HIPAA Notice

How MedBillingTech LLC safeguards protected health information (PHI) when acting as a Business Associate to healthcare providers and practices, including the administrative, physical, and technical safeguards we apply.

Effective date: January 1, 2025
Last updated: April 1, 2026

MedBillingTech LLC is committed to protecting the privacy and security of protected health information (“PHI”) entrusted to us by the healthcare providers and practices we serve. As a Business Associate under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, “HIPAA”), as amended by the HITECH Act and the Omnibus Rule, we follow strict standards for handling PHI.

01 Our commitment

Healthcare practices trust us with sensitive patient information every day. We treat that trust as the foundation of our business. Our HIPAA program is built around three principles:

  • Privacy by default — PHI is used and disclosed only as necessary to perform the services in our agreements, or as otherwise permitted or required by law.
  • Security at every layer — administrative, physical, and technical safeguards protect PHI throughout its lifecycle.
  • Accountability — documented policies, signed BAAs, ongoing training, vendor oversight, and a designated Privacy Officer responsible for compliance.

02 Our role under HIPAA

HIPAA distinguishes between two main categories of regulated entities:

  • Covered Entities — healthcare providers, health plans, and clearinghouses that create or maintain PHI in the ordinary course of providing healthcare.
  • Business Associates — organizations that perform functions or services on behalf of a Covered Entity that involve the use or disclosure of PHI.

MedBillingTech is typically a Business Associate. When we provide medical billing, credentialing, payer enrollment, or revenue cycle management services, we operate under a written Business Associate Agreement (BAA) with each Covered Entity. The BAA defines our obligations, permitted uses and disclosures, safeguards, and breach notification responsibilities.

03 What is PHI

Protected health information includes any individually identifiable health information transmitted or maintained in any form — electronic, paper, or oral — by a Covered Entity or Business Associate. Examples we routinely handle include:

  • Patient demographic information (name, date of birth, address, contact information)
  • Insurance and subscriber information
  • Diagnoses, procedure codes, and treatment information necessary for billing
  • Claim, payment, and remittance information
  • Authorization, eligibility, and benefits information
  • Provider and practice identifiers (NPI, taxonomy, license, DEA)

04 Permitted uses & disclosures

We use and disclose PHI only as necessary to perform the services described in our agreement with the Covered Entity, or as otherwise permitted or required by law. Common permitted purposes include:

  • Treatment, payment, and healthcare operations — submitting claims, posting payments, working denials, and supporting day-to-day RCM activities.
  • Required by law — disclosures mandated by federal, state, or local law, court order, or lawful subpoena.
  • For our own management and administration — limited internal uses such as quality assurance, training, and auditing, consistent with HIPAA and the BAA.
  • To subcontractors — only where bound by a written agreement requiring at least the same protections we are bound to under the BAA.

We do not sell PHI. We do not use or disclose PHI for marketing without authorization. We do not use PHI to train external machine learning or AI models.

05 Minimum necessary

When using or disclosing PHI, we apply the minimum necessary standard: only the information reasonably needed to accomplish the intended purpose is accessed, used, or shared. Our access controls, role definitions, and workflow design are built around this principle.

06 Safeguards we maintain

We implement administrative, physical, and technical safeguards in line with the HIPAA Security Rule.

Administrative safeguards

  • Designated Privacy Officer and Security Officer
  • Documented HIPAA Privacy and Security policies and procedures
  • Risk analysis and risk management program with documented mitigation
  • Workforce screening, onboarding, sanction policy, and termination procedures
  • Incident response and disaster recovery plans, tested periodically
  • Vendor risk reviews and signed Business Associate Agreements

Physical safeguards

  • Restricted access to facilities and workstations handling PHI
  • Clean-desk policy and secure storage of any printed materials
  • Secure disposal of paper and media containing PHI
  • Workstation use policies governing acceptable handling of PHI

Technical safeguards

  • Unique user IDs, role-based access controls, and least-privilege provisioning
  • Multi-factor authentication for systems containing PHI
  • Encryption of PHI in transit (TLS) and at rest where supported
  • Audit logging and monitoring of access to PHI
  • Automatic session timeouts and access reviews
  • Endpoint protection, patching, and configuration baselines

07 Workforce training

Every member of our workforce who may come into contact with PHI completes HIPAA Privacy and Security training as part of onboarding and refreshes that training periodically. Training covers permitted uses and disclosures, minimum necessary, secure handling of PHI, password and device hygiene, social engineering, and incident reporting. Workforce members are bound by confidentiality agreements and a documented sanction policy.

