MDS Genie Privacy Policy
HIPAA Compliant
Healthcare Grade Security
Effective Date: July 1, 2025
Last Updated: July 1, 2025
Version: 1.0
🏥 Healthcare Data Protection Commitment
MDS Genie is committed to the highest standards of healthcare data protection. As a healthcare technology service that may process Protected Health Information (PHI), we comply with HIPAA, state privacy laws, and industry best practices to safeguard your data.
1. Data Collection and Use
1.1 Personal Information We Collect
| Data Type | Purpose | Retention Period |
| --- | --- | --- |
| Account Information | User registration, authentication, service delivery | Until account deletion + 7 years |
| Payment Information | Billing, transaction processing, compliance | 7 years from last transaction |
| Usage Analytics | Basic service usage counts only (no assessment details) | 2 years from collection |
| Clinical Notes (PHI) | MDS code generation, immediate processing only | Never stored - processed and discarded immediately |
| System Logs | Security monitoring, troubleshooting | 90 days |
1.2 Protected Health Information (PHI)
Zero PHI Storage Policy: Clinical notes and patient information you input for MDS analysis are processed through our AI service but are never stored on our systems. The data is processed immediately and discarded, ensuring zero PHI retention and minimal compliance burden.
1.3 Legal Basis for Processing
- Contract Performance: Processing necessary for service delivery
- Legitimate Interest: Security monitoring, service improvement
- Legal Compliance: Healthcare regulations, financial record-keeping
- Consent: Marketing communications (where applicable)
2. HIPAA Compliance
2.1 Business Associate Relationship
MDS Genie acts as a Business Associate under HIPAA when processing PHI on behalf of covered entities (healthcare providers). Key points:
- We require a signed Business Associate Agreement (BAA) before processing PHI
- We implement all required technical, administrative, and physical safeguards
- We maintain comprehensive audit logs of all PHI access
- We report any security incidents within 60 days as required by HIPAA
2.2 HIPAA Safeguards Implementation
Technical Safeguards:
- Access control with unique user identification and role-based permissions
- Audit controls that create detailed logs of all PHI access
- Integrity controls ensuring PHI is not improperly altered or destroyed
- Person or entity authentication before accessing PHI
- Transmission security with end-to-end encryption
Administrative Safeguards:
- Assigned security responsibility with a designated Privacy Officer
- Workforce training on HIPAA requirements and data handling procedures
- Information access management with documented access procedures
- Security awareness and training programs
- Incident response procedures for security breaches
Physical Safeguards:
- Facility access controls limiting physical access to systems
- Workstation use restrictions and controls
- Device and media controls for equipment containing PHI
3. Security Measures
3.1 Data Protection
- Encryption: AES-256 encryption at rest, TLS 1.3 in transit
- Access Controls: Multi-factor authentication, role-based access
- Network Security: Web Application Firewall, DDoS protection
- Monitoring: 24/7 security monitoring and incident response
- Backups: Encrypted, geographically distributed backups
3.2 Data Processing Security
- All PHI is processed in secure, HIPAA-compliant environments
- Data is automatically purged from processing systems within 24 hours
- No PHI is stored in long-term databases or backup systems
- Regular security assessments and penetration testing
4. Data Sharing and Third-Party Processors
4.1 Third-Party Service Providers
We work with carefully vetted service providers who sign Business Associate Agreements:
- Microsoft Azure/OpenAI: AI processing services (HIPAA-compliant configuration)
- Stripe: Payment processing (PCI DSS compliant)
- Cloud Infrastructure Providers: HIPAA-compliant hosting services
4.2 International Data Transfers
If data is transferred internationally, we ensure adequate protection through:
- Data Processing Agreements with appropriate safeguards
- Standard Contractual Clauses (SCCs) where applicable
- Encryption and access controls during transfer
4.3 We Do NOT Share Data For:
- Marketing or advertising purposes
- Sale to data brokers or third parties
- Non-essential business purposes
- Social media or analytics platforms
5. Your Privacy Rights
5.1 HIPAA Rights
- Access: Request copies of your PHI
- Amendment: Request corrections to inaccurate PHI
- Accounting: Request list of PHI disclosures
- Restriction: Request limits on PHI use/disclosure
- Confidential Communications: Request alternative communication methods
5.2 State Privacy Law Rights (CCPA, CDPA, etc.)
- Right to Know: Information about data collection and use
- Right to Delete: Request deletion of personal information
- Right to Correct: Request correction of inaccurate data
- Right to Portability: Receive data in portable format
- Right to Opt-Out: Opt out of sale/sharing (we don't sell data)
- Right to Non-Discrimination: No retaliation for exercising rights
5.3 How to Exercise Your Rights
To exercise any privacy rights:
- Email: privacy@mdsgenie.ai
- Response time: Within 30 days of verified request
- Identity verification may be required for security
- No charge for reasonable requests
6. Data Breach Procedures
6.1 Our Response
In the event of a data breach involving PHI:
- We will conduct immediate investigation and containment
- Notify affected covered entities within 60 days (HIPAA requirement)
- Notify individuals if required by law
- Report to Department of Health and Human Services if required
- Provide detailed breach assessment and remediation steps
6.2 Prevention
- Regular security training for all personnel
- Continuous monitoring and threat detection
- Regular security assessments and updates
- Incident response planning and testing
7. Regulatory Compliance
7.1 Healthcare Regulations
- HIPAA: Health Insurance Portability and Accountability Act
- HITECH: Health Information Technology for Economic and Clinical Health Act
- State Health Privacy Laws: As applicable by jurisdiction
7.2 General Privacy Regulations
- CCPA/CPRA: California Consumer Privacy Act
- CDPA: Virginia Consumer Data Protection Act
- CPA: Colorado Privacy Act
- GDPR: General Data Protection Regulation (where applicable)
8. Data Retention and Deletion
8.1 Retention Schedules
- PHI/Clinical Notes: Never stored - processed and immediately discarded
- Account Data: Retained until account deletion + 7 years
- Financial Records: 7 years from last transaction
- Security Logs: 90 days
- Usage Analytics: Basic usage counts only - 2 years
8.2 Secure Deletion
All data deletion follows NIST guidelines for secure data destruction, including:
- Cryptographic erasure where applicable
- Multi-pass overwriting for magnetic media
- Physical destruction for decommissioned hardware
- Certificate of destruction for all physical media
9. Children's Privacy
MDS Genie is not intended for use by individuals under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected such information, we will delete it immediately.
10. Policy Changes
We may update this Privacy Policy to reflect changes in our practices or for legal compliance. We will:
- Provide 30 days' notice of material changes
- Post updated policy with new effective date
- Notify users via email for significant changes
- Maintain version history for reference
If you believe your privacy rights have been violated, you may file a complaint with:
- HHS Office for Civil Rights: www.hhs.gov/ocr/privacy/
- Illinois Attorney General: www.illinoisattorneygeneral.gov
- Federal Trade Commission: www.ftc.gov
🔒 Your Privacy Matters
This policy demonstrates our commitment to protecting your privacy and maintaining the highest standards of data security in healthcare technology. We continuously review and improve our practices to ensure compliance with evolving regulations.