Legal

HIPAA Notice of Privacy Practices

Effective Date: May 1, 2025 · Last Updated: May 1, 2025

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Our Role as a Business Associate

ExpertSigned operates as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. We receive Protected Health Information (PHI) from covered entities (such as medical practices and healthcare providers) solely for the purpose of preparing prior authorization letters and related medical documents on their behalf.

We do not provide healthcare services directly to patients. Our obligations under HIPAA arise from our Business Associate Agreements (BAAs) with our healthcare clients.

Protected Health Information We Handle

In the course of providing medical document preparation services, we may receive and process the following categories of PHI:

Patient name, date of birth, and contact information
Diagnosis codes (ICD-10) and procedure codes (CPT)
Treating physician information and NPI numbers
Insurance policy and member identification numbers
Clinical notes and supporting documentation provided by the requesting practice

How We Use and Disclose PHI

We use and disclose PHI only as permitted by our Business Associate Agreements and applicable law. Permitted uses include:

Document Preparation: Using PHI to draft prior authorization letters and supporting documents as requested by the covered entity.
Review and Sign-off: Sharing PHI with the licensed physician reviewer assigned to your document for the purpose of review and signature.
Legal Compliance: Disclosing PHI as required by law, including in response to valid legal process or government investigations.
Security Incident Response: Reporting security incidents involving PHI to the covered entity as required by our BAA.

We will not use or disclose PHI for any purpose other than those described above without written authorization from the covered entity or as otherwise required by law.

Safeguards We Maintain

ExpertSigned implements the following safeguards to protect PHI in accordance with the HIPAA Security Rule:

Administrative Safeguards: Workforce training on HIPAA requirements, designated privacy and security responsibilities, and documented policies and procedures.
Physical Safeguards: Restricted access to systems that process PHI, workstation use policies, and device and media controls.
Technical Safeguards: AES-256 encryption for PHI at rest, TLS 1.3 encryption for PHI in transit, access controls with unique user identification, and automatic logoff.
Subcontractor Agreements: All subcontractors and vendors who may have access to PHI are required to execute Business Associate Agreements with us.

Data Retention and Destruction

PHI is retained for a minimum of six (6) years from the date of creation or the date it was last in effect, whichever is later, in accordance with HIPAA requirements. After the applicable retention period, PHI is securely destroyed using industry-standard methods that render the information unreadable and unrecoverable. Raw call recordings, where applicable, are automatically deleted within 30 days of document delivery.

Breach Notification

In the event of a breach of unsecured PHI, ExpertSigned will notify the affected covered entity without unreasonable delay and in no case later than 60 days following discovery of the breach, in accordance with the HIPAA Breach Notification Rule. Notification will include the nature of the PHI involved, the persons who accessed or may have accessed the PHI, actions taken to mitigate harm, and steps taken to prevent future breaches.

Your Rights Regarding PHI

Because ExpertSigned acts as a Business Associate and not as a covered entity, individual patients should direct requests regarding their PHI (such as requests for access, amendment, or accounting of disclosures) to their healthcare provider. We will cooperate with covered entities in responding to such requests as required by our BAAs.

Changes to This Notice

We reserve the right to change this Notice at any time. Changes will be effective for all PHI we maintain, including PHI created or received before the effective date of the revised Notice. We will post the updated Notice on our website and update the effective date.

Contact Information

For questions about this HIPAA Notice or to report a privacy concern, please contact us at:

ExpertSigned — Privacy Officer
Email: expertsigned@gmail.com
Website: www.expertsigned.com

You also have the right to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, if you believe your privacy rights have been violated. You will not be retaliated against for filing a complaint.