How we collect, use, protect, and share information across Medviz Systems' services and websites — for healthcare clients, patients, and visitors.
1. Introduction
Welcome to Medviz Systems ("Medviz," "we," "us," or "our"). We are a healthcare technology company offering AI-powered medical billing, revenue cycle management (RCM), chronic care management (CCM), principal care management (PCM), remote patient monitoring (RPM), credentialing, medical coding, accounts receivable, and virtual front desk support to healthcare practices across the United States.
We are committed to protecting the privacy and security of all individuals whose information we handle — healthcare providers, practice administrators, and patients whose data we process on behalf of client practices. This Privacy Policy explains what we collect, how we use it, how we protect it, and your rights.
By using our website (medviz.ai), our platforms, or any of our services, you agree to the practices described here.
2. Who This Policy Applies To
This Privacy Policy applies to:
- Healthcare providers, practice managers, and staff who use Medviz services or visit our website
- Patients whose Protected Health Information (PHI) is processed by Medviz on behalf of enrolled healthcare practices
- Website visitors who interact with medviz.ai or samaat.ai
If you are a patient, your healthcare provider (our client) is the primary covered entity responsible for your health information. Medviz acts as a Business Associate under HIPAA when processing patient data on behalf of healthcare practices.
3. Information We Collect
a. Information from Healthcare Providers and Practice Staff
When you engage with Medviz as a client or prospective client, we may collect: full name, practice name, professional role, email, phone, mailing/billing address, services needed, specialty, EMR/EHR system in use, NPI and credentialing information, and payment information for service fees.
b. Patient Information (PHI) Processed on Behalf of Practices
When providing CCM, PCM, RPM, billing, coding, or RCM services, we may access and process PHI on behalf of client practices: patient name and contact, insurance and payer IDs, medical records, diagnoses, treatment information, medication lists, care plans, vital signs (RPM), and claims data. All PHI is handled strictly per HIPAA and only as directed by the patient's healthcare provider.
c. SMS Communications
For CCM and care management, we send SMS messages to patients on behalf of enrolled practices. We collect mobile phone numbers (provided by the practice with patient consent), SMS consent records, message delivery status, and opt-out records. We do not share patient phone numbers or SMS consent data with third parties for marketing.
d. Website Visitor Information
When you visit our websites we automatically collect IP address and approximate location, browser and OS type, device, pages visited, links clicked, time on page, referring website, and date/time.
e. Cookies and Tracking
We use cookies, web beacons, and similar technologies to enhance experience, analyze traffic, and support security. See our Cookies Policy for details and how to manage preferences.
4. SMS Communications and Patient Consent
Medviz sends SMS to patients on behalf of enrolled practices for medication reminders, appointment notifications, care-plan updates, CCM coordination, RPM alerts, and care coordination.
Consent: Patients provide consent through written intake forms or verbal consent obtained by the provider or care coordinator at enrollment.
Frequency & charges: Frequency varies by care plan. Message and data rates may apply. Reply STOP to opt out, HELP for help. SMS is never used for marketing.
5. How We Use Your Information
We use information to:
- Deliver medical billing, coding, RCM, CCM, PCM, RPM, credentialing, and virtual front desk services
- Send service-related and care coordination communications
- Process and submit insurance claims
- Onboard new clients and respond to inquiries
- Improve our AI-powered tools (with appropriate authorization where PHI is involved)
- Comply with applicable laws (HIPAA, TCPA, state privacy laws)
- Detect and prevent fraud or abuse
6. How We Share Your Information
We do not sell your information, nor do we share it with third parties for marketing or advertising. We share information only as follows: with HIPAA-compliant business associates and subprocessors who help operate our services; with healthcare payers and clearinghouses for claim processing; with client practices on whose behalf data was collected; with legal authorities when required (subpoena, court order); and in business transfers (mergers, acquisitions) under confidentiality.
7. HIPAA Compliance and Business Associate Agreements
Medviz operates as a HIPAA Business Associate when processing PHI on behalf of healthcare providers. We enter into a Business Associate Agreement with every healthcare practice client before accessing any PHI; implement administrative, physical, and technical safeguards required by the HIPAA Security Rule; limit PHI use and disclosure to purposes specified in the BAA; and notify the affected covered entity within 60 days of discovering any breach of unsecured PHI.
8. Data Security
We implement industry-standard safeguards including AES-256 encryption at rest and TLS in transit; role-based access controls and multi-factor authentication; routine security audits, penetration testing, and vulnerability assessments; HIPAA Security Rule-compliant workforce training; audit logs for all PHI access; and secure, redundant cloud infrastructure.