08 Subcontractors

Where we engage subcontractors to assist in services that involve PHI, we execute a written agreement with each one requiring them to follow protections at least as strict as those we are bound to under the BAA. Subcontractors are reviewed before engagement and on an ongoing basis.

09 Breach notification

In the event of a confirmed or suspected breach of unsecured PHI, MedBillingTech will:

  • Promptly investigate, contain, and document the incident
  • Notify the affected Covered Entity in accordance with the BAA and HIPAA Breach Notification Rule timelines
  • Provide the information needed for the Covered Entity to fulfill its own notification obligations to affected individuals, the U.S. Department of Health and Human Services, and, where applicable, the media and state regulators
  • Cooperate with reasonable mitigation, remediation, and audit activity

Suspect a security or privacy incident involving PHI we handle? Please contact our Privacy Officer immediately using the details in Section 14.

10 Patient rights

HIPAA gives patients several rights regarding their PHI. These rights are exercised through the Covered Entity (your healthcare provider or practice), which is the legal custodian of the medical record. The Covered Entity’s Notice of Privacy Practices (NPP) describes how to exercise these rights, which generally include:

  • The right to access and obtain a copy of PHI in a designated record set
  • The right to request an amendment to PHI believed to be inaccurate or incomplete
  • The right to an accounting of certain disclosures of PHI
  • The right to request restrictions on certain uses and disclosures
  • The right to request confidential communications by alternative means or location
  • The right to receive a paper copy of the NPP on request
  • The right to file a complaint without fear of retaliation

If a patient contacts MedBillingTech directly with a request, we will route the request to the appropriate Covered Entity and assist with fulfillment as required by our BAA.

11 Business Associate Agreement

MedBillingTech enters into a written Business Associate Agreement with every Covered Entity client before any PHI is exchanged. Our standard BAA addresses the requirements of 45 CFR §§ 164.504(e) and 164.314, including permitted uses and disclosures, safeguards, reporting obligations, subcontractor requirements, individual rights, return or destruction of PHI on termination, and audit rights.

Practices preparing to onboard with us will receive our BAA as part of the engagement package. We are also able to review and execute a Covered Entity’s preferred BAA in most cases.

12 Complaints

If you believe your privacy rights have been violated, or that MedBillingTech has not complied with HIPAA, you may file a complaint with our Privacy Officer (see Section 14) or directly with the U.S. Department of Health and Human Services, Office for Civil Rights:

  • U.S. Department of Health and Human Services, Office for Civil Rights
  • 200 Independence Avenue, S.W., Washington, D.C. 20201
  • Phone: 1-877-696-6775
  • Web: hhs.gov/ocr

MedBillingTech will not retaliate against any individual for filing a complaint.

13 Updates to this notice

MedBillingTech may update this HIPAA Notice from time to time to reflect changes in law, regulation, technology, or our practices. Material changes will be reflected by an updated “Last updated” date above and, where appropriate, communicated to active clients.

14 Contact our Privacy Officer

For HIPAA questions, BAA requests, audit support, or to report a privacy or security concern, please contact:

HIPAA & Compliance
MedBillingTech LLC — Privacy Officer
Mailing address: 5830 E 2nd Street, Suite 7000 #150
Casper, WY 82609
United States

Need a BAA or compliance walkthrough?

We’re happy to share our standard Business Associate Agreement, review yours, or walk through our HIPAA controls in detail before onboarding.