HIPAA Notice of Privacy Practices
1. About This Notice
HOOTL MedicalAssist ("the Platform") is required by law to maintain the privacy of protected health information (PHI), to provide individuals with notice of our legal duties and privacy practices with respect to PHI, and to follow the terms of the notice that is currently in effect. This Notice of Privacy Practices ("Notice") describes how we may use and disclose PHI and your rights regarding that information.
This Notice applies to all PHI created, received, maintained, or transmitted by the Platform in connection with the medical denial appeal management services we provide.
2. Designated Record Set
Under HIPAA, the Designated Record Set includes the group of records maintained by or for a covered entity that is used, in whole or in part, to make decisions about individuals. For the purposes of this Platform, the Designated Record Set includes:
- Medical Records: Clinical documentation, treatment histories, diagnostic results, physician notes, and any other medical information submitted to or generated by the Platform in connection with denial appeals and prior authorization requests.
- Billing Records: Claims data, Explanation of Benefits (EOB) documents, denial letters, CPT/ICD-10/HCPCS codes, charge amounts, and reimbursement information associated with cases managed through the Platform.
- Enrollment Records: Health plan enrollment data, member identification numbers, coverage details, and plan information submitted for the purpose of managing denial appeals.
- Payment Records: Payment histories, remittance advice, financial recovery data, and records of amounts in dispute or recovered through the appeal process.
- Case Management Records: Appeal letters (including AI-generated drafts), evidence packages, peer-to-peer review notes, submission tracking data, timeline entries, prior authorization requests, and all supporting documentation compiled during the denial appeal lifecycle.
You have the right to access and request amendments to records in the Designated Record Set in accordance with Section 3 of this Notice. Requests should be directed to our Privacy Officer at privacy@hootl.com.
3. Uses and Disclosures of PHI
3.1 Treatment
We may use and disclose PHI to assist in the coordination of healthcare services related to denial appeals. This includes sharing case information with authorized healthcare providers within your practice who are involved in the patient's care or appeal process.
3.2 Payment
We may use and disclose PHI as necessary for payment-related activities, including generating appeal letters to insurers, documenting medical necessity for denied claims, and supporting reimbursement efforts for healthcare services.
3.3 Healthcare Operations
We may use and disclose PHI for healthcare operations, including quality assessment and improvement, case management, auditing, compliance activities, and business planning related to the denial appeal management process.
3.4 Business Associates
We may disclose PHI to our business associates who perform services on our behalf that involve the use or disclosure of PHI. All business associates are required to enter into Business Associate Agreements (BAAs) that obligate them to protect PHI in accordance with HIPAA. Our current business associates include:
- Anthropic — Provides AI services (Claude API) used for denial analysis and appeal letter generation. PHI is processed under a BAA and is not retained after processing or used for model training.
- Cloudflare — Provides hosting, database, and infrastructure services. PHI is stored and processed under a BAA with appropriate security controls.
3.5 Required by Law
We may use or disclose PHI when required to do so by federal, state, or local law, including for public health activities, health oversight activities, judicial and administrative proceedings, law enforcement purposes, and to avert a serious threat to health or safety.
3.6 Authorization-Based Disclosures
Other uses and disclosures of PHI not described in this Notice will be made only with your written authorization. You may revoke any authorization at any time by submitting a written request to our Privacy Officer, except to the extent that we have already taken action in reliance on the authorization.
4. Your Rights Regarding PHI
4.1 Right to Access
You have the right to inspect and obtain a copy of PHI maintained about you in our records. To request access, submit a written request to our Privacy Officer. We will respond within 30 days. We may charge a reasonable, cost-based fee for copies.
4.2 Right to Request Amendment
You have the right to request an amendment to PHI maintained in our records if you believe the information is inaccurate or incomplete. Submit amendment requests in writing to our Privacy Officer. We may deny the request under certain circumstances as permitted by HIPAA, and will provide a written explanation if denied.
4.3 Right to an Accounting of Disclosures
You have the right to request an accounting of certain disclosures of your PHI that we have made. This accounting will not include disclosures made for treatment, payment, or healthcare operations, or disclosures made with your authorization. Submit requests in writing to our Privacy Officer.
4.4 Right to Request Restrictions
You have the right to request restrictions on how we use or disclose your PHI for treatment, payment, or healthcare operations. While we are not required to agree to all restriction requests, we will accommodate reasonable requests where possible. We are required to agree to a restriction if the disclosure is to a health plan for payment or healthcare operations and the PHI pertains to a service that has been paid for in full out of pocket.
