Privacy Policy
This Privacy Policy explains how Dion Health Management Company LLC(“we,” “us”) collects, uses, discloses, and safeguards information in connection with the MedFlow RCMplatform (the “Service”). It applies to information we process as a service provider to healthcare practices and, where applicable, as a Business Associate under HIPAA.
1. Scope & Roles
Healthcare practices that use the Service are the data controllers and HIPAA Covered Entities (or their Business Associates) for the Protected Health Information (“PHI”) they process through the Service. We act on their behalf and under their instructions, governed by a Business Associate Agreement. This Policy does not modify the privacy notices that practices provide to their own patients.
2. Information We Process
- Account & contact data — names, work email addresses, and role of practice staff who use the Service.
- Protected Health Information — patient demographics, insurance and eligibility data, procedures and clinical context used to build claims, claim and remittance data, and account balances, processed at the direction of the practice.
- Integration credentials — credentials you provide to connect third-party systems, used solely to exchange data on your behalf.
- Usage & log data — application logs, audit records, and security telemetry used to operate and secure the Service.
3. How We Use Information
- To provide, maintain, and support the Service.
- To prepare, submit, and reconcile insurance claims and remittances at your direction.
- To secure the Service, detect and prevent fraud or abuse, and maintain audit trails.
- To comply with legal obligations.
We do not sell PHI. We do not use PHI for advertising. We use PHI only as permitted by the applicable BAA and HIPAA.
4. Disclosure of Information
We disclose information only as follows:
- Subprocessors — vetted service providers (for example, cloud hosting, database, and clearinghouse providers) that process data on our behalf under written agreements, including BAAs where PHI is involved. A current list is available on request.
- At your direction — to third-party systems you connect, such as practice management, imaging, and clearinghouse platforms.
- Legal & safety — when required by law or to protect rights and safety.
- Business transfers — in connection with a merger or acquisition, subject to this Policy and applicable law.
5. Security
We maintain administrative, technical, and physical safeguards designed to protect information, including role-based access control, tenant isolation enforced at the database layer, encryption in transit, and audit logging. Our current security posture and roadmap are described on our Security page. No method of transmission or storage is fully secure, and we cannot guarantee absolute security.
6. Data Retention
We retain information for as long as needed to provide the Service and as required by the applicable BAA, your instructions, and law. Upon termination, we make data available for export for thirty (30) days, after which we delete or de-identify it within ninety (90) days of your termination date, consistent with the BAA.
7. Your Choices & Patient Rights
Because practices control the PHI processed through the Service, patient requests to access, amend, or restrict PHI should be directed to the practice. We support practices in fulfilling such requests as required by HIPAA and the BAA.
8. International Data
The Service is operated in the United States and intended for U.S. healthcare practices.
9. Changes
We may update this Policy. Material changes will be communicated, and the effective date above will be revised.
10. Contact
Privacy questions may be directed to privacy@dionhealth.com.
← Back to home