
Privacy Policy
At CombineHealth ("CombineHealth", "we", "us", or "our"), we respect your privacy and are committed to protecting your personal information. This Privacy Policy explains how we collect, use, share, and protect information in relation to our services.
Coverage
This Privacy Policy describes how we treat client data gathered when you upload charts to our portal. It does not cover the practices of companies we do not own or control, or of people we do not manage.
Network Security
Private VPC Network: All services run within a private VPC, which isolates them at the network layer from external traffic.
Network Security Controls: Our infrastructure is protected around the clock by firewalls and intrusion detection systems that provide continuous monitoring and threat prevention.
Data Hosting and Infrastructure
AWS Cloud Hosting: Our platform is hosted on AWS infrastructure located in the United States, building on AWS's security infrastructure and compliance programs.
US-Based Data Storage: All patient data is stored exclusively on servers located in the U.S., in support of our obligations under U.S. healthcare data protection laws.
Data Security Measures
Role-Based Access Controls: We implement strict role-based access controls so that only authorized individuals can access sensitive information, and only to the extent their role requires.
Endpoint Security: Every employee device is protected with endpoint security software that monitors for malicious activity, enforces usage policies, and guards against unauthorized access, so that all endpoints interacting with sensitive systems and data remain secure and compliant.
Compliance and Standards
HIPAA Compliance: Our platform is built and operated to meet the requirements of the HIPAA Privacy and Security Rules. Because HHS does not issue HIPAA certifications, we track adherence through an automated compliance monitoring platform that provides continuous control monitoring and alerts us when a control drifts out of compliance.
SOC 2 Compliance: We follow industry-leading data security practices and have completed a SOC 2 examination, an independent attestation of our controls for data protection and operational integrity.
Data Management and Privacy
Data Collection: We collect only the minimum necessary patient chart data required to accurately and efficiently perform medical billing activities. Our data handling practices follow the principle of data minimization, and patient confidentiality is maintained at every step.
Data Sharing and Third-Party Access: We do not sell patient data or share it with external third parties for their own purposes. The only exceptions are the AWS hosting infrastructure described above and disclosures required by law, such as the breach notifications described below. Within our organization, access to sensitive information is governed by internal controls: only personnel who require the data to perform their specific job functions, such as billing specialists or compliance officers, are granted access. These internal protocols are reviewed regularly.
Client Data Handling
Data Download and Usage: Clients who choose to download coding outputs for offline use are required to follow our prescribed security protocols to preserve the integrity and confidentiality of that data. No Protected Health Information (PHI) is ever used to train our AI models; any inclusion of PHI in model training workflows is prohibited.
Data Handling on the Portal: Once data is uploaded to our secure portal, it is stored in a controlled environment and cannot be downloaded in its original form. Clients may access and download only the coding outputs needed for billing, specifically chart identifiers with their corresponding ICD and CPT codes, rather than the underlying chart contents. Because chart identifiers can themselves identify a patient record, downloaded outputs must still be handled under the client's own PHI safeguards.
Data Breach Response Plan
We are committed to protecting the confidentiality, integrity, and availability of all sensitive data, including Protected Health Information (PHI). To ensure a rapid and effective response to any potential security incidents, we have implemented a comprehensive Data Breach Response Plan, structured to align with leading privacy and security standards.
1. Incident Detection and Identification
We employ continuous monitoring tools and automated alerts across all systems and endpoints to detect anomalies, unauthorized access, and potential data breaches. All employees are trained to recognize and report suspicious activity, and a centralized log management system ensures timely visibility into all access and operational events.
2. Immediate Containment
Upon identification of a potential breach:
- Our security team initiates containment procedures to isolate affected systems and prevent further unauthorized access.
- All relevant access credentials may be temporarily disabled or reset.
- Communication between compromised and secure systems is immediately severed, if necessary.
3. Investigation and Assessment
A thorough investigation is conducted by our internal Security Incident Response Team (SIRT), which may include:
- Identifying the scope and root cause of the breach.
- Determining what data was accessed or compromised.
- Evaluating whether PHI or other regulated data was involved.
- Capturing forensic evidence in a secure and tamper-proof manner.
This process follows standard digital forensics and incident response methodologies and is documented for future auditing and analysis.
4. Notification and Communication
If the breach involves PHI or other regulated data, we adhere to all applicable legal and regulatory notification requirements, including those under HIPAA, HITECH, and state laws.
Affected Clients: Will be notified without unreasonable delay and within the legally mandated timeframes (under the HIPAA Breach Notification Rule, no later than 60 calendar days after discovery), and sooner if feasible, with a clear description of the breach, the data affected, and the steps being taken.
Regulatory Authorities: Breaches involving PHI are reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) as required. Where we act as a business associate, we notify the affected client (the covered entity) so that it can make the required report to HHS and to affected individuals.
Internal Stakeholders: Senior leadership and legal teams are informed immediately to coordinate mitigation, communication, and compliance efforts.
5. Mitigation and Remediation
Following containment and investigation, we implement corrective actions, which may include:
- Patching vulnerabilities or misconfigurations.
- Enhancing access controls and authentication mechanisms.
- Conducting a full security audit of impacted systems.
- Re-training staff on security awareness and protocol adherence.
A post-incident review is conducted to identify lessons learned and to improve future response effectiveness.
6. Documentation and Recordkeeping
All breach response activities are logged and documented, including:
- Incident timeline
- Investigation findings
- Communication records
- Technical remediation steps
- Final incident report
This documentation supports future audits and continuous improvement of our security posture.
7. Continuous Improvement
We routinely test and update our Incident Response Plan through:
- Annual table-top exercises
- Simulated breach drills
- Security risk assessments
- Regular updates based on evolving threats and industry best practices
For any compliance-related issues, contact shikha@combinehealth.ai