Privacy Policy
Last Updated: January 20, 2026
1. Introduction & Scope
Welcome to Claimnology ("we," "our," or "us"). This Privacy Policy describes how Claimnology, a United States-based company operating at claimnology.ai, collects, uses, shares, and protects information when you access or use our AI-powered medical billing platform and related services (collectively, the "Services").
This Privacy Policy applies to all users of our Services, including medical practices, billing companies, healthcare providers, and their authorized personnel. By using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.
Business Associate Status: When processing Protected Health Information (PHI) on behalf of healthcare providers and billing companies, Claimnology acts as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). We enter into Business Associate Agreements (BAAs) with our customers who are Covered Entities or Business Associates, and our use and disclosure of PHI is governed by these BAAs and applicable HIPAA regulations.
Our Services are designed to support HIPAA-aligned workflows and healthcare data protection requirements. We take the privacy and security of health information seriously and implement appropriate safeguards to protect the information entrusted to us.
Note: Claimnology is currently in development. As our platform evolves, we may update this Privacy Policy to reflect changes in our Services, data practices, or legal requirements. We will notify users of any material changes as described in Section 13.
2. Definitions
For purposes of this Privacy Policy, the following terms have the meanings set forth below:
- Protected Health Information (PHI): Individually identifiable health information that is created, received, maintained, or transmitted by a Covered Entity or Business Associate, as defined under HIPAA and its implementing regulations.
- Electronic Protected Health Information (ePHI): PHI that is created, stored, transmitted, or received in electronic form.
- Business Associate: A person or entity that performs functions or activities on behalf of, or provides certain services to, a Covered Entity that involve the use or disclosure of PHI, as defined under HIPAA.
- Covered Entity: A health plan, healthcare clearinghouse, or healthcare provider that transmits health information in electronic form in connection with certain transactions, as defined under HIPAA.
- Business Associate Agreement (BAA): A written contract between a Covered Entity and a Business Associate that establishes the permitted and required uses and disclosures of PHI by the Business Associate.
- Personal Information: Information that identifies, relates to, describes, or is reasonably capable of being associated with an individual, excluding PHI that is subject to HIPAA.
- De-identified Data: Health information that has been stripped of identifiers and cannot reasonably be used to identify an individual, as defined under HIPAA.
3. Information We Collect
3.1 Personal Information
We collect personal information that you provide directly to us, including:
- Name, email address, phone number, and mailing address
- Professional credentials and employment information
- Account registration information and authentication credentials
- Billing and payment information
- Communication preferences and correspondence with us
3.2 Health Information (PHI)
In the course of providing our Services, we may process Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA), including:
- Patient demographic information (name, date of birth, address, contact information)
- Medical record numbers and patient identifiers
- Diagnosis codes, procedure codes, and treatment information
- Insurance information and policy numbers
- Superbills, medical claims, and related documentation
- Clinical notes and treatment history relevant to billing
We process PHI on behalf of healthcare providers and billing companies who are our customers. In most cases, we act as a Business Associate under HIPAA, and our use and disclosure of PHI is governed by Business Associate Agreements (BAAs) with our customers.
3.3 Billing and Financial Information
We collect and process billing and financial information necessary to provide our Services, including:
- Insurance claim data and submission records
- Payment and remittance information
- Denial and appeal documentation
- Revenue cycle management data and analytics
- Financial transaction records related to our Services
3.4 Technical & Usage Data
We automatically collect certain technical information when you use our Services, including:
- IP address, browser type, device information, and operating system
- Log files, access times, and usage patterns
- Cookies and similar tracking technologies (see Section 8)
- Error logs and performance metrics
- Feature usage and interaction data
4. How We Use Information
We use the information we collect for the following purposes:
- Service Delivery: To provide, operate, maintain, and improve our AI-powered medical billing platform, including parsing patient data, generating claims, submitting insurance claims, and processing denials
- Account Management: To create and manage user accounts, authenticate users, and provide customer support
- Communication: To send service-related notifications, respond to inquiries, and provide technical support
- Compliance & Legal: To comply with applicable laws, regulations, and legal processes, including healthcare regulations and data protection requirements
- Security: To detect, prevent, and address security threats, fraud, and unauthorized access
- Analytics & Improvement: To analyze usage patterns, improve our Services, develop new features, and conduct research. When used for AI model training and improvement, we use only de-identified data that has been stripped of all identifiers in accordance with HIPAA de-identification standards. We do not use identifiable PHI for AI model training or development.
