Privacy Policy

MDRXResolve LLC ("MDRXResolve," "we," "us," or "our") is a New York limited liability company that operates a private, technology-assisted mediation platform for healthcare business and employment disputes, accessible at www.mdrxresolve.com (the "Platform").

MDRXResolve acts as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations. We are not a Covered Entity and are not a law firm. Please see our HIPAA Compliance page for a full description of our HIPAA obligations.

We collect information you provide directly, information generated through your use of the Platform, and, in certain cases, Protected Health Information ("PHI") submitted in connection with a dispute.

Account Information

• Name, email address, job title, and organization name provided at registration
• Credentials (password stored as a cryptographic hash; we never store plaintext passwords)
• Multi-factor authentication tokens
• Microsoft SSO identity tokens where applicable

Dispute and Case Information

• Dispute narratives, supporting documents, exhibits, and correspondence submitted through the Platform
• Party contact information for other participants in a dispute
• Mediator-assigned case notes and communications
• Fee and payment data associated with a mediation engagement
• PHI included within dispute materials (see Section 6 below)

Usage and Technical Data

• Server log data: IP address, browser type, operating system, pages visited, timestamps
• Session and authentication event records
• Audit trail data generated by platform activity
• Aggregated website usage and traffic data via Google Analytics (GA4), as described in Sections 3 and 5

We use the information we collect to:

• Provide, operate, and improve the Platform and its features
• Measure aggregated website traffic, navigation patterns, and feature usage through Google Analytics to improve the user experience (not for targeted advertising)
• Facilitate mediation proceedings, case management, scheduling, and communications between parties
• Authenticate users and maintain account security
• Send transactional communications (dispute status updates, invitations, confirmations, and required legal notices)
• Generate audit logs and maintain records required by applicable law
• Detect, investigate, and prevent fraudulent, unauthorized, or unlawful activity
• Comply with our legal and regulatory obligations, including HIPAA
• Enforce our Terms of Service and other agreements

We do not use your information for advertising, profiling, or any purpose unrelated to providing our mediation services.

We do not sell your personal information. We do not share your information with third parties for their marketing or advertising purposes. We may share information only in the following limited circumstances:

• Service Providers. We engage subcontractors necessary to operate the Platform — including cloud hosting (Microsoft Azure), managed PostgreSQL database hosting, transactional email delivery (Resend), and website analytics (Google LLC, Google Analytics / GA4) — under contracts or applicable terms requiring them to protect your data and prohibiting use for their own advertising purposes as described in our agreements. Google Analytics processes certain technical and usage information as described in Section 5; see Google's Privacy Policy. Where PHI is involved, we require Business Associate Agreements.
• Mediators and Case Participants. Information relevant to a dispute is shared with the mediator assigned to that case and with the other parties to the dispute, limited to what is necessary for the mediation.
• Legal Process. We may disclose information when required by law, subpoena, court order, or lawful government request, or to protect the rights, property, or safety of MDRXResolve, our users, or others.
• Business Transfers. In the event of a merger, acquisition, reorganization, or sale of substantially all of our assets, user information may be transferred as part of that transaction, subject to equivalent privacy protections. We will provide notice of any such transfer.

The Platform uses strictly necessary cookies required to authenticate users and maintain secure sessions. These cookies are essential to Platform functionality and cannot be disabled while using logged-in features.

Analytics (Google Analytics 4)

We use Google Analytics 4 to collect aggregated information about how visitors use our site — for example, pages viewed, approximate location derived from IP address (which Google may shorten), browser and device type, and referring URLs. This helps us improve content and usability. Google Analytics sets cookies (such as _ga) and similar storage on your device; you can learn more in Google's cookie information and how Google uses data from sites that use its services. You can install the Google Analytics Opt-out Browser Add-on or use browser settings to block or delete cookies.

We do not use advertising cookies, social media pixels, or third-party ad networks. We do not use Google Analytics to advertise to you on other websites.

Certain dispute materials submitted through the Platform may contain PHI as defined under HIPAA (45 C.F.R. § 160.103). MDRXResolve processes PHI exclusively as a Business Associate on behalf of Covered Entity clients, and only pursuant to a fully executed Business Associate Agreement ("BAA").

PHI is used solely to provide the mediation services described in the applicable BAA and is not used for any other purpose. Our full HIPAA compliance program — including safeguards, breach notification procedures, and subcontractor obligations — is described in our HIPAA Compliance page.

We maintain a comprehensive information security program designed to protect your information against unauthorized access, disclosure, alteration, or destruction. Our safeguards include:

• AES-256-GCM encryption for all data at rest, including per-record encryption keys
• TLS 1.2 or higher for all data in transit
• Azure Key Vault for cryptographic key management with envelope encryption (Platform Master Key → Organization Key Encryption Key → per-record Data Encryption Key)
• Role-based access controls limiting data access to authorized personnel
• Multi-factor authentication (TOTP) for user accounts
• Comprehensive audit logging of all access and modification events
• Regular security risk assessments

No security measure is entirely infallible. We encourage users to maintain strong, unique passwords and to report any suspected unauthorized access immediately to onboarding@mdrxresolve.com.

We retain account information and dispute records for three (3) years following the closure of a dispute or termination of a user account, whichever occurs later. After that period, records are securely deleted or de-identified, unless a longer retention period is required by applicable law, court order, or regulatory obligation.

PHI is retained in accordance with the applicable Business Associate Agreement. Where the BAA is silent, we apply the same three-year default, consistent with HIPAA's minimum-necessary principle.

Depending on your location and the nature of the information at issue, you may have the following rights with respect to your personal information:

• Access. Request a copy of the personal information we hold about you.
• Correction. Request correction of inaccurate or incomplete information.
• Deletion. Request deletion of your personal information, subject to our legal retention obligations and the requirements of any applicable BAA.
• Restriction. Request that we restrict processing of your information in certain circumstances.
• Portability. Request a machine-readable copy of information you provided to us.

To exercise any of these rights, contact us at onboarding@mdrxresolve.com. We will respond within 45 days. Note that rights related to PHI must generally be directed to the applicable Covered Entity rather than to MDRXResolve.

MDRXResolve maintains a reasonable data security program consistent with the requirements of the New York Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act"), N.Y. Gen. Bus. Law § 899-bb. Our program includes administrative safeguards (workforce training, access management, vendor oversight), technical safeguards (encryption, MFA, intrusion detection), and physical safeguards (cloud infrastructure with restricted physical access).

In the event of a breach of private information of New York residents, we will provide notification as required by N.Y. Gen. Bus. Law § 899-aa.

The Platform is intended solely for business and professional use by adults. We do not knowingly collect personal information from individuals under the age of 18. If you believe we have inadvertently collected information from a minor, please contact us immediately and we will promptly delete it.

We may update this Privacy Policy from time to time. Material changes will be communicated by email or by a prominent notice on the Platform at least 30 days before the updated Policy takes effect. Continued use of the Platform after the effective date of a revised Policy constitutes your acceptance of the changes.

The "Effective Date" at the top of this page indicates when this version of the Policy was last updated.

For privacy questions, rights requests, or to report a potential privacy concern, please contact: