
Privacy Policy

Medibillx Inc.

Purpose and Scope

Overview

MediBillX Inc. (“MediBillX”, “we”, “our” or “us”) provides medical billing, revenue cycle management (RCM), accounts receivable (AR) management, credentialing, denial management, and related services to healthcare providers in the United States. This Privacy Policy describes how we collect, use, store, disclose, and protect personal information, including Protected Health Information (PHI), obtained through our website, client portals, forms, communications (email, phone, SMS), integrations, and offline interactions (collectively, the “Services” or “Sites”).

This Policy applies to:

  • Patients, providers, practice staff, and other individuals whose data MediBillX receives in connection with the Services;

  • Visitors and users of mediBillx.com and any other MediBillX online property; and

  • Any other individuals who provide information to MediBillX in the course of business.


Definitions (key terms)

  • PHI (Protected Health Information): any individually identifiable health information as defined by HIPAA, including diagnoses, treatment, billing data, and patient identifiers.

  • PII (Personally Identifiable Information): any information that identifies an individual (name, email, phone, SSN, etc.).

  • Covered Entity: a health plan, healthcare clearinghouse, or healthcare provider subject to HIPAA.

  • Business Associate: an entity that performs services for a Covered Entity that involves PHI. MediBillX typically acts as a Business Associate with respect to the PHI we process.

  • De-identified Data: information stripped of identifiers, meeting HIPAA safe harbor or expert determination standards.

  • You/Your/User: any individual or entity using our Services.


Information we collect

A. Information you provide directly

  • Provider and practice information (name, practice name, NPI, address).

  • Patient data submitted by providers (name, DOB, medical record numbers, treatment codes, insurance information).

  • Contact information (email, phone, mailing address) for providers, staff, or patients when required.

  • Payment and billing data (insurance claims, patient responsibility, payment method details).

  • Communications: emails, call notes, ticket logs, SMS transcripts (where consented).

B. Automatically collected information

  • Technical/log data (IP address, device type, OS, browser, timestamps).

  • Cookies and analytics (pages visited, session duration, referral source).

  • System logs for API calls, EHR/EMR integrations, uploads.

C. Information from third parties

  • Data from EHR/EMR systems, clearinghouses, payers, or public NPI registries.

  • Vendor-provided data necessary to deliver Services.

 

Why we collect it (purposes)

We collect and use data for the following lawful purposes:

  1. Performance of Services / Contractual necessity — processing and submitting claims, posting payments, handling appeals and denials, credentialing, provider onboarding, and other RCM tasks.

  2. Communications — sending billing status notifications, account updates, appointment reminders (where applicable), and customer service responses.

  3. Legal & Regulatory Compliance — compliance with HIPAA, HITECH, state law, payer rules, audits, and government subpoenas.

  4. Security & Fraud Prevention — to detect security incidents, fraudulent activity, or unauthorized access.

  5. Operational Improvements — product/portal development, analytics, performance monitoring (using aggregated or de-identified data when possible).

  6. Business Management — invoicing, collections, vendor management, and internal reporting.


Legal basis & HIPAA status

  • When MediBillX handles PHI on behalf of a provider, the processing is governed by a Business Associate Agreement (BAA) executed with the provider (a Covered Entity). The BAA sets permissible uses and safeguards.

  • Non-PHI personal data is processed under legitimate business interest or consent where applicable.

 

How we share and disclose data

We do not sell personal information or PHI. Data disclosures occur only in the following limited circumstances:

  1. With covered entities (your provider) — for claim submission, reconciliation, credentialing, or as otherwise authorized.

  2. With authorized business associates or vendors — e.g., clearinghouses, payment processors, cloud hosting (all under BAAs or written contracts obligating HIPAA-level security).

  3. Legal requirements — in response to law enforcement, court orders, regulatory investigations, or mandatory public health reporting.

  4. Mergers or acquisitions — in the event of corporate transactions, with notice to affected parties as required by law.

  5. De-identified / aggregated data — shared only where it cannot be re-identified and only under contractual safeguards or applicable law.

 

Messaging: Terms, consent, and privacy

6.1 Messaging Terms & Conditions (SMS, MMS, RingCentral, push)

By providing a phone number and consenting, you agree to receive informational, transactional, and service-related messages from MediBillX, including:

  • Account and billing notifications (e.g., “Your claim status updated”).

