HEALTHCLAIMAGENT.AI

Privacy Policy

By creating an account or using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

1. Information We Collect

1.1 Information You Provide Directly

Account Information. When you create an account, we collect your name, email address, password (managed by our authentication provider, Clerk), and practice information including practice name, address, NPI number, credential type, license number, and license state.

Denial and Appeal Information. When you use the Service to generate appeal letters, you provide denial details including insurance payer name, denial reason codes (CARC codes), CPT codes, ICD-10 diagnosis codes, dates of service, denied amounts, level of care, and stated denial rationale.

Protected Health Information (PHI). If you have accepted our BAA, you may input patient information including patient names, dates of birth, insurance member identification numbers, and claim numbers. Our handling of PHI is governed by the BAA and HIPAA, as described in Section 5 of this Privacy Policy.

Payment Information. If you subscribe to a paid tier or provide a payment method for Success Fee billing, your payment card information is collected and processed by Stripe, Inc. We do not store your full credit card number on our servers. We retain only the last four digits and card brand for display in your account settings.

Outcome Data. When you record appeal outcomes through the Service, you provide the result (won, partially won, or lost), the amount recovered, whether the parity argument was effective, payer response notes, and resolution time.

Communications. When you contact us at support@healthclaimagent.ai or through the Service, we collect the content of your communications.

1.2 Information Collected Automatically

Usage Data. We collect information about how you interact with the Service, including pages visited, features used, appeal generation requests, time spent on pages, and clickstream data.

Device and Browser Information. We collect your IP address, browser type and version, operating system, device type, and screen resolution.

Log Data. Our servers automatically record information including your IP address, access times, pages viewed, and the referring URL.

Cookies and Similar Technologies. We use essential cookies for authentication and session management. We do not use advertising cookies or tracking pixels. We do not serve ads in the Service.

Do Not Track Signals. Because we do not use third-party advertising or behavioral tracking technologies, our Service responds to browser “Do Not Track” (DNT) signals by default — there is no cross-site tracking to disable.

1.3 Information from Third Parties

Authentication Provider. We receive basic profile information (name, email, profile image) from Clerk when you create an account or sign in using OAuth providers (such as Google).

Clearinghouse Data. If you authorize Clearinghouse integration during onboarding, we may receive ERA/835 electronic remittance data for Claims processed through the Service, as described in the Terms of Service Section 4.5.

2. How We Use Your Information

2.1 To Provide and Operate the Service

We use your information to create and manage your account, to generate appeal letters using our AI pipeline, to retrieve relevant legal and clinical evidence from our knowledge base, to perform parity analysis under MHPAEA, to verify citations in generated appeal letters, to process payments and calculate Success Fees, to send transactional communications (such as outcome reminder emails and invoices), and to provide customer support.

2.2 To Improve the Service

We use De-Identified Data and Platform Data (as defined in the Terms of Service) to improve the accuracy and effectiveness of our AI models, to build and maintain the Payer Intelligence database, to train specialized AI models for extraction, parity analysis, and appeal generation, to analyze denial patterns and argument effectiveness across payers, and to enhance our knowledge base and retrieval algorithms. All data used for Service improvement is de-identified using the HIPAA Safe Harbor method before use. We never use individually identifiable patient information for model training or analytics.

2.3 To Ensure Security and Compliance

We use your information to detect and prevent fraud, abuse, and unauthorized access, to monitor for security incidents and breaches, to comply with legal obligations including HIPAA, to enforce our Terms of Service, and to maintain audit logs as required by HIPAA.

2.4 To Communicate With You

We may send you service-related communications including account verification emails, outcome reminder notifications (at 30, 60, and 90 days after appeal generation), invoices and payment confirmations, service announcements and updates, and responses to your support inquiries. We do not send marketing emails unless you opt in. You may not opt out of transactional communications necessary for the operation of the Service.

3. How We Share Your Information

3.1 We Do Not Sell Your Information

We do not sell, rent, or trade your personally identifiable information or Protected Health Information to any third party, for any purpose, under any circumstances.

3.2 Service Providers (Subcontractors)

We share information with third-party service providers who perform services on our behalf, subject to confidentiality obligations and, where PHI is involved, Business Associate Agreements. Our current service providers include:

Amazon Web Services, Inc. — Cloud infrastructure, AI model inference (Claude via AWS Bedrock), and data storage. AWS operates under a HIPAA BAA executed via AWS Artifact. Data is processed in the us-east-2 (Ohio) region.

Supabase, Inc. — Database hosting, authentication support, and vector search. Supabase operates under a HIPAA BAA available on their Pro plan and above. Data is encrypted at rest with AES-256.

Clerk, Inc. — User authentication and session management. Clerk processes account credentials (email, password hash, OAuth tokens) but does not access PHI.

Stripe, Inc. — Payment processing for subscription fees and Success Fee invoicing. Stripe processes payment card information and billing details but does not access PHI. Stripe is PCI-DSS Level 1 certified.

Resend, Inc. — Transactional email delivery for outcome reminders and invoices. Resend processes email addresses and message content but does not access PHI.

Anthropic, PBC — AI model provider. Claude models are accessed primarily via AWS Bedrock, with the Anthropic API used as a fallback. Anthropic processes denial details and service descriptions provided during appeal generation. Anthropic does not receive full medical records or direct patient identifiers.

Sentry (Functional Software, Inc.) — Error monitoring and application performance tracking. Sentry processes error reports, stack traces, and request metadata to help us identify and resolve issues. Sentry does not access PHI. Error reporting is sampled (not every request is reported) to minimize data collection.

Vercel, Inc. — Frontend application hosting and content delivery. Vercel serves the web application and maintains deployment and access logs. Vercel does not access PHI stored in the database.

Railway Corp. — Backend API hosting and compute infrastructure. Railway hosts the application server that processes appeal generation requests and maintains deployment logs.

3.3 Aggregated and De-Identified Data

We may share aggregated, de-identified data that cannot reasonably be used to identify any individual. This includes Payer Intelligence analytics (payer-specific win rates, denial patterns, argument effectiveness scores), aggregate platform statistics (total appeals generated, average success rates by denial type), and de-identified research data published for educational or advocacy purposes. This data is de-identified using the HIPAA Safe Harbor method (45 C.F.R. § 164.514(b)), which requires the removal of 18 specified identifiers and that we have no actual knowledge that the remaining information could be used to identify an individual.

3.4 Legal Requirements

We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to comply with a legal obligation, court order, or subpoena, to protect and defend our rights or property, to prevent fraud or illegal activity, or to protect the personal safety of users or the public. If we receive a legal demand for PHI, we will notify the affected Covered Entity promptly unless prohibited by law from doing so.

3.5 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred to the acquiring entity. We will notify you via email or prominent notice on the Service before your information becomes subject to a different privacy policy. Any successor entity will be bound by the terms of existing BAAs.

4. Data Retention

4.1 Account Data

We retain your account information for as long as your account is active. Upon account termination, we retain account data for 30 days to allow data export, after which it is deleted unless retention is required by law.

4.2 Appeal and Denial Data

We retain appeal letters, denial details, and associated data for the duration of your account plus 120 days following termination (to allow completion of pending outcome reporting obligations under the Terms of Service).

4.3 Protected Health Information

PHI is retained only as long as necessary to provide the Service. Upon account termination, PHI is returned or destroyed within 60 days as specified in the BAA Section 5.4. If destruction is infeasible, protections are extended indefinitely.

4.4 De-Identified Data and Platform Data

De-identified data and Platform Data are retained indefinitely, as they are not subject to HIPAA restrictions. This data is essential for the continued improvement of the Service and the maintenance of the Payer Intelligence database.

4.5 Audit Logs

Audit logs recording access to and modifications of PHI are retained for a minimum of six (6) years as required by HIPAA.

4.6 Payment Records

Payment and invoicing records are retained for seven (7) years as required by applicable tax and accounting regulations.

5. HIPAA and Protected Health Information

5.1 Business Associate Relationship

When you input PHI into the Service, we act as your Business Associate under HIPAA. Our obligations with respect to PHI are governed by the BAA, which is incorporated into the Terms of Service by reference and is available at www.healthclaimagent.ai/baa.

5.2 PHI We Process

The PHI we process in connection with the Service is limited to patient names (used in appeal letter salutations and for your internal tracking), patient dates of birth, insurance member identification numbers, diagnosis codes (ICD-10) associated with identified individuals, procedure codes (CPT) associated with identified individuals, claim numbers and dates of service, and denied amounts associated with specific claims. We do not process or store full medical records, psychotherapy notes, or substance use disorder records protected under 42 C.F.R. Part 2 unless specifically provided by you for appeal generation.

5.3 De-Identification

Before using any patient-related data for model training, Payer Intelligence, or any purpose other than generating your specific appeal letters, we de-identify all information using the HIPAA Safe Harbor method (45 C.F.R. § 164.514(b)). This method requires the removal of 18 categories of identifiers, including names, geographic data smaller than a state, dates (except year) related to an individual, phone numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle and device identifiers, URLs and IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number or code.

5.4 Patient Rights

Patients whose PHI is processed through the Service retain their rights under HIPAA, including the right to access, amend, and receive an accounting of disclosures of their PHI. These rights are exercised through you (the Covered Entity), not directly through the Service. We will cooperate with you in fulfilling patient rights requests as described in the BAA.

5.5 Breach Notification

In the event of a Breach of Unsecured PHI, we will notify you within thirty (30) calendar days of discovery, as specified in BAA Section 3. You are responsible for notifying affected individuals and HHS as required by 45 C.F.R. §§ 164.404 and 164.408.

6. Data Security

6.1 Technical Safeguards

We implement the following technical safeguards to protect your information:

Encryption at rest using AES-256 for all data stored in our database, including PHI.

Encryption in transit using TLS 1.3 for all data transmitted between your browser, our servers, and our service providers.

Access controls using role-based permissions, multi-factor authentication for administrative access, and API key management with scoped permissions.

Audit logging of all access to and modifications of data, including PHI access, with logs retained for six (6) years.

Automated vulnerability scanning and regular security assessments.

6.2 Administrative Safeguards

We maintain written security policies and procedures, conduct workforce training on HIPAA and security requirements, perform periodic risk assessments as required by the HIPAA Security Rule, maintain a breach notification and incident response plan, and enforce minimum necessary access principles for all personnel.

6.3 Physical Safeguards

Our Service is hosted on cloud infrastructure (AWS, Supabase, Vercel, and Railway) that maintains SOC 2 Type II certification (or equivalent), physical access controls at data center facilities, and environmental controls including fire suppression, climate control, and redundant power.

6.4 Limitations

No method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially reasonable means to protect your information, we cannot guarantee its absolute security.

7. Your Rights and Choices

7.1 Access and Export

You may access your account data, appeal history, and denial records at any time through the Service. You may export your data through the Service's export functionality or by contacting support@healthclaimagent.ai.

7.2 Correction

You may update your account information through the Settings page in the Service. For corrections to appeal or denial records, contact support@healthclaimagent.ai.

7.3 Deletion

You may request deletion of your account by contacting support@healthclaimagent.ai. Upon deletion, we will remove your personally identifiable information within 30 days, destroy PHI within 60 days as required by the BAA, retain de-identified data and Platform Data as permitted by the Terms of Service, and retain audit logs and payment records as required by law.

7.4 Communication Preferences

You may opt out of non-essential communications by contacting support@healthclaimagent.ai. You may not opt out of transactional communications necessary for the operation of the Service, including invoices, outcome reminders, and security notifications.

8. State-Specific Privacy Rights

8.1 Texas Privacy Rights

Under the Texas Data Privacy and Security Act (effective July 1, 2024), Texas residents have the right to confirm whether their personal data is being processed, access their personal data, correct inaccuracies in their personal data, delete their personal data, and obtain a copy of their personal data in a portable format. To exercise these rights, contact privacy@healthclaimagent.ai. We will respond within 45 days.

8.2 California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information. However, HIPAA-regulated information is exempt from CCPA. To the extent your information is not covered by HIPAA, you may request disclosure of the categories and specific pieces of personal information we have collected, request deletion of your personal information, and opt out of the sale of personal information (we do not sell personal information). To exercise these rights, contact privacy@healthclaimagent.ai.

8.3 Other State Privacy Laws

We comply with applicable state privacy laws in all jurisdictions where we operate. If your state provides additional privacy rights not listed above, contact privacy@healthclaimagent.ai to exercise those rights.

9. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will delete that information promptly.

10. International Users

The Service is operated in the United States and is intended for use by behavioral health providers operating in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to such transfer and processing.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will notify you of material changes by posting the revised Privacy Policy on the Service and sending an email notification at least 30 days before the changes take effect. Your continued use of the Service after the effective date of any modification constitutes your acceptance of the modified Privacy Policy.

12. Contact Information

If you have questions about this Privacy Policy, your privacy rights, or our data practices, contact us at:

For HIPAA-related inquiries, including requests to access, amend, or receive an accounting of disclosures of PHI, contact compliance@healthclaimagent.ai.