Terms of Service

Last Updated: March 31, 2025

Welcome to Medex Finance Inc. (“Medex,” “we,” or “us”). These Terms of Service (“Terms”) govern your access to and use of Medex’s website, platform, and services (collectively, the “Services”). By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by these Terms. If you do not agree with these Terms, you must not use the Services. These Terms form a legally binding agreement between Medex and you (the “User”). The User is defined as the healthcare provider or its authorized representative registering for or using the Services. If you are using the Services on behalf of an organization (such as a medical practice or hospital), you represent and warrant that you have the authority to bind that organization to these Terms, and you agree to these Terms on behalf of that organization. Please also review our Privacy Policy (below), which describes how we collect, use, and protect information, including Protected Health Information. By using our Services, you consent to the practices described in the Privacy Policy.

Eligibility and Authorized Use

Medex operates solely within the United States, and the Services are intended for use by U.S.-based healthcare providers. By using the Services, you affirm that:

Healthcare Provider Use Only: You are a licensed healthcare provider or an authorized employee/agent of a healthcare provider (collectively, “Provider”), and you are utilizing the Services for business purposes related to healthcare claim financing. You will not use the Services as a patient or for personal, household, or consumer purposes.

U.S. Operations: You (and your organization) are based in the United States. Our Services are not intended for use outside the U.S., and we do not offer them to non-U.S. users.

Legal Capacity: You are at least 18 years of age and otherwise legally competent to enter into contracts. If you are entering into these Terms on behalf of an entity, that entity is duly organized and in good standing under the laws of its jurisdiction.

Intended Purpose: You will use the Services only for their intended purpose: obtaining financing on the insured portion of medical claims. You will not submit any personal healthcare claims on your own behalf or attempt to obtain financing for claims that are not eligible or not insurance-backed.

To access the secure portions of our platform, you (the Provider or its representative) must create an account. When creating an account, you agree to provide accurate, current, and complete information as requested. You are responsible for maintaining the confidentiality of your account login credentials and for all activities that occur under your account.

Account Confidentiality: You must keep your username, password, and any other authentication factor (such as two-factor authentication codes) secure. Do not share your login credentials with anyone who is not authorized to act on behalf of your organization. Medex will never ask you for your password. If you suspect that your account has been compromised, you must notify Medex immediately.

Authorized Access Only: Only authorized personnel of the Provider may access the account and use the Services. You are responsible for ensuring that any person using your account is authorized to view and transmit Protected Health Information (PHI) on behalf of your organization and is bound by confidentiality obligations.

Proper Account Use: You agree to use your account solely for legitimate business purposes in connection with Medex’s Services. You must not use the account to attempt to gain unauthorized access to any other system or data, interfere with the Service’s normal operation, or engage in any activity that violates these Terms or applicable law.

Account Termination: You can request to deactivate or close your account at any time by contacting Medex. Medex reserves the right to suspend or terminate your account (with or without notice) if we suspect any unauthorized use, security breach, or violation of these Terms. In the event of termination, certain provisions of these Terms will continue to apply (for example, obligations concerning data confidentiality, indemnification, and limitation of liability) for any activity prior to termination.

User Obligations and Acceptable Use

As a condition of using the Services, you agree to the following obligations:

Compliance with Law & BAA: You will comply with all applicable laws and regulations, including healthcare privacy laws such as HIPAA. Before uploading or sharing any PHI with Medex, you must have a valid Business Associate Agreement (BAA) in place with Medex. Medex requires that a BAA be executed between your organization (the covered entity) and Medex (the business associate) before any exchange of PHI. By using the Services, you represent that such BAA has been duly executed. You further agree not to disclose any patient information to Medex except as permitted by HIPAA and the BAA.

Provide Accurate Information: You will submit truthful and accurate claim information when requesting financing. This includes details of insurance claims (e.g., dates of service, procedure codes, insurer information, claim amounts) necessary for Medex to evaluate and process your financing request. Do not submit false, fraudulent, or misleading information. You are responsible for updating any information that becomes outdated or incorrect.

