Privacy Policy
This Privacy Policy explains how Competant Global Solutions collects, uses, protects, and manages information submitted through our website and communication channels.
1. Introduction
Competant Global Solution Pvt. Ltd. (“Company,” “we,” “us,” or “our”) provides outsourced Revenue Cycle Management (RCM), medical billing, medical coding, claims processing, accounts receivable follow-up, credentialing, and related back-office services to healthcare providers, physician groups, hospitals, clinics, and healthcare organizations (“Clients”) located primarily in the United States and other jurisdictions.
This Privacy Policy explains how we collect, use, disclose, store, and safeguard information that comes into our possession in the course of providing these services — including Protected Health Information (“PHI”) belonging to our Clients' patients, personal information of our Clients' staff, and personal information of visitors to our website and users of our service portals.
This Policy applies to: (a) Client and Patient Data processed on behalf of Clients under a signed Service Agreement and Business Associate Agreement (“BAA”); (b) Website Visitor Data collected through our corporate website and inquiry forms; and (c) Employee and Vendor Data relating to our own workforce and subcontractors.
Where this Policy conflicts with the terms of a signed BAA or Master Service Agreement between the Company and a Client, the terms of that BAA or Agreement shall govern with respect to PHI handled under that engagement.
2. Regulatory Framework We Operate Under
Because our Clients are predominantly U.S. healthcare providers, health plans, and clearinghouses (“covered entities”) and we act as a Business Associate / offshore subcontractor processing health information on their behalf, we structure our privacy and security practices around the following frameworks:
• HIPAA — the Health Insurance Portability and Accountability Act of 1996, including the Privacy Rule, Security Rule, and Breach Notification Rule, and the HITECH Act amendments;
• Business Associate Agreements (BAAs) executed individually with each Client governing the permitted uses and disclosures of PHI;
• The Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable Information Technology Act, 2000 rules governing our processing activities as a data processor / data fiduciary in India;
• State-specific U.S. privacy and breach notification laws applicable to the Client's patients, where relevant; and
• Payer and clearinghouse data-handling requirements (e.g., CMS, NCQA) incorporated into our claims-submission workflows.
Nothing in this Policy is intended to, and nothing should be construed to, reduce or limit the protections afforded under HIPAA, the DPDP Act, or any executed BAA.
3. Information We Collect
3.1 Protected Health Information (PHI) Processed on Behalf of Clients
In the course of performing billing, coding, claims submission, payment posting, denial management, and accounts receivable follow-up, we may access, receive, process, transmit, or store the following categories of PHI on behalf of our Clients:
• Patient demographic information (name, date of birth, address, phone number, email, Social Security Number where required for claims)
• Insurance and health plan information (policy numbers, group numbers, payer identifiers, eligibility data)
• Diagnosis and procedure codes (ICD, CPT, HCPCS) and clinical documentation reasonably necessary to support a claim
• Treatment dates, provider identifiers (NPI), and place-of-service information
• Claims data, remittance advice, Explanation of Benefits (EOB), and payment/adjustment history
• Prior authorization, referral, and medical necessity documentation
We access and use only the minimum necessary PHI required to perform the specific billing, coding, or RCM function assigned to us, consistent with the HIPAA Minimum Necessary Standard.
3.2 Client Organization and Staff Information
• Practice/organization details (Tax ID, NPI, billing addresses, contracted payer lists)
• Authorized staff contact details, login credentials, and role-based access permissions for our billing portal
3.3 Website and Business Contact Information
• Name, business email, phone number, and company details submitted through contact forms, demo requests, or RFPs
• Technical data such as IP address, browser type, device identifiers, and cookies collected through our website (see Section 9)
• Resume and employment information submitted by job applicants
4. How We Use Information
We use PHI and other information strictly for the purposes for which it was provided, including to:
1. Prepare, submit, and follow up on insurance claims with payers, clearinghouses, and government health programs (Medicare, Medicaid, etc.);
2. Perform medical coding, charge entry, eligibility verification, prior authorization, and credentialing services;
3. Post payments, reconcile remittances, manage denials, and pursue appeals on the Client's behalf;
4. Generate reports, dashboards, and analytics for the Client regarding claim status, denial trends, and collections performance;
5. Communicate with payers, clearinghouses, and — where authorized by the Client — with patients regarding billing inquiries;
6. Maintain audit trails, conduct quality assurance and internal compliance audits;
7. Comply with applicable law, respond to lawful requests by public authorities, and fulfil contractual obligations to the Client; and
8. Operate, secure, and improve our website, billing software, and internal systems.
We do not use PHI for marketing, sell PHI to third parties, or use PHI for any purpose outside the scope of the Services and the applicable BAA.
5. Disclosure of Information
We disclose PHI only as permitted by HIPAA, the applicable BAA, and Client instructions, including disclosures to:
• Payers and Clearinghouses — to submit and process claims and receive remittance information;
• Subcontractors and Business Associates — limited to personnel and vendors who require access to perform delegated billing functions, and only under a signed downstream BAA;
• The Client — reports, dashboards, and account-level data shared with the Client's authorized personnel;
• Regulators and Government Authorities — where required by law, court order, or a valid regulatory request (e.g., HHS Office for Civil Rights, CMS audits);
• Successors in Business — in connection with a merger, acquisition, or sale of assets, subject to equivalent confidentiality obligations.
We do not disclose PHI for marketing or advertising purposes, and we do not sell, rent, or trade PHI or personal information to any third party.
6. Data Security Safeguards
We maintain administrative, physical, and technical safeguards designed to protect PHI and personal information against unauthorized access, use, disclosure, alteration, or destruction, consistent with the HIPAA Security Rule. These include:
6.1 Administrative Safeguards
• Designated Privacy Officer and Security Officer responsible for policy oversight
• Mandatory HIPAA and data-security training for all employees at onboarding and at least annually thereafter
• Role-based, minimum-necessary access controls and periodic access reviews
• Signed confidentiality and non-disclosure agreements with every employee and subcontractor handling PHI
• Documented incident response and breach notification procedures
6.2 Technical Safeguards
• Encryption of PHI at rest and in transit (industry-standard encryption protocols)
• Secure, audited VPN and multi-factor authentication for all remote and on-site access to billing systems
• Centralized audit logging of system access, file activity, and data exports
• Firewalls, endpoint protection, and intrusion detection/prevention systems
• Disabled USB/removable media ports and restricted printing on workstations handling PHI
6.3 Physical Safeguards
• Access-controlled, monitored facilities with visitor logs and CCTV surveillance
• Clean-desk policy and locked storage for any physical documents containing PHI
• Secure, certified destruction of physical and electronic PHI when no longer required
No method of transmission or storage is 100% secure. While we use commercially reasonable and industry-standard measures, we cannot guarantee absolute security.
7. Data Retention
We retain PHI and related records only for as long as necessary to provide the Services, comply with the applicable BAA, and satisfy legal, regulatory, or contractual record-retention obligations — generally a minimum of six (6) years from creation or last use, consistent with HIPAA documentation requirements, unless a longer period is required by the Client's instructions or applicable law. Upon termination of the Service Agreement, we will return or securely destroy PHI in accordance with Section 13 of our Terms and Conditions and the applicable BAA, except where retention is required by law.
8. Patient and Data Subject Rights
Patients whose PHI we process do not have a direct contractual relationship with us; rights requests (such as access to records, amendment, or accounting of disclosures) should be directed to the healthcare provider (our Client), who is the HIPAA Covered Entity. We assist our Clients in fulfilling such requests within the timeframes required by HIPAA (generally 30 days) and applicable law. Individuals whose personal data we process as a data fiduciary/processor under the DPDP Act, 2023 may exercise applicable rights of access, correction, and grievance redress by contacting our Grievance Officer at the details in Section 12.
9. Cookies and Website Tracking
Our public website may use cookies, web beacons, and similar technologies to operate the site, remember preferences, and analyze traffic using tools such as web analytics services. You may control cookies through your browser settings; disabling cookies may affect site functionality. Our website does not knowingly collect PHI through cookies or tracking technologies.
10. International Data Transfers
As an India-based service provider supporting U.S. and international healthcare Clients, PHI and personal information may be accessed, processed, and stored in India and other locations where we or our authorized subcontractors operate, under the safeguards described in Section 6 and the cross-border data transfer terms set out in the applicable BAA and Service Agreement.
11. Children's Information
Our services and website are intended for business and healthcare professional use and are not directed at individuals under the age of 18. Any PHI relating to minor patients is handled solely in accordance with the Client's instructions and applicable law (including parental/guardian consent requirements).
12. Breach Notification
In the event we discover or reasonably believe a breach of unsecured PHI has occurred, we will notify the affected Client without unreasonable delay, and in any case within the timeframe specified in the applicable BAA (commonly within 24–72 hours of discovery), so the Client can meet its own notification obligations under the HIPAA Breach Notification Rule. We will cooperate fully with the Client's investigation, mitigation, and any required regulatory or patient notifications.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in law, regulatory guidance, or our practices. Material changes will be posted on our website with a revised “Last Updated” date, and Clients will be notified separately where changes affect obligations under an existing BAA or Service Agreement.
14. Contact Us
For questions regarding this Privacy Policy, please contact us at:
Email: info@competantgs.com
Phone: +1 732-929-7270