eCareComply

Privacy Policy

eCareComply is a product of Medarch, Inc. This Privacy Policy describes how Medarch (“Medarch,” “Us,” or “We”) collects, uses, processes, and discloses your personal information — including Protected Health Information (PHI) — in connection with your access to and use of eCareComply and the broader Medarch Platform. Last updated: June 1, 2026.

1. Introduction

This Privacy Policy (“Privacy Policy”) of Medarch, Inc. (“Medarch,” “Us,” or “We”) sets forth the terms applicable to you (“You” or “Your”) and describes how we collect, use, process, and disclose your personal information in conjunction with your access to and use of the Medarch Platform, including eCareComply, https://www.ecarecomply.ai, https://www.medarch.com (the “Website”), and any application(s), including updates, available on the Website (the “Application”), and the terms of service that apply to any services accessible through any such Application (collectively, the “Services”). It also covers information we collect in our capacity as a Business Associate to your healthcare practice, which is a Covered Entity under the Health Insurance Portability and Accountability Act (“HIPAA”). Your trust is important to us and we’re committed to protecting the privacy and security of your information.

2. Information We Collect

There are three general categories of information we collect when you use eCareComply.

2.1 Information You Give to Us. We ask for and collect the following information about you when you use the Services. This information is necessary for the adequate performance of the contract between you and us and to allow us to comply with our legal obligations.

Account Information: When you sign up for an eCareComply account, we require certain information such as your first name, last name, work email, practice or organization name, NPI (where applicable), and role.

Practice & Reporting Profile: To prepare quality submissions, you provide practice-level information including TIN(s), CCN(s) where applicable, taxonomy/specialty, performance year, reporting framework selections (MIPS / MVP / APP / eCQM / HEDIS / MA Stars / CAHPS / UDS / PCMH / state Medicaid), and patient panel scope (e.g., Medicare beneficiary counts).

Clinical Data and PHI: To populate measure denominators, numerators, and exclusions, we receive Protected Health Information from your EHR or clearinghouse — transmitted through SMART on FHIR, HL7 v2 feeds, secure file transfer, or direct extract upload. We process this information solely as your HIPAA Business Associate under a signed Business Associate Agreement (“BAA”).

Payment Information: Subscription billing is processed by our PCI-DSS compliant payment processor. We do not store full card numbers on our servers.

Communications: When you communicate with eCareComply (email, in-app messages, support tickets) or use the Platform to communicate with other authorized users at your organization, we collect and retain those communications.

2.2 Information We Automatically Collect. When you use the Platform we automatically collect personal information about the Services you use and how you use them, including Geo-location Information (precise or approximate location via IP address), Usage Information (pages viewed, measures selected, submissions generated, dashboards accessed), and Log Data and Device Information (IP address, browser, OS, access dates and times, device identifiers, crash data, and cookie identifiers).

Cookies and Similar Technologies: We use cookies, web beacons, pixels, browser analysis tools, server logs, and similar identifiers when you use the marketing site, Platform, or engage with our online ads or email communications. Categories include strictly-necessary, functional, analytics, and (with your consent) advertising cookies.

2.3 Information We Collect from Third Parties. We may receive information about you from EHR vendors and clearinghouses you authorize, from CMS and registry feedback portals when you direct us to retrieve performance results on your behalf, and from publicly available sources for verification purposes.

2.4 Children’s Data. Our marketing website and applications are not directed to children under 13 and we do not knowingly collect personal information directly from children under 13. Where PHI relating to pediatric patients is processed on behalf of a Covered Entity, it is handled under the BAA.

3. How We Use Information We Collect

We may use, store, and process information to (1) provide, understand, improve, and develop the eCareComply Services; (2) create and maintain a trusted and safer environment; and (3) provide, personalize, measure, and improve our advertising and marketing.

3.1 Provide the Services. We use information to authenticate users, ingest and normalize clinical data, populate measure templates, generate QRDA III / QPP JSON / registry CSV submission files, model projected scores and payment adjustments, archive evidence for the standard CMS audit window, and produce dashboards and reports.

3.2 Create and Maintain a Trusted and Safer Environment. We may use personal information to detect and prevent fraud, spam, abuse, and security incidents; conduct security investigations and risk assessments; verify or authenticate information; comply with our legal obligations; resolve disputes; and enforce our Terms of Service and other policies.

3.3 AI / Machine Learning. We do not use customer PHI to train general-purpose AI models. De-identified, aggregated, or synthetic data may be used to improve measure-spec parsing, validation heuristics, and other model components — consistent with HIPAA de-identification standards. Customers may opt out of any use of their non-PHI data for model improvement by emailing sales@medarch.com.

3.4 SMS Terms (U.S.). By opting in to a Text Message Service, you authorize Medarch to send text messages (including marketing content) to the cell phone number associated with your opt-in. Message and data rates may apply. Text STOP to opt out or HELP for help. Consent is not a condition of purchase.