Minimum Necessary Data: You agree to share only the minimum necessary PHI with Medex for the purposes of obtaining financing on claims. Do not upload or share personal information that is not required for claim evaluation. For example, do not include unnecessary patient identifiers such as full name, Social Security number, or contact information if Medex does not need them for its services. Medex’s systems and processes are designed to handle claim-related data without retaining extraneous personal identifiers.

Use Restrictions: You will not use the Services in any way that is unlawful, infringes on anyone’s rights, or could harm or disrupt the Services or Medex’s systems. This means you will not:

Attempt to access data or accounts that you are not authorized to access.

Transmit any viruses, malware, or harmful code via the platform.

Engage in any activity that could disable, overburden, or impair the Services (such as initiating a denial-of-service attack or other interference with the proper functioning of the platform).

Reverse engineer, decompile, or attempt to extract the source code or underlying algorithms of any software or system provided by Medex, except to the extent such actions are expressly permitted by law.

Resell, rent, or allow third parties to use the Services, or otherwise use the Services for the benefit of anyone other than your own healthcare organization without Medex’s prior written consent.

Confidentiality: You acknowledge that through the Services you may have access to sensitive information, including PHI and Medex’s proprietary information. You agree to keep such information confidential and use it only for purposes of utilizing Medex’s Services. Likewise, you will ensure that your employees or agents who access the Services are also bound to maintain the confidentiality of any PHI or sensitive data obtained through the platform.

Cooperation with Medex: You will cooperate with any reasonable security or compliance reviews that Medex may conduct. For example, you agree to provide confirmation of your compliance with these Terms and applicable laws if requested, and to promptly address any identified issues (such as removing unnecessary data or updating weak passwords) to maintain the security and integrity of the data exchange.

Medex Content: All content and materials available on the Services, including (but not limited to) text, graphics, logos, icons, software, and design elements (collectively, the “Medex Content”), are the property of Medex or its licensors and are protected by intellectual property laws. Medex reserves all rights in and to the Medex Content. You are granted a limited, revocable license to access and use the Services and Medex Content for your internal business purposes in connection with the Services. You may not copy, reproduce, modify, create derivative works of, publicly display, republish, upload, post, transmit, or distribute any Medex Content without Medex’s prior written consent, except as allowed under these Terms. Any rights not expressly granted in these Terms are reserved by Medex.

Trademarks: “Medex Finance Inc.,” “Medex,” and all associated logos and names are trademarks of Medex Finance Inc. You may not use Medex’s name or trademarks in any advertisement, publicity, or other commercial manner without our prior written consent.

User Data Ownership: Any data you upload or provide to Medex through the Services, including claim information and PHI, remains your property (or the property of the individuals to whom the PHI pertains). Medex does not claim ownership rights in such data. However, by submitting or uploading data to the Services, you grant Medex a limited license and right to use, process, and transmit that data as necessary to provide the Services, fulfill our obligations under these Terms and any applicable BAA, and to comply with applicable law. This license to use your data for service provision is non-exclusive, worldwide, royalty-free, and sublicensable solely to the extent necessary for Medex’s service providers (business associates) to assist in operating the Services (and any such providers are subject to the same privacy and security commitments outlined in these Terms and in our Privacy Policy).

Feedback: If you provide Medex with any suggestions, ideas, enhancement requests, or other feedback about the Services (“Feedback”), you acknowledge that such Feedback is given voluntarily and without any obligation of confidentiality. You agree that Medex is free to use, disclose, and incorporate any Feedback into our products and services, without any obligation to you. You are not entitled to any compensation or attribution for any Feedback you provide.

Protected Health Information and Privacy

Because Medex’s Services involve the handling of sensitive health-related data, we take privacy and security very seriously. We handle all PHI in accordance with our Privacy Policy and our obligations as a Business Associate under HIPAA. Key points include:

Privacy Policy: Our collection and use of information, including PHI, is described in our Privacy Policy (see below). By agreeing to these Terms, you also agree to the terms of the Privacy Policy. We do not collect or use any personally identifiable information (PII) beyond what is needed for processing insured claims. Specifically, Medex does not collect patient PII beyond the PHI necessary for claim evaluation and financing.