9. Data Retention
We retain information for as long as necessary to fulfill the purposes outlined in this policy and our client agreements, or as required by law:
- Medical billing records — 7+ years per federal requirements
- PHI under CCM/PCM/RPM — per applicable BAA and state laws
- SMS consent records — 4+ years for TCPA compliance
- Website visitor data — up to 24 months
10. Your Rights
Healthcare provider clients may access and correct account information, request deletion of non-PHI business data, and withdraw consent for marketing communications by contacting privacy@medviz.ai.
Patients whose data is processed by Medviz on behalf of a healthcare practice should direct privacy rights requests (access, amendment, accounting of disclosures, restrictions) to their healthcare provider. California patients may have additional rights under CCPA and CMIA.
SMS opt-out: reply STOP to any message, contact your care team, or call +1 (727) 214-2749.
11. Third-Party Links and Integrations
Our website may contain links to third-party websites. We are not responsible for the privacy practices of those sites. Our services integrate with third-party EMR/EHR platforms; information shared with these platforms is governed by your agreement with those vendors and applicable HIPAA authorizations.
12. AI-Powered Medical Documentation (Samaat.ai)
Samaat.ai records provider-patient encounters, generates automated transcriptions, and produces structured SOAP notes for clinician review.
What We Collect
Audio recordings of encounters (with consent), transcriptions, AI-generated SOAP notes, provider identity, session metadata, and patient identifiers referenced within the encounter.
Patient and Provider Consent for Recording
Audio recording requires explicit consent under federal and state laws (including state wiretapping and two-party consent statutes). Client practices must obtain informed patient consent before any encounter is recorded; inform patients about the recording and its uses; and ensure provider acknowledgment that all AI-generated documentation must be reviewed and signed by the licensed clinician.
How Samaat.ai Data Is Used
Samaat.ai data is used exclusively to generate transcriptions and AI-assisted SOAP notes for provider review and approval. Identifiable patient audio or transcriptions are never used to train AI models without explicit written authorization from the covered entity.
Audio Retention
Audio recordings are retained only for the minimum period necessary — typically no longer than 30 days after the SOAP note is finalized. Practices may request earlier deletion.
Human Oversight
Samaat.ai is a documentation assistance tool, not a clinical decision-making system. All AI-generated SOAP notes are presented as drafts for provider review. No note is finalized without explicit review and approval by the licensed treating clinician.
Additional Safeguards
All audio data is transmitted and stored using end-to-end encryption (TLS 1.2+ in transit, AES-256 at rest). Access is strictly limited to authorized personnel. Samaat.ai does not share recordings, transcriptions, or notes with any third party for advertising, analytics, or commercial purposes.
13. AI-Powered Billing and Revenue Cycle Management
Medviz Systems provides billing and revenue cycle management services. We do not perform medical coding. We submit claims based on the diagnosis codes (ICD-10), procedure codes (CPT/HCPCS), and clinical documentation provided by the healthcare practice. Medviz does not assign, modify, or add CPT or ICD codes to provider-submitted claims.
Our AI and machine-learning tools focus exclusively on:
- Scrubbing claims for applicable CMS and payer-specific edits prior to submission
- Maximizing first-pass payment rates and reducing avoidable rejections
- Identifying eligibility, formatting, and routing issues
- Surfacing potential discrepancies back to the practice for the practice's review and correction
- Tracking denial patterns and supporting appeals on payer-side adjudication issues
All AI-supported claim review occurs under the terms of the applicable HIPAA Business Associate Agreement. Claims are reviewed by experienced billing professionals before submission; no claims are submitted on a fully automated basis without human review. Coding accuracy and clinical documentation responsibility remain with the licensed healthcare provider and their authorized coders.
14. Children's Privacy
Our website is not directed to children under 13. We do not knowingly collect personal information from children under 13 through our website. Medviz may process pediatric patient data as part of medical billing and care management services on behalf of healthcare practices, governed by HIPAA and state minor health privacy laws.
15. Changes to This Privacy Policy
We may update this policy periodically to reflect changes in our services, legal requirements, or data practices. When we make material changes, we will post the updated policy with a revised effective date. Continued use of our services after changes are posted constitutes acceptance.
16. Contact Us
Questions, concerns, or requests regarding this policy or our data practices:
Medviz Systems
Privacy: privacy@medviz.ai
Sales: sales@medviz.ai
Phone: +1 (727) 214-2749 (Mon–Fri, 8am–5pm ET)
Web: www.medviz.ai
For HIPAA-related requests, please include "HIPAA Privacy Request" in the subject line.