HIPAA Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Apex Flow Revenue Cycle Solutions LLC is a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). As a medical billing and revenue cycle management firm, we receive, process, and transmit Protected Health Information (PHI) on behalf of covered healthcare providers (our clients).

1. Our Role Under HIPAA

Apex Flow Revenue Cycle Solutions LLC operates as a Business Associate as defined under 45 CFR 160.103. We do not directly treat patients. We process PHI solely to perform medical billing, claims submission, denial management, A/R recovery, and related revenue cycle services on behalf of our healthcare provider clients (Covered Entities).

All PHI received, processed, or transmitted by Apex Flow is governed by executed HIPAA Business Associate Agreements (BAAs) with each Covered Entity client.

2. How We Use & Disclose PHI

We use and disclose PHI only as permitted or required by our BAA and applicable HIPAA regulations, including:

• Treatment, Payment & Operations: Submitting insurance claims, following up on denials, posting payments, and recovering aged A/R on behalf of provider clients
• Clearinghouse Transmission: Routing claims through HIPAA-compliant electronic data interchange (EDI) clearinghouses such as Availity and Office Ally
• Legal Requirements: Disclosing PHI when required by law, court order, or government authority
• Business Operations: Internal management and administration as permitted under 45 CFR 164.506
• Subcontractors: Any subcontractors (including offshore billing staff) who access PHI are bound by independent BAAs with equivalent protections

3. Our Safeguards & Security Measures

4. Breach Notification

In the event of a breach of unsecured PHI, Apex Flow will notify the affected Covered Entity within five (5) business days of discovery, in accordance with 45 CFR 164.410. The Covered Entity is then responsible for notifying affected individuals and the Department of Health and Human Services (HHS) as required by the HIPAA Breach Notification Rule.

5. Minimum Necessary Standard

Apex Flow limits the use and disclosure of PHI to the minimum necessary to accomplish the intended billing and revenue cycle purpose, in compliance with 45 CFR 164.502(b). Staff access to PHI is role-based and restricted to what is required to perform their specific job functions.

6. Retention & Destruction of PHI

Upon termination of services, Apex Flow will return or destroy all PHI in its possession within the timeframe specified in the BAA. Any PHI that cannot feasibly be returned or destroyed will be protected in accordance with HIPAA for as long as it is retained, with use and disclosure limited to the purposes that make return or destruction infeasible.

7. Your Rights as a Patient

As a Business Associate, Apex Flow does not have a direct relationship with patients. Patient rights under HIPAA (access to records, amendment requests, accounting of disclosures) should be directed to the healthcare provider (Covered Entity) whose services generated the PHI.

If you are a patient with questions about how your information was used in connection with billing, please contact your healthcare provider directly.

8. Filing a Complaint

If you believe your privacy rights have been violated, you may file a complaint with:

We will not retaliate against you for filing a complaint.

9. Contact Our Privacy Officer