Notice of Privacy Practices

This Notice of Privacy Practices ("Notice") describes how PioneerQ LLC, operating as BillRazor ("we," "us," or "our"), may use and disclose your protected health information ("PHI") and your rights regarding that information. We are required by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations to maintain the privacy of your PHI and to provide you with this Notice.

1. How We Use and Disclose Your Protected Health Information

BillRazor may use or disclose your PHI for the following purposes:

1.1 Billing Analysis and Error Detection

We use billing codes (CPT/HCPCS), amounts, dates of service, and provider information from your medical bills to identify potential billing errors such as inflated charges, duplicate charges, procedures that should be billed together, pharmacy markups, and balance billing violations. This analysis is performed using automated systems and compares your charges against publicly available benchmarks including federal pricing data, national billing rules, and drug pricing databases.

1.2 Dispute Communication

When authorized by you, we communicate with healthcare providers on your behalf to dispute identified billing errors. Communications may include dispute letters, correspondence with billing departments, and other written communications. We share only the minimum necessary information required to identify your account and support the dispute.

1.3 De-Identified Analytics

We create de-identified datasets from billing information in compliance with the HIPAA Safe Harbor method (45 CFR §164.514(b)). De-identified data has all 18 HIPAA identifiers removed and cannot be used to identify you. This data may be used for research, analytics, benchmarking, and product improvement.

1.4 As Required by Law

We may disclose your PHI when required to do so by federal, state, or local law, including in response to a court order, subpoena, or regulatory investigation.

1.5 Breach Notification

In the event of a breach of unsecured PHI, we will notify you as required by the HIPAA Breach Notification Rule (45 CFR §§164.400-414).

2. Your Rights

Under HIPAA, you have the following rights regarding your PHI:

2.1 Right to Access

You have the right to inspect and obtain a copy of your PHI maintained by BillRazor. To request access, contact us at [email protected]. We will respond within 30 days of your request.

2.2 Right to Amendment

You have the right to request that we amend your PHI if you believe it is incorrect or incomplete. We may deny the request if the information was not created by us, is not part of the records we maintain, or is accurate and complete. To request an amendment, contact us in writing at [email protected].

2.3 Right to Restriction

You have the right to request that we restrict certain uses and disclosures of your PHI. We are not required to agree to your request, but if we do, we will honor the restriction except as required by law or in an emergency.

2.4 Right to an Accounting of Disclosures

You have the right to request a list of certain disclosures we have made of your PHI. This accounting will include disclosures made in the six years prior to the request (or since March 1, 2026, whichever is shorter), except for disclosures made for treatment, payment, health care operations, or pursuant to your authorization.

2.5 Right to Receive Confidential Communications

You have the right to request that we communicate with you about your PHI in a specific way or at a specific location. For example, you may request that we contact you only by email. We will accommodate reasonable requests.

2.6 Right to a Paper Copy of This Notice

You have the right to receive a paper copy of this Notice at any time by contacting us at [email protected].

3. Our Duties

BillRazor is required to:

• Maintain the privacy and security of your PHI as required by HIPAA
• Provide you with this Notice of our legal duties and privacy practices regarding your PHI
• Notify you promptly in the event of a breach of your unsecured PHI, as required by the HIPAA Breach Notification Rule
• Follow the terms of this Notice currently in effect
• Use the minimum necessary standard when using or disclosing PHI — we access only the minimum amount of PHI needed to accomplish the intended purpose
• Ensure that all third-party service providers who may access PHI on our behalf have entered into Business Associate Agreements (BAAs) as required by HIPAA

4. Minimum Necessary Standard

BillRazor applies the HIPAA minimum necessary standard to all uses and disclosures of PHI. This means:

• When communicating with healthcare providers, we share only account identifiers, billing codes, and amounts — not clinical information
• When processing bills with our automated systems, we send billing codes and amounts but redact patient names, dates of birth, and other direct identifiers
• Access to PHI within our systems is restricted to automated processes and authorized personnel on a need-to-know basis, with all access logged in an immutable audit trail

5. Filing a Complaint

If you believe your privacy rights have been violated, you may file a complaint with BillRazor or with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). You will not be retaliated against for filing a complaint.

6. Changes to This Notice

We reserve the right to change this Notice and to make the revised Notice effective for PHI we already have about you as well as any information we receive in the future. We will post the revised Notice on our website and notify you of material changes via email.

7. Contact Information

For questions about this Notice or our privacy practices, contact our Privacy Officer: