MedBillHero Privacy Policy

Effective Date: June 4, 2025

Last updated: June 24, 2025

At MedBillHero, your privacy is our priority. This Privacy Policy explains how we collect, use, protect, and share your information when you use our application and services, including our integration with Medicare via the CMS Blue Button 2.0 API.

1. Information We Collect

We may collect the following types of information:

  • Personal Information: Your name, email address, and account details.
  • Health Information (with your explicit consent):
    • Medicare claims (Parts A, B, and D)
    • Prescriptions
    • Provider visits and procedures
    • Coverage and demographics
  • User-Submitted Documents: Insurance cards, Explanation of Benefits (EOBs), and medical bills.
  • Usage Data: Application activity, access times, IP address.
  • Analytics Data: Collected via PostHog, which is configured not to collect any personally identifiable information (PII) or PHI. We use this data solely to improve performance and usability.

2. How We Use Your Information

We use your data to:

  • Provide insights into your medical bills and insurance coverage
  • Detect billing issues and help generate appeal letters (if applicable)
  • Improve our services and user experience
  • Communicate with you about your account and services

We do not sell your data. We only share it with trusted service providers when necessary to operate our platform. We limit access to and use of your PHI to the minimum necessary to accomplish the intended purpose.

3. Disclosure to Trusted Vendors

We may share your information with infrastructure and analytics vendors under strict data protection agreements. These vendors include:

  • Cloud infrastructure (e.g. Amazon Web Services), with whom we maintain a signed Business Associate Agreement (BAA)
  • Analytics providers (e.g. PostHog) that are configured to avoid collecting any PII or PHI
  • Support systems, solely for providing user-requested assistance

All vendors are contractually obligated to maintain the security and confidentiality of your data.

4. CMS Blue Button 2.0 API Integration

By connecting your Medicare account, you authorize MedBillHero to access your CMS data via the Blue Button 2.0 API. This allows us to retrieve your claims, coverage, and provider information. Access is granted through CMS's OAuth 2.0 authorization flow on Medicare.gov, and you can revoke it at any time (see Section 7).

5. How We Protect Your Data

We take the security of your information seriously:

  • All data is encrypted both in transit and at rest
  • PHI is stored in AWS under our Business Associate Agreement with AWS
  • Access is strictly limited to authorized personnel
  • We conduct regular security audits and penetration testing
  • Access and activity logs are maintained for auditing and compliance

In the event of a breach involving your PHI, we will notify you in accordance with HIPAA requirements.

6. Mailing and HIPAA Compliance

We use Mailgun (a Sinch company) as our email service provider for transactional and account-related communications. We have entered into a HIPAA Business Associate Agreement (BAA) with Mailgun. Email sent through this service is encrypted in transit using TLS where the receiving mail server supports it. Standard email is not end-to-end encrypted, so Mailgun necessarily handles message contents in order to deliver them; that handling, including any retention, is governed by the BAA. Any Protected Health Information (PHI) transmitted through our emails is therefore covered by that agreement.

7. Your Rights

You have the right to:

  • Request a copy of your data
  • Ask us to correct or delete your data
  • Revoke our access to your Medicare information
  • Request restrictions on how we use/share your PHI
  • Request confidential communications
  • Receive an accounting of disclosures (who we have shared your PHI with)
  • File a privacy complaint with us or with the U.S. Department of Health and Human Services

To exercise any of these rights, contact us at support@medbillhero.com.

8. Data Retention

We retain your data only as long as necessary to provide services or meet our legal obligations. You may request deletion of your data at any time.

9. Our Legal Obligations Under HIPAA

MedBillHero complies with the Health Insurance Portability and Accountability Act (HIPAA). We are legally required to:

  • Protect the privacy and security of your health information
  • Notify you of any breaches that may compromise your data
  • Provide this Notice of Privacy Practices
  • Abide by the terms outlined here

If you believe your privacy rights have been violated, you may file a complaint with us at support@medbillhero.com or with the U.S. Department of Health and Human Services at https://www.hhs.gov/hipaa/for-individuals/index.html. We will not retaliate against you for filing a complaint.

10. Artificial Intelligence and Machine Learning

MedBillHero uses artificial intelligence and machine learning technologies to analyze your Medicare claims and provide insights. This includes large language models and proprietary algorithms that process your health information to generate summaries, detect potential billing errors, and answer questions about your claims.

AI Data Protection: We do not use your personal health information to train third-party AI models. All AI processing is configured with enterprise privacy settings under which the provider does not retain your data or use it for model training.

For complete details about our AI technology, data usage, model limitations, and your rights regarding AI-generated content, please review our AI Technology & Data Disclaimer.

11. Changes to This Policy

We may update this policy as our services evolve or as regulations change. If we make material changes, we will notify you via email or through the application.

12. Business Transfers

In the event MedBillHero is sold, merged, or transfers assets, your PHI will remain protected under HIPAA. Any acquiring entity will either:

  • Be bound by this Privacy Policy, or
  • Provide you 30 days' notice of any changes to privacy practices

We will notify you before any transfer that affects your PHI.