HIPAA Notice of Privacy Practices

Effective date: June 18, 2026
Last updated: June 18, 2026

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

This notice is required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations at 45 CFR Parts 160 and 164.
Plain-English Summary: When you use AuthFight, you share health information with us — like your diagnosis and denial details. This page explains exactly what we do with that information, who we can share it with, and the legal rights you have over it at all times.
01. Who We Are

AuthFight, Inc. ("AuthFight") operates as a Business Associate under HIPAA. This means we receive, create, and transmit Protected Health Information (PHI) on behalf of patients and, where applicable, in connection with Covered Entities such as your physician or health plan.

As a Business Associate, we are directly required to comply with HIPAA's Privacy Rule (45 CFR Part 164, Subpart E) and Security Rule (45 CFR Part 164, Subpart C), and we are subject to the same enforcement and penalty provisions that apply to Covered Entities.

We enter into Business Associate Agreements (BAAs) with physician reviewers and other vendors who access PHI in connection with our service, ensuring your information is protected throughout the appeal process.

02. What Is Protected Health Information

Protected Health Information (PHI) is any information we hold about you that relates to your past, present, or future physical or mental health condition, the healthcare services you receive, or payment for those services — and that could reasonably be used to identify you.

PHI includes information in any form: written, electronic (ePHI), or verbal. The following identifiers, when combined with health information, make data PHI under HIPAA:

  • Name
  • Address
  • Dates (DOB, admission)
  • Phone numbers
  • Email address
  • Social Security Number
  • Medical record numbers
  • Health plan numbers
  • Account numbers
  • Certificate / license numbers
  • Device identifiers
  • Web URLs
  • IP addresses
  • Biometric identifiers
  • Full-face photos
  • Geographic data
  • Fax numbers
  • Any unique identifier

In the context of AuthFight, the PHI we typically hold includes your name, diagnosis, prescribed medication or procedure, prescribing physician's name, insurer name and member ID, and the contents of your denial letter and appeal documents.

03. How We Use Your PHI

We use your PHI only for purposes directly related to building and submitting your insurance appeal. Specifically:

Appeal preparation

We use your diagnosis, denial code, denial letter contents, and medical history you provide to decode your denial, calculate your Fight Score, and generate a personalized appeal letter that accurately reflects your clinical situation.

Deadline tracking and reminders

We use your denial date, insurer name, and plan type to calculate your legal appeal deadlines and send you reminders before those windows close.

Physician coordination

We use your PHI to share your appeal draft with a licensed physician reviewer, who reviews the letter for clinical accuracy and medical appropriateness before it is submitted to your insurer.

Platform operations

We use de-identified, aggregated data — from which all PHI identifiers have been removed — to understand appeal outcomes, improve our Fight Score accuracy, and develop new features. De-identified data is not PHI and is not subject to HIPAA restrictions.

We do not use your PHI for marketing. We will never use or sell your health information to advertise products or services to you or to third parties, including pharmaceutical companies, data brokers, or insurers outside your active appeal.

04. How We Disclose Your PHI

We disclose your PHI only in the following circumstances. Every disclosure is limited to the minimum information necessary to accomplish its specific purpose.

Recipient · Purpose & What Is Shared

  • Physician reviewers: Licensed physicians in the relevant specialty receive your denial details, diagnosis, and appeal draft to review for clinical accuracy and co-sign before submission. All reviewers operate under BAAs.
  • Your health insurer: Your signed appeal letter, supporting clinical documentation, and insurance identifiers (member ID, group number, denial reference) are submitted to your insurer on your behalf, at your direction, to process your appeal.
  • External reviewers: If you elect to pursue external independent review after an internal appeal denial, we share your appeal record with the independent review organization (IRO) assigned by your state or the federal government.
  • Service providers: Vendors providing cloud hosting, encrypted document delivery, and platform infrastructure may process ePHI as part of our operations. All operate under BAAs and are contractually bound to HIPAA standards.
  • Legal requirements: We may disclose PHI when required by law, court order, or subpoena, or to prevent or lessen a serious and imminent threat to health or safety, as permitted under 45 CFR §164.512.
  • HHS / Regulators: We may disclose PHI to the U.S. Department of Health and Human Services (HHS) for compliance investigations or enforcement proceedings as required under 45 CFR §164.502(a)(2)(ii).

We do not disclose your PHI to employers, life insurers, financial institutions, data brokers, pharmaceutical companies, or any marketing entity.

05. When We Need Your Authorization

The uses and disclosures described above are permitted under HIPAA without your specific written authorization because they are necessary to perform the service you requested. For any use or disclosure not described in this notice, we will ask for your written authorization before proceeding.

Uses that always require your written authorization include:

  • Most uses of PHI for marketing purposes
  • Sale of PHI to any third party
  • Disclosures of psychotherapy notes
  • Any use not otherwise permitted by the HIPAA Privacy Rule

Revoking your authorization

You may revoke a written authorization at any time by notifying us in writing at privacy@authfight.com. Revocation takes effect upon our receipt of your written notice. It does not apply to actions we have already taken based on your prior authorization. Please note that revoking authorization for us to process your PHI will prevent us from continuing to work on your appeal.

