Privacy Policy

Last updated: 2026-05-21

What we collect

To draft your appeal letter, escalation letters (second-level, external review), peer-to-peer prep, and supporting tools, we collect and process:

• Your email address
• The denial letter file you upload
• Your insurance company, plan name, and requested drug
• Clinical context relevant to the appeal — diagnoses, lab values, prior therapies, and other facts you supply about your medical history
• Your treating physician’s name (and optionally, email)
• Technical data such as IP address and browser metadata, used for security and audit compliance

How we use it

We use the information you provide only to:

• Draft your appeal letter at any level (first-level, second-level, external review), and on request, generate a peer-to-peer call brief or letter summary
• Send you that letter and related communications
• Maintain HIPAA audit logs of PHI access
• Operate, maintain, and secure the Service
• Comply with legal obligations

We do NOT sell or rent your information, and we do NOT train public AI models on your PHI. AI processing happens through the named sub-processors below, each selected for their HIPAA-aligned posture. Business Associate Agreements are signed and in place with every sub-processor that handles PHI (AWS 2026-05-08, Google Workspace 2026-05-12, Paubox 2026-05-16).

HIPAA and PHI handling

PHI in our database is encrypted at rest with SQLCipher (AES-256). Every access to PHI is logged in an immutable audit log (per HIPAA §164.312). DenialHelp, LLC has designated Michael John Ryan as Privacy Officer and Security Officer per §164.530(a)(1) and §164.308(a)(2). A current Security Risk Analysis is on file (most recently signed 2026-05-08, per §164.308(a)(1)(ii)(A)). Where PHI flows to third-party sub-processors, Business Associate Agreements are signed and in place as of 2026-05-21; the sub-processor list below tracks current status with signed dates.

Sub-processors

We use the following third-party sub-processors. Each is selected for HIPAA-aligned posture; vendors that handle PHI sit behind a Business Associate Agreement (BAA) before any PHI flows to them. BAA status as of the date above:

• Google Workspace — corporate email ([email protected] and aliases) and Google Drive used for internal operations. May receive PHI when patients or clinicians email PHI to denialhelp.com addresses. Covered by Google's HIPAA Business Associate Addendum, accepted by [email protected] on 2026-05-12 on Workspace Business Standard. Only services on Google's HIPAA-Covered Services list (Gmail, Drive, Docs, Meet, Calendar, Chat) are used for PHI; non-Covered services and third-party add-ons are restricted by admin policy.
• Amazon Web Services — public TLS gateway (Lightsail, Sydney), document OCR (Textract), and S3 (encrypted offsite backups). Covered by our signed AWS Business Associate Addendum from 2026-05-08. PHI flows over private channels (Tailscale tailnet from Lightsail to our home server) and is encrypted at rest with SQLCipher (AES-256) on top of LUKS-encrypted disk.
• Anthropic — letter generation and post-generation AI quality passes (fact-check, adversarial review, summary, peer-to-peer prep, insurer-policy retrieval). PHI is de-identified before any direct-API call via our HIPAA Safe Harbor redaction pipeline (Microsoft Presidio NER + 16-class regex pass + outbound gate). The Anthropic direct API only ever receives de-identified text — the de-identification mapping table is in-process only and never persisted. The original PHI never leaves our LUKS+SQLCipher-encrypted volume. Direct Anthropic BAA requested 2026-05-01 and queued.
• Stripe — payment processing. Receives only PHI-free metadata (customer email, opaque appeal/customer IDs, tier name). Drug, insurer, and clinical fields stay in our local encrypted database. We rely on the HIPAA financial-institution / payment-conduit exception (45 CFR 164.501) so a Stripe BAA is not required.
• Transactional email — delivered by Paubox Email API. Covered by Paubox's own HIPAA Business Associate Agreement, signed 2026-05-16 (separate from the AWS BAA). Email-content metadata includes your address, subject, and basic appeal context (insurer, treatment). Earlier email vendors evaluated and discarded for HIPAA reasons: AWS SES (3 production-access denials, abandoned 2026-05-16), Resend (no BAA available, migrated away 2026-05-08), Postmark (refused to sign BAA, migrated away 2026-05-09).
• Cloudflare — DNS only. Cloudflare's authoritative name servers resolve denialhelp.com to our AWS Lightsail gateway. PHI does NOT flow through Cloudflare's proxy or CDN; that path was decommissioned 2026-05-08 in favour of AWS (which has a signed BAA covering Lightsail, Textract, and S3).
• SRFax (HIPAA-compliant fax delivery) — used only when fax submission is enabled and the user opts in. Off by default; activated only after a signed BAA with SRFax is in place. SRFax is HIPAA-aligned by vendor design (its plans include BAA at no additional charge).
• Hunter.io / Apollo.io / Google Workspace SMTP — used only for our Pro-tier clinician-outreach workflows; these vendors do NOT receive any patient PHI.
• Headless Chrome / Playwright (operated by us) — used to fetch publicly available insurer coverage policies from insurer websites. No PHI is sent outbound; only the insurer name, plan type, and drug class are used as search inputs.

Outcome-report email links

Approximately 28 days after we send your appeal letter, we email you a follow-up message with three one-click links: "Approved", "Denied", and "Still waiting". These links contain a cryptographically signed token (HMAC-SHA256) bound to your appeal ID, the chosen outcome, and a 90-day expiry. Clicking a link shows a confirmation page; we record the outcome only after you confirm. Anyone with possession of the email link is able to record the outcome — we recommend you do not forward the email. The token cannot be used for any purpose other than recording an outcome on the specific appeal it was issued for.

Data retention

Anonymous denial-letter uploads (made before you create an appeal) are automatically deleted within 24 hours. Once you create an appeal, your appeal record and uploaded documents are retained for up to 7 years from the date you last use the Service, in accordance with typical HIPAA retention recommendations. Audit-log metadata (who accessed what, when — no PHI content) is retained for 6 years per HIPAA §164.312. You may permanently delete your appeal and all associated data at any time via the "Delete my data" link on your dashboard, or by emailing [email protected].

Your rights

You may at any time:

• Request access to the PHI we hold about you
• Request correction of inaccurate information
• Request deletion of your account and data
• Request an accounting of disclosures of your PHI

California residents have additional rights under the CCPA. EU/UK residents have rights under GDPR/UK GDPR. We honor these rights.

Security

We use encryption in transit (TLS 1.3), encryption at rest (AES-256), immutable audit logging, role-based access controls, and regular security reviews. No system is perfectly secure; in the event of a breach that impacts your PHI, we will notify you within the timeframe required by HIPAA.

Contact

For privacy inquiries, deletion requests, or to exercise your rights, email our Privacy Officer at [email protected]. The Privacy Officer is Michael John Ryan, designated under HIPAA §164.530(a)(1) and §164.308(a)(2). DenialHelp, LLC is a Delaware limited-liability company.