Aira Health is committed to protecting the privacy and security of patient health information. This Privacy Notice describes how we collect, use, protect, and share Protected Health Information (PHI) as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). PHI is disclosed to Aira Health by Covered Entities on behalf of their patients.
Aira Health is a Business Associate that provides healthcare technology services intended to simplify billing practices for Covered Entities and to streamline the patient authorization process. Our goal is to ensure that patient authorizations are in place so that insurers and health care providers can provide access to procedures to their patients. Aira Health partners with healthcare providers, health plans, and other covered entities (collectively, "Healthcare Partners") in order to do so.
We process PHI on behalf of and at the direction of our Healthcare Partners to help them deliver and improve healthcare services.
We are a Business Associate for the purposes of HIPAA compliance. We are not a healthcare provider and therefore do not provide medical treatment or advice. In Business Associate Agreements with Covered Entities, we ensure that we strictly limit the amount of PHI that is to be processed.
As a Business Associate, we may receive, process, or maintain the following types of PHI on behalf of our Healthcare Partners:
Important: We only handle PHI when authorized by a Healthcare Partner who has a relationship with the patient. We do not collect PHI directly from patients.
We use and share PHI only as directed by our Healthcare Partners and as permitted under our Business Associate Agreements (BAAs). This includes the following:
| Purpose | Examples |
|---|---|
| Patient & Benefit Verification | Confirmation of patient authorization and scope of available coverage. |
| Medical Necessity Checks | Cross-referencing clinical notes with insurer/payer guidelines. |
| Documentation Preparation | Compiling the necessary clinical documentation. |
| Lifecycle: Submission & Tracking | Managing healthcare request lifecycle. |
| Legal Obligations and Compliance | To use or disclose PHI as required by federal, state, provincial, or local law(s), including defending against legal claims and disclosure to health care authorities or to comply with court orders. |
| Business Operations | To conduct internal audits, for quality assurance purposes, service delivery, and storage for record-keeping purposes. |
Aira Health uses some Artificial Intelligence (AI) to perform a number of enterprise tasks in support of service delivery. However, we strictly limit the amount of PHI that is used within AI models and do not disclose PHI to our AI vendors to train their enterprise model. While data retrieval and packet preparation are automated, a human specialist reviews every step before final submission to ensure accuracy and clinical appropriateness. Aira Health has signed a binding BAA with our AI service provider.
We may, on occasion, strip PHI of its identifiers to create data sets containing de-identified information. This is information that cannot reasonably identify individual patients, and would be used for research, analytics, and other purposes. De-identified information would therefore not be subject to this Privacy Policy.
Except as described above, we will not use or disclose PHI without written express authorization from the patient. If a patient provides authorization, they may revoke it at any time by contacting the Healthcare Partner who provided the authorization, who would then communicate to Aira Health that the consent to process PHI has been withdrawn.
We may share PHI with third-party service providers (subcontractors or third-party vendors) who assist us in delivering services to our Healthcare Partners. All subcontractors are required to protect PHI in accordance with HIPAA requirements, including executing a Business Associate Agreement as required.
While we handle PHI as a Business Associate, patient privacy rights are exercised through the Healthcare Partner who has a direct relationship with the patient. These rights include:
| Right | Description |
|---|---|
| Access to PHI / Copy of Notice | Patients have the right to review and obtain a copy of their health information, including PHI and Electronic Health Records (EHR). All such requests must be made in writing. |
| Amendment | Patients have the right to request corrections to their health information if it is factually incorrect or incomplete. This does not apply to any information that is not factual in nature (e.g. opinions). |
| Account of Disclosures | Patients have the right to receive a list of certain disclosures of PHI. Aira Health therefore keeps records of such disclosures for transparency. |
| Restriction | Patients have the right to request limits on how their PHI is used or shared. |
| Requesting Confidential Communications | Patients have the right to request that the Healthcare Partner communicate with them in a specific way or at a specific location. This is to facilitate and preserve patient confidentiality. |
To Exercise Health Privacy Rights: Patients must contact their Healthcare Partner directly. Aira Health shall cooperate with the Healthcare Partner to facilitate the exercise of the patient's rights.
If a patient has a representative acting on their behalf, sufficient proof of such authorization is required before Aira Health can approve requests to exercise the above-noted privacy rights.
We take the security of PHI seriously and implement comprehensive safeguards to protect it:
Aira Health is based in the United States and may store or process your health information in other regions. We ensure that appropriate safeguards are in place to protect your information regardless of where it is processed, in accordance with HIPAA requirements and applicable international data protection laws.
In the event of a breach where PHI is involved, we will notify the affected Healthcare Partner(s) without unreasonable delay so they can provide the affected patient(s) with appropriate notification and any required protective services, mitigation, and remediation.
We reserve the right to revise this Privacy Notice at any time. When we make material changes, we will update the "Last Updated" date at the top of this notice and post the revised notice on our website at https://www.airahealth.io/privacy-policy. The revised notice will apply to all PHI we maintain.
If you have questions about this Privacy Notice or our privacy practices, please contact:
Aira Health
Email: malak@get-aira.com
Phone: +1 917 327 8229
With Your Healthcare Partner:
If you believe your privacy rights have been violated, you should first contact your Healthcare Partner directly, as they are primarily responsible for protecting your PHI.
With Us:
You may also file a complaint with us by contacting our HIPAA Security Officer using the information above. Please provide as much detail as possible with respect to your complaint so that we may provide you with a meaningful response.
With the U.S. Government:
You have the right to file a complaint with the U.S. Department of Health and Human Services:
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Room 509F HHH Bldg.
Washington, D.C. 20201
Website: https://www.hhs.gov/hipaa/filing-a-complaint/index.html
No Retaliation: You will not be retaliated against for filing a complaint.
We provide services to numerous healthcare providers, health plans, and healthcare clearinghouses. For a list of our Healthcare Partners or questions about how a specific Healthcare Partner uses your information, please contact that Healthcare Partner directly.
This Privacy Notice describes our practices as a Business Associate. Your Healthcare Partner is required to provide you with their own Notice of HIPAA Privacy Practices that describes how they use and share your health information. Please refer to your Healthcare Partner's notice for information about their privacy practices.
In addition to HIPAA, we comply with other applicable and binding privacy and security laws. Where laws provide greater privacy protections, we follow those stricter requirements.