Health & Institute (the “Company,” “Institute,” “we,” “us,” or “our”), is committed to maintaining a comprehensive data security and compliance framework designed to protect the confidentiality, integrity, availability, and lawful use of personal information, student records, learning activity data, assessment records, institutional partner information, payment-related records, and other data processed in connection with the website located at https://healthandinstitute.com (the “Platform”).
1.2. The Institute’s principal place of business and contact details for purposes of this Data Security & Compliance Page are:
Health & Institute
A DBA of Health and Psychiatrists Consultants LLC
3919 Tampa Road
Oldsmar, Florida 34677, USA
Phone: +1 (321) 233-1516
Email: [email protected]
1.3. The Institute recognizes that digital education platforms may process sensitive information relating to admissions, enrollment, tuition, assessments, course progress, certificate eligibility, institutional partnerships, workforce-readiness pathways, and learning analytics. Accordingly, the Institute applies commercially reasonable administrative, technical, and organizational safeguards intended to reduce the risk of unauthorized access, misuse, loss, alteration, or disclosure of such information.
1.4. This page is intended to explain the Institute’s data security and compliance posture in a transparent manner. It does not create a contractual warranty, guarantee absolute security, or represent that every system, vendor, user device, learner environment, partner workflow, or third-party platform is independently certified unless expressly stated in a written agreement or formal certification report.
2. Scope of Data Security Coverage
2.1. This Data Security & Compliance Page applies to information processed in connection with the Platform, student admissions, program enrollment, learning management systems, assessment workflows, certificate issuance, support communications, institutional partnership inquiries, tuition/payment administration, and related educational or administrative activities.
2.2. Data protected under this framework may include, without limitation, applicant information, student records, identity and contact details, program selections, LMS activity, module progress, assessment attempts, scores, completion records, certificate information, communications with Institute personnel, payment status, institutional inquiry data, support tickets, and technical logs.
2.3. The Institute’s security framework also applies to internal operational systems used to manage student records, administer courses, support institutional partners, communicate with learners, and monitor Platform functionality.
2.4. This page does not govern the independent security practices of third-party websites, external employers, affiliated entities, public social media platforms, payment processors, learning technology providers, or partner organizations except to the extent such providers are engaged by the Institute and subject to applicable contractual controls.
3. Regulatory and Compliance Framework
3.1. The Institute’s data security program is designed to align with applicable legal and regulatory obligations, including U.S. consumer protection and privacy expectations, state data breach notification laws, contractual data protection commitments, and generally accepted information security principles.
3.2. The Federal Trade Commission (“FTC”) expects organizations to implement reasonable security practices appropriate to the nature and volume of personal information they collect and process. The FTC has also emphasized that companies should know what personal information they collect, limit access to it, securely store it, and dispose of it when no longer needed. (Health and Institute)
3.3. Where applicable, the Institute may also apply security principles aligned with recognized frameworks such as SOC 2 trust services criteria, vendor security controls, role-based access, audit logging, incident response, encryption, and data minimization. Any reference to such frameworks must be interpreted subject to the SOC 2 / Security Claims Disclaimer set forth in this document.
3.4. Because the Institute is primarily an educational and professional training platform, its data security obligations may differ from those applicable to a licensed healthcare provider, public university, government school, or HIPAA-covered clinical care entity. Where the Institute provides HIPAA training, healthcare-adjacent curriculum, or simulated healthcare workflows, such training does not automatically cause all Institute systems or student records to constitute Protected Health Information (“PHI”) under HIPAA.
4. Categories of Information Protected
4.1. The Institute applies safeguards to multiple categories of information, including personal identifying information, student application data, enrollment records, LMS activity, assessment results, certificate issuance records, support communications, payment-related information, institutional partner data, technical metadata, analytics data, and security logs.
4.2. Information processed by the Institute may include sensitive student or professional information, including educational background, professional experience, career interests, program performance, assessment outcomes, communication history, payment status, and partner pathway eligibility.