HIPAA & FERPA Compliance: Medex complies with the Health Insurance Portability and Accountability Act (HIPAA) and, to the extent applicable, the Family Educational Rights and Privacy Act (FERPA). Any PHI you provide will be used and protected in accordance with HIPAA’s requirements for Business Associates. If any information we handle is considered an education record under FERPA (for instance, if we work with a provider that is part of an educational institution), we will protect that information in compliance with FERPA as well. We implement administrative, physical, and technical safeguards required by these laws to protect sensitive information.

Business Associate Agreements: As noted above, a BAA between your organization and Medex is required before PHI is exchanged. The BAA outlines each party’s responsibilities for protecting PHI. In the event of any conflict between these Terms and the BAA with respect to PHI handling, the terms of the BAA will govern for those privacy and security obligations.

No Third-Party Disclosures: Medex will not disclose your data or any PHI you provide to any third party, except as necessary to provide the Services or as required by law. We do not sell or share your data with advertisers or unrelated parties. Any third-party contractors or service providers that assist us (for example, secure cloud hosting or email delivery services) are also bound by confidentiality and, where applicable, have signed BAAs to ensure PHI remains protected.

Security Measures: Medex follows industry-standard security practices to protect the data on our platform. All data is transmitted over secure, encrypted channels, and stored using encryption at rest. Access to systems is restricted and monitored. (More details on our security practices are outlined in the Privacy Policy below.) However, no system can be guaranteed 100% secure. In the unlikely event of a security incident or data breach involving PHI, Medex will comply with HIPAA’s breach notification rules and promptly inform your organization (and any affected individuals or authorities as required by law). You are also responsible for notifying Medex immediately if you become aware of any breach or unauthorized access to PHI related to our Services.

Disclaimer of Warranties

Use at Your Own Risk: Medex strives to provide a reliable and secure service, but your use of the Services is at your own risk. The Services (including the website, platform, and all content and functionality provided) are provided on an “AS IS” and “AS AVAILABLE” basis, without any warranty of any kind, either express or implied (including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, and non-infringement). To the fullest extent permitted by law, Medex disclaims all warranties, express or implied, including but not limited to:

Accuracy and Reliability: We do not guarantee that the information or content provided through the Services (such as claim evaluations, financing decisions, or any other outputs) is accurate, complete, or up-to-date. While we make efforts to verify data and maintain accuracy, errors or delays in information can occur.

Fitness for Particular Purpose: We make no warranty that the Services will meet your specific requirements or expectations, or that financing will be available for every claim. Decisions on financing requests are subject to Medex’s internal review and underwriting criteria. Nothing on our website or platform constitutes a promise of funding; each request is evaluated individually on its merits.

Uninterrupted or Error-Free Service: We do not warrant that the Services will be uninterrupted, timely, secure, or error-free, or that defects will be corrected. While we strive for high availability, maintenance, updates, or unforeseen technical issues may occasionally result in service interruptions. We will attempt to give advance notice of any scheduled downtime, but we are not liable for any unavailability of the Services.

Non-Infringement: We do not warrant that our Services or any content provided will be free from claims of infringement of third-party rights (such as intellectual property rights). Although we have no reason to believe there are any such issues, we make no guarantees in this regard.

Any advice, guidance, or information (for example, financial estimates or claim status updates) obtained from Medex or through the Services, whether oral or written, is for informational purposes only. It does not constitute any warranty or guarantee by Medex. Medex is not providing legal, financial, or medical advice through the Services, and you should consult appropriate professionals for advice specific to your situation.

