Privacy Policy

Last Updated: January 15, 2025

Healix RCM is committed to protecting your privacy and maintaining the security of your personal and protected health information.

Introduction

This Privacy Policy explains how Healix RCM ("we," "us," or "our") collects, uses, discloses, and protects information when you visit our website or use our medical billing and revenue cycle management services. We are committed to compliance with the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and all applicable federal and state privacy laws.

1. Information We Collect

1.1 Personal Information

When you visit our website or contact us, we may collect:

  • Name, email address, phone number, and mailing address
  • Practice name, specialty, and professional credentials
  • Information you provide in contact forms or service inquiries
  • Communication preferences and correspondence history

1.2 Protected Health Information (PHI)

As a medical billing service provider, we process PHI on behalf of our healthcare provider clients, including:

  • Patient demographic information (names, dates of birth, addresses)
  • Insurance information and policy numbers
  • Medical record numbers and account identifiers
  • Diagnosis codes, procedure codes, and treatment information
  • Billing and payment information

1.3 Technical Information

We automatically collect certain technical information when you visit our website:

  • IP address and browser type
  • Device information and operating system
  • Pages visited, time spent, and referring website
  • Cookies and similar tracking technologies (see Section 6)

2. How We Use Your Information

2.1 Personal Information Usage

We use your personal information to:

  • Respond to inquiries and provide customer service
  • Process service requests and deliver our medical billing services
  • Send important updates about our services and your account
  • Improve our website, services, and user experience
  • Comply with legal obligations and enforce our terms of service

2.2 PHI Usage

We use and disclose PHI only as permitted by HIPAA and our Business Associate Agreements (BAAs) with healthcare providers:

  • To perform medical billing and revenue cycle management services
  • To submit claims to insurance payers and process payments
  • To conduct denial management and appeals processes
  • To provide reporting and analytics to our healthcare provider clients
  • As required by law or court order

3. HIPAA Compliance Statement

Healix RCM is fully HIPAA compliant. We act as a Business Associate under HIPAA when providing medical billing services to covered entities (healthcare providers).

Our HIPAA compliance program includes:

  • Business Associate Agreements (BAAs): We execute comprehensive BAAs with all healthcare provider clients
  • Privacy Rule Compliance: We maintain policies and procedures that comply with HIPAA Privacy Rule requirements
  • Security Rule Compliance: We implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule
  • Breach Notification: We maintain incident response procedures compliant with the HIPAA Breach Notification Rule
  • Workforce Training: All employees receive comprehensive HIPAA training upon hire and annually thereafter
  • Minimum Necessary Standard: We access and use only the minimum necessary PHI to accomplish our business functions

4. Data Security Measures

We implement comprehensive security measures to protect your information from unauthorized access, use, or disclosure:

4.1 Technical Safeguards

  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Secure Access Controls: Multi-factor authentication and role-based access controls
  • Firewall Protection: Enterprise-grade firewalls and intrusion detection systems
  • Regular Security Audits: Third-party penetration testing and vulnerability assessments
  • Automatic Session Timeout: Inactive sessions are automatically terminated

4.2 Physical Safeguards

  • Secure, access-controlled data centers with 24/7 monitoring
  • Locked server rooms with biometric access controls
  • Video surveillance and alarm systems
  • Secure disposal procedures for physical media

4.3 Administrative Safeguards

  • Written information security policies and procedures
  • Designated Privacy and Security Officers
  • Regular risk assessments and security reviews
  • Background checks for all employees with PHI access
  • Confidentiality agreements with all workforce members

5. Third-Party Services

We may share information with trusted third-party service providers who assist us in operating our business. All third parties are carefully vetted and required to maintain appropriate security measures.

5.1 Service Providers

  • Cloud Hosting: HIPAA-compliant hosting providers with BAAs in place
  • Clearinghouses: Electronic data interchange for claim submission
  • Payment Processors: PCI-DSS compliant payment processing services
  • Communication Tools: Encrypted email and secure messaging platforms
  • Analytics Services: Website analytics (anonymized data only)

Important: We execute Business Associate Agreements with any third party that has access to PHI. These agreements ensure HIPAA compliance and limit how PHI can be used.

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to improve your website experience and analyze site usage. Cookies do not contain PHI.

