Privacy Policy

This Privacy Policy explains how Dion Health Management Company LLC(“we,” “us”) collects, uses, discloses, and safeguards information in connection with the MedFlow RCMplatform (the “Service”). It applies to information we process as a service provider to healthcare practices and, where applicable, as a Business Associate under HIPAA.

1. Scope & Roles

Healthcare practices that use the Service are the data controllers and HIPAA Covered Entities (or their Business Associates) for the Protected Health Information (“PHI”) they process through the Service. We act on their behalf and under their instructions, governed by a Business Associate Agreement. This Policy does not modify the privacy notices that practices provide to their own patients.

2. Information We Process

3. How We Use Information

We do not sell PHI. We do not use PHI for advertising. We use PHI only as permitted by the applicable BAA and HIPAA.

4. Disclosure of Information

We disclose information only as follows:

5. Security

We maintain administrative, technical, and physical safeguards designed to protect information, including role-based access control, tenant isolation enforced at the database layer, encryption in transit, and audit logging. Our current security posture and roadmap are described on our Security page. No method of transmission or storage is fully secure, and we cannot guarantee absolute security.

6. Data Retention

We retain information for as long as needed to provide the Service and as required by the applicable BAA, your instructions, and law. Upon termination, we make data available for export for thirty (30) days, after which we delete or de-identify it within ninety (90) days of your termination date, consistent with the BAA.

7. Your Choices & Patient Rights

Because practices control the PHI processed through the Service, patient requests to access, amend, or restrict PHI should be directed to the practice. We support practices in fulfilling such requests as required by HIPAA and the BAA.

8. International Data

The Service is operated in the United States and intended for U.S. healthcare practices.

9. Changes

We may update this Policy. Material changes will be communicated, and the effective date above will be revised.

10. Contact

Privacy questions may be directed to privacy@dionhealth.com.

← Back to home