Who We Are and Why This Notice Applies
MedErase Inc. ("MedErase") acts as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH"). When you authorize us to work on your medical bill case, we may receive, create, and maintain Protected Health Information ("PHI") — individually identifiable health information — on your behalf.
This Notice of Privacy Practices describes our obligations and your rights under HIPAA with respect to your PHI. We are required by law to maintain the privacy of your PHI, to provide you with notice of our legal duties and privacy practices, and to follow the terms of this Notice.
What Is Protected Health Information
PHI includes information that identifies you (or could reasonably be used to identify you) that relates to your past, present, or future physical or mental health or condition; the provision of health care to you; or past, present, or future payment for health care. This includes information in your medical records, billing statements, Explanation of Benefits documents, insurance correspondence, and any other documents you provide to us in connection with your case.
How We May Use and Disclose Your PHI
As a Business Associate, our use and disclosure of your PHI is governed by our Business Associate Agreement with you (incorporated into your Client Services Agreement) and HIPAA. We use and disclose your PHI only as permitted or required under HIPAA and as described below.
Uses and Disclosures Permitted Without Your Written Authorization
For the purposes of performing our Services (Treatment, Payment, and Health Care Operations):
Services performance: We use your PHI to perform the medical bill negotiation and advocacy Services you have engaged us for, including reviewing your medical bills, preparing disputes, submitting appeals, applying for financial assistance, and communicating with your healthcare providers and insurers on your behalf.
Payment activities: We may use and disclose your PHI to healthcare providers, insurance companies, and collection agencies as necessary to perform the billing review, dispute, and negotiation Services you have authorized. For example, we may submit your diagnosis and procedure codes to an insurer when filing an appeal.
Healthcare operations: We may use your PHI for internal quality improvement, training, and compliance purposes. Such use is de-identified or limited to the minimum necessary to accomplish the operational purpose.
As required by law: We will disclose your PHI when required to do so by federal, state, or local law, including in response to a valid court order, subpoena, or government investigation.
To avert a serious threat to health or safety: We may disclose PHI to appropriate authorities if we believe in good faith that such disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
For law enforcement purposes: We may disclose PHI to law enforcement officials under specific circumstances as permitted by HIPAA, such as to identify or locate a suspect or to report a crime.
Uses and Disclosures Requiring Your Written Authorization
Except as described above, we will not use or disclose your PHI without your written authorization. You may revoke your authorization in writing at any time, except to the extent that we have already taken action in reliance on the authorization.
The following uses and disclosures always require your written authorization, regardless of other circumstances: most uses and disclosures of psychotherapy notes; uses and disclosures of PHI for marketing purposes; sales of PHI; and uses and disclosures not otherwise described in this Notice.
Minimum Necessary Standard
We make reasonable efforts to limit our use and disclosure of your PHI to the minimum necessary to accomplish the intended purpose. We apply this standard when requesting PHI from your healthcare providers and when sharing PHI with our service providers.
Your Rights Regarding Your PHI
You have the following rights with respect to your PHI that we maintain:
Right to Access: You have the right to inspect and receive a copy of your PHI that we maintain in our designated record set. We will respond to your request within 30 days. We may charge a reasonable cost-based fee for providing copies.
Right to Request Amendment: If you believe that PHI we hold is incorrect or incomplete, you may request that we amend it. We will respond within 60 days. If we deny your request, we will explain our reasons and describe your options.
Right to an Accounting of Disclosures: You have the right to request a list of certain disclosures we have made of your PHI, other than for purposes of treatment, payment, or health care operations, or disclosures made with your authorization. This accounting covers the six years prior to your request.
Right to Request Restrictions: You have the right to request restrictions on how we use or disclose your PHI for our own services or to individuals involved in your care. We are not required to agree to your request unless the request is to restrict disclosure to a health plan for payment or health care operations when you have paid out of pocket in full.
Right to Confidential Communications: You have the right to request that we communicate with you about your PHI in a certain way or at a certain location. We will accommodate reasonable requests.
Right to a Paper Copy of This Notice: You have the right to a paper copy of this Notice, even if you have agreed to receive it electronically. Contact us at the address below to request one.
Right to Receive Notice of a Breach: If there is a breach of your unsecured PHI, we are required by law to notify you promptly, including what happened, what information was involved, what we are doing about it, and what you can do to protect yourself.
How We Protect Your PHI
We maintain administrative, physical, and technical safeguards to protect your PHI against unauthorized access, use, and disclosure. These include:
Encryption of PHI transmitted electronically and PHI stored digitally.
Physical security controls for any paper records.
Access controls limiting PHI access to workforce members who need it to perform their job.
Workforce training on HIPAA requirements and our privacy policies.
Business Associate Agreements with all subcontractors who receive PHI on our behalf.
Changes to This Notice
We reserve the right to change the terms of this Notice and to make the new Notice effective for all PHI we maintain. We will post any revised Notice on our website with a new effective date. You may obtain any revised Notice by contacting us.
Complaints
If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights. You will not be retaliated against for filing a complaint.
To file a complaint with HHS: hhs.gov/hipaa/filing-a-complaint or call 1-800-368-1019.
Contact Our Privacy Officer
For questions about this Notice or to exercise your rights, contact our Privacy Officer:
MedErase Inc. — Privacy Officer
3333 Michelson Drive, Irvine, CA 92612
Email: privacy@mederase.com
Phone: +1 (877) 512-0293