1. Our Commitment to HIPAA Compliance
At Medical Bill, protecting your health information is our highest priority. We understand that when you share your medical bills and insurance information with us, you're trusting us with sensitive data that requires the highest level of protection.
We are committed to maintaining full compliance with the Health Insurance Portability and Accountability Act (HIPAA) and implementing comprehensive safeguards to protect your Protected Health Information (PHI) at every stage of our service.
2. What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes national standards for the protection of sensitive patient health information. It consists of several key rules:
- Privacy Rule: Establishes standards for the use and disclosure of Protected Health Information (PHI)
- Security Rule: Sets standards for protecting electronic PHI (ePHI) through administrative, physical, and technical safeguards
- Breach Notification Rule: Requires notification to affected individuals, HHS, and in some cases the media, following a breach of unsecured PHI
- Enforcement Rule: Establishes penalties for HIPAA violations and procedures for investigations and hearings
Medical Bill complies with all applicable provisions of HIPAA and the HITECH Act (Health Information Technology for Economic and Clinical Health Act) as they relate to our role in handling your health information.
3. Administrative Safeguards
We implement comprehensive administrative safeguards to manage the selection, development, implementation, and maintenance of security measures:
- Security Officer: A designated security officer is responsible for developing and implementing our security policies and procedures
- Workforce Training: All team members receive regular HIPAA training upon hire and annually thereafter, and must formally acknowledge our privacy and security policies
- Access Management: Strict role-based policies governing who can access PHI, under what circumstances, and for what purposes. Access is granted on a need-to-know basis only
- Risk Assessment: Regular and thorough risk assessments to identify, evaluate, and address potential vulnerabilities in our systems and processes
- Incident Response: Documented procedures for identifying, responding to, and mitigating security incidents, including clear escalation paths and communication protocols
- Contingency Planning: Comprehensive disaster recovery, emergency operations, and data backup procedures to ensure the continued availability and integrity of PHI
- Sanctions Policy: Clear sanctions for workforce members who violate HIPAA policies, up to and including termination
4. Physical Safeguards
Our physical security measures protect the facilities and equipment used to store and process PHI:
- Cloud Infrastructure: We use HIPAA-eligible cloud services (AWS) that maintain SOC 2 Type II certification and undergo regular third-party audits
- Data Center Security: Physical access to data centers is strictly controlled with 24/7 security personnel, biometric access controls, multi-factor authentication, and continuous video surveillance
- Geographic Redundancy: Data is replicated across multiple availability zones to ensure durability and availability while remaining within the United States
- Workstation Security: All workstations that access PHI use full-disk encryption, are protected by strong authentication mechanisms, and have automatic screen locks
- Device and Media Controls: Strict policies governing the use, transfer, and disposal of electronic media and mobile devices that may contain or access PHI
5. Technical Safeguards
We implement robust technical safeguards to protect ePHI across all systems and processes:
Access Controls
- Unique user identification assigned to every system user for accountability and traceability
- Role-based access controls (RBAC) aligned with job functions and the principle of least privilege
- Automatic session timeout and logoff for inactive sessions to prevent unauthorized access
- Multi-factor authentication (MFA) required for all administrative and developer access
Encryption
- Data in Transit: All data transmitted over networks is encrypted using TLS 1.3, the current and most secure version of the Transport Layer Security protocol
- Data at Rest: All stored data is encrypted using AES-256 encryption managed through AWS Key Management Service (KMS) with automatic key rotation
- Field-Level Encryption: Highly sensitive fields (such as SSN, insurance member IDs, and dates of birth) receive additional application-layer encryption beyond the baseline storage encryption
Audit Controls
- Comprehensive, tamper-resistant logging of all access to and modifications of PHI
- Automated monitoring and real-time alerting for suspicious or anomalous activity patterns
- Regular review and analysis of audit logs by designated security personnel
- Long-term retention of audit records in compliance with HIPAA requirements (minimum 6 years)
Integrity Controls
- Data validation mechanisms to ensure the accuracy and completeness of PHI
- Checksums and digital signatures to detect any unauthorized modifications to data
- Regular backups with automated integrity verification and restoration testing
- Version control for all documents and configurations affecting PHI processing
Transmission Security
- All API communications secured with HTTPS and certificate pinning where applicable
- Fax transmissions to healthcare providers use HIPAA-compliant fax services with encrypted delivery confirmation
- End-to-end security for all communications containing PHI
6. Business Associate Agreements
Medical Bill enters into Business Associate Agreements (BAAs) with all third-party vendors and subcontractors who may create, receive, maintain, or transmit PHI on our behalf. These agreements ensure that our partners also maintain HIPAA compliance and implement appropriate safeguards.
Our key business associates include:
- Cloud Infrastructure: AWS (Amazon Web Services) — HIPAA-eligible services covered under the AWS BAA
- AI/ML Services: AI model providers that process bill images and documents — operating under strict BAAs with data handling restrictions
- Fax Services: HIPAA-compliant fax transmission providers for sending appeals and receiving responses from healthcare providers
- Payment Processing: Payment processors that handle subscription billing (note: payment processors typically do not handle PHI)
We regularly review and assess our business associates' compliance with their BAA obligations and HIPAA requirements.
7. Your HIPAA Rights
Under HIPAA, you have specific rights regarding your Protected Health Information. Medical Bill is committed to facilitating the exercise of these rights:
- Right to Access: You may request access to and copies of your PHI that Medical Bill maintains. We will respond to such requests within 30 days
- Right to Amendment: You may request corrections to inaccurate or incomplete PHI in our records. We will review and respond to amendment requests within 60 days
- Right to Accounting of Disclosures: You may request an accounting of certain disclosures of your PHI that Medical Bill has made, covering the six years prior to the request
- Right to Request Restrictions: You may request restrictions on certain uses and disclosures of your PHI, although we are not required to agree to all restrictions
- Right to Confidential Communications: You may request that we communicate with you about your health information in a specific manner or at a specific location
- Right to a Copy of Notices: You have the right to receive a paper copy of our privacy notices upon request
To exercise any of these rights, please contact us at support@medicalbill.pro. We may require verification of your identity before processing your request to protect against unauthorized disclosure.
8. Breach Notification
In the unlikely event of a breach of unsecured PHI, Medical Bill will act promptly and transparently:
- Individual Notification: We will notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach, via first-class mail or email (if the individual has agreed to electronic notice)
- HHS Notification: We will notify the U.S. Department of Health and Human Services (HHS) of the breach. For breaches affecting 500 or more individuals, notification will be made within 60 days. For smaller breaches, notification will be made annually
- Media Notification: For breaches affecting 500 or more individuals in a single state or jurisdiction, we will notify prominent media outlets serving that area within 60 days
- Content of Notification: All breach notifications will include a description of the breach, the types of information involved, steps individuals should take to protect themselves, what Medical Bill is doing to investigate and mitigate the breach, and contact information for follow-up questions
9. Questions About HIPAA Compliance
We are committed to transparency about our HIPAA compliance practices. If you have any questions about how we protect your health information, wish to exercise your HIPAA rights, or have concerns about our privacy or security practices, please do not hesitate to contact us:
Email: support@medicalbill.pro
We take every inquiry seriously and will respond to your questions and concerns promptly.