1. Introduction

Alliance Medical Revenue Group, Inc. (“AMRG,” “we,” “us,” or “our”) is a U.S.-based medical billing and Revenue Cycle Management (RCM) company headquartered at 5900 Balcones Drive, Suite 100, Austin, Texas, USA. We provide outsourced billing, coding, credentialing, insurance eligibility verification, denial management, and related administrative services to healthcare providers across the United States.

We are committed to protecting the privacy and security of all information we receive in the course of operating our business. This Privacy Policy (“Policy”) explains what information we collect, how we use it, with whom we share it, and what rights you have with respect to your information.

By using our website (amrgbilling.com), submitting inquiries, or engaging our services, you agree to the practices described in this Policy.

HIPAA Notice: As a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA), AMRG is legally required to maintain the privacy and security of Protected Health Information (PHI) we access on behalf of covered healthcare providers. Our use and disclosure of PHI is governed by executed Business Associate Agreements (BAAs) with each client.

2. Scope & Applicability

This Policy applies to:

• Visitors to our website at amrgbilling.com
• Healthcare providers, practice managers, and administrators who inquire about or engage AMRG’s services
• Current and prospective clients and their authorized representatives
• Any individual who contacts AMRG via phone, email, or web form

This Policy does not apply to:

• Patient-facing systems operated by our healthcare provider clients. Patients should consult their provider’s own Notice of Privacy Practices (NPP) for information about how their health information is handled.
• Third-party websites linked from our site, over which we have no control.
• AMRG employees or contractors, who are subject to separate internal data handling policies.

3. Information We Collect

1. Information You Provide Directly

When you contact us, request a consultation, or engage our services, we may collect:

• Full name, title, and professional role
• Practice or organization name
• Business address, phone number, and email address
• National Provider Identifier (NPI) and Tax Identification Number (TIN) — for credentialing and enrollment purposes
• Payer contracts, fee schedules, and practice management system credentials — provided solely for billing operations
• Payment and billing information for invoicing AMRG’s own service fees
• Communications, correspondence, and support requests

1. Protected Health Information (PHI) Accessed on Behalf of Clients

In the course of providing medical billing and RCM services, we access PHI on behalf of our healthcare provider clients. This includes:

• Patient demographics (name, date of birth, address, contact details)
• Insurance information, member IDs, group numbers, and payer data
• Clinical encounter data, diagnosis codes (ICD-10), and procedure codes (CPT/HCPCS)
• Explanation of Benefits (EOBs), remittance advice, and payment information
• Authorization numbers and referral documentation

This PHI is processed solely as directed by and on behalf of our provider clients, in accordance with applicable BAAs and HIPAA regulations. It is not used for any purpose outside the scope of the agreed-upon services.

1. Information Collected Automatically

When you visit our website, we and our analytics providers may automatically collect:

• IP address and general geographic location
• Browser type, version, and operating system
• Pages viewed, links clicked, and time spent on site
• Referring URLs and session data

4. How We Use Information

We use the information we collect to:

• Provide medical billing, coding, credentialing, and RCM services on behalf of our provider clients
• Submit and manage insurance claims with payers, Medicare, and Medicaid
• Verify patient insurance eligibility and process prior authorizations
• Manage denied claims, appeals, and accounts receivable recovery
• Post payments and generate patient statements as directed by providers
• Respond to inquiries and schedule consultations
• Manage client accounts and communications
• Invoice and collect payment for AMRG’s own services
• Improve our website and understand how it is used
• Comply with legal, regulatory, and contractual obligations
• Monitor system security and prevent unauthorized access or fraud

We do not sell, rent, or monetize any personal information or PHI to third parties for any purpose.

5. HIPAA & Protected Health Information (PHI)

AMRG operates as a HIPAA Business Associate as defined under 45 CFR § 160.103. Our access to PHI is strictly limited to what is necessary to fulfill our contracted services, consistent with HIPAA’s “minimum necessary” standard.

Business Associate Agreements (BAAs) We execute a formal BAA with every healthcare provider client before accessing any PHI. The BAA defines permitted uses and disclosures, security obligations, breach notification requirements, and our obligations upon contract termination.

Permitted Uses and Disclosures of PHI We use and disclose PHI only as permitted under HIPAA and the applicable BAA, including:

• Submitting billing claims to insurance payers, Medicare, and Medicaid
• Verifying patient insurance eligibility and coverage
• Submitting prior authorization requests
• Appealing denied claims and managing accounts receivable
• Posting payments and generating statements as directed by the provider
• As required by law or regulatory authority

Breach Notification In the event of a breach of unsecured PHI, AMRG will notify affected covered entities without unreasonable delay and within the timeframes required under HIPAA’s Breach Notification Rule (45 CFR Part 164, Subpart D).

Notice to Patients: AMRG is a billing services company, not a healthcare provider. If you are a patient with questions about your health information or wish to exercise your HIPAA rights, please contact your healthcare provider directly.

6. Sharing & Disclosure of Information

We do not share personal information or PHI except in the following limited circumstances:

Insurance Payers and Clearinghouses We share claim data with insurance carriers, Medicare, Medicaid, and electronic clearinghouses as necessary to submit and adjudicate claims on behalf of our clients.

