1. Who we are
MRM — Medical Record Management ("MRM", "we", "us") is operated by NXiOne ([NXiONE LEGAL ENTITY, INC.]), [Registered business address]. This Privacy Policy explains how we handle information in connection with MRM, which is provided to covered entities, business associates, and their authorized workforce members.
2. Our role
MRM operates as a Business Associate to the covered entities and business associates that use it. Your organization is the covered entity (or the business associate acting on its behalf) and the controller of the data; MRM processes PHI only as permitted by the BAA and applicable law, and only to provide, support, and secure the service.
MRM is designed to support your compliance with the HIPAA Privacy, Security, and Breach Notification Rules (45 CFR Parts 160 and 164) and the HITECH Act. A Business Associate Agreement governs our handling of PHI and takes precedence over any conflicting term in this Policy.
Where California patients are involved, PHI is also handled consistent with the Confidentiality of Medical Information Act (Civil Code §56 et seq.). MRM does not use or disclose PHI except as permitted by the BAA, required by law, or directed by your organization.
3. Information we process
Depending on how MRM is used, we process:
- Account & authentication data (name, work email, role, tenant, MFA enrollment)
- Protected Health Information (PHI) your organization uploads or exchanges — including patient identifiers, medical records, and related documents
- Records-exchange metadata (requests, custodians, statuses, timestamps)
- Usage, device, and diagnostic logs
Sensitive information. MRM processes PHI as defined by HIPAA. PHI is handled under a Business Associate Agreement (BAA) and the safeguards described in this Policy and on the Data & Compliance page.
4. How we use information
- To provide, operate, secure, and support MRM;
- To authenticate users and prevent unauthorized access;
- To perform the specific processing our customer directs (e.g., managing matters/records, generating documents, and billing);
- To diagnose problems, monitor reliability, and improve the service;
- To comply with law and enforce our agreements.
We do not sell personal information, and we do not use customer content to train general-purpose AI models. Where AI features are used, the customer content you submit is processed only to produce the output you requested.
5. When we share information
We share information only as needed to run MRM:
| Recipient | Purpose |
|---|---|
| Cloud hosting / infrastructure (HIPAA-eligible) | Hosts the application and databases under a signed BAA |
| Custodian | Document exchange / records retrieval integration |
| Email / SMTP provider | Transactional email (no PHI in message bodies) |
We also disclose information when required by law or legal process, to protect rights and safety, or in connection with a merger or acquisition (subject to this Policy). Each service provider is bound by contract to protect the information and use it only to perform services for us.
6. Retention
PHI is retained for the term of your BAA and then returned or destroyed as the BAA requires. Audit logs are retained for the period required by HIPAA and by your organization's policies. Backups are kept for a fixed, limited rotation and then overwritten; a deletion request is honored in the live systems promptly and propagates out of backups as that rotation completes.
7. Security
- Encryption in transit (HTTPS/TLS) and access controls scoped by role and tenant;
- Multi-factor (TOTP) authentication for user sign-in and rate-limiting / lockout on repeated failures;
- Least-privilege access, audit logging of sensitive actions, and gated, logged downloads of records;
- Vendor due diligence and contractual data-protection terms with our service providers.
No method of transmission or storage is perfectly secure; we work to protect your information but cannot guarantee absolute security.
8. Your rights
Where you interact with MRM as an employee of a customer, the customer (as controller) is your first point of contact for access, correction, or deletion requests; we assist the customer in fulfilling them. Individuals with rights under laws such as the CCPA/CPRA should see the Data & Compliance page for how to exercise them.
9. International users
MRM is operated from the United States and is intended for U.S.-based covered entities, business associates, and their authorized workforce members. If you access it from outside the U.S., you acknowledge that your information is processed in the U.S.
10. Changes & contact
We may update this Policy; we will change the "Last updated" date and, for material changes, provide additional notice. Questions or requests: privacy@nxione.com, or write to NXiOne at [Registered business address].