To the maximum extent permitted by law, under no circumstances will Medex or its affiliates, officers, directors, employees, or agents be liable to you or any third party for any indirect, incidental, consequential, special, exemplary, or punitive damages arising out of or related to your use of (or inability to use) the Services, or from any errors or omissions in the Services. This limitation applies whether the claim is based on warranty, contract, tort (including negligence), strict liability, or any other legal theory, and even if Medex has been advised of the possibility of such damages. This includes, but is not limited to, damages for lost profits or revenues, business interruption, loss of goodwill, loss of data, or unauthorized access to or alteration of your data. In addition, to the fullest extent allowed by law, Medex’s total cumulative liability to you for any claims arising out of or relating to the Services or these Terms shall not exceed the amount (if any) that you paid to Medex for use of the Services in the twelve (12) months immediately prior to the event giving rise to such liability, or $100, whichever is greater. If applicable law does not allow the exclusion or limitation of certain damages, some of the above exclusions or limitations may not apply to you – however, in such cases, Medex’s liability will be limited to the fullest extent permitted by law. You acknowledge that Medex has agreed to provide the Services and set the applicable fees (if any) in reliance on the warranty disclaimers and liability limitations above. These terms reflect an agreed-upon allocation of risk between you and Medex and form an essential basis of the bargain between the parties.

Indemnification

You agree to indemnify, defend, and hold harmless Medex Finance Inc., its affiliates, and each of their respective officers, directors, employees, and agents (collectively, the “Indemnified Parties”) from and against any and all claims, liabilities, damages, losses, and expenses (including reasonable attorneys’ fees) that arise out of or relate to:

Violation of Terms or Law: Your violation of these Terms or any applicable law or regulation (including, without limitation, any healthcare privacy law).

Misuse of Services: Your misuse of the Services or any data obtained through the Services.

Improper Data Sharing: Your provision of information (including PHI) to Medex in violation of any third party’s rights or any law – for example, if you did not have the legal right or necessary consent to share certain patient data with Medex.

Breach of Obligations: Any breach of your representations, warranties, or obligations under these Terms (including but not limited to your obligations to execute a BAA and comply with HIPAA when providing PHI).

Negligence or Misconduct: Any gross negligence or willful misconduct by you or your personnel in connection with use of the Services.

Medex reserves the right, at your expense, to assume the exclusive defense and control of any matter subject to indemnification by you (in which case, you agree to cooperate with Medex in defending such matter). You agree not to settle any such matter without the prior written consent of Medex. This indemnification obligation will survive any termination of your account or your use of the Services, and it will remain in effect after the termination or expiration of these Terms.

These Terms, and any dispute arising out of or related to these Terms or the Services, will be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of law principles. (The United Nations Convention on Contracts for the International Sale of Goods (CISG) does not apply.) You agree that any legal action or proceeding arising under or relating to the Services or these Terms shall be brought exclusively in the federal or state courts located in the State of Delaware. You expressly consent to the personal jurisdiction and venue of such courts, and you waive any objections to jurisdiction or venue in those courts, including any claim that a Delaware forum is inconvenient.

You acknowledge that Medex is providing a financial service (claim financing) and is not rendering medical services or health insurance. Nothing in these Terms or on our website is intended to create a doctor–patient relationship, or to serve as a guarantee that any particular claim will be paid by an insurer. Medex’s role is strictly as a financing partner to healthcare providers based on insurance claims. Medex is an independent contractor. No joint venture, partnership, employment, or agency relationship is created between you (or your organization) and Medex as a result of these Terms or your use of the Services. Neither party has the authority to bind the other to any third party, and neither party will represent to any third party that it has such authority. It is your responsibility as a Provider to ensure that participating in Medex’s financing program is permissible under your agreements with insurance payers and under applicable laws or regulations governing your practice. Medex disclaims any liability or responsibility for your compliance with such third-party requirements. You should review your contracts with insurers or other third parties if you have any doubts about using a claim financing service.

Medex may update or modify these Terms from time to time. If we make material changes, we will provide notice to users (for example, by sending an email to the contact address associated with your account or by posting a prominent notice on our website). The revised Terms will be indicated by an updated “Last Updated” date at the top. Your continued use of the Services after any updated Terms become effective constitutes your acceptance of the revised Terms. If you do not agree to the changes, you must stop using the Services and, if applicable, contact us to deactivate your account.

Entire Agreement: These Terms (including any documents incorporated by reference, such as our Privacy Policy and any BAA executed between you and Medex) constitute the entire agreement between you and Medex regarding the Services and supersede all prior or contemporaneous agreements, understandings, or communications (whether written or oral) relating to the subject matter hereof. In the event of a conflict between these Terms and a BAA solely regarding the handling of PHI, the terms of the BAA will control with respect to PHI matters.

