Privacy Policy

Effective Date: March 22, 2026 · Last Updated: March 22, 2026

HOOTL MedicalAssist ("we," "us," or "the Platform") is committed to protecting your privacy and safeguarding protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA), the HITECH Act, and all applicable state and federal privacy laws. This Privacy Policy describes how we collect, use, store, disclose, and protect your information when you use our medical denial appeal management platform.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, professional credentials, specialty, and optionally your National Provider Identifier (NPI) number.

1.2 Protected Health Information (PHI)

In the course of managing denial appeals, you may submit PHI including but not limited to:

Patient names, dates of birth, and medical record numbers
Insurance denial letters and Explanation of Benefits (EOB) documents
Medical records, clinical notes, and diagnostic information
CPT, ICD-10, and HCPCS codes
Treatment histories and prior authorization details
Appeal letters and supporting clinical evidence

1.3 Usage Data

We collect non-identifiable usage data such as browser type, device information, pages visited, feature usage patterns, and session duration. This data does not contain PHI and is used solely to improve the Platform.

2. How We Use Your Information

We use the information we collect to:

Provide and operate the denial appeal management platform
Generate AI-powered denial analysis and appeal letter drafts
Facilitate physician collaboration and case sharing within your practice
Maintain audit logs for HIPAA compliance
Communicate with you about your account and platform updates
Improve platform functionality, performance, and security

3. How We Store and Protect Your Information

3.1 Encryption

All protected health information is encrypted at rest using AES-GCM-256 encryption. Data in transit is protected using TLS 1.3. Encryption keys are managed securely and rotated periodically. PHI encryption keys are stored separately from the encrypted data using Cloudflare Workers secrets management.

3.2 Access Controls

Access to PHI is restricted through role-based access controls (RBAC). Only authenticated users within your practice can access case data. All access to PHI is logged in tamper-evident audit logs that record the user, action, timestamp, and affected records.

3.3 Infrastructure Security

The Platform is hosted on Cloudflare's global edge network, which provides DDoS protection, WAF (Web Application Firewall), and SOC 2 Type II certified infrastructure. Data is stored in Cloudflare D1 databases with encryption at rest.

4. Third-Party Services

We use the following third-party services in the operation of the Platform:

Anthropic Claude API — Used for AI-powered denial analysis, appeal letter generation, and clinical reasoning assistance. PHI submitted for AI analysis is processed in accordance with our Business Associate Agreement (BAA) with Anthropic. Anthropic does not retain PHI after processing and does not use it to train AI models.
Cloudflare — Provides hosting, CDN, DNS, database (D1), key-value storage, and edge computing infrastructure. Cloudflare operates under a BAA for HIPAA-covered workloads and maintains SOC 2 Type II, ISO 27001, and PCI DSS certifications.

We do not sell, rent, or share your personal information or PHI with any third parties for marketing or advertising purposes.

5. Data Retention

We retain your information as follows:

Account data: Retained for the duration of your active account plus 30 days after account deletion to allow for recovery.
PHI and case data: Retained for a minimum of 6 years from the date of creation or last activity, as required by HIPAA regulations (45 CFR 164.530(j)).
Audit logs: Retained for a minimum of 6 years as required by HIPAA.
Usage analytics: Aggregated, de-identified data may be retained indefinitely for platform improvement.

Upon expiration of retention periods, data is securely deleted using cryptographic erasure methods.

6. Your Rights

As a user of the Platform, you have the following rights regarding your information:

Right to Access: You may request a copy of the PHI and personal data we hold about you or your patients' cases.
Right to Correction: You may request correction of inaccurate or incomplete PHI.
Right to Deletion: You may request deletion of your account and associated data, subject to legal retention requirements.
Right to Restriction: You may request that we restrict certain uses or disclosures of your PHI.
Right to an Accounting of Disclosures: You may request a list of disclosures of your PHI that we have made.
Right to Data Portability: You may request an export of your case data in a machine-readable format.

To exercise any of these rights, please contact us at privacy@hootl.com. We will respond to all requests within 30 days.

7. Breach Notification

In the event of a breach of unsecured PHI, we will:

Notify affected individuals without unreasonable delay and no later than 60 days after discovery of the breach, as required by the HIPAA Breach Notification Rule (45 CFR 164.404).
Notify the U.S. Department of Health and Human Services (HHS) in accordance with 45 CFR 164.408.
If the breach affects 500 or more individuals, notify prominent media outlets in the affected jurisdiction.
Provide a description of the breach, the types of information involved, steps individuals should take to protect themselves, what we are doing to investigate and mitigate the breach, and contact information for further inquiries.

8. Cookies and Tracking

The Platform uses essential cookies and local storage for authentication, session management, and user preferences (such as theme selection). We do not use third-party tracking cookies, advertising pixels, or analytics services that track individual users across websites.

9. Children's Privacy

The Platform is designed for use by healthcare professionals and is not intended for individuals under the age of 18. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page with a revised "Last Updated" date. Your continued use of the Platform after any changes constitutes your acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us:

Email: privacy@hootl.com
HIPAA Privacy Officer: privacy@hootl.com

← Back to home