4.3. The Institute does not knowingly require learners to submit actual patient records, third-party PHI, employer PHI, clinical charts, or protected healthcare data through public website forms, general admissions channels, unsecured communications, or ordinary coursework unless expressly authorized through a controlled and legally appropriate process.
4.4. Learners, applicants, partners, and users are responsible for avoiding unnecessary submission of highly sensitive information, including Social Security numbers, full government identification numbers, payment credentials, patient records, medical records, employer confidential files, passwords, or third-party protected data, unless specifically requested through secure Institute-approved channels.
5. Administrative Safeguards
5.1. The Institute maintains administrative safeguards designed to establish responsibility, accountability, and governance over personal information and student records.
5.2. Administrative safeguards may include internal policies governing data access, confidentiality expectations, acceptable use, staff responsibilities, student record handling, incident escalation, vendor oversight, retention practices, and security-aware operations.
5.3. Access to student, applicant, assessment, payment, and institutional information is intended to be limited to authorized personnel whose roles require such access for legitimate educational, administrative, operational, compliance, support, or security purposes.
5.4. Personnel and contractors who handle sensitive information may be subject to confidentiality obligations, access limitations, and internal training or procedural requirements intended to reduce the risk of misuse or unauthorized disclosure.
5.5. The Institute may periodically review internal access needs, data handling practices, service provider arrangements, security procedures, and operational risks to improve its compliance posture.
6. Technical Safeguards
6.1. The Institute implements commercially reasonable technical safeguards designed to protect electronic information against unauthorized access, alteration, loss, misuse, or disclosure.
6.2. Technical safeguards may include secure hosting environments, encryption in transit where appropriate, authentication controls, role-based permissions, secure session management, password protections, activity logging, malware protection, vulnerability monitoring, platform configuration controls, and restricted administrative access.
6.3. The Institute may use access logs, security logs, technical diagnostics, device data, IP addresses, timestamps, and system activity records to monitor Platform performance, investigate suspicious activity, enforce account security, support LMS functionality, and protect against misuse.
6.4. Where third-party platforms such as learning management systems, payment processors, communication tools, cloud service providers, or analytics vendors are used, technical safeguards may depend partly on the controls implemented by those third parties.
7. Physical and Environmental Safeguards
7.1. The Institute implements reasonable physical and environmental safeguards designed to protect devices, facilities, records, and environments used to access or process personal information.
7.2. Such safeguards may include controlled access to workspaces, secure handling of devices, restrictions on unauthorized viewing or disclosure of sensitive information, secure storage of any physical records where applicable, and procedures for protecting devices used in administrative or educational operations.
7.3. Where users, students, contractors, instructors, or institutional partners access Institute systems from remote environments, each user remains responsible for maintaining appropriate device security, network security, privacy, and confidentiality in their own environment.
8. Learning Management System Security
8.1. The Institute may deliver training through third-party learning management systems, student portals, assessment platforms, communication tools, and digital course environments. The website currently references iSpring Learn as the learning management system used for course delivery, performance analytics, and scalable learning experiences. (Health and Institute)
8.2. LMS-related security measures may include authenticated user access, session management, course-level access controls, progress tracking, assessment controls, permission-based administrative access, and technical logging.
8.3. LMS activity data may be used to maintain student records, evaluate course progress, determine assessment completion, issue certificates, investigate academic integrity concerns, provide support, and improve program delivery.
8.4. The Institute is not responsible for security limitations arising from user-side compromise, shared credentials, insecure devices, weak passwords, public Wi-Fi networks, browser vulnerabilities, or unauthorized access resulting from a user’s failure to protect account credentials.
9. Student Account Security and Credential Management
9.1. Students and users are responsible for safeguarding account credentials, including usernames, passwords, email access, LMS credentials, and any authentication factors used to access Institute systems.
9.2. Users shall not share, transfer, sell, lend, disclose, or permit unauthorized access to any Institute account, LMS account, course access, assessment access, certificate portal, or student record system.