Subcontractors and Service Providers We may engage trusted subcontractors, including our offshore billing team, who perform services on our behalf. All subcontractors who access PHI are bound by written agreements imposing equivalent privacy and security obligations, as required by HIPAA.

Technology and Software Vendors We access practice management systems and EMR platforms (such as Kareo, AdvancedMD, and Athena Health) as directed by clients. Use of these platforms is subject to the client’s existing vendor agreements.

Legal and Regulatory Requirements We may disclose information when required by law, court order, subpoena, or government agency, including the HHS Office for Civil Rights (OCR).

Business Transfers In the event of a merger, acquisition, or sale of AMRG’s business, information we hold may be transferred to the acquiring entity under the same privacy protections. Affected clients will be notified in advance.

We never sell personal information or PHI. We never disclose PHI for marketing or advertising purposes.

7. Data Security

AMRG implements administrative, physical, and technical safeguards to protect all information, in accordance with HIPAA’s Security Rule (45 CFR Part 164, Subpart C).

Administrative Safeguards

• Designated Privacy Officer and Security Officer
• Mandatory HIPAA training for all staff handling PHI
• Role-based access controls limiting data access to what is necessary for each job function
• Background checks for employees with access to PHI
• Regular HIPAA risk assessments and compliance audits
• Written incident response and breach notification procedures

Technical Safeguards

• TLS/SSL encryption for all data in transit
• Encryption of data at rest on all systems containing PHI
• Multi-factor authentication (MFA) on all systems accessing PHI or client accounts
• Automatic session timeouts on workstations and portals
• Audit logging and activity monitoring
• Firewall protection, intrusion detection, and endpoint security
• Regular vulnerability scanning and patch management

Physical Safeguards

• Controlled access to office facilities
• Secure workstation policies
• Secure disposal of physical media containing PHI

8. Data Retention

We retain information only as long as necessary to fulfill the purposes for which it was collected, meet our legal and contractual obligations, and resolve disputes.

Upon termination of a client agreement, we will return or securely destroy all PHI in accordance with the applicable BAA, unless legal retention is required.

9. Cookies & Tracking Technologies

Our website uses cookies and similar technologies to improve user experience and analyze site traffic.

Types of cookies we use:

• Strictly Necessary — Required for the website to function. Cannot be disabled.
• Analytics & Performance — Help us understand how visitors use our site (e.g., Google Analytics). Data is aggregated and anonymized.
• Functional — Remember your preferences to improve your experience.
• Marketing — Used to serve relevant content. We do not use cookies to target advertising at patients.

You can manage cookie preferences through your browser settings. Disabling certain cookies may affect website functionality. To opt out of Google Analytics, visit: https://tools.google.com/dlpage/gaoptout

10. Your Rights

Healthcare Providers and Business Contacts You have the right to:

• Access the personal information we hold about you or your practice
• Request correction of inaccurate or incomplete information
• Request deletion of your personal information, subject to our legal and contractual retention obligations
• Opt out of marketing emails at any time
• Receive your information in a portable format where technically feasible

Patients (HIPAA Rights) Patients seeking to exercise HIPAA rights — including access, amendment, or an accounting of disclosures — must contact their healthcare provider directly. AMRG processes PHI only on behalf of provider clients and is not the appropriate point of contact for patient rights requests.

California Residents (CCPA/CPRA) California residents may have additional rights under the CCPA and CPRA, including the right to know, delete, correct, and opt out of the sale or sharing of personal information. AMRG does not sell personal information. To submit a California privacy rights request, contact us at privacy@amrgbilling.com.

To exercise any of the rights above, contact us at privacy@amrgbilling.com. We will respond to verified requests within 30 days.

11. Third-Party Links & Integrations

Our website may contain links to third-party websites, including payer portals, software providers, and industry resources. These are provided for convenience only and do not constitute endorsement. We have no control over and are not responsible for the privacy practices of third-party sites. We encourage you to review their privacy policies before submitting any information.

12. Children’s Privacy

Our website and services are directed to healthcare providers and business professionals. We do not knowingly collect personal information directly from individuals under the age of 18 through our website or marketing channels. To the extent we access PHI related to minor patients as part of our billing services, such access is handled in compliance with HIPAA and all applicable federal and state laws governing minor health information.

13. Changes to This Privacy Policy

We may update this Policy periodically to reflect changes in our practices, services, or legal requirements. When material changes are made, we will:

• Post the updated Policy on this page with a revised “Last Updated” date
• Notify active clients via email or through our client portal
• Obtain renewed consent where required by law

Your continued use of our website or services after changes are posted constitutes acceptance of the updated Policy. Previous versions are available upon request.

14. Contact Us

For questions, concerns, or privacy rights requests, please contact:

Alliance Medical Revenue Group, Inc. Privacy & Compliance 5900 Balcones Drive, Suite 100 Austin, Texas 78731, USA

Email: info@amrgbilling.com, Phone: +1 (647) 613-4604 Hours: Monday–Friday, 9:00 AM – 5:00 PM CT

If you believe your privacy rights have been violated, you may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) at www.hhs.gov/ocr/complaints, without fear of retaliation.