MedAdvocate
Privacy Policy
MedAdvocate ("we," "us," or "our") is committed to protecting your privacy and the confidentiality of your health information. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our mobile application and related services (collectively, the "Services"). This policy complies with the Health Insurance Portability and Accountability Act (HIPAA) and other applicable privacy laws.
By using our Services, you consent to the data practices described in this policy.
1. Information We Collect
1.1 Protected Health Information (PHI)
In order to provide our billing dispute services, we collect and process Protected Health Information as defined by HIPAA, including:
- Medical bills, invoices, and statements from healthcare providers
- Explanation of Benefits (EOB) documents from insurance companies
- Dates of service and treatment information
- Provider names and healthcare facility information
- Insurance policy information and member identification numbers
- Diagnostic and procedure codes
1.2 Personal Information
We collect personal information necessary to provide our Services and maintain your account:
- Name, email address, and contact information
- Account credentials (encrypted passwords)
- Payment information (processed securely through third-party payment processors)
- Communication preferences and correspondence with our support team
1.3 Usage Information
When you use our Services, we automatically collect certain technical information:
- Device information (device type, operating system, unique device identifiers)
- Application usage data (features accessed, time spent, interaction patterns)
- Log data (IP addresses, access times, error logs)
- Mobile network information
2. How We Use Your Information
We use the information we collect for the following purposes:
2.1 Service Delivery
- Analyze medical bills to identify potential errors and overcharges
- Generate professional dispute letters for your review and delivery to your provider
- Provide customer support and respond to your inquiries
2.2 Service Improvement
- Improve our artificial intelligence algorithms and dispute success rates
- Enhance user experience and application functionality
- Develop new features and services
- Conduct research and analytics (using de-identified data)
2.3 Legal and Operational Purposes
- Process payments and manage billing
- Detect and prevent fraud, security threats, and technical issues
- Comply with legal obligations and regulatory requirements
- Enforce our Terms of Service and protect our rights and property
3. How We Share Your Information
We do not sell, rent, or trade your personal information or PHI. We share your information only in the following circumstances:
3.1 Service Providers
We engage trusted third-party service providers who assist us in operating our Services. These providers have access to your information only to perform specific tasks on our behalf and are contractually obligated to maintain its confidentiality and security. Our service providers and the data they receive include:
- Amazon Web Services (AWS) — Cloud infrastructure, data storage, and compute services. Your medical bill images, analysis results, and account information are stored on AWS servers in the United States.
- Anthropic — AI-powered bill analysis. Images of your uploaded medical bills are transmitted to Anthropic's Claude AI service for analysis to identify potential billing errors. Images are used solely for this analysis purpose.
- Lob, Inc. — Physical mail delivery. When you elect to mail a dispute or negotiation letter through MedAdvocate, your full name, mailing address, your provider's name and mailing address, and the letter content are transmitted to Lob to print and deliver the letter via USPS on your behalf.
- Stripe, Inc. — Payment processing. When you make a payment, your payment information is transmitted directly to Stripe and is not stored by MedAdvocate. Stripe's privacy policy governs the handling of your payment data.
- Postmark (ActiveCampaign) — Email delivery. Your email address and letter content may be transmitted to Postmark to deliver email copies of your dispute letters.
- Google LLC — Address display. Your home address may be used to render a map image on your account profile page via the Google Maps Static API.
Where required by HIPAA, we enter into Business Associate Agreements with service providers that handle Protected Health Information.
3.2 Mail Delivery to Healthcare Providers
When you choose to send a dispute or negotiation letter through MedAdvocate, we transmit your name, mailing address, your provider's name and address, and your letter content to Lob, Inc., our physical mail partner, who prints and mails the letter via USPS on your behalf. This transmission is a core part of the service you request and is authorized by your use of the "Send Letter" feature.