  • Appointment or scheduling reminders if the provider elects this service.

  • Critical service alerts (system outages, access issues).

Message frequency will vary by account and activity. Message & data rates may apply as per carrier. Support: reply HELP or email support@medibillx.com. To opt out, reply STOP to any message or contact privacy@medibillx.com. We will honor STOP requests in a timely manner and cease marketing messages immediately. (We do not send marketing SMS unless you have expressly opted in.)

6.2 Messaging Privacy

  • No mobile info for marketing: We do not share, sell, or rent mobile numbers or SMS-originated opt-in data to third parties for marketing or promotional use.

  • Retention: Messaging consent and opt-in records are retained to honor preferences, comply with regulations, and for audit.

  • Security: SMS data is treated securely; live PHI is transmitted only via secure, HIPAA-compliant vendor channels (e.g., RingCentral under BAA).

 

Cookies, tracking, and analytics

We use cookies and similar technologies for these purposes:

  • Essential cookies — session management and authentication.

  • Functional cookies — to remember preferences (language, region).

  • Performance/analytics cookies — to measure and improve site performance (Google Analytics, server logs).

  • Advertising cookies — only for website visitors (not for patients’ PHI). We may use non-PHI aggregated data with advertising partners, but we do not use PHI for ad targeting.

You may manage cookie preferences through the site’s cookie banner or your browser settings. Blocking cookies may limit functionality.

 

Data security measures

MediBillX maintains administrative, technical, and physical safeguards including, but not limited to:

  • Encryption — TLS 1.2+ for data in transit; AES-256 (or equivalent) at rest.

  • Access controls — role-based access, least privilege, strong authentication (MFA for admin users).

  • Logging & monitoring — central logging for suspicious activity, regular review, and incident detection systems.

  • Vendor management — BAAs, security questionnaires, and periodic audits for high-risk vendors.

  • Backups & disaster recovery — encrypted backups, tested recovery plans, offsite replication.

  • Workforce training — annual HIPAA/security training, signed confidentiality agreements, background checks where required.

 

Data retention and deletion

  • Retention periods: We retain PHI and related business records for at least the period required by applicable law and the terms of our agreements (commonly 6 years for billing records under Medicare rules and many state laws). Certain records may be retained longer where required (e.g., malpractice exposure, contract terms).

  • Deletion / de-identification: Upon expiration of retention obligations, data is securely destroyed or de-identified per HIPAA safe harbor or expert-determination methods.

  • Account closure: If a provider relationship terminates, we retain data as required by contract and law but will stop active processing and can provide archival exports to the provider on request.

 

Breach response & notification

If MediBillX discovers a breach of unsecured PHI or other personal data:

  1. Contain and assess — immediate containment, triage, and forensic analysis.

  2. Notify covered entity — we notify the affected Covered Entity and provide necessary details for their HIPAA obligations.

  3. Regulatory reporting — as required, report to HHS OCR, state Attorneys General, or other authorities. Under HIPAA, reportable breaches are reported without unreasonable delay and not later than 60 days. (We follow the timeline required by the applicable statute.)

  4. Consumer notification — affected individuals will be notified as required by law, including practical steps to mitigate risk.

  5. Remediation & corrective action — we implement security measures to prevent recurrence and provide post-incident analysis.

 

De-identification & research

De-identified data may be used for analytics, product improvement, benchmarking, or research. De-identification follows HIPAA safe harbor (removal of 18 identifiers) or expert determination. De-identified data is not PHI and may be shared with third parties under contract terms that forbid re-identification.

 

State-specific rights & notices

California (CCPA/CPRA)

California residents may have rights to:

  • Know categories of personal data collected, sold, or shared.

  • Access the specific pieces of personal data collected.

  • Delete personal data (subject to exceptions).

  • Opt-out of sale/sharing (we do not sell PHI).

  • Limit use of sensitive personal information (if applicable).

Requests under California law must be submitted via privacy@medibillx.com or the web form. We will verify the requestor’s identity and respond within the statutory timeframe (generally 45 days, with one extension as permitted by law).

Other states (Texas, Florida, etc.)

We comply with state breach notification laws and other obligations. Specific rights and timelines may vary by state; residents should contact privacy@medibillx.com for state-specific procedures.

 

Access, correction, and data subject requests

To request access, correction, deletion, or portability:

  1. Submit request by email to privacy@medibillx.com or via the portal/contact form.

  2. Identity verification — we may require ID or other verification to prevent unauthorized disclosures.

  3. Processing timeline — we will acknowledge requests within 10 business days and respond substantively within the legal timeframe (e.g., 45 days under CCPA; HIPAA usually 30 days with possible extensions).

  4. Scope & limitations — we will comply to the extent permitted by law; requests for deletion may be limited where retention is required by law or contract.

 

Minors & children

Our Services are not intended for individuals under 13. We do not knowingly collect data from children under 13. If we learn we have collected such data without parental consent, we will promptly remove it.

 

Data transfers & international processing

Data may be processed and stored in the United States and in systems of our vendors. If you access our Services from outside the U.S., by using MediBillX you consent to transfer and processing of your data in the U.S. and other jurisdictions. For transfers outside the U.S., we use appropriate safeguards required by applicable law.

 

Vendor management and Business Associate Agreements

All vendors that handle PHI must sign a BAA. For non-PHI vendors, we use contractual data protection addenda requiring reasonable security and confidentiality. Vendors are assessed before onboarding and periodically thereafter.

Explanation: Vendor management reduces third-party risk and is required for HIPAA compliance.

 

Employee & workforce privacy

MediBillX collects and processes employee data for HR, payroll, benefits, and compliance purposes. Employee data is protected and accessed only by authorized HR and management staff. Workforce members receive privacy and HIPAA training.

Explanation: include employee data handling to be thorough.

 

Audits, compliance & contact

We conduct regular compliance reviews, risk assessments, and audits. Questions, complaints, or requests should be directed to:


MediBillX Inc. Privacy Office
Email: info@medibillx.com
Phone: +1 (281) 500-5660
Mail: 3200 Wilcrest Dr., Ste 170-250, Houston, TX 77042

 

You may also file a complaint with the U.S. Department of Health & Human Services, Office for Civil Rights (OCR), or other applicable state authorities.

 

Changes to this Policy

We reserve the right to update this Policy. We will post the revised Policy on our website with an updated “Effective Date.” For material changes impacting your rights, we will attempt to give notice (email or site banner) before changes take effect.

 

Sample consent & disclosure language

Online form consent (box text):
“By providing my phone number and email address I consent to receive service-related messages from MediBillX (calls, SMS, email) regarding billing, claim status, and account updates. Reply STOP to unsubscribe. Message and data rates may apply. Consent is not required to purchase services.”

Verbal consent script (during onboarding):
“MediBillX can send you text messages about claim statuses, billing alerts, and service updates. Message and data rates may apply. You may reply HELP for help or STOP to opt out at any time. Do you consent to receive these messages?”

Breach notification example (provisional text):
“If your personal information was affected by a security incident on [date], MediBillX will provide notice describing the nature of the breach, the types of information involved, steps we are taking to investigate and mitigate, and practical steps individuals can take to protect themselves.”

 

Implementation checklist (for internal use)

  • Execute BAAs with all Covered Entities and PHI-processing vendors.

  • Maintain vendor security questionnaires and periodic audits.

  • Configure logs, monitoring, and MFA for administrative access.

  • Implement cookie banner & consent management on website.

  • Implement HELP/STOP SMS automation and retention.

  • Publish this Policy (privacy page), cookie policy, and messaging policy.

  • Train workforce annually on HIPAA, phishing, and secure handling.

  • Maintain breach response plan and run tabletop exercises.

 

Legal disclaimer

This Policy is for general guidance. It does not constitute legal advice. For legal certainty (especially on state-specific obligations, CCPA/CPRA, or special payer requirements), consult your counsel.


Acknowledgment & Acceptance

By using MediBillX Services or submitting information to MediBillX, you acknowledge that you have read and understand this Privacy Policy and consent to MediBillX’s collection, use, and disclosure practices as described.


Contact Us

If you have any questions about this Privacy Policy, you can contact us:

By email: info@medibillx.com

By visiting this page on our website: https://medibillx.com/

By phone number: (281) 500-5660

By mail: 3200 Wilcrest Dr. Ste 170-250 Houston, TX 77042, USA


© 2025 by MediBillx Inc. All rights reserved.
