Privacy Policy

When employer clients engage with MedicalBills.com, we receive health plan utilization reports, claims data, and plan configuration information as provided by the client or their TPA. Data may be provided in de-identified form (PHI-stripped) or under a signed Business Associate Agreement.

For authenticated users, we collect email addresses for account access. We also collect usage information automatically, including pages visited and device information (browser type, operating system). We use cookies to maintain sessions and improve the platform.

We use client data solely to provide the services described in our engagement agreements:

• Benchmarking claims against market rates, Medicare reference rates, and peer employer data
• Identifying billing errors, overcharges, and recovery opportunities
• Generating monthly analysis reports and savings documentation
• Authenticating user identity and maintaining secure account access
• Improving our benchmarking accuracy and analytical capabilities

We do not sell client data to third parties. We do not use health plan data for advertising, marketing to plan members, or any purpose beyond the contracted engagement.

We implement security measures appropriate for the sensitivity of health plan data:

• AES-256 encryption at rest for all stored data
• TLS 1.3 encryption in transit for all data transfers
• Row Level Security (RLS) ensuring organizational data isolation
• HIPAA-compliant audit logging with 7-year retention
• Passwordless authentication (magic links) to eliminate credential-based vulnerabilities
• Regular security assessments and infrastructure monitoring

For full details on our security controls, infrastructure providers, and compliance roadmap, visit our Trust & Security page at medicalbills.com/trust.

We use SOC 2 Type II certified infrastructure providers to operate the platform:

• Supabase (SOC 2 Type II) — database, authentication, and file storage
• Vercel (SOC 2 Type II) — application hosting and content delivery

Each provider is bound by contractual obligations for data protection. A full list of subprocessors is available upon request and is provided as part of our Business Associate Agreement process.

Client engagement data is retained for the duration of the service relationship. Upon termination, clients may request deletion of all associated data by contacting support@medicalbills.com.

Audit logs are retained for 7 years in compliance with HIPAA requirements. Anonymized, aggregated benchmarking data (which cannot identify any individual or organization) may be retained to improve our analytical capabilities.

Clients and authorized users have the right to:

• Access the data we hold related to their organization
• Request correction of inaccurate information
• Request deletion of their account and associated data
• Receive copies of their analysis reports and findings
• Opt out of non-essential communications

To exercise any of these rights, contact support@medicalbills.com. We will respond within 30 days.

We may update this Privacy Policy as our services or regulatory requirements evolve. We will notify clients of material changes by posting the updated policy with a revised effective date. Continued use of the platform after changes are posted constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy or our data practices, please contact us at support@medicalbills.com.