1. Who we are
Medical Billing Solutions (MBSPM) is a Michigan-based provider of medical billing and revenue cycle management services. We act as a HIPAA Business Associate to the covered entities (medical practices) we serve and execute a Business Associate Agreement (BAA) with each client before any Protected Health Information (PHI) is exchanged.
2. Information we collect
2.1 From website visitors
- Information you submit through our contact and audit-request forms (name, practice name, email, phone, specialty, EHR system, message content).
- Standard log information your browser sends automatically (IP address, user-agent, pages viewed, timestamps).
- Cookies and similar technologies for basic analytics and site functionality. We do not use cookies to track you across third-party sites.
2.2 From client practices
- Practice operational data necessary to perform billing services (provider information, fee schedules, payer contracts, EHR/PM system access).
- Protected Health Information (PHI) about patients, as defined by HIPAA, including demographics, encounter details, diagnosis and procedure codes, insurance information, and payment data, only to the extent necessary to perform the services in our agreement.
3. How we use information
- To respond to inquiries and provide the services requested.
- To perform billing, coding, claims, A/R, denial management, credentialing, and reporting on behalf of client practices.
- To comply with legal, regulatory, accreditation, and audit requirements (including HIPAA, OIG, CMS).
- To improve our website, services, and security posture.
- For aggregated, de-identified analysis of billing trends, never in a form that identifies individual patients or providers without consent.
4. HIPAA & Protected Health Information
When we act as a Business Associate, our use and disclosure of PHI is governed by HIPAA (45 CFR Parts 160 and 164) and the Business Associate Agreement we sign with each covered-entity client. Our obligations include but are not limited to:
- Using and disclosing PHI only as permitted by the BAA and applicable law.
- Implementing administrative, physical, and technical safeguards to protect PHI confidentiality, integrity, and availability.
- Encrypting PHI in transit (TLS 1.3 or equivalent) and at rest (AES-256 or equivalent).
- Restricting access to PHI to workforce members who have a need to know, under role-based access controls and individual credentials.
- Maintaining audit logs of PHI access and modification.
- Reporting any security incident or breach of unsecured PHI without unreasonable delay, in accordance with the BAA and 45 CFR §164.410.
- Returning or destroying PHI upon termination of the BAA, where feasible.
- Ensuring any subcontractor we engage who creates, receives, maintains, or transmits PHI is subject to a written agreement that imposes substantially the same obligations.
5. How we share information
We share information only as needed to perform our services or as required by law. Specifically:
- With your authorization: with payers, clearinghouses, and other entities you direct us to engage with on your behalf (e.g., Office Ally, Availity, Change Healthcare, Waystar, payer portals).
- Service providers: with vetted, BAA-bound subcontractors who help us deliver services. All such subcontractors are subject to confidentiality and security obligations no less protective than ours.
- Legal requirements: when required by law, subpoena, or court order, including disclosures required by the Department of Health and Human Services for HIPAA compliance investigations.
- Business transfers: in the event of a merger, acquisition, or sale of assets, with appropriate safeguards and notices.
We do not sell your information. We do not sell, rent, or trade PHI under any circumstances.
6. Data security
MBSPM maintains a written information security program reasonable and appropriate for our size and the sensitivity of the data we handle. Measures include:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256).
- Role-based access controls and least-privilege provisioning.
- Multi-factor authentication for all workforce members.
- Continuous logging, monitoring, and intrusion detection.
- Annual third-party security review and penetration testing.
- Mandatory HIPAA and security awareness training for all workforce members at onboarding and annually thereafter.
- All subcontractors who create, receive, maintain, or transmit PHI are bound by signed Business Associate Agreements, and all workforce members are bound by written privacy and security obligations equivalent to those required under HIPAA.
No system is perfectly secure. If we identify a security incident affecting your information, we will follow the breach notification obligations in our BAA and applicable law.
7. Data retention
We retain information as long as necessary to provide the services, comply with legal and regulatory obligations, resolve disputes, and enforce our agreements. PHI retention and destruction follows the requirements of the applicable BAA and is generally retained for at least seven years from the date of creation or last activity, consistent with healthcare recordkeeping standards.
8. Your rights
If you are a patient of one of our client practices, your privacy rights regarding your PHI are governed by your provider's Notice of Privacy Practices and HIPAA, including the right to request access, amendment, or an accounting of disclosures. Please direct such requests to your provider, who will coordinate with us as needed.
If you are a website visitor and would like us to access, correct, or delete the information you submitted via our forms, contact us at info@mbspm.com.
9. Cookies & analytics
We use a minimal set of cookies to operate the website and understand basic traffic patterns. We do not use advertising cookies and do not allow third parties to use our website for cross-site behavioral advertising.
10. Children's privacy
Our website is not directed to children under 13 and we do not knowingly collect personal information from children under 13. Patient PHI received from client practices may relate to minors and is handled in accordance with HIPAA.
11. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be posted on this page; significant changes affecting our handling of PHI will be addressed through the applicable BAA.
12. Contact us
Questions, concerns, or requests related to this privacy policy or our HIPAA practices:
This policy is provided for informational purposes and does not constitute legal advice. For specific HIPAA or privacy-law questions, consult qualified counsel.