Effective as of June 25th, 2025
This Privacy Policy (the “Privacy Policy”) applies to the HCBS Provider mobile application (the “App”), owned and operated by HCBS Billing Solutions LLC (“HCBS,” “we,” “us,” or “our”). HCBS Billing Solutions LLC is a business associate under the Health Insurance Portability and Accountability Act (“HIPAA”). We have created this Privacy Policy to tell you what information the App collects, how we use that information, and who we will share that information with, if at all. This Privacy Policy does not address the privacy practices of any third parties that we do not own, control, or are affiliated with. Capitalized terms not defined in this Privacy Policy will have the meaning stated in our Terms of Use. By visiting and/or using our App, you are agreeing to the terms of this Privacy Policy and the accompanying Terms of Use. We encourage you to read the Privacy Policy, and to use the information it contains to help you make informed decisions.
- Information We Collect or Receive. In the course of operating the App, we will collect and/or receive the following types of information. You authorize us to collect and/or receive such information.
- Provider Personal Information. We only receive or collect information that identifies you personally if you choose to provide such personally identifiable information to us via email or other means. When you sign up to become a user or contact us, you will be required to provide us with Personal Information about yourself (collectively, the “Personal Information”). Such Personal Information will include your name, email address, physical address, and phone number.
- Patient Personal Information. If you choose to use the HCBS App, you are responsible for complying with all HIPAA privacy laws relating to sensitive patient personal information and any patient medical information. The App will allow providers to collect and store patient information including but not limited to: name, date of birth, SSN, addresses, diseases and diagnosis, surgeries and treatment, medical notes, appointment dates and times, services rendered, payment information, and service notes. This information is only to be accessed by the treating provider and must be diligently protected from any unlawful disclosure under HIPAA. All personal consumer information obtained or maintained by our program shall be confidential and will only be disclosed in accordance with the patient’s authorization or as required by law.
- Third-party Log In. If you sign in through HCBS, you are authorizing us to collect, store, and use, in accordance with this Privacy Policy, any and all information that you agreed that HCBS would provide through HCBS’s Application Programming Interface (“API”). Such information may include, without limitation, your first and last name, HCBS username, HCBS profile picture, headline, unique identifier and access credentials, and email address, and provider patient information.
- Payment Information. If you choose to make a purchase or subscribe to a feature or service of ours that requires a fee, you will be required to provide us with your Payment Information, including, without limitation, bank account numbers, credit card or debit card numbers, account details, ACH information, and similar data (collectively, “Payment Information”). Such Payment Information may be collected and processed by a third-party payment vendor(s) under the terms and conditions of their privacy policies and Terms of Use, and we do not obtain access to any Payment Information in connection with such purchases or subscriptions.
- Geolocational Information. Certain features and functionalities of the App are based on your location. In order to provide these features and functionalities while you are using your mobile device, we will automatically collect Geolocational Information from your mobile device or wireless carrier and/or certain third-party service providers (collectively, “Geolocational Information”). Collection of such Geolocational Information occurs only when the App is running on your device. You may decline to allow us to collect such Geolocational Information, in which case we will not be able to provide certain features or functionalities to you.
- Third-Party Analytics. We and the third-party technology providers, ad exchanges, ad networks, advertisers, agencies, and ad servers with which we work use third-party analytics services (e.g., Google Analytics) to evaluate your use of the App, compile reports on activity, collect demographic data, analyze performance metrics, and collect and evaluate other information relating to the App and mobile and Internet usage. These third parties use cookies and other technologies to help analyze and provide us the data. You consent to the processing of data about you by these analytics providers in the manner and for the purposes set out in this Privacy Policy. For more information on these third parties, including how to opt out from certain data collection, please visit http://www.rootkitdefense.com. Please be advised that if you opt out of any such service, you may not be able to use the full functionality of the App.
- Other Information. In addition to the Provider Personal Information, Patient Personal Information, Patient Health Information, Payment Information, and Geolocational Information, we may automatically collect or receive additional information regarding you and your use of the App; your interactions with us and our advertising; and information regarding your computer and mobile devices used to access the App (collectively, the “Other Information”). Such Other Information may include:
- From You. Additional information about yourself that you voluntarily provide to us, such as your gender and your product and service preferences.
- From Your Activity. We may collect or receive information regarding:
- IP address, which may consist of a static or dynamic IP address and will sometimes point to a specific identifiable computer or mobile device;
- Browser type and language;
- Referring and exit pages and URLs;
- Date and time; and
- Details regarding your activity on the App, such as search queries and other performance and usage data.
