Privacy Policy & HIPAA Notice of Privacy Practices
Last Updated: April 16, 2026 | Effective Date: April 16, 2026
NOTICE: This document serves as both our general Privacy Policy and our HIPAA Notice of Privacy Practices (“NPP”) as required by 45 C.F.R. § 164.520. This notice describes how medical and personal information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
1. Who We Are
ezHealthRCM LLC (“ezHealthRCM,” “we,” “us,” or “our”) is a HIPAA-compliant Revenue Cycle Management (RCM) platform that provides medical billing, credentialing, denial management, and analytics services to healthcare providers. In the context of HIPAA, ezHealthRCM operates as a Business Associate to Covered Entities (healthcare providers, hospitals, and medical practices).
Privacy Officer Contact:
Email: privacy@ezhealthrcm.com
2. Information We Collect
2.1 Information You Provide
- Account information: Provider name, practice name, NPI number, email address, phone number, and mailing address
- Authentication credentials: Password (stored as a salted cryptographic hash — never in plaintext)
- Claim information: Patient demographics, diagnosis codes (ICD-10), procedure codes (CPT/HCPCS), payer information, and claim amounts
- Clinical data: Information necessary for claims processing, including encounter details, treatment dates, and clinical documentation
- Payer credentials: Clearinghouse and payer portal credentials provided for EHR integration and claim submission (stored encrypted)
- Communications: Messages and support requests submitted through our platform
2.2 Protected Health Information (PHI)
In the course of providing our Services, we receive, maintain, and transmit Protected Health Information (“PHI”) as defined under HIPAA. This includes patient demographic information, diagnosis and procedure codes, treatment dates, and other clinical data necessary for medical billing and claims processing. We treat all PHI with the highest level of protection required by HIPAA and the HITECH Act.
2.3 Automatically Collected Information
- IP address, browser type, device type, and operating system
- Pages visited, time spent, and navigation paths (via server logs)
- Session tokens and authentication cookies
We do not use third-party advertising trackers or sell your data to data brokers.
3. How We Use Your Information
3.1 To Provide Services
- Processing and submitting insurance claims (837 transactions) on behalf of providers
- Receiving and reconciling remittance advice (835 ERA)
- Managing denial appeals and payer communications
- Providing credentialing and enrollment services
- Delivering real-time analytics and revenue cycle reporting
- Facilitating EHR integration and automated data workflows
3.2 Permitted Uses Under HIPAA
To the extent we handle PHI, we may use or disclose it:
- Treatment, Payment, and Healthcare Operations (TPO): PHI may be used and disclosed to facilitate payment of healthcare claims and related operations
- As required by law: We will disclose PHI when legally required, such as by court order or governmental inquiry
- Business Associates: We may share PHI with authorized subcontractors under Business Associate Agreements (BAAs) (see our Subprocessors page)
We will not use or disclose PHI for marketing purposes, will not sell PHI, and will not use PHI in a manner not described in this Notice without your written authorization.
4. How We Share Your Information
We do not sell your personal information. We share information only as follows:
- At Your Direction: Insurance payers, clearinghouses, and other third parties you authorize us to contact for claims processing
- Service Providers (Subprocessors): Technology vendors under strict contractual obligations. See our Subprocessors page.
- Legal Requirements: When required by law, court order, or governmental authority
- Safety: To protect the vital interests of you or another person
- Business Transfers: In connection with a merger, acquisition, or sale of assets, subject to confidentiality obligations
5. Mobile Messaging Program
5.1 Data Sharing
- Customer data is not shared with third parties for promotional or marketing purposes.
- Mobile opt-in and consent are never shared with anyone for any purpose. Any information sharing that may be mentioned elsewhere in this policy excludes mobile opt-in data.
5.2 EZ Health RCM LLC Messaging Terms and Conditions
- The messaging program consists of general conversational messaging to answer questions and provide support to customers.
- You can cancel the SMS service at any time. Just text ‘STOP’ to the phone number from which you received messages. After you send the SMS message ‘STOP’ to us, we will send you an SMS message to confirm that you have been unsubscribed. After this, you will no longer receive SMS messages from us. If you want to join again, just sign up as you did the first time and we will start sending SMS messages to you again.
- If you are experiencing issues with the messaging program you can reply with the keyword HELP for more assistance, or you can get help directly at arees@ezhealthrcm.com.
- Carriers are not liable for delayed or undelivered messages.
- As always, message and data rates may apply for any messages sent to you from us and to us from you. Message frequency will vary based on communication needs. If you have any questions about your text plan or data plan, it is best to contact your wireless provider.
- If you have any questions regarding privacy, please read the privacy policy contained in the rest of this document.
6. Your Rights Under HIPAA
Right of Access
You have the right to inspect and receive a copy of PHI we maintain about your patients. Requests will be fulfilled within thirty (30) days.
Right to Amend
You may request amendments to PHI if you believe it is incorrect or incomplete. We will respond within sixty (60) days.
Right to Accounting of Disclosures
You have the right to receive a list of disclosures of PHI made in the six (6) years prior to your request.
Right to Restrict
You may request restrictions on how we use or disclose PHI.
Right to Confidential Communications
You may request that we communicate with you about PHI in a specific way or at a specific location.
Right to Data Portability
You may request an export of your account data in a machine-readable format. Contact privacy@ezhealthrcm.com.
7. Data Security
- Encryption at rest: AES-256 for all stored data including PHI
- Encryption in transit: TLS 1.3 for all data transmission
- Access controls: Role-based access; principle of least privilege
- Authentication: Passwords stored as bcrypt hashes; account lockout after failed attempts
- Audit logging: All access to PHI is logged and monitored
- Incident response: Breach notification per HIPAA Breach Notification Rule (45 C.F.R. §§ 164.400–414)
- Penetration testing: Regular third-party security assessments
8. Subprocessors
All subprocessors with access to PHI have executed Business Associate Agreements. See our Subprocessors page for the complete list.
9. Data Retention
- Active accounts: Duration of account and six (6) years thereafter
- Claims records: Seven (7) years from claim closure, or as required by applicable state law
- PHI: Six (6) years from the date of creation or the date it was last in effect (45 C.F.R. § 164.530(j))
- Audit logs: Six (6) years minimum
10. How to File a Complaint
- With ezHealthRCM: Email privacy@ezhealthrcm.com. We will not retaliate against you for filing a complaint.
- With HHS/OCR: U.S. Department of Health and Human Services, Office for Civil Rights. Toll-free: 1-877-696-6775. Website: www.hhs.gov/ocr.