Severability: If any provision of these Terms is held to be invalid or unenforceable by a court of competent jurisdiction, that provision will be enforced to the maximum extent permissible, and the remaining provisions of these Terms will remain in full force and effect.

No Waiver: Medex’s failure to enforce any right or provision of these Terms will not be deemed a waiver of that right or provision. A waiver is only effective if in writing and signed by an authorized representative of Medex.

Assignment: You may not assign or transfer any of your rights or obligations under these Terms without the prior written consent of Medex. Any attempted assignment without such consent will be null and void. Medex may assign or transfer its rights and obligations under these Terms to an affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets, and you hereby consent to such assignment. These Terms shall be binding upon and inure to the benefit of the parties and their respective permitted successors and assigns.

No Third-Party Beneficiaries: These Terms are intended for the sole benefit of you and Medex. Except as expressly provided herein (for example, the Indemnified Parties under the Indemnification section are third-party beneficiaries of that provision), nothing in these Terms is intended to confer any rights or remedies on any third party.

If you have any questions about these Terms or need to provide any notices under these Terms, please contact Medex Finance Inc. at [email protected] or through the contact form on our website.

Medex Finance Inc. - Privacy Policy

Last Updated: March 31, 2025

Medex Finance Inc. (“Medex,” “we,” or “us”) is committed to protecting the privacy and security of information entrusted to us. This Privacy Policy explains what information we collect through our website and Services, how we use and protect that information, and the rights and choices you have. This policy applies to information collected from healthcare providers (and their authorized representatives) who use our Services. Medex operates in the United States and complies with U.S. privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA), where applicable.

Scope: Medex provides upfront financing to healthcare providers based on the insured portion of medical claims. In doing so, Medex may receive and process Protected Health Information (PHI). We do not offer services to patients or the general public, and we do not collect personal information directly from patients for any consumer or marketing purposes. Any PHI we handle is provided by healthcare providers for the sole purpose of evaluating and financing insurance claims. We do not collect any personally identifiable information (PII) about individuals except for PHI that is necessary to perform our Services (and such PHI is handled in compliance with HIPAA). Medex does not retain patient identifiers longer than needed, and whenever possible, we work with de-identified data or limited data sets. By using Medex’s Services or interacting with our website, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our practices, please do not use our Services.

Information We Collect

We limit our collection of information to what is necessary to provide our financing Services effectively and in compliance with the law. The types of information we may collect include:

Provider Account Information: When a healthcare provider organization creates an account on our platform, we collect business contact information such as the name, title, and work email address of the authorized representative, as well as the name and address of the practice or facility. This information is used for account setup, authentication, and communication. (Note: We treat this as business contact information, not personal consumer data. We do not collect sensitive personal identifiers like personal addresses or social security numbers of provider representatives.)

Claim Details (PHI): In order to evaluate and finance insurance claims, we collect certain details about medical claims from the provider. This may include information such as:

Claim identifiers: Internal claim numbers or billing identifiers (which may be linked to a patient record within the provider’s system).

Payer information: The insurance company or payer responsible for the claim.

Insurance coverage details: The insured portion of the claim (the amount expected to be paid by insurance), dates of service, procedure codes (e.g., CPT or ICD codes), and descriptions of services rendered.

Patient information (limited): Medex does not require full patient personal details to provide financing. However, some claim information we receive may inherently include or be linked to patient data (which is PHI). For example, a claim record may include an internal patient ID, patient age or DOB, or general demographic information necessary for claim processing. We do not ask for or collect patient names, addresses, Social Security numbers, credit card numbers, or other unnecessary personal details for our financing process. Providers should share only the minimum necessary PHI with Medex for claim evaluation, and whenever possible, use de-identified data or codes in place of direct identifiers.

Financial Transaction Information: If we approve and finance a claim, we will generate and maintain records of the financing transaction. This includes the amount advanced, the terms of advance and repayment, payment tracking information, and correspondence or notes related to the transaction. This information is considered business/account information related to our services for you, and is used for contract performance and record-keeping.