- Business Operations: To process payments, manage billing, and conduct business analytics
5. How We Share Information
5.1 Service Providers & Subprocessors
We may share information with third-party service providers and subprocessors who perform services on our behalf. Categories of service providers include:
- Cloud Hosting & Infrastructure: Providers that host our Services and store data
- AI/ML Technology Providers: Providers of artificial intelligence and machine learning services used in our platform (all such providers are bound by BAAs or equivalent agreements)
- Payment Processors: Financial service providers that process payments
- Data Analytics & Business Intelligence: Tools used for analytics and reporting (using only de-identified or aggregated data)
- Customer Support Platforms: Communication and support tools
- Security & Monitoring Services: Providers of security, monitoring, and incident response services
- Email & Communication Services: Providers of email and messaging services
All service providers and subprocessors are contractually obligated to protect your information and use it only for the purposes for which it was shared. When PHI is involved, we ensure that all subprocessors are bound by appropriate Business Associate Agreements (BAAs) or equivalent data protection agreements that meet or exceed HIPAA requirements. We maintain a list of subprocessors that may access PHI, and we will notify customers of material changes to this list.
We do not sell, rent, or share PHI or personal information for marketing or advertising purposes, and we do not permit our service providers to use such information for their own marketing purposes.
5.2 Legal & Regulatory Disclosures
We may disclose information when required by law, regulation, legal process, or governmental request, including:
- Compliance with HIPAA and other healthcare regulations
- Response to subpoenas, court orders, or other legal processes
- Protection of rights, property, or safety of Claimnology, our users, or others
- Investigation of potential violations of our Terms of Service
- Prevention of fraud or abuse
5.3 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections described in this Privacy Policy.
5.4 With Your Consent
We may share information with third parties when you have provided explicit consent for such sharing, or as otherwise described at the time of collection.
6. Data Security
We implement comprehensive administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of information, particularly Protected Health Information (PHI) and Electronic Protected Health Information (ePHI), in accordance with HIPAA Security Rule requirements. Our security measures include:
6.1 Administrative Safeguards
- Designated security officers and privacy officers responsible for security and compliance
- Workforce training programs on HIPAA, security, and privacy requirements
- Access controls and role-based permissions with the principle of least privilege
- Regular security risk assessments and vulnerability scans
- Security incident response and breach notification procedures
- Business Associate Agreements (BAAs) with all service providers that access PHI
- Audit logs and monitoring of system activity and access to PHI
- Policies and procedures for workforce members regarding access to and use of PHI
6.2 Technical Safeguards
- Encryption of ePHI in transit using TLS/SSL (minimum TLS 1.2) for all data transmissions
- Encryption of ePHI at rest using industry-standard encryption algorithms (AES-256 or equivalent)
- Multi-factor authentication (MFA) for user accounts and administrative access
- Strong password requirements and password management policies
- Network security controls, firewalls, and intrusion detection/prevention systems
- Regular security updates, patch management, and vulnerability remediation
- Secure backup and disaster recovery procedures with tested recovery plans
- Access controls and authentication mechanisms to prevent unauthorized access
- Audit controls to record and examine activity in systems containing ePHI
- Automatic logoff and session timeout features
6.3 Physical Safeguards
- Secure data center facilities with restricted physical access controls
- Environmental controls, monitoring, and protection against hazards
- Device encryption for laptops, mobile devices, and portable media
- Secure disposal procedures for hardware and media containing PHI
- Workstation security measures and controls
While we strive to protect your information using industry-standard security practices, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to maintaining security practices that meet or exceed HIPAA requirements and industry standards.
7. Breach Notification
In the event of a breach of unsecured PHI, we will comply with HIPAA Breach Notification Rule requirements, which include:
- Individual Notification: We will notify affected individuals of a breach without unreasonable delay and in no case later than 60 days following discovery of the breach. Notification will be provided by first-class mail (or email if the individual has agreed to electronic notice) and will include a description of the breach, types of information involved, steps individuals should take to protect themselves, and contact information for questions.
- Media Notification: If a breach affects more than 500 residents of a state or jurisdiction, we will notify prominent media outlets serving that state or jurisdiction within 60 days of discovery.
- HHS Notification: We will notify the Secretary of the U.S. Department of Health and Human Services (HHS) of breaches. For breaches affecting 500 or more individuals, notification will be provided without unreasonable delay and in no case later than 60 days following discovery. For breaches affecting fewer than 500 individuals, we will maintain a log and notify HHS annually.
