Privacy Policy - Muni Appeals

Effective Date: October 3, 2025

Last Updated: October 3, 2025

Overview

Muni Appeals ("we," "our," or "us") is committed to protecting the privacy and security of your personal information and protected health information (PHI). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered insurance appeal generation service.

By using our service, you acknowledge that you have read and understood this Privacy Policy.

Information We Collect

Protected Health Information (PHI)

We temporarily process PHI to provide our insurance appeal generation services, including:

  • Patient names and identifiers
  • Medical diagnoses and treatment information
  • Insurance policy and claim numbers
  • Healthcare provider information
  • Denial letters and related medical documentation

Important: We do not store PHI in our systems. PHI is processed temporarily to extract clinical context and then immediately discarded.

Personal Information

We also collect non-medical personal information, including:

  • Contact information (name, email, phone number)
  • Professional information (medical practice details, credentials)
  • Account information (username, password, billing details)
  • Usage data (how you interact with our service)

Technical Information

We automatically collect certain technical information:

  • IP addresses and device identifiers
  • Browser type and operating system
  • Usage patterns and service performance data
  • Log files and error reports

How We Use Your Information

Primary Purposes

We use your information to:

  • Generate AI-powered insurance appeal templates using de-identified data
  • Provide customer support and technical assistance
  • Process payments and manage your account
  • Improve our services and develop new features
  • Comply with legal and regulatory requirements

AI Processing

We use artificial intelligence to analyze denial patterns and generate appeal arguments. To protect your PHI:

  • We extract only non-identifying elements (procedure codes, denial types, insurer categories) for AI analysis
  • Patient names, dates, and other identifying information are never sent to AI models
  • AI models generate template responses with placeholders for personalized completion
  • All AI processing uses de-identified data that cannot be traced back to specific individuals

Secondary Purposes

With your consent or as permitted by law, we may use information for:

  • Research and development (using de-identified data only)
  • Marketing communications about our services
  • Industry trend analysis and reporting

How We Protect Your Information

Technical Safeguards

  • Secure Processing: PHI is processed in secure server sessions and immediately discarded
  • No PHI Storage: No PHI is stored in any database or file system
  • Secure Transmission: All data transmission uses TLS 1.3 encryption
  • Access Controls: Multi-factor authentication and role-based access
  • Audit Logging: Comprehensive logging of all PHI processing activities (without storing PHI content)

Administrative Safeguards

  • HIPAA Compliance: We maintain HIPAA compliance programs and procedures
  • Staff Training: All personnel receive privacy and security training
  • Business Associate Agreements: Required with all third-party vendors
  • Incident Response: Formal procedures for security incident management

Physical Safeguards

  • Secure Infrastructure: Data hosted in SOC 2 certified facilities
  • Workstation Security: Secured development and administrative workstations
  • Facility Access: Controlled access to areas containing PHI

Information Sharing and Disclosure

Business Associates

We may share your PHI with business associates who help us provide our services:

  • Cloud Infrastructure Providers: Secure hosting for temporary PHI processing sessions only

Services that do NOT handle PHI:

  • Authentication Services: User login and account management only
  • Payment Processing: Billing information only, no health data
  • AI Services: Receive only de-identified, non-PHI data for analysis

Only business associates who handle PHI are required to sign HIPAA-compliant agreements and maintain appropriate safeguards.

Legal Requirements

We may disclose information when required by law:

  • Court orders, subpoenas, or other legal processes
  • Law enforcement investigations
  • Public health and safety emergencies
  • Regulatory compliance and oversight

Business Transactions

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction, subject to equivalent privacy protections.

Your Rights and Choices

HIPAA Rights

If you are a covered entity or individual whose PHI we process, you have the right to:

  • Access: Request information about PHI processing activities (we do not store PHI records)
  • Amendment: Any amendments would be handled by your covered entity (we do not store PHI)
  • Restriction: Request limits on how we process your PHI during service delivery
  • Accounting: Receive a list of PHI processing activities we have performed
  • Confidential Communications: Request communications through alternative means
  • Complaint: File complaints about our privacy practices

Account Management

You can:

  • Update your account information and preferences
  • Request deletion of your account and associated data
  • Opt out of marketing communications
  • Download or transfer your data

Exercising Your Rights

To exercise any of these rights, contact us at:

Privacy Officer: Chief Privacy Officer
Email: legal@muni.health

We will respond to requests within 30 days and may require identity verification.

Data Retention

We retain your information for as long as necessary to:

  • Provide ongoing services
  • Comply with legal and regulatory requirements
  • Resolve disputes and enforce agreements

Specific Retention Periods:

  • PHI: Not stored - processed temporarily and immediately discarded
  • Scrubbed Training Data: Retained indefinitely for service improvement (contains no PHI)
  • Account Information: Until account deletion requested
  • Audit Logs: 6 years for compliance purposes
  • Marketing Data: Until opt-out requested

Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child under 18, we will take steps to delete such information promptly.

International Data Transfers

Our services are operated from the United States. If you are located outside the U.S., your information will be transferred to and processed in the United States, where privacy laws may differ from those in your jurisdiction.

Third-Party Services

Our service may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those external services. We encourage you to review the privacy policies of any third-party services you use.

Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will:

  • Post updates on our website with the effective date
  • Notify you of material changes via email or service notifications
  • Maintain previous versions for reference

Continued use of our services after updates constitutes acceptance of the revised policy.

State-Specific Rights

California Residents (CCPA)

California residents have additional rights under the California Consumer Privacy Act:

  • Right to know what personal information is collected and how it's used
  • Right to delete personal information (subject to legal exceptions)
  • Right to opt out of sale of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising CCPA rights

Other State Laws

Residents of other states may have additional rights under applicable state privacy laws. Contact us for information about your specific rights.

Contact Information

Privacy Officer

Name: Chief Privacy Officer
Title: Privacy Officer & Security Officer
Email: legal@muni.health

Business Address

Muni Health LLC
Legal Department
Contact: legal@muni.health

HIPAA Complaints

You may file complaints about our privacy practices with:

U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Phone: 1-877-696-6775
Website: www.hhs.gov/ocr/privacy/

Definitions

  • PHI (Protected Health Information): Individually identifiable health information transmitted or maintained in any form or medium by a covered entity or business associate.
  • Business Associate: A person or entity that performs certain functions or activities on behalf of a covered entity that involve access to PHI.
  • Covered Entity: Healthcare providers, health plans, and healthcare clearinghouses that transmit health information electronically.
  • De-identified Information: Information that does not identify an individual and for which there is no reasonable basis to believe it can be used to identify an individual.