Automatically Collected Data: When you use our website or platform, we may automatically collect certain technical information to help us secure and improve our Services. This can include:

Device and Log Information: IP address, browser type, operating system, referring URLs, pages viewed, and the dates/times of access.

Cookies and Session Data: We use cookies or similar technologies for session management (e.g., keeping you logged in) and to remember your preferences. These cookies are strictly functional and security-related; we do not use cookies for advertising or track your activity across other sites.

Audit Logs: For compliance purposes, we maintain logs of user actions on the platform (e.g., logins, data uploads, and view/access events, especially concerning PHI). These logs help us monitor for unauthorized access and demonstrate compliance with HIPAA security rules.

Importantly, we do not knowingly collect any information directly from patients or consumers, and our Services are not directed to personal use by individual patients. All data we handle is in a business context with healthcare provider organizations.

How We Use Information

Medex uses the information we collect strictly to provide and improve our Services to healthcare providers. Specifically:

Providing Financing Services: We use claim details (PHI) to evaluate eligibility for financing, determine advance amounts, and process funding and repayment. This involves reviewing the insurance coverage and status of claims. PHI is used internally by Medex’s underwriting and operations team to make financing decisions and to manage the advance/repayment lifecycle. For example, we may analyze the likelihood of claim payment or denial based on the information provided, and we use claim data to follow up on repayments.

Service Operations and Communication: Provider account information and user credentials are used to authenticate users and maintain your account. We use your contact information (such as work email and phone number) to send you service-related communications. These communications include: account confirmations, notifications about the status of your financing requests (e.g., approvals or additional information needed), updates about the platform or Services, and customer support responses. We may also send alerts for security purposes, such as notifying you of new device logins or password changes.

Customer Support: If you contact us with questions or for assistance, we will use the information you provide (which may include PHI or account info) to help resolve your issue. We may ask for additional information as needed to troubleshoot problems and will only use such information for that support purpose.

Improvement of Services: We may analyze usage patterns or aggregated claim data (in de-identified form whenever feasible) to improve our algorithms, underwriting criteria, and platform functionality. For instance, understanding common characteristics of claims that successfully get paid by insurers can help us refine our financing criteria. Any such analysis is done without identifying individual patients, and primarily focuses on operational metrics (e.g., average time to claim payout, default rates by claim type, etc.).

Compliance and Legal Obligations: We use the information as needed to comply with applicable laws and regulations. This includes maintaining records required by financial regulators or auditors, generating reports needed for HIPAA compliance (such as access logs for PHI), and ensuring that we adhere to agreements like BAAs. If we are required by law to report certain information (for example, to respond to a subpoena or a government inquiry), we will only do so after verifying the request’s validity and to the extent necessary.

Security and Fraud Prevention: Information such as IP addresses, device information, and audit logs is used to protect our Services and your account. For example, we may detect unusual account access patterns and notify you or temporarily lock access until verified. We also use technical data to prevent fraudulent use of our platform or financing services.

We do not use the information we collect for any purpose unrelated to providing our Services. In particular, we do not use any PHI for marketing or advertising, and we do not sell your information to data brokers or advertisers.

How We Protect Your Information

Security is a top priority at Medex. We implement a range of administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of the information (especially PHI) entrusted to us:

Secure Infrastructure: All PHI and sensitive data are stored on secure servers located in the United States. Our systems are hosted in HIPAA-compliant data centers with robust physical security controls. These facilities implement measures such as 24/7 monitoring, biometric access controls, and redundant power and network systems to ensure high availability.

Encryption: We use strong encryption protocols to protect data both in transit and at rest. PHI transmitted between your systems and our platform is encrypted using industry-standard TLS (SSL) encryption. Any PHI stored in our databases or backups is encrypted at rest. This means that even if someone were to gain unauthorized access to the stored data, it would be unreadable without the proper decryption keys.

Access Controls: We restrict access to PHI and sensitive information to authorized personnel who have a legitimate need to know in order to perform their job duties. Each Medex staff member with such access undergoes HIPAA training and is bound by strict confidentiality obligations. Access to systems that contain PHI is controlled through individual user accounts with strong passwords and, where feasible, multi-factor authentication. We also employ role-based access control, ensuring that each user (whether Medex staff or provider user) can only access the minimum necessary data and functions.