9.3. The Institute may suspend, restrict, reset, or terminate access where it reasonably suspects unauthorized access, credential sharing, impersonation, fraud, academic misconduct, automated misuse, or security risk.
9.4. Users must promptly notify the Institute if they suspect unauthorized access to their account or compromise of their credentials.
10. Assessment Integrity and Academic Security
10.1. The Institute may use technical and administrative methods to protect the integrity of assessments, assignments, simulations, course progress, certificates, and student records.
10.2. Such methods may include review of LMS logs, IP addresses, timestamps, account activity, assessment attempts, submission patterns, similarity indicators, administrative flags, and support communications.
10.3. The Institute may process and retain such information to investigate cheating, plagiarism, impersonation, credential sharing, unauthorized assistance, misuse of AI tools, automated submissions, or other academic integrity concerns.
10.4. Where misconduct is reasonably suspected, the Institute may suspend access, invalidate assessment attempts, withhold certificates, revoke certificates, require identity verification, deny retakes, or take other appropriate administrative action in accordance with Institute policies.
11. Data Minimization and Purpose Limitation
11.1. The Institute endeavors to collect and process only the information reasonably necessary to provide educational, administrative, compliance, support, security, payment, and institutional services.
11.2. Personal information is intended to be used only for disclosed educational, operational, legal, security, analytics, support, and institutional purposes.
11.3. The Institute may use aggregated, anonymized, or de-identified information for curriculum improvement, analytics, reporting, institutional planning, marketing analysis, and quality assurance, provided such information does not reasonably identify an individual.
12. Vendor and Third-Party Service Provider Management
12.1. The Institute may engage third-party service providers to support website hosting, LMS delivery, payment processing, communications, analytics, cloud storage, security monitoring, CRM operations, admissions processing, and institutional administration.
12.2. Where service providers process personal information on behalf of the Institute, the Institute uses commercially reasonable efforts to require such providers to protect information, use it only for authorized purposes, and maintain appropriate safeguards.
12.3. Third-party vendors may be subject to their own security frameworks, privacy policies, data processing terms, and platform limitations. The Institute does not control every aspect of third-party vendor operations, but it may conduct reasonable vendor review and oversight based on the nature of the service and the sensitivity of the data involved.
12.4. The Institute is not responsible for unauthorized access, outage, data loss, service interruption, or security failure caused by third-party systems beyond its reasonable control, except to the extent required by applicable law or written agreement.
13. Payment and Transaction Security
13.1. Where tuition, application fees, program fees, administrative charges, or other payments are processed, the Institute may use third-party payment processors to handle payment transactions.
13.2. Payment processors may collect and process payment card information, billing data, transaction identifiers, payment status, and related information under their own security and privacy standards.
13.3. The Institute does not intend to store full payment card numbers where payment processing is performed by third-party processors.
13.4. Users are responsible for ensuring that payment information is submitted only through authorized and secure payment channels.
14. HIPAA Training and Healthcare Data Handling Position
14.1. The Institute may provide training related to HIPAA, healthcare privacy, healthcare data integrity, documentation, confidentiality, and U.S. healthcare regulatory concepts. The website references HIPAA compliance training and federal data integrity training as part of its educational offerings. (Health and Institute)
14.2. The Institute’s provision of HIPAA training does not mean that every data system, user account, student record, or course interaction is governed by HIPAA as PHI.
14.3. Students are prohibited from submitting real patient records, patient identifiers, clinical charts, protected health information, employer PHI, or client confidential data into public website forms, ordinary assignments, general communications, or non-designated training channels.
14.4. If a course uses simulated healthcare scenarios, de-identified training examples, or sample documentation, such materials are intended for educational use only and must not be treated as real patient records.
14.5. Completion of HIPAA training does not make a student, employer, contractor, client, healthcare practice, system, workflow, or organization HIPAA compliant. Compliance depends on appropriate implementation of policies, safeguards, legal agreements, supervision, training, technology, access controls, and organizational governance.