- Business Associate Notification: If we discover a breach as a Business Associate, we will notify the Covered Entity without unreasonable delay and in no case later than 60 days following discovery, in accordance with our Business Associate Agreements.
We maintain an incident response plan and will investigate all suspected breaches promptly. We will also take immediate steps to mitigate any harmful effects of a breach and prevent future occurrences.
8. Data Retention
We retain information for as long as necessary to provide our Services, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods depend on the type of information and applicable legal requirements:
- Protected Health Information (PHI): Retained in accordance with HIPAA requirements and Business Associate Agreements. HIPAA requires retention of certain records for a minimum of six years from the date of creation or last use, whichever is later. State laws may require longer retention periods. We will retain PHI for the period specified in our Business Associate Agreements or as required by applicable law, whichever is longer.
- Billing and Claims Data: Retained as required by tax, accounting, and healthcare regulations. Federal tax law generally requires retention of financial records for seven years. Healthcare billing records may be subject to longer retention requirements depending on state law and payer requirements.
- Account Information: Retained while your account is active and for a reasonable period thereafter (typically 90 days to 1 year) to comply with legal obligations, resolve disputes, and enforce our agreements.
- Audit Logs and Security Records: Retained for security, compliance, and troubleshooting purposes, typically for one to two years, or as required by applicable regulations.
- De-identified Data: May be retained indefinitely for analytics, research, and service improvement purposes, as de-identified data is not subject to HIPAA retention requirements.
Upon termination of your account or our Services, we will securely delete or anonymize your information in accordance with our retention policies and applicable law, unless we are required to retain it for legal or regulatory purposes.
9. User Rights & Choices
Depending on your location and the type of information, you may have certain rights regarding your personal information:
9.1 Access & Correction
You may request access to, correction of, or updates to your personal information by contacting us using the information provided in Section 13. For Protected Health Information, access and amendment rights are typically governed by HIPAA and your healthcare provider's Notice of Privacy Practices.
9.2 Deletion
You may request deletion of your personal information, subject to our legal and contractual obligations to retain certain information. We will honor deletion requests to the extent permitted by law.
9.3 Data Portability
You may request a copy of your data in a structured, machine-readable format, where technically feasible and permitted by law.
9.4 Opt-Out
You may opt out of certain communications, such as marketing emails, by using the unsubscribe link in our emails or by contacting us. You may not opt out of service-related communications that are necessary for the operation of our Services.
9.5 State-Specific Rights
California Residents: If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including:
- The right to know what personal information we collect, use, and share
- The right to delete personal information (subject to exceptions)
- The right to opt out of the sale or sharing of personal information (we do not sell personal information)
- The right to non-discrimination for exercising your privacy rights
- The right to correct inaccurate personal information
Other State Residents: Residents of other states with comprehensive privacy laws (such as Virginia, Colorado, and Connecticut) may have similar rights. Please contact us to exercise your rights.
10. Cookies & Tracking Technologies
We use cookies and similar tracking technologies to collect and store information about your use of our Services. Cookies are small text files placed on your device that help us:
- Remember your preferences and settings
- Authenticate your identity and maintain your session
- Analyze usage patterns and improve our Services
- Provide personalized content and features
You can control cookies through your browser settings. However, disabling certain cookies may limit your ability to use some features of our Services. We do not use cookies to track you across third-party websites for advertising purposes.
11. Children's Privacy
Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete such information promptly. If you believe we have collected information from a child, please contact us immediately.
12. Third-Party Links & Services
Our Services may contain links to third-party websites, applications, or services that are not operated by Claimnology. This Privacy Policy does not apply to third-party services. We encourage you to review the privacy policies of any third-party services you access. We are not responsible for the privacy practices or content of third-party services.
13. International Data Transfers
Claimnology is based in the United States, and our Services are primarily intended for users in the United States. If you access our Services from outside the United States, your information may be transferred to, stored, and processed in the United States, where our servers are located and our central database is operated.
By using our Services, you consent to the transfer of your information to the United States and processing in accordance with this Privacy Policy. We take appropriate measures to ensure that your information receives an adequate level of protection in the United States.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other reasons. We will notify you of material changes by:
- Posting the updated Privacy Policy on our website with a new "Last Updated" date
- Sending an email notification to registered users (for material changes)
- Displaying a prominent notice on our Services
Your continued use of our Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this Privacy Policy periodically.
15. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Claimnology
Email: privacy@claimnology.ai
Phone: 1-800-COLLAB
For requests related to Protected Health Information, please contact your healthcare provider or billing company, as they are the primary custodians of your health information and can assist with HIPAA-related requests.