4.5 Right to Confidential Communications
You have the right to request that we communicate with you about your PHI in a specific way or at a specific location. We will accommodate reasonable requests.
4.6 Right to a Copy of This Notice
You have the right to obtain a paper or electronic copy of this Notice at any time. To request a copy, contact our Privacy Officer or download it from this page.
4.7 Right to File a Complaint
If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights. You will not be retaliated against for filing a complaint.
- File with us: Contact our Privacy Officer at privacy@hootl.com
- File with HHS: www.hhs.gov/hipaa/filing-a-complaint
5. Our Duties
We are required by law to:
- Maintain the privacy of PHI and provide you with notice of our legal duties and privacy practices.
- Abide by the terms of this Notice currently in effect.
- Notify you if a breach of unsecured PHI occurs that affects your information, in accordance with the HIPAA Breach Notification Rule (45 CFR 164.400-414).
- Not use or disclose PHI for marketing purposes without your written authorization.
- Not sell PHI without your written authorization.
- Obtain your authorization before using or disclosing psychotherapy notes, if applicable.
6. Breach Notification
In the event of a breach of unsecured PHI, we will comply with the HIPAA Breach Notification Rule (45 CFR 164.400-414) according to the following specific timelines:
6.1 Individual Notification
We will notify each affected individual without unreasonable delay and no later than 60 calendar days after discovery of a breach. Notifications will be sent by first-class mail (or email if the individual has consented to electronic communication) and will include:
- A description of the breach, including the date(s) of the breach and the date of discovery.
- The types of unsecured PHI involved (e.g., names, dates of service, diagnosis codes, claim numbers).
- Steps the individual should take to protect themselves from potential harm.
- A description of what we are doing to investigate and mitigate the breach.
- Contact procedures for questions, including a toll-free phone number, email, and postal address.
6.2 HHS Notification
For breaches affecting 500 or more individuals, we will notify the U.S. Department of Health and Human Services (HHS) Secretary no later than 60 calendar days after discovery of the breach, concurrent with individual notifications.
For breaches affecting fewer than 500 individuals, we will maintain a log of such breaches and submit it to HHS annually, no later than 60 days after the end of the calendar year in which the breaches were discovered.
6.3 Media Notification
For breaches affecting 500 or more individuals in a single state or jurisdiction, we will provide notice to prominent media outlets serving that state or jurisdiction no later than 60 calendar days after discovery.
6.4 Law Enforcement Delay
If a law enforcement official determines that notification would impede a criminal investigation or cause damage to national security, we may delay notification as permitted under 45 CFR 164.412.
7. Security Measures
We implement comprehensive administrative, physical, and technical safeguards to protect PHI, including:
- Encryption: All PHI is encrypted at rest using AES-GCM-256 encryption and in transit using TLS 1.3.
- Access Controls: Role-based access controls (RBAC), multi-practice isolation, and session management.
- Audit Logging: All access to PHI is logged with user identification, timestamps, and action details. Audit logs are retained for a minimum of 6 years.
- Workforce Training: Personnel with access to PHI receive HIPAA privacy and security training.
- Incident Response: Documented breach detection, investigation, and notification procedures.
8. Business Associate Agreements
If you are a Covered Entity under HIPAA and wish to use the Platform for managing PHI, a Business Associate Agreement (BAA) must be executed between your organization and HOOTL MedicalAssist prior to the submission of any PHI. To request a BAA, contact us at legal@hootl.com.
We maintain BAAs with all of our subcontractors and service providers who may access or process PHI on our behalf. These agreements require that our business associates implement appropriate safeguards, report security incidents, and comply with applicable HIPAA requirements.
9. Changes to This Notice
We reserve the right to change the terms of this Notice and to make the new provisions effective for all PHI that we maintain. If we make material changes, we will post the revised Notice on this page with an updated effective date. We will also make the revised Notice available upon request.
10. Contact Information
For questions about this Notice, to exercise your rights, or to file a complaint, contact our Privacy Officer:
- HIPAA Privacy Officer
- Email: privacy@hootl.com
- Subject Line: HIPAA Privacy Inquiry
For general support inquiries, contact support@hootl.com.
Please review this notice before accessing patient information.
By clicking "I Acknowledge", you confirm that you have read and understood the HIPAA Notice of Privacy Practices above.