Privacy Policy
Last updated: 2/27/2026
1. Introduction
Welcome to Medviz Systems (“Medviz,” “we,” “us,” or “our”). We are a healthcare technology company offering AI-powered medical billing, revenue cycle management (RCM), chronic care management (CCM), principal care management (PCM), remote patient monitoring (RPM), credentialing, medical coding, accounts receivable services, and virtual front desk support to healthcare practices across the United States.
We are deeply committed to protecting the privacy and security of all individuals whose information we handle — including healthcare providers, practice administrators, and patients whose data we process on behalf of our client practices. This Privacy Policy explains what information we collect, how we use it, how we protect it, and your rights regarding your information.
By using our website (www.medviz.ai), our CCM platform, or any of our services, you agree to the practices described in this Privacy Policy.
2. Who This Policy Applies To
This Privacy Policy applies to:
Healthcare providers, practice managers, and staff who use Medviz services or visit our website.
Patients whose Protected Health Information (PHI) is processed by Medviz on behalf of enrolled healthcare practices.
Website visitors who interact with www.medviz.ai.
If you are a patient, your healthcare provider (our client) is the primary covered entity responsible for your health information. Medviz acts as a Business Associate under HIPAA when processing patient data on behalf of healthcare practices.
3. Information We Collect
a. Information from Healthcare Providers and Practice Staff
When you engage with Medviz as a client or prospective client, we may collect:
Full name, practice name, and professional role/title
Email address and phone number
Mailing and billing address
Services needed and specialty information
EMR/EHR system in use
National Provider Identifier (NPI) and other credentialing information
Payment and billing information for service fees
b. Patient Information (PHI) Processed on Behalf of Practices
When providing CCM, PCM, RPM, medical billing, coding, or RCM services, we may access and process patient information on behalf of our client practices, including:
Patient name, date of birth, and contact information (including phone numbers)
Insurance information and payer IDs
Medical records, diagnosis codes, and treatment information
Medication lists and care plans (for CCM/PCM services)
Vital signs and biometric readings (for RPM services)
Claims data and billing information
All patient PHI is handled strictly in accordance with HIPAA requirements and only as directed by the patient’s healthcare provider.
c. SMS Communication Data
For CCM and care management services, we send SMS text messages to patients on behalf of enrolled practices. In connection with SMS communications, we collect and process:
Patient mobile phone numbers (provided by the enrolling practice with patient consent)
SMS consent records, including the date, method, and scope of consent
Message delivery status and opt-out records
We do not share patient phone numbers or SMS consent data with third parties for marketing purposes.
d. Website Visitor Information
When you visit www.medviz.ai, we automatically collect:
IP address and approximate geographic location
Browser type, version, and operating system
Device type and screen resolution
Pages visited, links clicked, and time spent on pages
Referring website or search query
Date and time of your visit
e. Cookies and Tracking Technologies
We use cookies, web beacons, and similar technologies to enhance your experience, analyze website traffic, and support security. You can manage cookie preferences through your browser settings. Disabling cookies may limit certain website functionality.
4. SMS Communications and Patient Consent
Medviz Systems sends SMS text messages to patients on behalf of enrolled healthcare practices for the following purposes:
Medication reminders
Appointment notifications and scheduling
Care plan updates and check-ins
Chronic care management (CCM) coordination
Remote patient monitoring (RPM) alerts
General care coordination communications
Consent
Patients provide consent to receive SMS messages through one or more of the following methods:
Written consent captured on patient intake forms at the time of registration with the healthcare practice, which includes disclosure that the patient may receive SMS communications regarding their care and any programs they are enrolled in.
Verbal consent obtained by the healthcare provider or care coordinator at the time of enrollment in a care management program (CCM, PCM, RPM). Verbal consent is documented and time-stamped in the practice’s EHR or care management platform.
Message Details
Message frequency: Varies based on the patient’s care plan and program enrollment.
