Privacy Policy

Information We Collect

Vera RCM collects information necessary to provide our revenue cycle management and healthcare billing services. The types of information we collect include personal information such as your name, email address, phone number, and organization details. For healthcare providers using our services, we also collect Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act. This includes patient demographics, insurance information, clinical codes, and billing data needed to process claims and manage revenue cycles.

We collect this information through direct submission via our forms and client portals, through agreements and service contracts, and through automated processes as part of our claims management and billing services. We do not collect information from cookies or tracking technologies that identify individuals — we use only essential cookies to maintain secure sessions and improve our website functionality.

How We Use Information

We use the information we collect for specific healthcare and business purposes. Your information enables us to provide revenue cycle management services, process and submit insurance claims, manage denials and appeals, optimize billing workflows, and generate reports and analytics for your practice. We use your contact information to communicate about your services, respond to inquiries, and provide customer support.

Healthcare data is used exclusively for the purposes outlined in our service agreements with your practice. We do not use healthcare information for marketing, advertising, or sale to third parties. All use of your information complies with HIPAA regulations and our Business Associate Agreements.

HIPAA & Protected Health Information

Vera RCM is a HIPAA-compliant Business Associate. We comply with all requirements of the Health Insurance Portability and Accountability Act and maintain a Business Associate Agreement (BAA) with covered entities that use our services. This means we have implemented comprehensive policies, procedures, and technical safeguards to protect Protected Health Information.

Our HIPAA compliance includes administrative, physical, and technical security measures. We conduct regular security audits and risk assessments, maintain an incident response protocol, provide employee training on privacy and security, and limit access to PHI to authorized personnel with documented need-to-know. Patient medical records and clinical information are stored in secure, encrypted systems with access controls and audit logging.

We do not disclose PHI except as required by law, as permitted by the BAA with your covered entity, or to subcontractors who are also bound by HIPAA requirements. Individuals have the right to request restrictions on uses and disclosures of their PHI, and healthcare providers can request access to or amendment of patient records in our systems.

Data Security

Data security is fundamental to our operations. We employ industry-standard encryption for data in transit and at rest, using TLS 1.2 or higher for all communications and AES-256 encryption for stored data. Our infrastructure is hosted on secure, dedicated servers with intrusion detection and prevention systems, firewalls, and continuous monitoring.

Access to sensitive information is restricted through role-based access controls, multi-factor authentication, and unique user credentials. We maintain comprehensive audit logs of all access and modifications to healthcare data. Our systems undergo regular security assessments, penetration testing, and vulnerability scanning to identify and remediate risks. We maintain business continuity and disaster recovery plans to ensure service availability and data integrity.

All employees and contractors with access to healthcare data receive security awareness training and are required to sign confidentiality agreements. We maintain strict background check requirements for personnel with PHI access.

All data is stored and processed within the United States.

Third-Party Services

We work with carefully vetted third-party service providers to support our operations, including cloud infrastructure providers, payment processors, and specialized healthcare technology vendors. All third-party providers who have access to healthcare data are required to sign Business Associate Agreements and maintain HIPAA compliance.

We do not sell, rent, or share your healthcare information with third parties for marketing, advertising, or unrelated business purposes. Third-party access is limited to what is necessary to perform specific functions on your behalf and only under strict contractual safeguards.

Our website loads fonts from Google Fonts, which may collect usage data per Google's privacy policy.

Data Retention

We retain healthcare and business information only as long as necessary to provide services, comply with legal requirements, or fulfill the purposes for which it was collected. For patient healthcare information, retention periods comply with state and federal law, typically requiring retention for a minimum period after the last encounter or service.

We maintain archived billing and claims records to support compliance, audit requirements, and historical analysis. When information is no longer needed, we securely destroy it through methods that prevent recovery, such as encryption key destruction or physical destruction of storage media. Specific retention schedules are detailed in our service agreements and data handling policies.

Your Rights

Under HIPAA and applicable privacy laws, individuals have rights regarding their healthcare information. These include the right to access their PHI, request correction of inaccurate information, request restrictions on uses and disclosures, request confidential communication, request an accounting of disclosures, and receive notice of privacy practices.

Healthcare providers and covered entities may submit requests on behalf of patients. We respond to all valid requests within the timeframes specified by law. To submit a request regarding your healthcare information, please contact us at the address provided below.

Children's Privacy

Our services are designed for healthcare providers and business professionals, not for children under 13 years old. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will take steps to delete such information and terminate the child's account if applicable.

State-Specific Privacy Rights

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, request deletion, and opt out of certain data sharing. Vera RCM processes healthcare data primarily as a HIPAA-covered business associate, which may be exempt from certain CCPA requirements. To exercise any privacy rights, contact us at info@verarcm.com.

Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. We will provide notice of material changes by updating the effective date and, when appropriate, by sending you a notice or email. Your continued use of our services following the posting of changes constitutes your acceptance of those changes.

Use of our services is also governed by our Terms of Service.

Contact Us

If you have questions about this Privacy Policy, concerns about our privacy practices, or wish to exercise your rights regarding your information, please contact us: