Privacy Policy

Your privacy matters. This policy explains how Prometheus RCM collects, uses, and protects your information.

Effective Date: April 23, 2026

Overview

Prometheus RCM ("we," "us," or "our") provides revenue cycle management services to healthcare practices. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you visit our website at prometheusrcm.com or engage our services.

We operate in two capacities: as a direct service to website visitors (prospective and current clients) and as a Business Associate under HIPAA for our healthcare clients. This policy covers both contexts.

Information We Collect

Information You Provide Directly

When you fill out forms on our website, request a demo, or contact us, we may collect your name, email address, phone number, practice name, specialty, current billing setup, and any details you share about your revenue cycle challenges.

Information Collected Automatically

When you visit our website, we may automatically collect device type, browser type, IP address, pages visited, time spent on pages, and referring URLs. This information helps us improve our website and understand how visitors interact with our content.

Information from Client Engagements

When you engage our revenue cycle management services, we process information necessary to perform medical coding, claims submission, denial management, and related billing functions on your behalf. This may include protected health information (PHI) as described in the section below.

How We Use Your Information

We use the information we collect to respond to your inquiries and schedule consultations or demos; provide, maintain, and improve our revenue cycle management services; send you relevant communications about our services (with your consent); analyze website usage to improve user experience; comply with legal obligations; and protect our rights and prevent fraud.

We do not sell your personal information to third parties. We do not use your information for automated decision-making that produces legal effects.

Protected Health Information (PHI)

HIPAA Business Associate

When providing revenue cycle management services, Prometheus RCM acts as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). We handle PHI strictly in accordance with our Business Associate Agreements (BAAs) with each covered entity client.

How We Handle PHI

PHI is used exclusively to perform the billing, coding, claims submission, denial management, and related revenue cycle functions specified in our BAAs. Access to PHI is restricted to authorized personnel on a need-to-know basis through role-based access controls. All PHI is encrypted at rest using AES-256-GCM authenticated encryption and in transit using TLS 1.2 or higher. Our platform maintains comprehensive audit logs recording every access to and action taken on PHI. We maintain multi-tenant data isolation ensuring complete separation of client data.

AI Processing of Clinical Data

Our SmartCoding.ai platform uses artificial intelligence to assist with medical coding by analyzing clinical documentation. AI-generated coding suggestions are always reviewed and confirmed by qualified human coders before submission. Clinical data processed by our AI systems is subject to the same HIPAA protections and BAA terms as all other PHI in our care.

Data Security

We implement technical, administrative, and physical safeguards designed to protect your information.

Encryption

AES-256-GCM at rest, TLS 1.2+ in transit for all sensitive data and credentials.

Access Controls

Role-based access with an 8-level permission hierarchy. Users access only what their role requires.

Audit Logging

Every action logged with user identity, timestamp, and before/after values. Full chain of custody.

Infrastructure

Multi-tenant isolation with global query filters ensuring complete data separation between clients.

While no method of electronic transmission or storage is 100% secure, we continuously evaluate and improve our security practices to protect your information.

Third-Party Disclosures

We may share information with the following categories of third parties, only as necessary to provide our services:

Clearinghouse partners — to submit claims and receive remittance data on behalf of our clients.

Practice management system providers — to integrate with your existing PMS through authorized API connections.

Cloud infrastructure providers — who host our platform under strict data processing agreements.

AI service providers — who power our coding assistance capabilities under agreements that prohibit use of data for model training.

We may also disclose information when required by law, court order, or governmental authority, or when necessary to protect our rights or the safety of our users.

Cookies & Analytics

Our website uses cookies and similar technologies to ensure the website functions properly, analyze traffic and usage patterns, and remember your preferences. You can control cookie settings through your browser. Disabling cookies may affect certain website functionality. We do not use cookies to track PHI.

Your Rights

Website Visitors

You may request access to the personal information we hold about you, request correction or deletion of your personal information, opt out of marketing communications at any time, and request a copy of your data in a portable format.

HIPAA Rights (Patients)

If you are a patient whose PHI we process on behalf of a covered entity, your HIPAA rights — including the right to access, amend, and receive an accounting of disclosures — are exercised through your healthcare provider. We will cooperate with our covered entity clients to fulfill these requests in accordance with HIPAA requirements.

State-Specific Rights

Residents of certain states may have additional privacy rights under applicable state laws. Please contact us to exercise any rights available to you under your state's privacy laws.

Data Retention

We retain website inquiry data for as long as necessary to respond to and follow up on your inquiry, or until you request deletion. Client engagement data and PHI are retained in accordance with our BAAs, applicable legal and regulatory requirements, and healthcare industry record retention standards. When data is no longer needed, it is securely deleted or de-identified.

Children's Privacy

Our website and services are not directed at individuals under the age of 18. We do not knowingly collect personal information from children through our website. PHI related to minors processed through our RCM services is handled under the terms of our BAAs with covered entity clients.

Policy Changes

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective Date" at the top of this page and, where appropriate, notify you via email or a prominent notice on our website. We encourage you to review this policy periodically.

Contact Us

If you have questions about this Privacy Policy, your personal information, or our HIPAA practices, please contact us:

Prometheus RCM — 10 Glenlake Pkwy NE Suite 130, Atlanta, GA 30328