Message and data rates may apply based on the patient’s mobile carrier plan.
To opt out of SMS messages at any time, reply STOP to any message.
For help or support, reply HELP or contact your care team.
We do not use SMS communications for marketing or promotional purposes. All messages are strictly care-related and sent on behalf of the patient’s healthcare provider.
5. How We Use Your Information
We use the information we collect for the following purposes:
To provide medical billing, coding, RCM, CCM, PCM, RPM, credentialing, and virtual front desk services to healthcare practices.
To send care coordination SMS messages to patients on behalf of enrolled practices.
To process and submit insurance claims and manage accounts receivable on behalf of practices.
To respond to inquiries and provide customer support to practice staff and providers.
To onboard new clients and manage credentialing and payer enrollment.
To improve, develop, and optimize our AI-powered billing and care management tools.
To comply with applicable laws and regulations, including HIPAA, TCPA, and state privacy laws.
To detect and prevent fraud, unauthorized access, or misuse of our services.
To send service-related communications, including billing statements, system updates, and compliance notifications.
6. How We Share Your Information
We do not sell your information to third parties, nor do we share it with third parties for marketing or advertising purposes. We may share your information only in the following limited circumstances:
Business Associates and Subprocessors: We may share information with HIPAA-compliant technology vendors and subprocessors that help us deliver our services (e.g., cloud hosting providers, EHR integration partners, and SMS delivery platforms such as Twilio). All such parties are bound by applicable data protection agreements.
Healthcare Payers and Clearinghouses: Patient and claims data may be shared with insurance payers, Medicare, Medicaid, and clearinghouses as necessary to submit and process claims on behalf of our client practices.
Client Practices: Information may be shared with the healthcare practice on whose behalf it was collected.
Legal Requirements: We may disclose information when required to do so by law, regulation, subpoena, court order, or governmental request, or when necessary to protect the rights, safety, or property of Medviz, our clients, or the public.
Business Transfers: In the event of a merger, acquisition, or sale of assets, information may be transferred as part of that transaction, subject to the same privacy protections.
7. HIPAA Compliance and Business Associate Agreements
Medviz Systems operates as a HIPAA Business Associate when processing Protected Health Information (PHI) on behalf of healthcare providers. As such:
We enter into a Business Associate Agreement (BAA) with every healthcare practice client before accessing or processing any patient PHI.
We implement administrative, physical, and technical safeguards required by the HIPAA Security Rule to protect electronic PHI (ePHI).
We limit PHI use and disclosure to the purposes specified in the applicable BAA.
We support the rights of patients to access, amend, and receive an accounting of disclosures of their PHI, as facilitated through their healthcare provider.
In the event of a breach of unsecured PHI, we will notify the affected covered entity (healthcare practice) in accordance with the HIPAA Breach Notification Rule, within 60 days of discovery.
Patients seeking to exercise HIPAA rights (access, amendment, accounting of disclosures) should contact their healthcare provider directly. Medviz will support the provider in fulfilling such requests.
8. Data Security
We implement industry-standard administrative, physical, and technical safeguards to protect your information, including:
AES-256 encryption for data at rest and TLS encryption for data in transit
Role-based access controls and multi-factor authentication for staff accessing systems
Routine security audits, penetration testing, and vulnerability assessments
HIPAA Security Rule-compliant workforce training and access management
Audit logs for all access to and modifications of PHI
Secure, redundant cloud infrastructure (SOC 2-compliant providers)
While we implement robust security measures, no method of electronic transmission or storage is 100% secure. We encourage clients and users to use strong passwords and report any suspected security concerns to privacy@medviz.ai immediately.
9. Data Retention
We retain information for as long as necessary to fulfill the purposes outlined in this Privacy Policy and our client agreements, or as required by law:
Medical billing records and claims data: Minimum 7 years per federal requirements (longer in some states).
PHI processed under CCM/PCM/RPM: Retained per the terms of the applicable BAA and state medical records laws.
SMS consent records: Retained for a minimum of 4 years to support TCPA compliance.
Website visitor data: Retained in analytics systems for up to 24 months.
Business records: Retained per applicable legal and regulatory requirements.
Upon termination of a client relationship, PHI is returned to the practice or securely destroyed in accordance with HIPAA requirements and the terms of the BAA.
10. Your Rights
Healthcare Provider Clients
As a client, you may:
Access and correct your account and contact information by contacting privacy@medviz.ai.
Request deletion of your non-PHI business data, subject to legal retention requirements.
Withdraw consent for marketing or service communications.
Patients
Patients whose data is processed by Medviz on behalf of a healthcare practice should direct privacy rights requests to their healthcare provider. Rights may include:
Right to access your medical records and PHI.
Right to request amendment of inaccurate PHI.
Right to an accounting of disclosures.
Right to request restrictions on certain uses and disclosures.
Patients in California may have additional rights under the California Consumer Privacy Act (CCPA) and California Confidentiality of Medical Information Act (CMIA). Contact us at privacy@medviz.ai for assistance.
SMS Opt-Out
To stop receiving SMS messages from Medviz on behalf of your healthcare practice, reply STOP to any message. You may also contact your care team or call +1 (727) 214-2749 to opt out. Opting out of SMS will not affect your ability to receive care from your provider.
11. Third-Party Links and Integrations
Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of those sites and encourage you to review their privacy policies before providing any information.
Our services integrate with third-party EMR/EHR platforms including Athena, eClinicalWorks, AdvancedMD, CareCloud, DrChrono, and others. Information shared with these platforms is governed by your agreement with those vendors and applicable HIPAA authorizations.
12. AI-Powered Medical Documentation (Samaat AI)
Medviz Systems offers Samaat AI, an AI-powered medical documentation service that records provider-patient encounters, generates automatic transcriptions, and produces structured SOAP (Subjective, Objective, Assessment, Plan) notes. This service reduces administrative burden on providers while improving documentation accuracy and clinical efficiency.
a. What Samaat AI Collects
When Samaat AI is active during a clinical encounter, the following data is collected and processed:
Audio recordings of provider-patient conversations during clinical encounters (with consent — see below)
Automated transcriptions of recorded conversations
AI-generated SOAP notes and structured clinical documentation derived from transcriptions
Provider identity and session metadata (date, time, encounter type)
Patient identifiers referenced within the encounter (name, date of birth, conditions discussed)
b. Patient and Provider Consent for Recording
Audio recording of provider-patient encounters requires explicit consent under applicable federal and state laws, including state wiretapping and two-party consent statutes. Medviz Systems requires client practices to:
Obtain informed patient consent before any encounter is recorded, via signed consent form, verbal acknowledgment documented in the EHR, or posted notice where permitted by applicable state law.
Inform patients that: (i) the encounter will be recorded; (ii) the recording will be transcribed and used to generate clinical documentation; (iii) the recording and resulting notes form part of their medical record; and (iv) the provider remains responsible for reviewing and approving all AI-generated clinical notes.
Obtain provider acknowledgment that all AI-generated documentation must be reviewed, edited as needed, and formally signed off by the licensed clinician before being finalized in the medical record.
In states requiring all-party or two-party consent for recording (such as California, Florida, Illinois, Pennsylvania, and others), practices must ensure patient consent is obtained before the encounter recording begins. Medviz provides guidance to practices on consent requirements, but the practice as the covered entity is ultimately responsible for obtaining and documenting consent.
c. How Samaat AI Data Is Used
Data collected through Samaat AI is used exclusively for the following purposes:
To generate accurate transcriptions of clinical encounters for medical documentation purposes.
To produce AI-assisted SOAP notes and structured clinical summaries for provider review and approval.
To return finalized documentation to the practice’s EHR or clinical workflow system.
To improve transcription accuracy and AI model performance, using only de-identified or appropriately authorized data. Identifiable patient audio or transcriptions are never used to train AI models without explicit written authorization from the covered entity and, where required, patient authorization.
d. Audio Recording Retention and Deletion
Audio recordings and raw transcriptions are handled with strict data minimization principles:
Audio recordings are retained only for the minimum period necessary to generate and quality-check clinical documentation — typically no longer than 30 days after the SOAP note is finalized and delivered to the practice.
Finalized SOAP notes and clinical documentation become part of the patient’s medical record and are retained by the practice per applicable medical records retention laws (generally 7–10 years depending on state).
Practices may request earlier deletion of audio recordings by contacting privacy@medviz.ai.
Upon termination of the Samaat AI service, all retained audio recordings are securely deleted within 30 days and all documentation is returned to the practice.
e. Human Oversight and Clinical Responsibility
Samaat AI is a documentation assistance tool, not a clinical decision-making system. Medviz maintains the following human oversight commitments:
All AI-generated SOAP notes are presented as drafts for provider review. No note is finalized or entered into the medical record without explicit review and approval by the licensed treating clinician.
Providers are responsible for correcting, amending, or rejecting any AI-generated content that is inaccurate, incomplete, or clinically inappropriate.
Medviz does not make any automated clinical decisions regarding diagnosis, treatment, prescribing, or patient care based on AI-generated content.
f. Additional Safeguards for Audio PHI
Given the sensitive nature of recorded provider-patient conversations, Medviz applies the following additional safeguards specific to Samaat AI:
All audio data is transmitted and stored using end-to-end encryption (TLS 1.2+ in transit, AES-256 at rest).
Access to audio recordings and transcriptions is strictly limited to authorized personnel involved in documentation processing and quality assurance.
Samaat AI processing infrastructure is fully covered under the HIPAA BAA between Medviz and the client practice.
Third-party AI or cloud processing vendors used in the Samaat AI pipeline are required to execute HIPAA-compliant BAAs and are prohibited from using PHI for any purpose beyond delivering the contracted documentation service.
Samaat AI does not share audio recordings, transcriptions, or SOAP notes with any third party for advertising, analytics, or commercial purposes.
13. AI-Powered Billing, Coding, and Revenue Cycle Management
Medviz uses artificial intelligence and machine learning to enhance medical billing accuracy, coding compliance, and revenue cycle performance. This includes automated CPT/ICD code suggestions, claim scrubbing, denial pattern analysis, and billing workflow optimization.
When AI tools process patient encounter data or claims information:
Processing occurs exclusively under the terms of the applicable HIPAA BAA.
AI-generated code suggestions and billing recommendations are reviewed by certified billing and coding professionals before claim submission.
No claims are submitted on a fully automated basis without human review for accuracy and compliance.
AI models are not trained on identifiable patient PHI without appropriate authorization from the covered entity.
Denial analysis and revenue cycle insights are derived from aggregated, de-identified data patterns where possible.
14. Children’s Privacy
Our website is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13 through our website. If we become aware that we have inadvertently collected such information, we will delete it promptly. Note that Medviz may process pediatric patient data (including minors under 18) as part of medical billing and care management services on behalf of healthcare practices, which is governed by applicable HIPAA and state minor health privacy laws.
15. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our services, legal requirements, or data practices. When we make material changes, we will post the updated policy on this page with a revised effective date and, where appropriate, notify affected clients directly. We encourage you to review this policy periodically. Continued use of our services after changes are posted constitutes acceptance of the updated policy.
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Medviz Systems
Website: www.medviz.ai
Email: privacy@medviz.ai
Sales: sales@medviz.ai
Phone: +1 (727) 214-2749 (Mon–Fri, 8am–5pm ET)
For HIPAA-related requests, please include “HIPAA Privacy Request” in the subject line of your email.