Introduction and Scope
ClaimsCure Medical Billing Services ("ClaimsCure," "we," "us," or "our") provides professional medical billing, coding, claims management, and revenue cycle services to healthcare providers throughout the United States. As a HIPAA Business Associate, we are committed to protecting the privacy and security of Protected Health Information (PHI) and personal data.
Important: This Privacy Policy applies to information collected through our services and website. For specific information about our HIPAA compliance requirements, please refer to our separate HIPAA Compliance Statement and Business Associate Agreement (BAA).
This policy describes our practices regarding the collection, use, disclosure, and protection of information in accordance with:
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Health Information Technology for Economic and Clinical Health (HITECH) Act
- Gramm-Leach-Bliley Act (GLBA) where applicable
- State privacy and data protection laws
Information We Handle
2.1 Protected Health Information (PHI)
In providing medical billing services, we may receive, create, maintain, or transmit PHI on behalf of our Covered Entity clients, including but not limited to:
- Patient demographic information (name, address, date of birth, contact details)
- Health insurance information and policy numbers
- Medical diagnosis and treatment information (ICD-10, CPT codes)
- Billing and payment records
- Other information necessary for healthcare claims processing
2.2 Business Information
We collect information about healthcare providers and organizations we work with:
- Provider names, NPI numbers, and professional credentials
- Practice information and tax identification numbers
- Billing and financial information for service provision
- Contact information for authorized personnel
2.3 Technical and Website Data
When you interact with our website, we may collect:
- IP address, browser type, and device information
- Pages visited and time spent on our site
- Information provided through contact forms or service inquiries
- Cookies and similar tracking technologies (see Section 7)
Note: We do not use PHI for marketing purposes, and we adhere strictly to the HIPAA Minimum Necessary Standard in all our operations.
How We Use Information
3.1 PHI Usage
We use PHI solely to provide contracted medical billing services, including:
- Electronic claims submission to health plans
- Payment posting and reconciliation
- Patient billing and statement generation
- Denial management and appeals processing
- Reporting and analytics for our clients
- Compliance with legal and regulatory requirements
3.2 Business Information Usage
We use business information to:
- Provide and improve our medical billing services
- Communicate with clients about services and updates
- Process payments and generate invoices
- Comply with legal and contractual obligations
- Maintain accurate business records
3.3 Legal Basis for Processing
Our processing of information is based on:
- Contractual Necessity: Performance of services under our agreements
- Legal Obligation: Compliance with HIPAA and other laws
- Legitimate Interests: Business operations and service improvement
- Consent: Where required and obtained for specific purposes
Information Disclosure Practices
4.1 Permitted Disclosures
We may disclose PHI as permitted by HIPAA and our Business Associate Agreements:
- To healthcare providers and their authorized staff for treatment purposes
- To health plans and insurance companies for payment processing
- To government agencies as required by law (CMS, IRS, etc.)
- To our HIPAA-compliant subcontractors bound by BAAs
- As authorized by the Covered Entity or individual
4.2 Legal Requirements
We may disclose information when legally required:
- To comply with court orders, subpoenas, or legal processes
- To government regulatory agencies during audits or investigations
- To law enforcement when required by applicable law
- To protect the rights, property, or safety of ClaimsCure, our clients, or others
Important Limitation: We do not sell, rent, or trade PHI for marketing purposes. All disclosures are made in accordance with HIPAA requirements and our contractual obligations.
Data Security Measures
We implement comprehensive security measures aligned with HIPAA Security Rule requirements:
5.1 Administrative Safeguards
- Comprehensive HIPAA training for all workforce members
- Regular risk assessments and management plans
- Role-based access controls and authentication procedures
- Incident response and breach notification procedures
- Business Associate Agreements with all subcontractors
5.2 Physical Safeguards
- Secure facility access controls and monitoring
- Workstation security policies and procedures
- Secure disposal of physical records containing PHI
- Device and media controls for portable devices
5.3 Technical Safeguards
- Encryption of data in transit (TLS 1.2+) and at rest
- Firewalls and intrusion detection and prevention systems
- Regular security updates and patch management
- Audit controls and system activity monitoring
- Secure backup and disaster recovery procedures
Data Retention and Destruction
We retain PHI and business records in accordance with:
- HIPAA requirements (minimum 6 years from creation or last effective date)
- State medical record retention laws (varies by state, typically 7-10 years)
- Contractual obligations with clients
- Business needs and legal requirements
When information is no longer needed, we securely destroy it using methods that render PHI unusable, unreadable, or indecipherable, including:
- Paper records: Cross-cut shredding or pulping
- Electronic media: Secure deletion following NIST guidelines
- Physical media: Degaussing or physical destruction
Retention Schedule: We maintain detailed retention schedules and conduct regular reviews to ensure compliance with all applicable requirements.
Cookies and Tracking Technologies
Our website uses cookies and similar technologies to:
- Improve website functionality and user experience
- Analyze website traffic and performance metrics
- Remember user preferences and settings
- Provide secure access to client portals
Important: We do not use cookies to collect PHI. Cookies are used only for website functionality and analytics purposes.
