Privacy Policy

Effective Date: January 2021

RCM Plus ("we," "our," or "us") is committed to protecting the privacy and security of your information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website [rcmplus.org] ("Site") or engage with our medical billing, revenue cycle management, audit, and consulting services ("Services"). This policy also describes your rights and choices regarding your information.

Please read this policy carefully. By using our Site or Services, you acknowledge that you have read and understood this policy.

1. Who We Are

RCM Plus provides expert medical billing, coding, compliance audits, and revenue cycle management solutions to healthcare providers across the United States. As a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA), we handle Protected Health Information (PHI) solely on behalf of and under the direction of our covered entity clients.

2. Information We Collect

We collect information in several ways, always with a lawful basis and in accordance with applicable privacy and healthcare regulations.

2.1 Information You Provide Directly

• Contact Form / Consultation Requests: Name, email address, phone number, practice name, and any other details you include in your message.
• Client Onboarding: When you engage our Services, we may collect business contact information, provider credentials, and billing system access details necessary to perform our work.
• Audit Requests: For billing audits, we receive temporary access to your billing and coding data solely for the duration of the audit.

2.2 Protected Health Information (PHI)

As a HIPAA Business Associate, we may receive PHI from our covered entity clients. This includes, but is not limited to, patient demographics, medical records, treatment codes, and insurance information. We access and use PHI only as permitted by the Business Associate Agreement (BAA) and HIPAA.

2.3 Information Collected Automatically

When you visit our Site, we may automatically collect certain information via cookies and similar technologies, including:

• IP address
• Browser type and version
• Pages visited and time spent
• Referring website

We use this data to improve our Site's functionality and user experience. You can control cookies through your browser settings.

3. How We Use Your Information

We use collected information for the following purposes:

• To respond to inquiries, provide quotes, and deliver our Services.
• To perform billing, coding, and revenue cycle management tasks as directed by our clients.
• To conduct billing audits and compliance reviews, with strict adherence to HIPAA's "minimum necessary" standard.
• To improve our Site and Services through aggregated, de‑identified analytics.
• To comply with legal obligations, enforce our terms, and protect our rights.

We do not sell, rent, or lease any personal information or PHI to third parties.

4. How We Share Information

We may share information under the following circumstances:

• With Service Providers: We engage trusted third‑party vendors (e.g., cloud hosting, email services) who are contractually bound to protect data and use it only on our behalf.
• As Required by Law: If compelled by a valid court order, subpoena, or government request, we will disclose information after providing notice to the affected client (where permitted by law).
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred, provided the successor entity adheres to this Privacy Policy.
• With Your Consent: We may share information with your explicit consent or at your direction.

5. HIPAA and Protected Health Information (PHI)

RCM Plus is a HIPAA‑compliant Business Associate. We handle all PHI in strict accordance with the:

• HIPAA Privacy Rule
• HIPAA Security Rule
• Health Information Technology for Economic and Clinical Health (HITECH) Act
• Applicable state healthcare privacy laws

Key commitments under our BAA and HIPAA obligations include:

• Using PHI only as necessary to perform our Services (e.g., claim submission, denial management, compliance audits).
• Implementing administrative, physical, and technical safeguards to protect PHI.
• Reporting any unauthorized use or disclosure of PHI to the covered entity without unreasonable delay.
• Ensuring that any subcontractors who handle PHI also comply with HIPAA requirements.

If a covered entity terminates our BAA, we will return or destroy all PHI in our possession, retaining no copies. For audit‑only engagements, we do not store PHI beyond the audit completion, and all data is securely purged.

6. Data Security

We employ industry‑standard security measures to protect your information from unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit and at rest (TLS 1.2+, AES‑256).
• Role‑based access controls and multi‑factor authentication.
• Regular vulnerability assessments and penetration testing.
• Annual HIPAA training for all employees.
• Secure, SOC‑2 certified data centers.

Despite our safeguards, no electronic transmission or storage system is 100% secure. We encourage you to use caution when transmitting sensitive information online.

7. Data Retention and Deletion

7.1 General Business Information

We retain contact form submissions and business correspondence only as long as needed to serve the client relationship and as required by applicable law.

7.2 Protected Health Information (PHI)

PHI is retained solely for the duration of the active service agreement and any legally required period (e.g., state record‑keeping laws). After termination of the BAA, all PHI is returned to the covered entity or securely destroyed in accordance with HIPAA and NIST SP 800‑88 guidelines.

7.3 Audit Engagements

When performing a billing audit, we access your billing data temporarily and do not store any PHI or practice‑specific information beyond the completion of the audit. All data is purged from our systems within 30 days of delivering the final audit report, or earlier upon request.

7.4 Client Requests

Clients may request deletion of their non‑PHI business information at any time by contacting us at info@rcmplus.org. We will comply within a reasonable timeframe, subject to any legal retention obligations.

8. Your Privacy Rights

Depending on your jurisdiction and the nature of the information, you may have the following rights:

• Access and Portability: Request a copy of your personal data.
• Correction: Ask us to correct inaccurate or incomplete data.
• Deletion: Request that we delete your personal data, subject to legal exceptions.
• Restriction: Request limits on how we process your data.
• Non‑Discrimination: You will not be discriminated against for exercising your privacy rights.

To exercise any of these rights, please email us at info@rcmplus.org. We will respond within the timeframe required by applicable law.

Note for Covered Entities: All requests related to PHI must be handled through the covered entity; as a Business Associate, we cannot act on patient requests directly.

9. Cookies and Tracking Technologies

Our Site uses essential cookies and analytics tools (e.g., Google Analytics) to understand how visitors interact with our content. These cookies collect anonymized data and do not identify you personally. You may disable cookies in your browser settings, though this may affect Site functionality.

We do not use tracking cookies for advertising purposes.

10. Third‑Party Links

Our Site may contain links to third‑party websites. We are not responsible for the privacy practices or content of those sites. We encourage you to review the privacy policies of any third‑party sites you visit.

11. Children's Privacy

Our Site and Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal data, we will delete it promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be indicated by an updated "Effective Date" and will be effective as soon as it is accessible. We encourage you to review this policy periodically.

13. Contact Us

If you have questions, concerns, or would like to exercise your privacy rights, please contact us at:

RCM Plus
Email: info@rcmplus.org
Phone: +1‑732‑344‑8990
Address: United States

For covered entities with questions about our HIPAA compliance or Business Associate Agreements, please reach out to our Compliance Officer at the same email.

This Privacy Policy is designed to meet the requirements of HIPAA, HITECH, and general U.S. privacy laws. Nothing in this policy should be construed as a waiver of any legal protections.