Privacy Policy
Version 1.0.3  Last Updated 2024-02-27  APPROVED
1. Introduction
a. Purpose of the Privacy Policy: At AccuCode AI, we are committed to protecting the privacy and security of the personal and sensitive information we process in the course of providing our AI-powered healthcare document processing services. This Privacy Policy outlines how we collect, use, disclose, and safeguard the data entrusted to us by our clients, which include hospitals, clinics, and other healthcare providers. By clearly communicating our privacy practices, we aim to foster transparency and trust with our clients and their patients.
b. AccuCode AI’s Commitment to Protecting Privacy: AccuCode AI recognizes the importance of maintaining the confidentiality and security of the healthcare data we process. We are dedicated to upholding the highest standards of privacy and complying with all applicable laws and regulations, including the Health Insurance Portability and Accountability Act (HIPAA) in the United States and other relevant data protection regulations worldwide. Our commitment to privacy is integral to our mission of revolutionizing healthcare document processing while respecting the rights and privacy of individuals.
2. Information We Collect
a. Types of personal information collected: AccuCode AI collects various types of personal information from the healthcare documents we process, including but not limited to:
- Patient names, addresses, and contact information
- Patient demographic information such as age, gender, and date of birth
- Medical record numbers and patient ID numbers
- Diagnosis, treatment, and procedure information from patient charts and records
- Health insurance policy numbers and coverage details
- Other protected health information (PHI) necessary to provide our data abstraction, medical coding or billing services
b. How the information is collected: The personal information processed by AccuCode AI is collected from:
- Healthcare provider organizations such as hospitals and clinics that are our customers, which securely transfer patient medical records, charts and other documents containing personal information to AccuCode AI
- AccuCode AI does not collect personal information directly from patients
c. Purpose for collecting the information: AccuCode AI collects and processes this personal information for the purpose of:
- Providing our AI-powered document abstraction, medical coding and billing services to healthcare provider customers
- Automating and streamlining the insurance claims and verifications process on behalf of our providers
- Improving the efficiency and accuracy of medical billing and claims submission
- Personal information is used only for the business purposes it was collected for and not for other reasons
The personal information collected is necessary for AccuCode AI to analyze medical documentation, determine appropriate insurance codes, and submit claims on behalf of healthcare providers. AccuCode AI is committed to responsibly using AI technologies to process PHI, protect individual privacy rights, and maintain the confidentiality and security of all personal data handled.
3. How We Use the Information
We use the personal and health information we collect in the following ways:
a. To provide our AI healthcare automation services: We process patient charts, medical records, and other documents provided by hospitals and clinics in order to automate and streamline insurance billing and clinical abstraction using our artificial intelligence systems. This includes extracting relevant data from the documents, analyzing it, and generating insurance claims and bills.
b. To improve our services: We use the information to continuously monitor, test, and enhance the performance, accuracy, and capabilities of our AI insurance billing platform. This allows us to optimize our algorithms, fix any issues, and develop new features that better serve the needs of our healthcare provider clients and their patients.
c. For research and development of our AI systems: De-identified health information derived from the documents we process is used to train and improve our machine learning models and natural language processing capabilities. Our data science and engineering teams analyze this data to identify patterns, correlations and opportunities to improve the accuracy and coverage of our models. We never share or allow access to our proprietary AI models outside of AccuCode AI, and no real patient identifiers or other personally identifiable information (PII) is ever incorporated into the models during training; only de-identified data is used for R&D purposes.
d. Aggregation of de-identified data for analytics: We may compile and analyze aggregated, de-identified data across our platform to uncover trends, insights and benchmarks related to insurance billing, revenue cycle management, and the healthcare industry. This statistical data cannot be used to identify any individual patient. We may share these de-identified learnings with clients, partners, or publicly.
4. Information Sharing and Disclosure
At AccuCode AI, we are committed to protecting the privacy and confidentiality of the personal information entrusted to us. We do not sell any personal information to third parties under any circumstances.
We only share personal information in the following limited situations:
a. Healthcare Providers (Our Clients): We share relevant personal information with the healthcare providers who are our clients and from whom we receive patient charts and other documents for processing. This sharing is necessary to provide our AI-powered abstraction, coding & billing automation services and is carried out in compliance with applicable laws and regulations, such as HIPAA.
b. Service Providers Under Contract: We may engage trusted third-party service providers to assist us in delivering our services effectively. These service providers undergo a thorough vetting process to ensure they meet our stringent security and privacy standards, including compliance with HIPAA regulations. We require all service providers to sign a formal Business Associate Agreement (BAA) that legally obligates them to safeguard the personal information we share with them according to HIPAA laws and regulations.
Our service providers are only permitted to use the information for the specific purposes outlined in our contracts and are prohibited from using it for their own purposes or from disclosing it to others. They must implement appropriate technical, physical, and administrative safeguards to protect the confidentiality, integrity, and availability of the personal information they process on our behalf.
c. As Required by Law: In certain circumstances, we may be compelled to disclose personal information to comply with legal obligations, such as in response to a valid court order, subpoena, or government request. We will only disclose the minimum amount of information necessary to fulfill the legal requirement and will take steps to ensure the confidentiality of the data shared.
d. De-Identified or Aggregated Data: We may share de-identified or aggregated data that cannot be used to identify specific individuals with third parties for research, analysis, or other purposes. This data is stripped of all personally identifiable elements and is used in a manner that does not compromise the privacy of our business clients or their patients.
5. Data Security
a. Security Measures: AccuCode AI is committed to protecting the confidentiality, integrity, and availability of the personal information we process. We employ a comprehensive, defense-in-depth security program that includes:
- Firewalls and intrusion detection and prevention systems to monitor and block unauthorized access attempts
- Endpoint Detection and Response (EDR) software to detect, investigate and respond to advanced threats
- A formal vulnerability and patch management program to identify, prioritize and remediate vulnerabilities
- IP whitelisting and required access through Virtual Private Networks (VPNs) to reduce attack surface
- Regular vulnerability scanning and penetration testing to identify and address security weaknesses
- Timely installation of software patches and updates to remediate known vulnerabilities
- Client-specific data segmentation and encryption to ensure that each client’s data is isolated and protected from unauthorized access
- Data sovereignty measures to ensure that all data is stored and processed within the United States, in compliance with applicable laws and regulations
- Comprehensive access logging and monitoring to track and audit all access to sensitive data, enabling detection of and response to unauthorized access attempts
- Strict adherence to the principle of least privilege through Role-Based Access Control (RBAC), ensuring that users are granted only the minimum permissions necessary to perform their job functions
b. Data Encryption: All personal information is encrypted in transit and at rest using FIPS 140-3 validated cryptographic modules. We use Transport Layer Security (TLS 1.3) for data in transit and AES-256 for data at rest.
Each client’s data is segregated and encrypted with a unique client-specific key, which is rotated periodically. Encryption keys are generated using a hardware-based random number generator and stored in a secure, SOC 2 audited key management system with strict access controls and auditing.
Our encryption practices comply with FIPS 140-3, HIPAA and HITRUST requirements for protecting sensitive healthcare information.
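The per-client encryption and key rotation described in 5.b, shown as an added example that is not AccuCode AI's code: a minimal per-client key ring in Go in which each client's records are encrypted with AES-256-GCM under a versioned client key, older key versions remain decrypt-only after rotation until they are explicitly retired, and the client ID and blob header are authenticated so a blob cannot be opened under another client's ring. The names (KeyRing, Rotate, Retire), the blob layout, the sample record and the use of crypto/rand in place of the hardware random number generator and key management system are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const keyLen, versionLen, nonceLen = 32, 4, 12 // AES-256 key, version prefix, GCM nonce (bytes)

// KeyRing holds one client's AES-256 keys by version. Only the current version
// encrypts; older versions stay decrypt-only until they are retired.
type KeyRing struct {
	ClientID string
	Current  uint32
	keys     map[uint32][]byte
}

// NewKeyRing starts a client's ring at version 1. crypto/rand (the OS CSPRNG) stands in
// for the hardware RNG and KMS here (assumption); in production raw keys would stay in the KMS.
func NewKeyRing(clientID string) (*KeyRing, error) {
	kr := &KeyRing{ClientID: clientID, keys: map[uint32][]byte{}}
	if err := kr.Rotate(); err != nil {
		return nil, err
	}
	return kr, nil
}

// Rotate generates a fresh key and makes it the current version.
func (kr *KeyRing) Rotate() error {
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	kr.Current++
	kr.keys[kr.Current] = key
	return nil
}

// Retire destroys an old version; anything still encrypted under it becomes unreadable.
func (kr *KeyRing) Retire(version uint32) error {
	if version == kr.Current {
		return errors.New("cannot retire the current key version")
	}
	delete(kr.keys, version)
	return nil
}

func (kr *KeyRing) aead(version uint32) (cipher.AEAD, error) {
	key, ok := kr.keys[version]
	if !ok {
		return nil, fmt.Errorf("client %s: key version %d not available", kr.ClientID, version)
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	return cipher.NewGCM(block)
}

// Encrypt produces version || nonce || AES-256-GCM ciphertext+tag under the current key.
// Client ID and header are authenticated as AAD, so a blob copied into another
// client's ring, or relabelled with a different version, fails to open.
func (kr *KeyRing) Encrypt(plaintext []byte) ([]byte, error) {
	gcm, err := kr.aead(kr.Current)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, versionLen+nonceLen)
	binary.BigEndian.PutUint32(hdr, kr.Current)
	nonce := hdr[versionLen:]
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad := append([]byte(kr.ClientID), hdr...)
	return gcm.Seal(hdr, nonce, plaintext, aad), nil
}

// Decrypt selects the key named in the header and verifies the tag before returning plaintext.
func (kr *KeyRing) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < versionLen+nonceLen {
		return nil, errors.New("blob too short")
	}
	hdr, ct := blob[:versionLen+nonceLen], blob[versionLen+nonceLen:]
	gcm, err := kr.aead(binary.BigEndian.Uint32(hdr))
	if err != nil {
		return nil, err
	}
	aad := append([]byte(kr.ClientID), hdr...)
	return gcm.Open(nil, hdr[versionLen:], ct, aad)
}

func main() {
	kr, _ := NewKeyRing("clinic-a")
	blob, _ := kr.Encrypt([]byte("MRN 000123, dx J18.9")) // constructed sample record
	pt, err := kr.Decrypt(blob)
	fmt.Println(string(pt), err)
}
```

Rotation alone does not retire the previous key: blobs written under version 1 still decrypt after Rotate, and must be decrypted and re-encrypted under the current version before Retire(1) is safe, otherwise they become unreadable. That ordering (rotate, re-encrypt, then retire) is what keeps periodic rotation from turning into an availability incident of the kind the backup controls in 5.c exist to cover.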
c. Backup Security and Ransomware Prevention: All client data backups are encrypted with the same strong, client-specific encryption used for data at rest. Backups are retained for 180 days and securely destroyed thereafter.
To protect against ransomware, we employ:
- Regular backups isolated from the main network and inaccessible to unauthorized users
- Immutable backups that cannot be altered or deleted once written
- Strict access controls and network segmentation to contain potential attacks
- Continuous monitoring for suspicious activity and prompt incident response
- Disaster Recovery and Business Continuity plans to ensure data availability and integrity
d. Access Controls & Employee Training: Access to personal data is strictly limited based on least privilege principles and controlled through secure multi-factor authentication.
All employees undergo mandatory annual training on HIPAA compliance, proper handling of personal information, identifying and reporting security incidents, secure development practices, and phishing awareness. Employees must pass assessments to demonstrate understanding and retention of training content.
Employees are bound by confidentiality agreements, and any violation of our privacy and security policies results in disciplinary action up to termination.
e. Third-Party Risk Management: AccuCode AI conducts thorough due diligence and ongoing monitoring of all third-party service providers and partners with access to personal data. All vendors must adhere to strict contractual requirements for data protection.
f. Incident Response and Breach Notification: In the event of a data breach, AccuCode AI will execute our Incident Response Plan to contain the incident, assess the impact, and restore the integrity of our systems. We will notify affected clients and relevant authorities in accordance with the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) and the Arkansas Personal Information Protection Act (Ark. Code § 4-110-101 et seq.).
6. Data Retention
a. Personal Information: AccuCode AI will retain personal information only for as long as necessary to fulfill the purposes for which it was collected and to provide the services requested by our clients. Once the personal information is no longer needed for these purposes, we will securely delete or anonymize the data in accordance with our data destruction policies and applicable laws and regulations.
b. De-Identified Information: In order to improve our services and advance our research and development efforts, AccuCode AI may retain de-identified information derived from the processed healthcare documents for a longer period. This de-identified information will have all personally identifiable elements removed, so that it cannot reasonably be associated with any specific individual. The retention of de-identified information will be in compliance with applicable laws and regulations, and it will be used solely for the purposes of enhancing our AI algorithms, conducting research, and improving our service offerings.
7. Your Privacy Rights
At AccuCode AI, we respect privacy rights and are committed to providing you with the necessary tools to manage your personal information. As a business client, you have the following rights:
a. Right to access your personal information: You have the right to request access to the personal information we hold about you. Upon request, we will provide you with a copy of your personal information in a structured, commonly used, and machine-readable format.
b. Right to request corrections: If you believe that the personal information we hold about you is inaccurate, incomplete, or outdated, you have the right to request corrections. We will take reasonable steps to verify the accuracy of the information and make the necessary updates.
c. Right to request deletion: You have the right to request the deletion of your personal information from our systems. We will comply with your request unless we have a legal obligation to retain the information or if it is necessary for the establishment, exercise, or defense of legal claims.
d. How to submit a privacy request: To submit a privacy request, please follow these steps:
- Email privacy@accucodeai.com with the subject line “Privacy Request.”
- In the body of the email, clearly state the nature of your request (access, correction, or deletion) and provide the necessary details to help us process your request.
- Our privacy team will acknowledge receipt of your request within 5 business days and provide you with an estimated timeline for resolution.
- We may require additional information to verify your identity before processing your request to ensure the security of your personal information.
Please note that in some cases, we may not be able to fully comply with your request due to legal obligations. In such instances, we will provide you with a detailed explanation and work with you to find an appropriate solution.
8. Policy Updates
a. Privacy Policy Updates: AccuCode AI reserves the right to update or modify this Privacy Policy periodically to reflect changes in our practices, services, or legal requirements. We encourage you to review this Privacy Policy regularly to stay informed about how we collect, use, and protect your information.
b. Privacy Policy Update Notice: In the event of any significant changes to this Privacy Policy, AccuCode AI will provide notice to our clients through email, prominent notice on our website, or other appropriate communication channels. It is your responsibility to review the updated Privacy Policy and ensure your continued agreement with its terms.
9. Contact Us
a. Contact Information: If you have any questions, concerns, or requests regarding this Privacy Policy or AccuCode AI’s privacy practices, please contact our Privacy Officer at:
AccuCode AI, Inc.
815 Technology Dr
Unit 241124
Little Rock, AR 72223
(501) 442-4421
privacy@accucode.com
We are committed to addressing your privacy concerns and will strive to respond to your inquiry in a timely manner.