- About Your Mobile Device. We may collect or receive information regarding:
- Type of mobile device;
- Advertising Identifier (“IDFA” or “AdID”);
- Operating system and version (e.g., iOS, Android, or Windows);
- Carrier; and
- Network type (Wi-Fi, 3G, 4G, 5G, LTE).
- From Cookies. We may use both session cookies, which expire once you close the App, and persistent cookies, which stay on your mobile device until you delete them, and other technologies to help us collect data and to enhance your experience with the App. Cookies are small text files an app can use to recognize a repeat visitor to the app. We may use cookies for various purposes, including to:
- Personalize your experience;
- Analyze which portions of the App are visited and used most frequently; and
- Measure and optimize advertising and promotional effectiveness.
If you do not want us to deploy cookies in the App, you can opt out by setting your mobile device to reject cookies. You can still use the App if you choose to disable cookies, although your ability to use some of the features may be affected.
- Information Collected by or Through Third-Party Advertising Companies. We may share Other Information about your activity on the App with third parties for ad distribution and ad optimization (defined as the tailoring, targeting (i.e., behavioral, contextual, retargeting), analyzing, managing, reporting, and optimizing of ads). These third parties may use cookies, pixel tags (also called web beacons or clear gifs), and/or other technologies to collect Other Information for such purposes. Pixel tags enable us and these third-party advertising companies to recognize a browser’s cookie when a browser visits the site on which the pixel tag is located in order to learn which advertisement brings a user to a given site. In addition, we may receive Other Information from advertisers and/or their service providers such as advertising identifiers, IP addresses, and post-conversion data. PHI will not be shared for advertising or analytics purposes.
- How Information is Used and Shared.
- You authorize us to use the Personal Information, Payment Information, Geolocational Information, and the Other Information (collectively, the “Information”) to:
- Provide and improve our App;
- Provide our services;
- Administer our promotional programs;
- Solicit your feedback; and
- Inform you about our products and services.
- In order to provide our services and administer our promotional programs, we may share the Information with our third-party promotional and marketing partners, including, without limitation, businesses participating in our various programs.
- We may engage third-party companies and individuals to perform functions on our behalf. Examples may include providing technical assistance, customer service, marketing assistance, and administration of promotional programs. These other companies will have access to the Information only as necessary to perform their functions and to the extent permitted by law.
- In an ongoing effort to better understand our users, the App, and our products and services, we may analyze certain Information in anonymized and aggregate form to operate, maintain, manage, and improve the App and/or such products and services. This aggregate information does not identify you personally. We may share and/or license this aggregate data to our affiliates, agents, business and promotional partners, and other third parties. We may also disclose aggregated user statistics to describe the App and these products and services to current and prospective business partners and investors and to other third parties for other lawful purposes.
- We may share some or all of your Information with any of our parent companies, subsidiaries, joint ventures, or other companies under common control with us.
- As we develop our businesses, we might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, sale of assets, dissolution, or similar event, the Information may be part of the transferred assets.
- To the extent permitted by law, we may also disclose the Information:
- When required by law, court order, or other government or law enforcement authority or regulatory agency; or
- Whenever we believe that disclosing such Information is necessary or advisable, for example, to protect the rights, property, or safety of us or others, including you.
- Accessing and Modifying Information and Communication Preferences. If you have provided us any Provider Personal Information, you may access, remove, review, and/or make changes to the same by contacting us as set forth below. In addition, you will be responsible for managing Patient Personal Information. We will use commercially reasonable efforts to store and protect your information and your patient’s information within our App. You should be aware, however, that it is not always possible to completely remove or modify information in our subscription databases. Please notify us regarding your request to remove personal or patient information.
We may also deliver notifications to your mobile device (e.g., push notifications). You can disable these notifications by deleting the relevant service or by changing the settings on your mobile device.
- How We Protect Your Information. We take commercially reasonable steps to protect the Information from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. Our App comes equipped with login credentials that you will need to create, as well as Multifactor Authentication. Please utilize the best practices when it comes to storing your credential information and when authenticating your sign-in. Please understand, however, that no security system is impenetrable. We cannot guarantee the security of our databases or the databases of the third parties with which we may share such Information, nor can we guarantee that the Information you supply will not be intercepted while being transmitted over the Internet. We also utilize the services of third-party vendors like Venturit Inc. to perform cybersecurity monitoring and data protection. For more information regarding their best practices, please visit our website at: http://www.rootkitdefense.com.
- Important Notices to Non-U.S. Residents. The App and its servers are operated in the United States. If you are located outside of the United States, please be aware that your Information, including your Personal Information, your Patient Personal Information, and your Patient Health Information may be transferred to, processed, maintained, and used on computers, servers, and systems located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. If you are located outside the United States and choose to use the App, you hereby irrevocably and unconditionally consent to such transfer, processing, and use in the United States and elsewhere.
- App Stores; External Websites. Your app store (e.g., iTunes or Google Play) may collect certain information in connection with your use of the App, such as Personal Information, Payment Information, Geolocational Information, and other usage-based data. We have no control over the collection of such information by a third-party app store, and any such collection or use will be subject to that third party’s applicable privacy policies.
The App may contain links to third-party websites. We have no control over the privacy practices or the content of these websites. As such, we are not responsible for the content or the privacy policies of those third-party websites. You should check the applicable third-party privacy policy and terms of use when visiting any other websites.
- The App is not directed to children under the age of 13. We adhere to the Children’s Online Privacy Protection Act (COPPA) and will not knowingly collect Personal Information from any child under the age of 13. We ask that minors (under the age of 13) not use the App. If a child under the age of 13 has provided us with Personal Information, a parent or guardian of that child may contact us and request that such information be deleted from our records. Users will be asked to input their date of birth to identify their age.
- Changes to This Privacy Policy. This Privacy Policy is effective as of the date stated at the top of this Privacy Policy. We may change this Privacy Policy from time to time. Any such changes will be posted on the App. By accessing the App after we make any such changes to this Privacy Policy, you are deemed to have accepted such changes. Please be aware that, to the extent permitted by applicable law, our use of the Information is governed by the Privacy Policy in effect at the time we collect the Information. Please refer back to this Privacy Policy on a regular basis.
- How to Contact Us. If you have questions about this Privacy Policy, please email us at webmaster@hcbsbilling.com with “Privacy Policy” in the subject line or mail us at the following address: 1467 Hark-A-Way Road, Chester Springs, PA 19425.
- Protection of Protected Health Information (PHI)
- Definition of PHI: For the purposes of this Agreement, “Protected Health Information” (PHI) shall have the same meaning as defined under applicable federal and Pennsylvania State law, including but not limited to the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations, as well as any other relevant state statutes (3701.17 Confidentiality of protected health information; release of information in summary, statistical, or aggregate form; 192.556 Definitions for ORS 192.553 to 192.581).
- Use and Disclosure: The Subscriber agrees to use and disclose PHI only as permitted by this Agreement, applicable law, and solely for the purposes of providing services under this Agreement. The Subscriber shall not use or further disclose PHI in a manner that would violate the requirements of HIPAA or any other applicable state law (§ 1211. Use of protected health information; 17935. Restrictions on certain disclosures and sales of health information; accounting of certain protected health information disclosures; access to certain information in electronic format).
- Safeguards: The Subscriber shall implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI. These safeguards must comply with the requirements set forth in 164.504 (Uses and disclosures: Organizational requirements) and other applicable regulations (§ 164.504 Uses and disclosures: Organizational requirements; 410 ILCS 305/9.3 Business associates).
- Cybersecurity and Compliance framework: This app is protected and monitored by Rootkit Defense Cybersecurity. Rootkit Defense ensures compliance and protection with security frameworks such as NIST CSF 2.0, ISO/IEC 27001, ISO/IEC 27002, HIPAA and GDPR.
Rootkit Defense provides full encryption of PHI and PII and ensures that PHI and PII are not used for any non-security-related purpose. For more information regarding the specific practices used by Rootkit Defense, please find the Rootkit Defense: Cybersecurity & Privacy Policy Compliance on their website at: https://www.rootkitdefense.com/privacy-policy-guidelines
- Reporting: The Subscriber shall promptly report to the App Provider any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including breaches of unsecured PHI as required by 164.504 (Uses and disclosures: Organizational requirements).
- Subcontractors: The Subscriber shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Subscriber agree to the same restrictions and conditions that apply to the Subscriber with respect to such information (164.504 Uses and disclosures: Organizational requirements; 410 ILCS 305/9.3 Business associates).
- Access and Amendment: The Subscriber shall make available PHI as necessary to satisfy the App Provider’s obligations under 164.504 (Uses and disclosures: Organizational requirements) and 164.526, including providing access to PHI and incorporating any amendments to PHI (§ 164.504 Uses and disclosures: Organizational requirements).
- Indemnification: The Subscriber agrees to indemnify and hold harmless the App Provider and its affiliates, officers, directors, employees, and agents from and against any claims, liabilities, damages, costs, and expenses, including reasonable attorneys’ fees, arising out of or in connection with any unauthorized use or disclosure of PHI or any failure in security measures affecting PHI by the Subscriber or any person or entity under the Subscriber’s control.
- This clause ensures that PHI is handled in compliance with relevant laws and regulations, and that appropriate measures are in place to protect the information from unauthorized use or disclosure.
END OF POLICY
HIPAA NOTICE OF PRIVACY PRACTICES
This notice describes how patient medical information may be used and disclosed and how they can get access to this information. Please review it carefully.
Our Responsibilities:
We understand that information about you and your patient’s health information is very personal. We strive to protect our patients’ privacy. We are required by law to maintain the privacy of your and our patients’ protected health information (“PHI”). We are also required to provide notice of our legal duties and privacy practices with respect to PHI and to abide by the terms of the Notice of Privacy Practices currently in effect. We will promptly notify you and your patients if a breach occurs that may have compromised the privacy or security of your PHI. We must follow the duties and privacy practices described in this notice and provide you with a copy. We will not use or share your PHI other than as described here unless you tell us in writing that we can. If you tell us we can, you may change your mind at any time by notifying us in writing.
Who this notice applies to:
The terms of this Notice apply to HCBS Billing Solutions LLC, HSBC Provider Inc., and to the licensed professionals, employees, independent contractors, volunteers, and trainees seeing, treating, or otherwise interacting with patients, and the patients or clients themselves of HCBS Provider. We are committed to excellence in providing state-of-the-art care services through the practice of patient and client care, education, and research.
Your Rights:
- Get an electronic or paper copy of your medical records. Generally, you can access and inspect paper or electronic copies of certain PHI that we maintain about you by contacting [CONTACT INFORMATION]
- Request confidential communication. You can request that we communicate with you through alternative means or at alternative locations, and we will accommodate reasonable requests.
- Ask us to limit the information we share. You can request restrictions on certain of our uses and disclosures of your PHI for treatment, payment, or health care operations. We are not required to agree but will attempt to accommodate reasonable requests when appropriate.
- Get a list of those with whom we’ve shared your information. In accordance with applicable law, you can ask for an accounting of certain disclosures made by us of your PHI. This request must be in writing and signed by you or your representative. This does not include disclosures made for purposes of treatment, payment, or health care operations or for certain other limited exceptions. An accounting will include disclosures made in the six years prior to the date of a request.
- Get a copy of this privacy notice.
- Amendments to PHI. You can request amendments or changes to certain PHI about you that you think may be incorrect or incomplete. You can also make a request to choose someone to act for you. All requests must be made in writing, signed by you or your representative, and state the reasons for the request. If we decide to make an amendment, we may also notify others who have copies of the information about the change.
- File a complaint if you believe your privacy rights have been violated.
Our Uses and Disclosures:
We may use and share your PHI. There are certain uses and disclosures of your or a patient’s protected health information that do not require authorization and some that do. The below are examples of our use and disclosures that do and do not require authorization:
- Treat you. For Providers to treat you, plan treatment or render services they will have access to your PHI.
- Run our organization. We use information to maintain a directory listing your PII or PHI to manage schedules and care plans.
- Bill for your services. For example, we may disclose information regarding your medical procedures and treatment to your insurance company to arrange payment for the services provided to you.
- Communicating with You. We will use your PHI to communicate with you about a number of important topics, including information about appointments, your care, treatment options and other health-related services, payment for your care, and opportunities to participate in research.
- We may use and disclose your PHI as permitted by applicable law for research. This is subject to your authorization.
- Complying with the laws as required, including aiding investigations or emergencies such as preventing an imminent threat to a person or the public.
- If necessary and required, working with a medical examiner or funeral director.
- Addressing workers’ compensation, law enforcement, and other government requests.
- Responding to lawsuits and legal actions.
Changes to the Terms of this Notice
We reserve the right to change the terms of this Notice and to make a new Notice effective for all PHI we maintain. We can change the terms of this notice, and the changes will apply to all information we have about you. The new notice will be available upon request in our mobile app.
Contact Information
For more information about our privacy practices, to exercise your rights, or to file a complaint, please contact our Privacy Officer at [CONTACT INFORMATION].