3.3 Legal Requirements
We may disclose your information when required by law, including to:
- Comply with legal processes, court orders, or government requests
- Respond to claims that content violates the rights of third parties
- Protect the rights, property, or safety of MedAdvocate, our users, or the public
- Prevent or investigate potential fraud, security, or technical issues
3.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change and provide you with choices regarding your information.
3.5 With Your Consent
We may share your information for other purposes with your explicit consent or at your direction.
4. HIPAA Compliance and Your Rights
4.1 Business Associate Status
MedAdvocate functions as your Business Associate under HIPAA. This means we are legally obligated to:
- Use and disclose your PHI only as permitted by HIPAA and this Privacy Policy
- Implement appropriate safeguards to protect your PHI
- Report any breaches of unsecured PHI as required by law
- Make your PHI available to you upon request
4.2 Your HIPAA Rights
Under HIPAA, you have the following rights regarding your PHI:
Right to Access: You have the right to access and obtain a copy of your PHI that we maintain. To request access, contact us using the information provided at the end of this policy.
Right to Amendment: You may request that we amend your PHI if you believe it is incorrect or incomplete. We will respond to your request within 60 days.
Right to Accounting of Disclosures: You may request an accounting of certain disclosures of your PHI made by us in the six years prior to your request.
Right to Request Restrictions: You may request restrictions on how we use or disclose your PHI. We are not required to agree to your request but will consider it carefully.
Right to Request Confidential Communications: You may request that we communicate with you about your PHI through alternative means or at alternative locations.
Right to be Notified of a Breach: You have the right to be notified if there is a breach of your unsecured PHI.
5. Data Security
We implement comprehensive security measures to protect your information from unauthorized access, use, alteration, and disclosure:
5.1 Technical Safeguards
- End-to-end encryption for data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256 encryption
- Multi-factor authentication for account access
- Regular security assessments and penetration testing
- Intrusion detection and prevention systems
5.2 Administrative Safeguards
- Role-based access controls limiting employee access to PHI
- Comprehensive employee training on HIPAA compliance and data security
- Business Associate Agreements with all vendors handling PHI
- Incident response and breach notification procedures
5.3 Physical Safeguards
- Secure data centers with restricted physical access
- Environmental controls and disaster recovery systems
- Regular backups and redundancy measures
While we implement robust security measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security but continuously work to enhance our protections.
6. Data Retention
We retain your information for as long as necessary to provide our Services and comply with legal obligations:
- Account information: Retained while your account is active and for six (6) years after account closure
- PHI: Retained for six (6) years from the date of creation or last use, as required by HIPAA
- Billing and financial records: Retained for seven (7) years as required by tax laws
- Usage data and logs: Retained for up to two (2) years for security and operational purposes
After the retention period expires, we securely delete or de-identify your information. You may request earlier deletion of your information, subject to our legal and operational requirements.
7. Children's Privacy
Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected information from a minor, please contact us immediately so we can delete the information.
8. State-Specific Privacy Rights
8.1 California Residents
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information we collect, use, disclose, and sell
- Right to delete your personal information
- Right to opt out of the sale of personal information (we do not sell personal information)
- Right to non-discrimination for exercising your CCPA rights
8.2 Other State Rights
Residents of other states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, and Utah) have similar rights. Contact us to exercise your rights under applicable state law.
9. International Data Transfers
Our Services are based in the United States, and your information is stored and processed in the United States. If you access our Services from outside the United States, you consent to the transfer of your information to the United States. We comply with applicable data protection laws regarding international transfers.
10. Third-Party Links and Services
Our Services may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing them with your information.
11. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting the updated policy on our platform with a new "Last Updated" date
- Sending you an email notification to the address associated with your account
- Displaying a prominent notice within the application
Your continued use of the Services after the effective date of the updated policy constitutes your acceptance of the changes. If you do not agree with the updated policy, you must stop using our Services.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:
MedAdvocate Privacy Officer
Email: team@medadvocate.net
Website: www.medadvocate.net
We will respond to your request within thirty (30) days. If you believe we have violated your privacy rights, you also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights.