MedBillHero Privacy Policy
Effective Date: June 4, 2025
Last updated: June 15, 2025
At MedBillHero, your privacy is our priority. This Privacy Policy explains how we collect, use, protect, and share your information when you use our application and services, including our integration with Medicare via the CMS Blue Button API.
1. Information We Collect
We may collect the following types of information:
- Personal Information: Your name, email address, and account details.
- Health Information (with your explicit consent):
  - Medicare claims (Parts A, B, and D)
  - Prescriptions
  - Provider visits and procedures
  - Coverage and demographics
- User-Submitted Documents: Insurance cards, Explanation of Benefits (EOBs), and medical bills.
- Usage Data: Application activity, access times, IP address.
- Analytics Data: Collected via PostHog, which is configured not to collect any personally identifiable information (PII) or PHI. We use this data solely to improve performance and usability.
2. How We Use Your Information
We use your data to:
- Provide insights into your medical bills and insurance coverage
- Detect billing issues and help generate appeal letters (if applicable)
- Improve our services and user experience
- Communicate with you about your account and services
We do not sell your data. We only share it with trusted service providers when necessary to operate our platform.
3. Disclosure to Trusted Vendors
We may share your information with infrastructure and analytics vendors under strict data protection agreements. These vendors include:
- Cloud infrastructure (e.g. Amazon Web Services), with whom we maintain a signed Business Associate Agreement (BAA)
- Analytics providers (e.g. PostHog) that are configured to avoid collecting any PII or PHI
- Support systems, solely for providing user-requested assistance
All vendors are contractually obligated to maintain the security and confidentiality of your data.
4. CMS Blue Button Integration
By connecting your Medicare account, you authorize MedBillHero to access your CMS data via the Blue Button API. Authorization uses the OAuth 2.0 flow provided by the Blue Button API: you sign in at Medicare.gov, and MedBillHero receives an access token rather than your Medicare.gov credentials. This allows us to retrieve your claims, coverage, and provider information.
- You may revoke access at any time via your Medicare account at medicare.gov.
- We only request the minimum scopes required to offer our services.
- All access is logged and auditable.
5. How We Protect Your Data
We take the security of your information seriously:
- All data is encrypted both in transit and at rest
- PHI is stored securely in AWS with BAA coverage
- Access is strictly limited to authorized personnel
- We conduct regular security audits and penetration testing
- Access and activity logs are maintained for auditing and compliance
In the event of a breach involving your PHI, we will notify you in accordance with HIPAA requirements.
6. Mailing and HIPAA Compliance
We use Mailgun (a Sinch company) as our email service provider for transactional and account-related communications. We have entered into a Business Associate Agreement (BAA) with Mailgun, as HIPAA requires of a vendor that may handle Protected Health Information (PHI) on our behalf. Email is encrypted in transit (TLS) between our systems and Mailgun and, where the recipient's mail server supports it, between Mailgun and that server. Standard email is not end-to-end encrypted: Mailgun processes message contents in order to deliver them, so its handling and retention of those contents is governed by the BAA. Recipient mail servers and mailboxes are outside our control, and any PHI sent by email is protected only to the extent those systems support encryption in transit.
7. Your Rights
You have the right to:
- Request a copy of your data
- Ask us to correct or delete your data
- Revoke our access to your Medicare information
- File a privacy complaint with us or with the U.S. Department of Health and Human Services
To exercise any of these rights, contact us at support@medbillhero.com.
8. Data Retention
We retain your data only as long as necessary to provide services or meet our legal obligations. You may request deletion of your data at any time.
9. Our Legal Obligations Under HIPAA
MedBillHero complies with the Health Insurance Portability and Accountability Act (HIPAA). We are legally required to:
- Protect the privacy and security of your health information
- Notify you of breaches of unsecured PHI, as required by the HIPAA Breach Notification Rule
- Provide you with a notice of our privacy practices (this document)
- Abide by the terms outlined here
If you believe your privacy rights have been violated, you may file a complaint with us at support@medbillhero.com or with the U.S. Department of Health and Human Services at hhs.gov/hipaa. We will not retaliate against you for filing a complaint.
10. Changes to This Policy
We may update this policy as our services evolve or as regulations change. If we make material changes, we will notify you via email or through the application.