Privacy Policy
Last updated: April 21, 2026
Medcodex Health Technologies Private Limited ("MedCodex Health," "we," "our," or "us") is committed to protecting the privacy and security of all information entrusted to us. This Privacy Policy describes how we collect, use, disclose, and safeguard information in connection with our medical coding, clinical documentation improvement, and revenue cycle management services.
As a healthcare services company, we operate in full compliance with the Health Insurance Portability and Accountability Act (HIPAA), applicable Indian data protection laws, and international best practices for healthcare data security.
1. Information We Collect
1.1 Business Contact Information
When you contact us, request a pilot program, or engage our services, we may collect:
- Name, title, and professional role
- Organization name and type
- Business email address and phone number
- Business mailing address
- Information submitted through our contact or inquiry forms
1.2 Protected Health Information (PHI)
In the course of providing medical coding and clinical documentation services, we may receive, process, and transmit Protected Health Information (PHI) as defined under HIPAA. This includes patient medical records, claims data, encounter documentation, and related health information provided to us by our client healthcare organizations (covered entities).
MedCodex Health acts as a Business Associate under HIPAA. All PHI is handled exclusively for the purposes outlined in our Business Associate Agreements (BAAs) with covered entity clients. We do not use PHI for any purpose other than the specific services contracted.
1.3 Website Usage Information
When you visit our website, we may automatically collect:
- IP address and browser type
- Pages visited and time spent on pages
- Referring website addresses
- Device type and operating system
2. How We Use Your Information
We use collected information solely for the following purposes:
- Delivering contracted medical coding and CDI services
- Responding to inquiries and service requests
- Sending service updates, reports, and communications relevant to your account
- Improving our services and website functionality
- Complying with legal, regulatory, and contractual obligations
- Detecting and preventing security incidents or fraudulent activity
We do not sell, rent, trade, or otherwise disclose your personal information or PHI to third parties for marketing or commercial purposes.
3. HIPAA Compliance & Business Associate Obligations
MedCodex Health maintains strict HIPAA compliance protocols:
- We execute a Business Associate Agreement (BAA) with every covered entity client before accessing any PHI
- Access to PHI is restricted on a strict need-to-know basis
- All staff handling PHI receive regular HIPAA training and compliance education
- PHI is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256)
- We maintain audit logs of all PHI access and processing activities
- PHI is retained only for the duration specified in the BAA and applicable law
- We notify covered entity clients of any PHI breach in accordance with the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414)
4. Data Security
We implement administrative, physical, and technical safeguards to protect all information, including:
- End-to-end encryption for all data transmissions
- Secure, access-controlled file transfer protocols (SFTP, encrypted email)
- Multi-factor authentication for all system access
- Regular security risk assessments and vulnerability testing
- Employee background verification and confidentiality agreements
- Physical security controls at all operational facilities
- Incident response and disaster recovery plans
5. Data Retention
Business contact information is retained for as long as necessary to maintain our business relationship and comply with legal obligations. PHI is retained and disposed of in strict accordance with each client's BAA, applicable state law, and federal regulations — typically no longer than required by the client's retention schedule.
Upon termination of services, all PHI is returned to the client or securely destroyed per HIPAA requirements and the terms of the BAA.
6. Third-Party Disclosure
We do not disclose personal information or PHI to third parties except:
- To subcontractors who assist in service delivery and have executed appropriate BAAs and confidentiality agreements
- When required by law, court order, or government regulation
- To protect the rights, safety, or property of MedCodex Health or others
- With your explicit written consent
7. International Data Transfers
MedCodex Health is headquartered in India. When we process data on behalf of U.S.-based healthcare clients, such data is handled in accordance with HIPAA requirements and the terms of our BAAs. Appropriate contractual safeguards are in place for all cross-border data processing.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your information (subject to legal and contractual obligations)
- Object to or restrict certain processing activities
- Exercise data portability where applicable
Note: Patient rights regarding PHI must be directed to the covered entity (your healthcare provider or health plan), not to MedCodex Health as a Business Associate.
9. Cookies
Our website may use essential cookies to maintain session functionality and improve user experience. We do not use tracking or advertising cookies. You may disable cookies in your browser settings; however, some website features may not function properly.
10. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or regulatory guidance. We will post the updated policy on this page with a revised effective date. Continued use of our services after changes constitutes acceptance of the updated policy.
11. Contact Us
For privacy-related questions, concerns, or to exercise your rights, contact our Privacy Officer:
Medcodex Health Technologies Private Limited
11/224, P.A Solai, Thirumurthy Nagar, Udumalpet, Tamil Nadu, India
Email: [email protected]
Phone: +91-9080441242