Privacy Policy

Your privacy and the security of your healthcare data are our top priorities

Last updated: January 20, 2025

1. Introduction

RAFGuard, Inc. ("RAFGuard," "we," "us," or "our") is committed to protecting the privacy and security of your personal information and Protected Health Information (PHI). This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use our services, website, and applications.

As a healthcare technology company providing services to Medicare Advantage health plans, we are subject to the Health Insurance Portability and Accountability Act (HIPAA) and other applicable privacy laws. This policy explains our practices in compliance with these regulations.

2. Information We Collect

2.1 Protected Health Information (PHI)

In providing our RADV audit defense services, we may collect and process PHI including:

  • Medical claims data and diagnosis codes
  • Medical charts and clinical documentation
  • Patient demographic information (when necessary for service delivery)
  • Healthcare provider information
  • Risk adjustment and HCC coding data

2.2 Business Information

We collect business-related information from our health plan clients including:

  • Organization contact information
  • User account credentials and access logs
  • Service usage analytics and performance metrics
  • Billing and payment information

2.3 Website and Application Data

When you visit our website or use our applications, we may collect:

  • IP addresses and device identifiers
  • Browser type and operating system information
  • Pages visited and time spent on our site
  • Cookies and similar tracking technologies
  • Contact form submissions and communication preferences

3. How We Use Information

3.1 Service Delivery

We use PHI and business information to:

  • Provide AI-powered evidence matching for HCC codes
  • Generate RADV audit defense analytics and reports
  • Create CMS-compliant delete files for unsupported codes
  • Monitor and improve our AI model accuracy
  • Provide customer support and technical assistance

3.2 Business Operations

We use business information to:

  • Process payments and manage billing
  • Communicate about service updates and improvements
  • Conduct security monitoring and fraud prevention
  • Comply with legal and regulatory requirements

3.3 Research and Development

We may use de-identified and aggregated data to improve our AI models and develop new features. De-identification is performed only in accordance with the HIPAA de-identification standard at 45 CFR 164.514(b), using either the Safe Harbor method or Expert Determination, and data is not de-identified for these purposes unless our Business Associate Agreement with the covered entity permits it.

4. Information Sharing and Disclosure

4.1 Business Associate Relationships

As a Business Associate under HIPAA, we only use and disclose PHI as permitted by our Business Associate Agreements with covered entities and as required for our services.

4.2 Service Providers

We may share information with trusted third-party service providers who assist in our operations, including:

  • Cloud infrastructure providers (Google Cloud Platform)
  • Security and monitoring services
  • Payment processing services
  • Customer support platforms

All service providers are required to maintain appropriate safeguards and use information only for specified purposes.

4.3 Legal Requirements

We may disclose information when required by law, court order, or government regulation, or to protect our rights, property, or safety.

5. Data Security

5.1 Technical Safeguards

  • AES-256 encryption for data at rest and TLS 1.3 for data in transit
  • Customer-managed encryption keys (CMEK)
  • VPC Service Controls (VPC-SC) perimeters on Google Cloud
  • Multi-factor authentication and role-based access controls
  • Regular security assessments and penetration testing

5.2 Administrative Safeguards

  • Comprehensive employee training on HIPAA and data security
  • Background checks for all personnel with access to PHI
  • Incident response and breach notification procedures
  • Regular security policy reviews and updates

5.3 Physical Safeguards

  • Secure data centers with 24/7 monitoring
  • Restricted physical access to computing systems
  • Secure disposal of hardware and media

6. Data Retention

We retain information only as long as necessary to provide our services and comply with legal obligations:

  • PHI: Retained according to Business Associate Agreement terms and applicable regulations
  • Business Information: Retained for the duration of the business relationship plus 7 years
  • Website Data: Retained for up to 2 years unless longer retention is required by law

Upon termination of services, we securely delete or return PHI as specified in our agreements, unless retention is required by law.

7. Individual Rights

Under HIPAA and other applicable laws, individuals may have rights regarding their PHI, including:

  • Right to access their PHI
  • Right to request amendments to their PHI
  • Right to request restrictions on use and disclosure
  • Right to request confidential communications
  • Right to an accounting of disclosures

Requests should be directed to the covered entity (health plan) that originally provided the PHI, as we act as their Business Associate.

8. State Privacy Laws

8.1 California Consumer Privacy Act (CCPA)

California residents may have additional rights under the CCPA, including:

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt-out of the sale of personal information
  • Right to non-discrimination for exercising privacy rights

8.2 Other State Laws

We comply with applicable state privacy laws, including those in Virginia, Colorado, Connecticut, and other states with comprehensive privacy legislation.

9. International Data Transfers

Our services are primarily provided within the United States. PHI is stored and processed in US-based data centers. Any international transfers of personal information are conducted with appropriate safeguards in place.

For European Union residents, we comply with applicable data protection laws and implement appropriate transfer mechanisms when necessary.

10. Third-Party Services

Our website and services may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those external services. We encourage you to review the privacy policies of any third-party services you access.

We use the following third-party services that may collect information:

  • Google Analytics (website analytics)
  • Calendly (appointment scheduling)
  • Customer support platforms

11. Breach Notification

In the event of a security incident involving PHI, we will:

  • Immediately investigate and contain the incident
  • Notify affected covered entities without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach, as required by the HIPAA Breach Notification Rule
  • Provide detailed information about the incident and mitigation steps
  • Cooperate with covered entities in any required individual notifications

For non-PHI security incidents, we will notify affected parties in accordance with applicable laws and our contractual obligations.

12. Children's Privacy

Our services are not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information promptly.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will:

  • Post the updated policy on our website
  • Update the "Last Updated" date
  • Notify customers of material changes via email or through our services
  • Obtain consent where required by applicable law

Continued use of our services after changes become effective constitutes acceptance of the updated policy.

14. Compliance and Auditing

We maintain comprehensive compliance programs including:

  • Annual HIPAA compliance assessments
  • SOC 2 Type II audits
  • Regular internal security reviews
  • Third-party penetration testing
  • Ongoing monitoring of regulatory changes

Audit reports and compliance documentation are available to customers upon request and subject to appropriate confidentiality agreements.

15. Data Subject Requests

To exercise your privacy rights or submit requests regarding your personal information:

  • For PHI-related requests: Contact your health plan directly
  • For business information requests: Email privacy@rafguard.com
  • For website-related requests: Use our contact form or email support@rafguard.com

We will respond to valid requests within the timeframes required by applicable law, typically within 30 days.

16. Contact Information

If you have questions about this Privacy Policy or our privacy practices, please contact us:

RAFGuard, Inc.

Privacy Officer

Email: privacy@rafguard.com

Phone: 1-800-RAF-GUARD

Address: 123 Healthcare Way, Suite 100, San Francisco, CA 94105

For urgent security matters or to report a potential data breach, please contact our security team immediately at security@rafguard.com or call our 24/7 security hotline.