06. Your HIPAA Rights

HIPAA gives you specific rights over your Protected Health Information. You may exercise any of these rights by emailing privacy@authfight.com with the subject line "HIPAA Rights Request". We will respond within 30 days, as required by law.

Right to Access

You may request a copy of your PHI that we hold in a designated record set. We will provide access within 30 days. We may provide records electronically upon request at no charge.

Right to Amend

If you believe PHI in our records is inaccurate or incomplete, you may request an amendment. We may deny the request in certain limited circumstances and will explain why in writing.

Right to an Accounting

You may request a list of disclosures of your PHI we have made in the past six years, other than disclosures made for treatment, payment, or healthcare operations.

Right to Request Restrictions

You may request that we limit certain uses or disclosures of your PHI. We are not required to agree to all restriction requests, but will honor those we accept in writing.

Right to Confidential Communications

You may request that we communicate with you about your PHI through a specific method or at a specific address — for example, only by email rather than phone. We will accommodate reasonable requests.

Right to a Paper Copy

You may request a printed copy of this Notice at any time, even if you previously agreed to receive it electronically. Email us and we will mail one to you at no charge.

Right to Revoke Authorization

You may withdraw your authorization for us to use or share your PHI at any time in writing. This will stop all future processing of your health information and your active appeal.

Right to Breach Notification

If a breach of your unsecured PHI occurs, we will notify you without unreasonable delay and within 60 days of discovery, as required by HIPAA's Breach Notification Rule (45 CFR Part 164, Subpart D).

07. Our Legal Duties

Under HIPAA, AuthFight is legally required to:

  • Maintain the privacy and security of your Protected Health Information.
  • Provide you with this Notice of Privacy Practices describing our legal duties and privacy practices with respect to your PHI.
  • Notify you following a breach of your unsecured PHI.
  • Abide by the terms of this Notice currently in effect.
  • Not use or disclose your PHI except as described in this Notice or as otherwise permitted by applicable law.
  • Train all members of our workforce on our HIPAA privacy and security policies.
  • Designate a Privacy Officer responsible for developing and implementing our HIPAA compliance program.

We are required to follow the terms of this Notice. We may change this Notice, but we will make the revised version available to you before any changes take effect.

08. Minimum Necessary Standard

When using or disclosing your PHI, or when requesting PHI from another source on your behalf, AuthFight makes reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

In practice, this means:

  • We only request the clinical records and documentation directly relevant to your specific denial and appeal.
  • We only share with physician reviewers the information they need to evaluate your appeal — not your complete medical history.
  • We only transmit to your insurer the documents required for your appeal submission.
  • Internal access to your PHI is restricted to AuthFight personnel whose job function requires it, and all access is logged.

09. How to File a Complaint

If you believe your HIPAA privacy rights have been violated, or that we have not complied with this Notice, you have the right to file a complaint. You may file with us directly or with the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) — or both.

File a complaint with AuthFight

Email: privacy@authfight.com
Subject line: "HIPAA Complaint"
Response time: We will acknowledge your complaint within 5 business days and investigate within 30 days.

File a complaint with HHS Office for Civil Rights

Phone: 1-800-368-1019 (toll-free) · 1-800-537-7697 (TDD)
Mail: U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
Deadline: Complaints must be filed within 180 days of when you knew or should have known of the violation.

No retaliation. AuthFight will not retaliate against you in any way for filing a complaint — with us or with HHS OCR. This is a protected right under 45 CFR §164.530(g).

10. Changes to This Notice

We reserve the right to change the terms of this Notice at any time, provided that the revised Notice applies only to PHI we create or receive after the effective date of the change.

When we make a material change to this Notice, we will:

  • Post the updated Notice on our website at authfight.com/hipaa with a new effective date.
  • Send email notification to all registered users at the address on their account.
  • Make a paper copy available upon request at no charge.

The most current version of this Notice is always available at authfight.com/hipaa. Previous versions are available upon request by emailing privacy@authfight.com.

11. Contact Our Privacy Officer

For questions about this Notice, to exercise your HIPAA rights, or to report a privacy concern, contact our designated Privacy Officer:

AuthFight Privacy Officer

Email: privacy@authfight.com
Subject line: "HIPAA Privacy Officer"
Mail: AuthFight, Inc. · Privacy Officer · [Your Address]
Response time: Within 30 days as required by law

Legal disclaimer: This HIPAA Notice of Privacy Practices reflects AuthFight's current data practices as a Business Associate under HIPAA. It does not constitute legal advice. This notice should be reviewed by a qualified healthcare privacy attorney before being published in a final production environment. HIPAA compliance requirements may vary based on your specific business relationships and the nature of PHI you handle.