NXiOne · MRM

Privacy Policy

MRM — Medical Record Management — Multi-tenant, HIPAA-aligned medical-records management platform
Effective July 3, 2026 · Last updated July 3, 2026


1. Who we are

MRM — Medical Record Management ("MRM", "we", "us") is operated by NXiOne ([NXiONE LEGAL ENTITY, INC.]), [Registered business address]. This Privacy Policy explains how we handle information in connection with MRM, which is provided to covered entities, business associates, and their authorized workforce members.

2. Our role

MRM operates as a Business Associate to the covered entities and business associates that use it. Your organization is the covered entity/controller; MRM processes PHI only as permitted by the BAA and applicable law, and only to provide, support, and secure the service.

MRM is designed to support your compliance with the HIPAA Privacy, Security, and Breach Notification Rules (45 CFR Parts 160 and 164) and the HITECH Act. A Business Associate Agreement governs our handling of PHI and takes precedence over any conflicting term in these documents.

Where California patients are involved, PHI is also handled consistent with the Confidentiality of Medical Information Act (Civil Code §56 et seq.). MRM does not use or disclose PHI except as permitted by the BAA, required by law, or directed by your organization.

3. Information we process

Depending on how MRM is used, we process:

Sensitive information. MRM processes Protected Health Information (PHI) as defined by HIPAA. PHI is handled under a Business Associate Agreement (BAA) and the safeguards described in this policy and the Data & Compliance page.

4. How we use information

We do not sell personal information, and we do not use customer content to train generic AI models. Where AI features are used, the customer content you submit is processed only to produce the requested output for you.

5. When we share information

We share information only as needed to run MRM:

| Recipient | Purpose |
| --- | --- |
| Cloud hosting / infrastructure (HIPAA-eligible) | Hosts the application and databases under a signed BAA |
| Custodian | Document exchange / records retrieval integration |
| Email / SMTP provider | Transactional email (no PHI in message bodies) |

We also disclose information when required by law or legal process, to protect rights and safety, or in connection with a merger or acquisition (subject to this Policy). Each service provider is bound by contract to protect the information and use it only to perform services for us.

6. Retention

PHI is retained for the term of your BAA and then returned or destroyed as the BAA requires. Audit logs are retained for the period required by HIPAA and your policies. Backups follow a fixed, limited rotation and are then overwritten (purged) on their normal cycle; a deletion request is honored in the live systems promptly and propagates out of backups on that normal cycle.

7. Security

No method of transmission or storage is perfectly secure; we work to protect your information but cannot guarantee absolute security.

8. Your rights

Where you interact with MRM as an employee of a customer, the customer (as controller) is your first point of contact for access, correction, or deletion requests; we assist the customer in fulfilling them. Individuals with rights under laws such as the CCPA/CPRA should see the Data & Compliance page for how to exercise them.

9. International users

MRM is operated from the United States and intended for U.S.-based covered entities, business associates, and their authorized workforce members. If you access it from outside the U.S., you understand the information is processed in the U.S.

10. Changes & contact

We may update this Policy; we will change the "Last updated" date and, for material changes, provide additional notice. Questions or requests: privacy@nxione.com, or write to NXiOne at [Registered business address].