7.1 Cookie Management
You can control cookie settings through your browser:
- Most browsers allow you to refuse cookies or delete existing ones
- You can usually find cookie settings in your browser's "Preferences" or "Settings" menu
- Note that disabling cookies may affect website functionality
7.2 Third-Party Services
We may use third-party services that use cookies:
- Google Analytics: For website analytics (anonymized data)
- Security Services: For DDoS protection and security monitoring
- Payment Processors: For secure payment processing
These services have their own privacy policies, and we review them regularly for compliance.
Individual Rights and Choices
Critical Notice for Patients: As a HIPAA Business Associate, we do not have a direct relationship with patients regarding PHI. All patient requests regarding PHI access, amendment, or accounting of disclosures should be directed to the healthcare provider (Covered Entity) who is the custodian of the medical records.
8.1 Website Users
Website users may exercise the following rights:
- Access: Request access to personal information we hold
- Correction: Request correction of inaccurate information
- Deletion: Request deletion of personal information (subject to legal requirements)
- Opt-out: Opt out of marketing communications
- Data Portability: Request data in a structured, machine-readable format
8.2 Business Clients
Business clients may:
- Access and update account information through secure portals
- Request information about our data handling practices
- Request termination of services and data handling as per our agreement
- Receive regular reports on data processing activities
8.3 Exercise Your Rights
To exercise your rights, please contact us using the information in Section 13. We will respond to requests within 30 days, as required by applicable law.
Breach Notification Procedures
In accordance with HIPAA and HITECH requirements, we have implemented comprehensive breach notification procedures:
- Prompt Investigation: Immediate investigation of potential breaches upon discovery
- Timely Notification: Notification to affected Covered Entities without unreasonable delay (within 60 days of discovery)
- Cooperation: Full cooperation with Covered Entities in their breach notification obligations
- Documentation: Maintenance of detailed documentation for all breaches and responses
- Remediation: Implementation of corrective actions to prevent future breaches
Notification Process: In the event of a breach involving PHI, we will provide the Covered Entity with all information necessary for them to fulfill their notification obligations to affected individuals, HHS OCR, and state authorities as required.
Children's Privacy
Our services and website are not directed to children under the age of 13. We do not knowingly collect personal information from children.
Procedure: If we become aware that we have collected personal information from a child under 13 without parental consent, we will take immediate steps to remove that information from our systems and notify the appropriate parties.
For healthcare services involving minors, PHI is handled in accordance with state laws regarding minor consent and parental access rights.
International Data Transfers
ClaimsCure is based in the United States, and our services are intended for U.S. healthcare providers. We do not intentionally transfer PHI outside the United States.
- All data processing occurs within the United States
- Our infrastructure and personnel are located in the U.S.
- We use U.S.-based data centers and service providers
- Any international transfers would only occur with appropriate safeguards and compliance with applicable laws
Policy Updates and Changes
We may update this Privacy Policy periodically to reflect changes in:
- Our information practices and services
- Legal and regulatory requirements
- Industry standards and best practices
- Technological developments
When we make changes, we will:
- Update the "Last Updated" date at the top of this policy
- Post the updated policy on our website with version history
- Notify business clients of material changes as required by our agreements
- Provide a summary of significant changes when appropriate
Recommendation: We encourage you to review this Privacy Policy periodically to stay informed about how we protect information. The continued use of our services after changes constitutes acceptance of the updated policy.
Contact Information
For questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact:
- ClaimsCure Medical Billing Services
- Privacy Officer
- Email: privacy@claimscure.com
- Phone: +1 (301)-739-8880
- Website: www.claimscure.com
- Mailing Address: Available upon request for security reasons
For HIPAA-Related Inquiries: Patients should contact their healthcare provider (Covered Entity) for HIPAA-related questions or to exercise privacy rights regarding their medical records.
Key Definitions
- Protected Health Information (PHI): Individually identifiable health information that is protected under HIPAA, including demographic information, medical history, test results, insurance information, and other data that can be used to identify an individual.
- Business Associate (BA): A person or entity who performs functions or activities on behalf of a Covered Entity that involve the use or disclosure of PHI, including claims processing, data analysis, and billing services.
- Covered Entity (CE): A healthcare provider, health plan, or healthcare clearinghouse that is subject to HIPAA regulations and creates, receives, maintains, or transmits PHI.
- Business Associate Agreement (BAA): A written contract between a Covered Entity and a Business Associate that establishes the permitted uses and disclosures of PHI, outlines security requirements, and defines breach notification responsibilities.
- Minimum Necessary Standard: The HIPAA requirement that when using or disclosing PHI, Covered Entities and Business Associates must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
- Breach: The acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA that compromises the security or privacy of the PHI.
Acceptance and Governing Law
By using our services or website, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this policy, please do not use our services or website.
15.1 Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of the State of Maryland, without regard to its conflict of law principles.
15.2 Dispute Resolution
Any disputes arising from this Privacy Policy will be resolved through binding arbitration in accordance with the rules of the American Arbitration Association, to be held in Montgomery County, Maryland.
15.3 Severability
If any provision of this Privacy Policy is found to be invalid or unenforceable, the remaining provisions will remain in full force and effect.
End of Privacy Policy
This document represents our commitment to protecting privacy and complying with all applicable laws and regulations.