Privacy Policy
HOOTL MedicalAssist ("we," "us," or "the Platform") is committed to protecting your privacy and safeguarding protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA), the HITECH Act, and all applicable state and federal privacy laws. This Privacy Policy describes how we collect, use, store, disclose, and protect your information when you use our medical denial appeal management platform.
1. Information We Collect
1.1 Account Information
When you create an account, we collect your name, email address, professional credentials, specialty, and optionally your National Provider Identifier (NPI) number.
1.2 Protected Health Information (PHI)
In the course of managing denial appeals, you may submit PHI including but not limited to:
- Patient names, dates of birth, and medical record numbers
- Insurance denial letters and Explanation of Benefits (EOB) documents
- Medical records, clinical notes, and diagnostic information
- CPT, ICD-10, and HCPCS codes
- Treatment histories and prior authorization details
- Appeal letters and supporting clinical evidence
1.3 Usage and Operational Data
We collect non-identifiable usage data such as browser type, device information, pages visited, feature usage patterns, and session duration. This data does not contain PHI and is used solely to improve the Platform.
We also collect and retain the following operational data as part of HIPAA-required audit logging and platform security:
- IP addresses: Your IP address is recorded in audit log entries for security monitoring. Full IP addresses are retained for 90 days, after which they are anonymized (last octet zeroed for IPv4, last 80 bits zeroed for IPv6). Anonymized records are retained for 7 years in accordance with HIPAA requirements.
- Cookie consent preferences: Your cookie consent choices are stored in browser localStorage and associated with your account in our audit records.
- Community posts and replies: Text content you post in the community forum is stored in our database associated with your account.
- Chat messages: Messages sent through the in-platform chat are stored in our database and accessible to other members of your practice.
- Password reset tokens: Cryptographic tokens for password reset are stored as SHA-256 hashes (not plaintext) and expire after 1 hour.
- MFA secrets: Multi-factor authentication secrets are stored encrypted in our database.
- Policy acknowledgment records: Timestamps of your HIPAA notice and Terms of Service acknowledgments are stored for compliance purposes.
- Active session tracking: Active session tokens are tracked to support logout and session revocation.
2. How We Use Your Information
We use the information we collect to:
- Provide and operate the denial appeal management platform
- Generate AI-powered denial analysis and appeal letter drafts
- Facilitate physician collaboration and case sharing within your practice
- Maintain audit logs for HIPAA compliance
- Communicate with you about your account and platform updates
- Improve platform functionality, performance, and security
3. How We Store and Protect Your Information
3.1 Encryption
All protected health information is encrypted at rest using AES-GCM-256 encryption. Data in transit is protected using TLS 1.3. Encryption keys are managed securely and rotated periodically. PHI encryption keys are stored separately from the encrypted data using Cloudflare Workers secrets management.
3.2 Access Controls
Access to PHI is restricted through role-based access controls (RBAC). Only authenticated users within your practice can access case data. All access to PHI is logged in tamper-evident audit logs that record the user, action, timestamp, and affected records.
3.3 Infrastructure Security
The Platform is hosted on Cloudflare's global edge network, which provides DDoS protection, WAF (Web Application Firewall), and SOC 2 Type II certified infrastructure. Data is stored in Cloudflare D1 databases with encryption at rest.
4. Third-Party Services
We use the following third-party services in the operation of the Platform:
- Anthropic Claude API — Used for AI-powered denial analysis, appeal letter generation, and clinical reasoning assistance. PHI submitted for AI analysis is processed in accordance with our Business Associate Agreement (BAA) with Anthropic. According to Anthropic's data processing agreement, Anthropic does not retain PHI after processing and does not use customer API data to train AI models. Users should review Anthropic's Privacy Policy for current and authoritative information on their data practices.
- Cloudflare — Provides hosting, CDN, DNS, database (D1), key-value storage, and edge computing infrastructure. Cloudflare operates under a BAA for HIPAA-covered workloads and maintains SOC 2 Type II, ISO 27001, and PCI DSS certifications.
We do not sell, rent, or share your personal information or PHI with any third parties for marketing or advertising purposes.
4a. GDPR and International Data Transfers (EU/EEA Users)
If you are located in the European Union, European Economic Area, or United Kingdom, the following additional information applies to you under the General Data Protection Regulation (GDPR) and applicable national laws:
- Legal basis for processing: We process your personal data on the basis of (a) contractual necessity (to provide the Platform services), (b) legal obligation (HIPAA compliance and audit requirements), and (c) your explicit consent where required.
- Data Processing Agreement (DPA): EU-based healthcare organisations using this Platform as a data controller may request a Data Processing Agreement (DPA) in accordance with GDPR Article 28. To request a DPA, contact us at privacy@hootl.com with the subject line "DPA Request".
- International transfers: Data is processed on Cloudflare's global infrastructure, which may involve transfers outside the EU/EEA. Cloudflare participates in the EU-U.S. Data Privacy Framework and provides Standard Contractual Clauses (SCCs) for international transfers.
- Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority if you believe we have not handled your personal data in accordance with applicable law.
- Data Protection Officer: For GDPR-related enquiries, contact us at privacy@hootl.com.
5. Data Retention
We retain your information as follows:
- Account data: Retained for the duration of your active account plus 30 days after account deletion to allow for recovery.
- PHI and case data: Retained for a minimum of 7 years from the date of creation or last activity. This exceeds the minimum 6-year HIPAA requirement (45 CFR 164.530(j)) to accommodate state law requirements that may mandate longer retention.
- Audit logs: Retained for a minimum of 7 years as required by our retention policy. Full IP addresses within audit logs are anonymized after 90 days.
- Usage analytics: Aggregated, de-identified data may be retained indefinitely for platform improvement.
Upon expiration of retention periods, data is securely deleted using cryptographic erasure methods.
6. Your Rights
As a user of the Platform, you have the following rights regarding your information:
- Right to Access: You may request a copy of the PHI and personal data we hold about you or your patients' cases.
- Right to Correction: You may request correction of inaccurate or incomplete PHI.
- Right to Deletion: You may request deletion of your account and associated data, subject to legal retention requirements. Please note that when you have used AI-assisted features, PHI may have been transmitted to the Anthropic API for processing. While we will delete all data held within our platform, data previously sent to Anthropic is subject to Anthropic's own data retention and deletion policies under our BAA. We recommend contacting Anthropic directly at anthropic.com if you have specific concerns about data previously processed by their API.
- Right to Restriction: You may request that we restrict certain uses or disclosures of your PHI.
- Right to an Accounting of Disclosures: You may request a list of disclosures of your PHI that we have made.
- Right to Data Portability: You may request an export of your case data in a machine-readable format.
To exercise any of these rights, please contact us at privacy@hootl.com. We will respond to all requests within 30 days.
7. Breach Notification
In the event of a breach of unsecured PHI, we will:
- Notify affected individuals without unreasonable delay and no later than 60 days after discovery of the breach, as required by the HIPAA Breach Notification Rule (45 CFR 164.404).
- Notify the U.S. Department of Health and Human Services (HHS) in accordance with 45 CFR 164.408.
- If the breach affects 500 or more individuals, notify prominent media outlets in the affected jurisdiction.
- Provide a description of the breach, the types of information involved, steps individuals should take to protect themselves, what we are doing to investigate and mitigate the breach, and contact information for further inquiries.
8. Cookies and Tracking
The Platform uses essential cookies and local storage for authentication, session management, and user preferences (such as theme selection). We do not use third-party tracking cookies, advertising pixels, or analytics services that track individual users across websites.
8a. Internal Operational Metrics
The Platform records internal operational metrics for each API request. These metrics include: the service and action invoked, response time, HTTP status code, and a pseudonymized user identifier (an internal numeric ID, not your email or name). This identifier is a pseudonymized personal data element under GDPR Article 4(5) because it can be re-identified by joining it with the users table. Metrics are retained for 365 days and are accessible only to administrators.
If you decline non-essential tracking via the cookie consent banner, your user identifier is omitted from all operational metrics records. Aggregate metrics (call counts, error rates, response times) continue to be recorded without user attribution for security monitoring and capacity planning, which constitute legitimate interests under GDPR Article 6(1)(f).
8b. Client Error Reporting
The Platform automatically reports unhandled JavaScript errors to our server via the /api/audit/client-error endpoint. This is an essential data processing activity required to detect and remediate security vulnerabilities and functionality failures that could affect protected health information. Error reports include: the error message, the JavaScript file name, and the line number where the error occurred. They do not include PHI, query string parameters, or session tokens. Error reports are retained in the audit log for 7 years as required by HIPAA.
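A browser-side reporter that honours the constraints stated above (only the message, file name and line number; no query string parameters or session tokens) is shown below as an added example, not the Platform's own client code. The endpoint path is the one named in this section; the query-string redaction, the message size cap and the handler registration are assumptions of this example. It also handles the cross-origin case, where the browser reports only "Script error." with no file name or line number.

```javascript
// Added example (not the Platform's own code): build a minimal client error report
// and post it to the /api/audit/client-error endpoint named in the policy.
// Redaction rules and the size cap are assumptions for this example.
const CLIENT_ERROR_ENDPOINT = "/api/audit/client-error";
const MAX_MESSAGE_LENGTH = 512;

// Keeps only the file name of a script URL. Query strings and fragments can
// carry tokens or cache-busting values, so they never leave the browser.
function scriptFileName(source) {
  if (!source) return "";
  try {
    const u = new URL(source, "https://placeholder.invalid"); // base only matters for relative URLs
    return u.pathname.split("/").pop() || "";
  } catch {
    return "";
  }
}

function buildClientErrorReport(message, source, lineno) {
  const msg = String(message ?? "")
    .replace(/\?[^\s"'<>]*/g, "?<redacted>") // drop query strings quoted inside the message text
    .slice(0, MAX_MESSAGE_LENGTH);
  return {
    message: msg,
    file: scriptFileName(source),
    // Cross-origin scripts report lineno 0 with "Script error."; record that as unknown.
    line: Number.isInteger(lineno) && lineno > 0 ? lineno : null,
  };
}

// Registers the handler in a browser. Returns false (and does nothing) where the
// global object lacks addEventListener/fetch, so the module also loads under Node.
function installClientErrorReporter(globalObj = globalThis) {
  if (typeof globalObj.addEventListener !== "function" || typeof globalObj.fetch !== "function") {
    return false;
  }
  globalObj.addEventListener("error", (ev) => {
    const body = JSON.stringify(buildClientErrorReport(ev.message, ev.filename, ev.lineno));
    globalObj
      .fetch(CLIENT_ERROR_ENDPOINT, {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body,
        keepalive: true, // let the report finish even if the page is unloading
      })
      .catch(() => {}); // the reporter must never raise an error of its own
  });
  return true;
}

installClientErrorReporter();
```

Because the report body is built from exactly three fields, nothing from the error's stack, the page URL or stored session data can end up in the audit log by accident; widening the report later (for example adding a stack trace) should be treated as a change to this policy, since stack frames routinely embed query strings.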
8c. State-Specific Privacy Rights
Depending on your state of residence, you may have additional privacy rights under applicable state law. We honor these rights for all users regardless of location where operationally feasible.
California Residents (CCPA/CPRA)
Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), California residents have the right to:
- Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
- Delete: Request deletion of personal information we have collected, subject to certain exceptions (including HIPAA retention obligations).
- Correct: Request correction of inaccurate personal information.
- Opt-Out: We do not sell or share personal information for cross-context behavioral advertising. No opt-out is necessary.
- Non-Discrimination: We will not discriminate against you for exercising any CCPA rights.
HIPAA Exemption: Personal information that constitutes Protected Health Information (PHI) under HIPAA is exempt from CCPA to the extent HIPAA applies. PHI in HOOTL MedicalAssist is governed by our HIPAA Notice of Privacy Practices and applicable BAA rather than CCPA.
To submit a CCPA rights request, contact us at privacy@hootl.com with subject line "California Privacy Rights Request." We will respond within 45 days as required.
Other State Privacy Laws
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other states with comprehensive privacy laws have similar rights to access, correct, delete, and opt out of sale/sharing of personal information. These rights apply to non-PHI personal information. Submit requests to privacy@hootl.com.
9. Children's Privacy
The Platform is designed for use by healthcare professionals and is not intended for individuals under the age of 18. We do not knowingly collect personal information from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page with a revised "Last Updated" date. Your continued use of the Platform after any changes constitutes your acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us:
- Email: privacy@hootl.com
- HIPAA Privacy Officer: privacy@hootl.com