15. Security of Institutional Partner and Employer Data
15.1. The Institute may process information submitted by institutional partners, employer partners, agencies, organizations, or prospective partners seeking program information, workforce development support, learner cohorts, prospectuses, or partnership discussions.
15.2. Such information may include organizational contact details, partnership goals, training needs, cohort requirements, communications, proposal details, and operational preferences.
15.3. The Institute treats institutional partner information as confidential business information to the extent commercially reasonable and uses it for partnership review, proposal preparation, communications, planning, reporting, and related administrative purposes.
15.4. Any exchange of confidential institutional data beyond preliminary inquiry information should be governed by a separate written agreement where appropriate.
16. Incident Response and Breach Management
16.1. The Institute maintains procedures designed to identify, assess, contain, investigate, remediate, and document suspected security incidents involving personal information or Institute systems.
16.2. In the event of a data breach involving personal information, the Institute will provide notices as required by applicable federal or state law.
16.3. Incident response may include internal review, vendor coordination, system access restriction, password resets, forensic review, user notification, regulatory notification, law enforcement cooperation, and implementation of corrective measures where appropriate.
16.4. The Institute may delay notification where permitted by law at the request of law enforcement or where necessary to determine the scope of an incident.
17. Data Retention and Secure Disposal
17.1. The Institute retains information for as long as reasonably necessary to fulfill educational, administrative, operational, legal, compliance, verification, payment, security, and dispute-resolution purposes.
17.2. Student records, certificate records, assessment results, LMS activity, payment records, communications, and academic integrity records may be retained for multiple years where necessary to verify completion, resolve disputes, maintain academic records, comply with law, enforce policies, or protect Institute interests.
17.3. When information is no longer reasonably required, the Institute may delete, anonymize, de-identify, archive, or securely dispose of such information in accordance with applicable policies and legal requirements.
17.4. Deletion requests may be limited where retention is necessary for certificate verification, legal compliance, payment records, fraud prevention, dispute resolution, security, or academic integrity purposes.
18. Access Controls and Role-Based Permissions
18.1. The Institute endeavors to ensure that access to sensitive information is limited to personnel, contractors, vendors, or authorized partners with a legitimate need to access such information.
18.2. Access may be role-based and limited according to function, such as admissions, student support, instruction, technical administration, finance, compliance, security, or management.
18.3. The Institute may modify, revoke, or restrict access privileges when a role changes, access is no longer required, misconduct is suspected, or security risk is identified.
19. Monitoring, Logging, and Auditability
19.1. The Institute may monitor, log, and review Platform activity, LMS activity, account access, system events, administrative actions, error reports, and security alerts for operational, security, compliance, academic integrity, and support purposes.
19.2. Logging may include timestamps, IP addresses, account identifiers, device details, activity records, assessment interactions, support events, and administrative actions.
19.3. Monitoring and logging are intended to support system integrity, investigation of misuse, dispute resolution, certificate verification, academic quality, and security incident response.
20. Marketing, Analytics, and Data Use Compliance
20.1. The Institute may use analytics and marketing tools to understand user engagement, improve admissions workflows, measure campaign performance, analyze program interest, and enhance Platform usability.
20.2. The Institute intends that marketing, analytics, and advertising practices remain consistent with applicable consumer protection laws and truthful advertising standards.
20.3. Analytics or marketing tools must not be interpreted as evidence of enrollment acceptance, certificate eligibility, employment eligibility, placement eligibility, or academic achievement.
20.4. The Institute does not knowingly use tracking technologies to process real patient PHI or confidential employer healthcare records.
