CMAS is committed to protecting the privacy and security of all information we handle, including Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
1. Information We Collect
CMAS collects and processes the following types of information in connection with our healthcare administrative services:
- Protected Health Information (PHI): Patient health data received from our healthcare provider clients, including clinical notes, medical records, appointment information, and communication records.
- Business Contact Information: Names, phone numbers, email addresses, and organization details of healthcare providers and their staff.
- Technical Data: Device information, IP addresses, and usage logs necessary for service delivery and security monitoring.
2. How We Use Information
We use collected information solely for the purpose of delivering our contracted healthcare administrative services:
- Clinical Visit Documentation: Transcribing and processing clinical encounter notes for entry into Electronic Health Records (EHR).
- Clinical Coding & Charge Capture: Assigning medical codes (ICD-10, CPT) and facilitating billing submissions.
- Clinical Message Handling: Receiving, triaging, and routing clinical communications between clinics and physicians via SMS, email, and other messaging channels.
- Service Communication: Sending appointment reminders, follow-up notifications, and operational messages to clinics and providers via SMS and other channels.
3. SMS & Messaging Communications
CMAS uses messaging services (including Twilio) to facilitate:
- One-time verification codes (OTP) sent via SMS to verify user identity during login or two-factor authentication (2FA)
- Two-way SMS communication between clinics and their contracted physicians
- Automated appointment reminders and scheduling notifications
- Clinical message triaging and routing to appropriate medical personnel
Opt-In Consent for SMS
By providing your phone number and opting into our text messaging program, you consent to receive one-time transactional security codes and service-related messages on your mobile device. Standard message and data rates may apply.
Opt-in consent is collected at the point of phone number entry in our application's verification or sign-up flow. Before submitting, the user is informed that an OTP message will be sent. Consent timestamp and phone number are recorded in our system.
Opt-Out & Help
To stop receiving non-clinical SMS messages, reply STOP to the number from which you received the message.
For assistance, reply HELP to the number from which you received the message.
You may also contact us at [email protected].
Clinical communications necessary for care delivery are managed in accordance with our clients' healthcare provider policies and HIPAA regulations.
4. Data Sharing & Disclosure
CMAS does not sell, rent, or trade personal information. We may disclose information only to:
- Healthcare Provider Clients: The physicians and clinics who engage our services, for the purpose of patient care and practice administration.
- Business Associates: Vendors and subcontractors who assist in service delivery, under executed Business Associate Agreements (BAA) as required by HIPAA.
- Legal Requirements: When required by law, regulation, or legal process.
5. Data Security
CMAS maintains administrative, technical, and physical safeguards to protect PHI in compliance with the HIPAA Security Rule (45 C.F.R. Part 164). This includes:
- Encryption of data in transit and at rest
- Access controls and authentication
- Audit logging and monitoring
- Employee training on HIPAA compliance
- Incident response and breach notification procedures
6. HIPAA Compliance
CMAS operates as a Business Associate under HIPAA. We maintain a comprehensive HIPAA compliance program and execute Business Associate Agreements with all clients and applicable subcontractors. For breach notification, CMAS will notify affected covered entities without unreasonable delay and no later than 60 days as required by 45 C.F.R. § 164.410.
7. Data Retention & Deletion
We retain PHI and business information for the duration required by our client agreements and applicable legal requirements. Upon termination of services, data is securely deleted or returned in accordance with contractual obligations.
8. Your Rights
If you are a patient with questions or concerns about your health information, please contact your healthcare provider directly. If you are a client or business contact, you may contact CMAS regarding your data by using the information below.
9. Contact Us
For privacy-related inquiries, please contact:
Compass Medical Admin Services LLC
Email: [email protected]
See also: Terms of Use