1. Our role under HIPAA
MAS is a Business Associate, as defined in 45 C.F.R. § 160.103, of the Covered Entities (hospitals, health systems, physician groups, and other providers) we serve. We perform revenue cycle, accounts receivable, denial management, and attorney-driven recovery services that involve the use and disclosure of Protected Health Information (PHI) on behalf of those Covered Entities. Our obligations are governed by the HIPAA Privacy Rule, the HIPAA Security Rule, the HITECH Act, the Breach Notification Rule, and the Business Associate Agreement (BAA) executed with each client.
2. How we use and disclose PHI
MAS uses and discloses PHI only as permitted by HIPAA and the applicable BAA, including:
- To perform the revenue cycle management, billing, follow-up, denial resolution, payer escalation, recovery, and litigation-support services we are engaged to provide.
- To communicate with payers, patients, employers, attorneys, courts, and counterparties as necessary to recover legitimately owed reimbursement.
- For data aggregation services on behalf of the Covered Entity where permitted by the BAA.
- As required by law, including responses to subpoenas, court orders, regulatory inquiries, or audits.
- For our internal operations as a Business Associate where expressly permitted by HIPAA § 164.504(e)(2)(i)(B).
We do not sell PHI. We do not use PHI for marketing without the authorizations HIPAA requires.
3. Safeguards
MAS maintains administrative, technical, and physical safeguards reasonably designed to protect the confidentiality, integrity, and availability of PHI, including:
- Administrative: a designated HIPAA Privacy and Security Officer, workforce training, role-based access policies, sanctions for violations, incident response procedures, and routine risk analyses.
- Technical: NIST-aligned cybersecurity controls — access controls, audit logging, encryption of PHI in transit and at rest, multifactor authentication, vulnerability management, and segmentation of production environments.
- Physical: badge-controlled facility access, secure workstation policies, and managed handling of any physical media containing PHI.
4. Breach notification
If MAS discovers an actual or reasonably suspected breach of unsecured PHI, we will notify the affected Covered Entity without unreasonable delay and in accordance with our BAA and 45 C.F.R. Part 164 Subpart D. The Covered Entity remains responsible for any notifications to affected individuals, the U.S. Department of Health and Human Services, and the media as required by the Breach Notification Rule.
5. Subcontractors
Where MAS uses a subcontractor that creates, receives, maintains, or transmits PHI on our behalf, we obtain written assurances — in the form of a Business Associate Agreement — that the subcontractor will safeguard PHI in a manner consistent with our obligations.
6. Patient rights
Individual rights under HIPAA — including the right to access, amend, request an accounting of disclosures, request restrictions, and request confidential communications — are typically exercised through the Covered Entity (your provider). MAS will support the Covered Entity's response as required by HIPAA and the BAA. If you have questions about a particular communication you received from MAS regarding your account, please contact us using the details below.
7. Complaints
If you believe your privacy rights have been violated, you may file a complaint with the Covered Entity, with MAS at info@masrecovery.com, or with the U.S. Department of Health and Human Services, Office for Civil Rights. MAS will not retaliate against any individual for filing a good-faith complaint.
8. Changes to this notice
We may revise this notice from time to time. The effective date will be reflected at the top of the page.
9. How to contact us
HIPAA Privacy Officer
Medical Accounts Systems, Inc.
1200 Brickell Avenue, Suite 1950
Miami, FL 33131
info@masrecovery.com
(877) 759-6315
This notice is provided for general information and does not constitute legal advice. The specific terms of MAS's engagement with each Covered Entity are governed by the executed Business Associate Agreement and applicable law.