6.1 Types of Cookies We Use

  • Essential Cookies: Required for website functionality (cannot be disabled)
  • Analytics Cookies: Help us understand how visitors use our site
  • Preference Cookies: Remember your settings and preferences
  • Marketing Cookies: Track effectiveness of our marketing campaigns (optional)

6.2 Managing Cookies

You can control cookies through your browser settings. Note that disabling cookies may affect website functionality. You can also manage your cookie preferences through our cookie consent banner.

7. Your Privacy Rights

7.1 Rights Regarding Personal Information

You have the right to:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information (subject to legal requirements)
  • Opt-Out: Unsubscribe from marketing communications at any time
  • Data Portability: Request your data in a portable format

7.2 Rights Regarding PHI (for Patients)

If you are a patient of one of our healthcare provider clients, you have rights under HIPAA regarding your PHI. These rights are managed by your healthcare provider, not by Healix RCM. Please contact your healthcare provider directly to exercise these rights:

  • Right to access your medical and billing records
  • Right to request amendments to your PHI
  • Right to receive an accounting of disclosures
  • Right to request restrictions on uses and disclosures
  • Right to receive confidential communications

8. Protected Health Information (PHI) Handling

8.1 PHI Access and Use

We access PHI only for the following permitted purposes:

  • Performing medical billing and coding services
  • Submitting and tracking insurance claims
  • Managing denials and filing appeals
  • Processing patient payments and statements
  • Generating reports for our healthcare provider clients
  • Complying with legal and regulatory requirements

8.2 PHI Retention and Disposal

We retain PHI in accordance with HIPAA requirements and our Business Associate Agreements:

  • Retention Period: Minimum 6 years from date of creation or last use
  • Secure Disposal: Electronic media is securely wiped; physical documents are shredded
  • Client Termination: PHI is returned or destroyed upon termination of services (per BAA)

8.3 PHI De-Identification

When using data for quality improvement or analytics, we de-identify PHI according to HIPAA standards, removing all 18 HIPAA identifiers to create a limited data set or fully de-identified data.

9. Data Breach Notification Procedures

We maintain comprehensive incident response procedures to detect, respond to, and mitigate security incidents and data breaches.

9.1 Incident Detection and Response

  • 24/7 security monitoring and intrusion detection systems
  • Immediate investigation of suspected security incidents
  • Documentation of all security incidents and response actions
  • Mitigation steps to prevent further unauthorized access

9.2 Breach Notification Timeline

In the event of a breach involving PHI, we will:

  • Covered Entity Notification: Notify affected healthcare provider clients without unreasonable delay, and no later than 60 days from discovery
  • Documentation: Provide detailed information about the breach, affected individuals, and mitigation steps
  • Regulatory Reporting: Assist clients with required notifications to HHS and affected individuals
  • Remediation: Implement corrective actions to prevent future incidents

Important: As a Business Associate, we are required to notify our healthcare provider clients of any breach involving their patients' PHI. The healthcare provider (Covered Entity) is ultimately responsible for notifying affected individuals and regulatory authorities.

10. Contact Information for Privacy Concerns

We take your privacy seriously. If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Privacy Officer Contact Information

Company: Healix RCM

Privacy Officer: Chief Compliance Officer

Email: info@healixrcm.com

Phone: +1 (713) 832-5057

Mailing Address:
10211 Riderdale Park Ln
Houston, TX 77070

Filing a Complaint

If you believe your privacy rights have been violated, you have the right to file a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights:

U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201

Phone: 1-877-696-6775
Website: www.hhs.gov/ocr/privacy/

No Retaliation: You will not be retaliated against for filing a complaint.

11. Children's Privacy

Our website is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated policy on this page with a new "Last Updated" date.

Material Changes: If we make material changes to how we handle PHI, we will notify our healthcare provider clients and provide the updated policy as required by our Business Associate Agreements.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

13. California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request information about the personal information we collect, use, and disclose
  • Right to Delete: Request deletion of your personal information (subject to exceptions)
  • Right to Opt-Out: Opt out of the sale of personal information (we do not sell personal information)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, please contact us using the information in Section 10.

Questions About Our Privacy Practices?

Our team is here to address any privacy or security concerns you may have. Contact us today for more information.
