Privacy Policy
Effective Date: April 18, 2026
Last Updated: April 18, 2026
HIPAA Notice: This Privacy Policy describes how GMB Billing Firm collects and uses information in connection with our website and services. For information about how we handle Protected Health Information (PHI) on behalf of covered entities, please see our HIPAA Compliance page and Business Associate Agreement.
1. Information We Collect
1.1 Information You Provide
When you use our services, we may collect:
- Contact Information: Name, email address, phone number, business address
- Practice Information: Practice name, specialty, tax ID, NPI numbers
- Account Information: Username, password, security questions
- Billing Information: Bank account details for payment processing
- Clinical Documentation: Medical notes, patient encounters (de-identified when using AI platform)
1.2 Information Collected Automatically
When you visit our website, we automatically collect:
- Usage Data: Pages viewed, time spent, click patterns
- Device Information: Browser type, operating system, IP address
- Cookies: See our Cookie Policy for details
- Log Data: Access times, error logs, performance data
1.3 Information from Third Parties
- Insurance payer information for claim processing
- Credit reporting agencies (for account setup)
- Electronic Health Record (EHR) systems (with your authorization)
2. How We Use Your Information
2.1 Service Delivery
We use your information to:
- Process medical claims and billing
- Provide AI coding assistance
- Manage accounts receivable
- Generate reports and analytics
- Communicate about account status
2.2 Business Operations
- Improve our services and platform
- Develop new features
- Conduct research and analytics (using de-identified data)
- Detect and prevent fraud
- Ensure security and compliance
2.3 Legal and Compliance
- Comply with legal obligations
- Respond to legal processes
- Enforce our Terms of Service
- Protect rights, property, and safety
3. How We Share Your Information
3.1 Service Providers
We share information with third parties who help us provide services:
- Clearinghouses: For claim submission
- Payment Processors: For financial transactions
- Cloud Hosting: For data storage (Cloudflare, AWS)
- Analytics: For usage analysis (if implemented)
All service providers are bound by confidentiality agreements and Business Associate Agreements when handling PHI.
3.2 Insurance Payers
We submit claims and communicate with insurance companies as part of billing services.
3.3 Legal Requirements
We may disclose information when required by:
- Court orders or subpoenas
- Government audits or investigations
- Law enforcement requests
- Legal compliance obligations
3.4 Business Transfers
In connection with a merger, acquisition, or sale of assets, information may be transferred. We will notify you before your information becomes subject to different privacy terms.
3.5 With Your Consent
We may share information for purposes not listed here with your explicit consent.
4. AI Coding Platform Privacy
Important: The AI coding platform is designed with privacy-first principles.
4.1 Client-Side Processing
When technically feasible, the AI platform processes data in your browser. This means:
- Clinical text does not leave your device during initial processing
- De-identification happens on your computer
- You maintain control over data before transmission
4.2 API Requests
When using AI features that require server processing:
- Only de-identified clinical text is transmitted
- No PHI (names, dates, MRNs, etc.) should be included
- Requests are encrypted in transit (HTTPS)
- We do not store request data beyond processing
4.3 Your Responsibilities
You must:
- Remove all PHI before using the platform
- Not upload patient-identifiable information
- Review our de-identification guidelines
- Ensure compliance with HIPAA requirements
5. Data Security
5.1 Technical Safeguards
- Encryption: AES-256 at rest, TLS 1.3 in transit
- Access Controls: Role-based authentication, multi-factor where available
- Firewalls: Network segmentation and monitoring
- Intrusion Detection: Automated threat monitoring
5.2 Administrative Safeguards
- Security training for all employees
- Background checks on personnel with data access
- Confidentiality agreements
- Regular security audits
- Incident response procedures
5.3 Physical Safeguards
- Secure data centers with restricted access
- Environmental controls
- Backup and disaster recovery systems
6. Data Retention
6.1 Billing Records
We retain billing and claims data for:
- Minimum 7 years (HIPAA requirement)
- Longer if required by state law
- As needed for ongoing audits or disputes
6.2 Platform Usage Data
- Log data: 90 days
- De-identified analytics: Indefinitely
- Account information: Duration of relationship + 3 years
6.3 Deletion Requests
You may request deletion of your information, subject to:
- Legal retention requirements
- Ongoing investigations or audits
- Outstanding financial obligations
7. Your Rights and Choices
7.1 Access and Correction
You have the right to:
- Access your information
- Request corrections
- Obtain copies of data
- Request data portability
7.2 Marketing Communications
- Opt out of marketing emails (unsubscribe link provided)
- Continue to receive service-related communications
7.3 Cookies
You can control cookies through browser settings. See our Cookie Policy for details.
7.4 Do Not Track
We currently do not respond to Do Not Track signals, as industry standards are still developing.
8. Children's Privacy
Our services are not directed to individuals under 18. We do not knowingly collect information from children. If we learn we have collected information from a child, we will delete it promptly.
9. International Data Transfers
Our services are based in the United States. If you access our services from outside the U.S., your information will be transferred to and processed in the U.S., which may have different data protection laws than your jurisdiction.
10. Changes to Privacy Policy
We may update this Privacy Policy to reflect:
- Changes in our practices
- Legal or regulatory requirements
- New features or services
Material changes will be communicated via email or prominent notice on our website. Continued use after changes constitutes acceptance.
11. State-Specific Rights
11.1 California Residents (CCPA)
California residents have additional rights:
- Right to know what personal information is collected
- Right to know if information is sold or shared
- Right to opt out of sale (we do not sell information)
- Right to deletion
- Right to non-discrimination
11.2 Other States
Residents of other states with privacy laws (Virginia, Colorado, etc.) may have similar rights. Contact us to exercise these rights.
12. Breach Notification
In the event of a data breach affecting your information:
- We will notify you within 60 days (or as required by law)
- Notification will include the nature of the breach and the steps taken
- We will comply with HIPAA breach notification requirements for PHI
- We will notify regulators as required
13. Contact Information
For privacy questions or to exercise your rights:
Privacy Officer
GMB Billing Firm
1921 NW N River Dr, #B107
Miami, FL 33125
Phone: (305) 482-1491
Email: support@gmbcoding.com
14. Complaints
If you believe your privacy rights have been violated:
- Contact our Privacy Officer (details above)
- File a complaint with the HHS Office for Civil Rights (for HIPAA issues)
- Contact your state attorney general's office
We will not retaliate against anyone who files a good-faith complaint.
Related Policies: Terms of Service | HIPAA Compliance | Cookie Policy