21. SOC 2 / Security Claims Disclaimer
21.1. The Platform may reference SOC 2, Type II SOC 2 compliance, data integrity, LMS security, HIPAA training, or other security-related standards. The website currently includes public language referencing “Type II SOC 2 Compliance” and states that being SOC 2 Type II compliant reflects a commitment to rigorous security practices and safeguarding data integrity. (Health and Institute)
21.2. Unless expressly stated in a current written certification, audit report, vendor attestation, or formal compliance statement issued or made available by the Institute, any reference to SOC 2, Type II SOC 2, security compliance, data integrity, platform security, or similar terminology may refer to internal security practices, vendor systems, LMS provider controls, infrastructure provider controls, or general security positioning, and shall not be construed as an unconditional representation that every Institute system, workflow, vendor, student device, partner environment, or user interaction is independently SOC 2 certified.
21.3. SOC 2 reports, where applicable, are generally issued by independent auditors in relation to defined systems, controls, periods, and trust services criteria. Any SOC 2 representation must therefore be interpreted only within the scope, period, system boundaries, and limitations of the applicable report.
21.4. The Institute does not represent or warrant that it maintains any specific third-party certification, including SOC 2, ISO 27001, HITRUST, or similar certification, unless expressly stated in writing and supported by applicable documentation.
21.5. Any security statement on the Platform is not a guarantee of absolute security, uninterrupted service, breach immunity, complete risk elimination, or protection against all cyber threats.
21.6. Prospective institutional partners, enterprise customers, or other parties requiring formal compliance evidence should request written documentation directly from the Institute and should not rely solely on public website language.
22. No Guarantee of Absolute Security
22.1. Although the Institute implements commercially reasonable safeguards, no electronic system, website, LMS, cloud platform, communication tool, payment processor, or data transmission method can guarantee absolute security.
22.2. Users acknowledge that cyber threats, unauthorized access attempts, malware, phishing, credential compromise, user-side device insecurity, vendor outages, internet failures, and system vulnerabilities may occur despite reasonable precautions.
22.3. The Institute disclaims liability for unauthorized access, loss, disclosure, delay, outage, or compromise caused by circumstances beyond its reasonable control, including user negligence, credential sharing, insecure networks, third-party failures, force majeure events, or sophisticated cyberattacks, except to the extent such disclaimer is prohibited by applicable law.
23. User Security Responsibilities
23.1. Users, students, applicants, institutional partners, and staff play an important role in maintaining security.
23.2. Users are responsible for safeguarding credentials, using secure devices, avoiding credential sharing, maintaining updated browsers, using reliable internet connections, avoiding public or unsecured networks for sensitive activity, and promptly reporting suspected unauthorized account access.
23.3. Students should not download, store, or transmit Institute materials, assessment content, certificates, or student data through insecure channels or unauthorized third-party platforms.
23.4. Users must not attempt to bypass Platform security controls, interfere with system integrity, probe for vulnerabilities, scrape content, misuse APIs, upload malicious files, or engage in unauthorized access.
24. Continuous Improvement and Evolving Standards
24.1. The Institute treats data security and compliance as ongoing operational responsibilities.
24.2. Policies, safeguards, vendor arrangements, platform configurations, and operational controls may be reviewed and updated periodically in response to evolving legal requirements, security threats, educational technology changes, institutional needs, and industry practices.
24.3. Updates to security practices may be implemented without prior notice where necessary to protect the Platform, users, student records, institutional data, or Institute operations.
25. Relationship to Privacy Policy and Other Documents
25.1. This Data Security & Compliance Page is intended to supplement, and not replace, the Institute’s Privacy Policy, Cookie Policy, Terms and Conditions, Disclaimer Page, Accessibility Statement, Student Code of Conduct, Tuition and Refund Policy, and any applicable enrollment or institutional agreement.
25.2. In the event of conflict between this page and a separately executed written agreement signed by authorized representatives of the Institute, the separately executed agreement shall control solely with respect to the subject matter covered therein.
26. Contact Information
For questions, requests, or notices relating to data security, privacy, or compliance:
Health & Institute
A DBA of Health and Psychiatrists Consultants LLC
3919 Tampa Road
Oldsmar, Florida 34677, USA
Phone: +1 (321) 233-1516
Email: [email protected]