Privacy Policy
Last Updated: December 5, 2025 • Effective Date: January 1, 2025
1. Introduction
Vantar Group LLC, doing business as ClaimRight ("ClaimRight," "we," "us," or "our"), is committed to protecting the privacy and security of your information. This Privacy Policy explains how we collect, use, disclose, and safeguard Protected Health Information (PHI) and other data when you use our AI-powered revenue cycle management services ("Services"). This policy applies to all users of ClaimRight's Services, including healthcare providers, their staff, and authorized representatives.
2. HIPAA Compliance
ClaimRight operates as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). We sign Business Associate Agreements (BAAs) with all healthcare customers before processing any PHI. We comply with all applicable HIPAA Privacy, Security, and Breach Notification Rules. Our use and disclosure of PHI is limited to providing Services as outlined in our BAA and as required or permitted by law. We implement administrative, physical, and technical safeguards to protect PHI against unauthorized access, use, or disclosure.
3. Information We Collect
We collect several types of information: (a) Protected Health Information (PHI) including patient names, dates of birth, medical record numbers, diagnosis codes, procedure codes, claim numbers, insurance information, and payer details; (b) Account Information including your organization's name, address, contact information, billing details, and authorized user credentials; (c) Usage Data including IP addresses, browser types, device information, access times, pages viewed, and clickstream data; (d) Voice Data including recordings of AI-agent calls with payers (which may contain PHI) for quality assurance and training purposes; (e) Communication Data including emails, support tickets, chat messages, and phone calls with our support team.
4. How We Use Your Information
We use collected information for the following purposes: (a) Service Delivery: making automated calls to payers, verifying claim status, managing denials, generating transcripts and summaries, and processing revenue cycle operations; (b) Platform Operations: maintaining and improving our AI algorithms, monitoring system performance and uptime, detecting and preventing fraud or security threats, and troubleshooting technical issues; (c) Customer Support: responding to inquiries and support requests, providing technical assistance, and communicating service updates or maintenance schedules; (d) Compliance: meeting legal and regulatory obligations including HIPAA requirements, maintaining audit logs for seven (7) years, and responding to legal process or government requests; (e) Business Operations: billing and invoicing, analyzing usage patterns to improve Services (using de-identified data), and developing new features and capabilities.
5. Information Sharing and Disclosure
We do not sell, rent, or trade your information. We may share information only in the following circumstances: (a) Service Providers: with third-party vendors who assist in providing Services (cloud hosting, payment processing, customer support tools) under strict confidentiality agreements and BAAs where applicable; (b) Payers: with insurance companies and payers as necessary to verify claim status and process payments on your behalf; (c) Legal Requirements: when required by law, regulation, legal process, or government request, to protect our rights or property, to enforce our Terms of Service, or to protect the safety of users or the public; (d) Business Transfers: in connection with a merger, acquisition, or sale of assets, with appropriate safeguards for PHI; (e) Your Consent: with your explicit permission for purposes not otherwise described in this policy.
6. Data Security Measures
We implement comprehensive security measures to protect your data: (a) Encryption: all PHI is encrypted in transit using TLS 1.3 or higher and at rest using AES-256 encryption; (b) Access Controls: role-based access controls (RBAC), multi-factor authentication (MFA) for all administrative access, and regular access reviews and audits; (c) Infrastructure Security: HIPAA-compliant hosting in SOC 2 certified data centers, 24/7 security monitoring and intrusion detection, regular vulnerability scanning and penetration testing, and dedicated firewall and DDoS protection; (d) Employee Training: HIPAA training completed by all employees upon hire and annually, background checks for employees with PHI access, and signed confidentiality agreements; (e) Incident Response: documented breach notification procedures, an incident response team available 24/7, and regular disaster recovery drills.
7. Data Retention and Deletion
We retain data as follows: (a) PHI and Transaction Records: maintained for seven (7) years from the date of service to comply with healthcare regulations and audit requirements; (b) Audit Logs: retained for seven (7) years to meet HIPAA requirements; (c) Account Information: maintained for the duration of your subscription plus seven (7) years for legal and compliance purposes; (d) Voice Recordings: stored for ninety (90) days for quality assurance, then automatically deleted unless required for dispute resolution or compliance investigation. Upon termination of Services, you may export your data within thirty (30) days. We will securely delete or de-identify your data ninety (90) days after termination unless longer retention is required by law. Data deletion uses DOD-approved methods to ensure data cannot be recovered.
8. Your Rights and Choices
Under HIPAA and applicable privacy laws, you have the following rights: (a) Access: request access to PHI we maintain on behalf of your organization; (b) Amendment: request corrections to inaccurate or incomplete PHI; (c) Accounting of Disclosures: obtain a list of certain PHI disclosures we have made; (d) Restrictions: request limitations on how PHI is used or disclosed (we will consider but may not be required to agree to restrictions); (e) Confidential Communications: request communications through specific methods or locations; (f) Breach Notification: receive notification of breaches of unsecured PHI; (g) Complaint: file complaints with us or the U.S. Department of Health and Human Services Office for Civil Rights; (h) Data Export: export your data in CSV format compatible with major EHR systems. To exercise these rights, contact privacy@claimright.app or use the contact information in Section 12.
9. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience: (a) Essential Cookies: necessary for platform functionality (authentication, security, session management); (b) Analytics Cookies: help us understand how you use our Services to improve performance and user experience (we use aggregated, de-identified data); (c) Communication Cookies: remember your preferences for notifications and communications. You can control cookies through your browser settings. Disabling certain cookies may limit platform functionality. We do not use advertising or tracking cookies that share data with third parties for marketing purposes.
10. Children's Privacy
Our Services are designed for healthcare organizations and their authorized personnel. We do not knowingly collect personal information from individuals under 18 years of age. While our Services may process PHI related to pediatric patients, this information is collected from healthcare providers in their professional capacity, not directly from children. If you believe we have inadvertently collected information from a child, please contact us immediately at privacy@claimright.app.
11. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, Services, or legal requirements. We will notify you of material changes via email or through a prominent notice in the Services at least thirty (30) days before the effective date. Your continued use of Services after changes become effective constitutes acceptance of the updated Privacy Policy. We will maintain prior versions of this policy for your review upon request. The "Last Updated" date at the top of this policy indicates when it was most recently revised.
12. Contact Information
For questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact: Vantar Group LLC, Privacy Officer, 1 MetroTech Center, Brooklyn, NY 11201, Email: privacy@claimright.app, Phone: (888) 555-0199. For HIPAA-related inquiries or to file a complaint, you may also contact the U.S. Department of Health and Human Services Office for Civil Rights at (800) 368-1019 or www.hhs.gov/ocr/privacy.