Privacy Policy

1. Information We Collect

1.1 Account Information

• Personal Information: Name, email address, phone number, and professional credentials
• Provider Information: Healthcare facility name, NPI numbers, practice specialty, and billing information
• Authentication Data: Username, encrypted passwords, and session tokens
• Billing Information: Payment details processed securely through Stripe (we do not store credit card numbers)

1.2 Medical Documents and Data

• Uploaded Documents: Insurance denial letters, medical records, lab results, and imaging reports
• Processed Medical Content: De-identified medical information extracted from your documents
• Generated Appeals: AI-generated appeal letters and related metadata
• Medical Classifications: Diagnoses, treatments, procedures, and medical necessity justifications

1.3 Technical Information

• Usage Data: Feature usage, session duration, and platform interaction patterns
• Device Information: Browser type, operating system, IP address, and device identifiers
• Performance Data: System response times, error logs, and service performance metrics
• Security Logs: Authentication attempts, access patterns, and security events

2. HIPAA Compliance and Medical Data Protection

2.1 PHI De-identification Process

• Automatic PII Removal: Our system automatically removes patient names, addresses, phone numbers, Social Security numbers, and other direct identifiers
• Medical Content Preservation: We preserve medical diagnoses, treatments, medications, test results, and clinical justifications necessary for appeal generation
• Age Categorization: Specific birthdates are converted to age ranges (e.g., "elderly adult" instead of exact age)
• Geographic Anonymization: Specific addresses removed while preserving relevant geographic regions for insurance purposes

2.2 Data Minimization

We only process the minimum amount of medical information necessary to generate effective insurance appeals. Our AI system focuses on:

• Medical necessity justifications
• Clinical evidence and documentation
• Treatment protocols and guidelines
• Insurance policy and coverage criteria

2.3 Security Safeguards

• Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Role-based access with multi-factor authentication
• Audit Logging: Comprehensive logging of all data access and modifications
• Regular Security Assessments: Penetration testing and vulnerability assessments
• Staff Training: Regular HIPAA and security training for all personnel

3. How We Use Your Information

3.1 Core Platform Services

• Appeal Generation: Process medical documents to create AI-powered insurance appeal letters
• Vector Similarity Search: Find similar successful appeals to improve generation quality
• Account Management: Provide access to your appeals, settings, and platform features
• Billing and Subscription: Process payments and manage subscription services

3.2 AI Training and Improvement

• Model Training: Use de-identified, positively-rated appeals to improve our AI models (only with provider consent)
• Quality Enhancement: Analyze appeal success patterns to enhance generation algorithms
• Medical Knowledge Base: Build comprehensive medical appeals knowledge base for improved outcomes

3.3 Platform Analytics

• Usage Analytics: Understand platform usage to improve user experience
• Performance Monitoring: Monitor system performance and reliability
• Success Rate Analysis: Track appeal success rates to optimize our AI models

4. Information Sharing and Disclosure

4.1 No Sale of Medical Data

We never sell, lease, or commercially exploit your medical information or patient data.

4.2 Limited Sharing for Platform Operations

• AI Processing Partners: Azure OpenAI for appeal generation (under strict data processing agreements)
• Cloud Infrastructure: Microsoft Azure for secure hosting and data processing
• Payment Processing: Stripe for secure payment processing (no medical data shared)
• Security Services: Cloudflare for DDoS protection and web application firewall

4.3 Legal Requirements

We may disclose information only when required by law, such as:

• Valid court orders or subpoenas
• Legal obligations under HIPAA or other healthcare regulations
• Protection against fraud or security threats
• Emergency situations involving imminent harm

5. Data Retention and Deletion

5.1 Retention Periods

• Account Data: Retained while your account is active and for 3 years after closure
• Generated Appeals: Retained for 7 years in accordance with medical record retention requirements
• De-identified Training Data: Retained indefinitely for AI model improvement (cannot be linked back to individuals)
• Billing Records: Retained for 7 years for tax and accounting purposes
• Security Logs: Retained for 2 years for security analysis and compliance

5.2 Data Deletion Rights

• Account Deletion: You may request complete account deletion at any time
• Appeal Deletion: Individual appeals may be deleted upon request (subject to legal retention requirements)
• Training Data Opt-out: You may opt out of contributing data to AI training

6. Your Rights and Choices

6.1 Access and Correction

• View and download all your data through your account dashboard
• Correct inaccurate personal or provider information
• Request copies of generated appeals and processing history

6.2 Privacy Controls

• Training Data Participation: Opt in or out of contributing to AI training
• Analytics Preferences: Control participation in usage analytics
• Communication Preferences: Manage email notifications and updates

6.3 Data Portability

• Export your appeals and data in standard formats
• Transfer data to other healthcare technology platforms
• Receive machine-readable copies of your information

7. International Data Transfers

Your data is primarily processed and stored in the United States using Microsoft Azure's secure cloud infrastructure. If data is transferred internationally, we ensure:

• Appropriate safeguards under GDPR and other applicable laws
• Standard contractual clauses for international transfers
• Equivalent levels of data protection in all jurisdictions

8. Children's Privacy

MedAppeals is designed for healthcare professionals and is not intended for use by individuals under 18. We do not knowingly collect personal information from minors. If we become aware of such collection, we will delete the information promptly.

9. Third-Party Services

9.1 Integrated Services

• Azure OpenAI: AI processing under Microsoft's data protection agreements
• Stripe: Payment processing with industry-standard security
• Cloudflare: Security and performance optimization

9.2 Analytics and Monitoring

We use privacy-focused analytics tools that do not track individual users or share data with advertising networks.

10. Security Incidents

In the event of a security incident affecting your data:

• We will notify you within 72 hours of discovery
• We will provide details about the nature and scope of the incident
• We will outline steps taken to address the incident and prevent recurrence
• We will comply with all breach notification requirements under HIPAA and other applicable laws

11. Updates to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or applicable laws. We will:

• Notify users of material changes via email and platform notifications
• Provide 30 days' notice before changes take effect
• Maintain previous versions for reference
• Obtain consent for changes that expand data collection or use

12. Contact Information

13. State-Specific Rights

13.1 California Residents (CCPA/CPRA)

California residents have additional rights including:

• Right to know what personal information we collect and how it's used
• Right to delete personal information (subject to legal retention requirements)
• Right to opt-out of sale (note: we do not sell personal information)
• Right to non-discrimination for exercising privacy rights

13.2 European Residents (GDPR)

EU/EEA residents have rights including:

• Right of access to personal data
• Right to rectification of inaccurate data
• Right to erasure (right to be forgotten)
• Right to data portability
• Right to object to processing