3.5 Your Choices. You can limit the communications eCareComply sends you. To opt out of marketing emails, click “unsubscribe” at the bottom of any marketing email or update your notification settings. To revoke permission for promotional texts, reply STOP. Even if you opt out of marketing, we may still send important transactional communications about submissions, deadlines, and your account.

4. Sharing & Disclosure

Sharing With Your Consent. Where you have provided consent, we share your information as described at the time of consent.

We will disclose your information when: you have given us consent; we need to provide a Service you requested (for example, transmitting your submission to CMS, a registry, or a health plan); we are complying with laws or lawful requests; we believe it is necessary to protect our rights and the security of our Platform; or in connection with a merger, financing, acquisition, or bankruptcy transaction.

Information protected by HIPAA is shared with our HIPAA Covered Entity clients who provide care to the relevant patients; with third parties you direct us to (such as CMS, qualified registries, and health plans receiving your submission); and with third-party vendors and service providers (cloud hosting, EHR connectors) with whom we contract as Business Associates under HIPAA. We may also share aggregated and de-identified information for regulatory compliance, benchmark research, and other business purposes.

5. Other Important Information

5.1 Analyzing Your Communications. We may review, scan, or analyze your communications on the Platform for fraud prevention, risk assessment, regulatory compliance, investigation, product development, research, analytics, and customer support purposes.

5.2 Linking Third Party Accounts. You may link your eCareComply account with a third-party service (such as your EHR, registry portal, or single sign-on provider) and must comply with the terms of those services.

5.3 Third Party Partners & Integrations. The Platform may contain links to third-party websites or services (including CMS, qualified registries, and health plan portals) that have their own rules about collection, use, and disclosure of information. We encourage you to review their privacy policies.

6. Your Rights

You may exercise any of the rights described in this section by sending an email to sales@medarch.com. We may ask you to verify your identity before taking further action. Where information is held on behalf of your healthcare organization as a Covered Entity, certain requests must be routed through that Covered Entity.

6.1 Managing Your Information. You may access and update some of your information through your account settings.

6.2 Rectification. You have the right to ask us to correct inaccurate or incomplete personal information about you.

6.3 Data Access and Portability. In some jurisdictions you may request copies of your personal information in a structured, commonly used, machine-readable format.

Data Retention and Erasure. We retain personal information and submission evidence for the duration of your subscription and the standard six-year CMS / payer audit window thereafter, except where a shorter period is required by law. Subject to those retention obligations, you can request deletion in jurisdictions that grant you the right.

6.4 Withdrawing Consent. Where we process your personal information based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

6.5 Objection to Processing. In some jurisdictions you may object to certain processing of your personal information.

6.6 Lodging Complaints. In some jurisdictions you may lodge a complaint with our Data Protection Officer or a supervisory authority.

7. Operating Transfers

To facilitate our operations, Medarch may transfer, store, and process your information within our family of companies, partners, and service providers. Production data is hosted in U.S. AWS regions. Laws of the country where information is processed may differ from the laws of your residence.

California & Vermont Residents. Medarch will not share information it collects about you with its affiliates or third parties (both financial and non-financial), except as required or permitted by your state’s law.

California Privacy Rights. California law permits California residents to request once a year, free of charge, a list of third parties to whom we have disclosed personal information for direct marketing purposes. Certain information collected through the Platform is HIPAA-protected health information or covered by the California Confidentiality of Medical Information Act, and our practices with respect to that information are exempt from the CCPA.

8. Security

We continuously implement and update administrative, technical, and physical security measures designed to protect your information against unauthorized access, loss, destruction, or alteration. Safeguards include AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, mandatory multi-factor authentication, network segmentation, intrusion detection, daily backups, and continuous logging. We perform annual third-party penetration testing and maintain an active SOC 2 Type II program. If you believe your account credentials have been compromised, please contact us immediately. These safeguards are intended to meet our obligations under the HIPAA Security Standards.

9. Changes to This Privacy Policy

Medarch reserves the right to modify this Privacy Policy at any time. If we make changes, we will post the revised Privacy Policy and update the “Last Updated” date. Your continued access to or use of the Platform after the revised Privacy Policy becomes effective will be subject to the revised Privacy Policy.

10. Contact Us

If you have any questions or complaints about this Privacy Policy or Medarch’s information handling practices, you may email us at sales@medarch.com or our Data Protection Officer at info@medarch.net. eCareComply is a product of Medarch, Inc., 3860 Holcomb Bridge Road, Peachtree Corners, GA 30092.

Need a DPA or BAA?

Healthcare customers receive a HIPAA Business Associate Agreement by default. EU/UK customers can request a GDPR-aligned Data Processing Addendum with Standard Contractual Clauses.