Effective Date: December 28, 2025
HIPAA & HITECH Compliant
Our Commitment to Privacy
One Care MBS LLC is committed to protecting the privacy and security of Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our medical billing and revenue cycle management services.
We maintain the highest standards of data security and will never sell or misuse your Protected Health Information.
Our Role Under HIPAA
One Care MBS LLC acts as a Business Associate to healthcare providers. As a Business Associate, we:
- Handle PHI only as permitted by law and Business Associate Agreements (BAAs)
- Implement administrative, physical, and technical safeguards to protect PHI
- Ensure all employees are trained in HIPAA compliance
- Maintain detailed policies and procedures for PHI handling
- Report any breaches of unsecured PHI according to HITECH requirements
- Provide transparency in how we use and disclose PHI
Business Associate
We operate under strict BAAs with all covered entities
Certified Compliance
Regular audits ensure ongoing HIPAA adherence
Staff Training
Continuous education on privacy regulations
Information We Collect
To provide comprehensive medical billing services, we may access and process the following types of information:
Patient Information
- Demographic information (name, date of birth, address, contact details)
- Insurance information (policy numbers, coverage details, authorization codes)
- Medical information necessary for billing (diagnosis codes, procedure codes, dates of service)
- Billing and payment history
Practice Information
- Healthcare provider credentials and identification numbers (NPI, Tax ID)
- Practice location and contact information
- Electronic Health Record (EHR) system data relevant to billing
- Financial and operational data
Website and Communication Data
- Contact form submissions and email communications
- Website usage data (IP address, browser type, pages visited)
- Cookies and similar tracking technologies
How We Use PHI
Protected Health Information is used solely for authorized purposes as outlined in our Business Associate Agreements. These purposes include:
Treatment, Payment, and Healthcare Operations (TPO)
- Payment Processing: Submitting claims to insurance companies and processing payments
- Claims Management: Following up on denied or rejected claims
- Eligibility Verification: Confirming patient insurance coverage and benefits
- Revenue Cycle Management: Managing the entire billing cycle from patient registration to payment collection
Compliance and Quality Assurance
- Conducting audits to ensure billing accuracy and compliance
- Quality improvement initiatives
- Responding to regulatory inquiries
- Training and education purposes (de-identified data only)
Operational Purposes
- Customer service and support
- Analytics and reporting for practice management
- System maintenance and security
We do NOT: Sell PHI, use PHI for marketing purposes, or disclose PHI except as permitted by law and our Business Associate Agreements.
Information Disclosure
We may disclose information only in the following circumstances:
Required by Law
- To comply with legal obligations and court orders
- To report suspected abuse or neglect
- To prevent serious threats to health or safety
- To law enforcement when required by law
Business Associates
- To subcontractors or vendors who assist in providing our services
- Only under written agreements requiring the same level of privacy protection
- Under the minimum necessary information principle
Healthcare Providers
- To covered entities (your healthcare providers) with whom we have Business Associate Agreements
- For treatment, payment, and healthcare operations
With Your Authorization
- Any use or disclosure not otherwise permitted requires your written authorization
- You may revoke authorization at any time in writing
Safeguards and Security Measures
We maintain comprehensive administrative, technical, and physical safeguards to protect PHI:
Administrative Safeguards
- Designated Privacy and Security Officers
- Written policies and procedures for PHI handling
- Regular risk assessments and security audits
- Workforce training and sanctions for violations
- Business Associate Agreements with all vendors
Technical Safeguards
- Encryption of PHI in transit and at rest (AES-256 encryption)
- Multi-factor authentication for system access
- Automatic logoff after periods of inactivity
- Audit logs and monitoring of system access
- Regular software updates and security patches
- Firewall protection and intrusion detection systems
Physical Safeguards
- Secure facilities with controlled access
- Video surveillance and alarm systems
- Secure disposal of physical records (shredding)
- Workstation security measures
- Locked storage for physical documents containing PHI
256-bit Encryption
Military-grade encryption for all PHI
Access Controls
Role-based access and authentication
Secure Servers
SOC 2 certified data centers
Breach Notification
In the unlikely event of a breach of unsecured PHI, we will handle it in full compliance with HITECH breach notification rules:
Immediate Actions
- Contain and mitigate the breach immediately
- Conduct a thorough investigation within the required timeframes
- Document all findings and corrective actions
Notification Procedures
- To Covered Entities: Notification within 60 days of discovery
- To Affected Individuals: Through covered entity, if required
- To HHS: Notification as required by federal law
- Media Notice: For breaches affecting 500+ individuals in a state
We have never experienced a data breach in more than 10 years of operation. Our proactive security measures and continuous monitoring help prevent incidents before they occur.
Your Privacy Rights
Under HIPAA, individuals have certain rights regarding their PHI. While these rights are typically exercised through your healthcare provider, we support these rights:
- Right to Access: Request copies of your health information
- Right to Amendment: Request corrections to inaccurate information
- Right to Accounting: Request a list of certain disclosures
- Right to Restriction: Request limits on uses and disclosures
- Right to Confidential Communications: Request communications through specific means
- Right to Notification: Be notified of breaches affecting your information
To exercise these rights, please contact your healthcare provider or our Privacy Officer using the contact information provided below.
Data Retention
We retain PHI and other information in accordance with:
- HIPAA requirements (minimum 6 years from date of creation or last use)
- State-specific retention requirements
- Business Associate Agreement terms
- Internal operational needs
When no longer needed, PHI is securely destroyed using industry-standard methods including shredding of physical documents and secure deletion of electronic data.
Cookies and Website Tracking
Our website uses cookies and similar technologies to enhance user experience:
Types of Cookies We Use
- Essential Cookies: Necessary for website functionality
- Analytics Cookies: Help us understand website usage (Google Analytics)
- Functional Cookies: Remember your preferences
You can control cookie preferences through your browser settings. Note that disabling cookies may affect website functionality.
Note: We do not use cookies to collect or store PHI.
Third-Party Services
We may use trusted third-party services to help deliver our services. These partners include:
- Secure cloud hosting providers (AWS, Microsoft Azure)
- Electronic Data Interchange (EDI) clearinghouses
- Email service providers
- Analytics platforms
All third-party vendors are required to sign Business Associate Agreements and maintain appropriate safeguards for PHI.
Children's Privacy
Our services are designed for healthcare practices treating patients of all ages. When processing PHI for minor patients, we:
- Follow all applicable laws regarding minors' health information
- Respect parental rights and guardian authorization
- Apply additional safeguards for sensitive information
Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we make changes:
- The updated policy will be posted on our website
- The "Effective Date" at the top will be updated
- For material changes, we will notify covered entities directly
- Continued use of our services constitutes acceptance of changes
Contact Information
If you have questions or concerns about our privacy practices, please contact:
Filing a Complaint
If you believe your privacy rights have been violated, you may file a complaint with:
- Our Privacy Officer at the contact information above
- The U.S. Department of Health and Human Services Office for Civil Rights
You will not be retaliated against for filing a complaint.