Privacy Policy

Last updated: 10/12/2025

1. Introduction

HealthFees.org respects your privacy. This policy explains how we handle personal data and Protected Health Information (PHI). When we receive, create, maintain, or transmit PHI, we follow the HIPAA privacy rules. This Notice of Privacy Practices explains how we may use and disclose PHI, your rights, and our duties.

2. Who We Are and When HIPAA Applies

HealthFees.org provides tools and services for healthcare price transparency and related analytics. We may act as a business associate to covered entities such as health plans, providers, and their vendors. We may also receive PHI directly from you with your consent when you use our services. In those situations, HIPAA applies to the PHI we handle.

3. Information We Collect

We handle two categories of information:

  • Personal data: identity, contact, technical, and usage data collected through our website and apps.
  • PHI: information that identifies you and relates to your past, present, or future health, healthcare, or payment for healthcare.

Examples of PHI we may handle (depending on the service) include: patient identifiers (e.g., name, email, phone), dates of service, insurance plan information, and procedure/diagnosis/billing codes. We may collect PHI from you, your authorized representative, covered entity clients, and their vendors where permitted.

4. Uses and Disclosures of PHI Permitted by HIPAA

4.1 Treatment

To support your care and the coordination of care (for example, sharing information with a provider involved in your treatment when you ask us to).

4.2 Payment

To obtain payment or support activities related to payment (for example, verifying eligibility or benefits or processing billing data if our service supports these functions).

4.3 Healthcare Operations

To run and improve our services, including quality assessment, auditing, security monitoring, analytics that do not identify you, customer support, and compliance activities.

4.4 As Required by Law

When a law requires the use or disclosure, including public health reporting, health oversight activities, certain law enforcement requests, judicial and administrative proceedings, and to avert a serious threat to health or safety.

4.5 De-identification and Limited Data Sets

We may create de-identified data in accordance with HIPAA and use or disclose it without restriction. We may also use and disclose a Limited Data Set under a data use agreement for research, public health, or healthcare operations.

5. Uses and Disclosures of PHI Requiring Your Authorization

We will obtain your written authorization for any use or disclosure of PHI not described in Section 4. This includes:

  • Most uses and disclosures of psychotherapy notes (if we ever receive them)
  • Marketing communications that are not otherwise permitted by HIPAA
  • Sale of PHI

You may revoke an authorization at any time in writing. Revocation does not affect prior uses and disclosures made in reliance on your authorization.

6. Your Rights Under HIPAA

  • Right to Access: Request to see or get a copy of your PHI in paper or electronic form.
  • Right to Request Amendment: Ask us to amend PHI you believe is incorrect or incomplete.
  • Right to an Accounting of Disclosures: Request a list of certain disclosures of PHI made in the past six years, excluding disclosures for treatment, payment, operations, and certain other disclosures.
  • Right to Request Restrictions: Request restrictions on how we use or disclose your PHI; we are not required to agree except in limited cases where you pay out of pocket in full and request that information not be shared with a health plan.
  • Right to Request Confidential Communications: Ask us to contact you at a specific address, email, or phone number.
  • Right to Receive a Paper Copy: Request a paper copy of this Notice at any time.
  • Right to Breach Notification: Be notified if a breach of your unsecured PHI occurs.

To exercise these rights, contact us using the details in Section 13. We may require requests in writing and verification of your identity.

7. Our Legal Duties Regarding PHI

  • Maintain the privacy and security of your PHI
  • Provide you with this Notice and follow the terms of the Notice currently in effect
  • Notify you following a breach of unsecured PHI
  • Disclose PHI to you or your personal representative when required by law

We will not use or disclose your PHI for any purpose not described here without your authorization.

8. Notification of Access to PHI for Administrative Functions

To operate our services, certain members of our workforce and approved vendors may have limited, role-based access to PHI for administrative purposes, including:

  • Customer support to resolve issues you report
  • Security operations to investigate and remediate alerts
  • System maintenance, backups, and continuity testing
  • Billing reconciliation and audit
  • Compliance reviews and quality assurance

We use the minimum necessary PHI for these tasks. All access is logged and monitored. Workforce and vendors are subject to confidentiality obligations, training, and sanction policies. Vendors that handle PHI must sign Business Associate Agreements when required.

9. Business Associates and Subcontractors

We may use third-party service providers for hosting, storage, logging, monitoring, email, ticketing, and related functions. Where these providers handle PHI on our behalf, we execute Business Associate Agreements and require appropriate safeguards. We remain responsible for how our business associates and their subcontractors handle PHI on our behalf.

10. Safeguards, Minimum Necessary, and Retention

We apply administrative, technical, and physical safeguards to protect PHI, including access controls, encryption in transit and at rest, network security, audit logging, workforce training, vendor reviews, and incident response. We follow the minimum necessary rule when using or disclosing PHI. We retain PHI only as long as needed for the purposes described in this Notice or as required by law or contract, and then securely delete or de-identify it.

11. Complaints

If you believe your privacy rights have been violated, you may submit a complaint to HealthFees.org at the contact listed below. You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights. We will not retaliate against you for filing a complaint.

12. Changes to This Notice

We may change this Notice. Changes apply to PHI we already have and to any new PHI we receive. When we make a material change, we will update the “Last updated” date and post the new Notice on our website. We will provide copies on request.

13. Contact Us

If you have questions, want to exercise your rights, or wish to submit a complaint, contact:

Email: privacy@healthfees.org

Mailing Address: [Your Company Address]

Attention: Privacy Officer

14. Additional Website Privacy Information

In addition to PHI, we collect personal data about your use of our website and services. We use it to provide and improve services, communicate with you, and comply with law. We apply appropriate security controls and honor your rights as required by applicable law.