Monitoring and Auditing: Medex employs continuous monitoring of its systems for security events. We maintain detailed audit logs that record access to PHI and critical actions taken on our platform. These logs are regularly reviewed for any unusual or unauthorized activities. We also periodically conduct security risk assessments and penetration testing (either internally or with third-party experts) to identify and address potential vulnerabilities in our infrastructure.

Business Associate Agreements with Vendors: If we utilize any third-party services or vendors that might come into contact with PHI (for example, a cloud hosting provider or an email service for sending encrypted messages), we ensure that appropriate Business Associate Agreements are in place. These agreements contractually require the vendor to protect PHI to the same standards we uphold and to use the information only for the purposes we specify. We carefully select vendors known for strong security practices, and we continuously monitor their compliance where appropriate.

Employee Training and Policies: All Medex employees and contractors who handle sensitive data receive training on privacy and security, including HIPAA requirements. We have internal policies governing how PHI is handled (for instance, prohibiting PHI from being downloaded to unsecured devices or transmitted via unencrypted channels). We also enforce policies like automatic screen locks, device encryption for company laptops, and secure email practices to prevent accidental disclosures.

Data Retention and Disposal: We retain PHI only for as long as is necessary to fulfill the purposes for which it was collected or as required by law or contract. In practice, this means we keep claim data for at least the duration of the financing arrangement and any subsequent period required for legal, regulatory, or audit purposes. When PHI is no longer needed, we dispose of it in a secure manner. Electronic PHI is securely deleted or wiped from storage media, and any physical documents (if ever printed) are shredded or incinerated, in compliance with HIPAA’s disposal standards.

Breach Response: In the event of a security breach that affects PHI, Medex has a breach response plan in place. This plan includes investigation of the incident, containment and remediation of the security issue, and compliance with HIPAA’s Breach Notification Rule. We will notify affected provider clients without unreasonable delay (and no later than required by law) after discovering a breach. We will also provide information about the breach as required (such as the type of information involved and steps individuals should take to protect themselves, if applicable), and we will report to the Department of Health and Human Services (and, if necessary, the media) as required by HIPAA based on the scope of the breach.

While we take extensive measures to protect your information, it is also important that you play a role in security. Please keep your account credentials secure and notify us immediately of any unauthorized use of your account or any other suspected security incident.

Sharing of Information

Medex does not sell, rent, or trade your information to third parties for marketing or any other commercial purpose. We only share information in the limited ways described below, all of which are related to providing and supporting our Services, or as required by law:

Within Your Organization: Information and data you submit may be shared with the authorized users within your own organization. For example, if multiple staff members from your clinic have accounts to use Medex, the claim and financing information on our platform will be visible to all authorized users from your organization. This is controlled by your account settings and user management within the platform.

With Service Providers (Business Associates): We may share information with trusted third-party service providers who perform functions necessary for our operations, and only for those purposes. Examples include secure cloud hosting providers, data backup services, email/SMS gateways for sending authentication codes or notifications, and analytics tools to monitor system performance. Whenever PHI is involved, we only use service providers that are capable of complying with HIPAA, and we execute a Business Associate Agreement (BAA) with each such provider. These providers are not allowed to use your information for any purpose other than to provide services to Medex, and they are required to protect the confidentiality and security of the information.

Legal Compliance: We may disclose information (including PHI) to third parties if required to do so by law, or if we believe in good faith that such action is necessary to: (a) comply with a legal obligation (for example, a court order, subpoena, or search warrant); (b) protect and defend the rights, property, or safety of Medex, our clients, or others; or (c) investigate or assist in preventing any violation of law or these Terms, including suspected fraud. If we receive a request to disclose information (like a subpoena) that includes PHI, we will make efforts to let the affected Provider know (so that the Provider or patient can seek legal protection for the information) unless we are legally prohibited from doing so.

Corporate Transactions: If Medex is ever involved in a merger, acquisition, sale of assets, bankruptcy, or reorganization, your information (which would be considered an asset of the company) may be transferred to the successor entity or purchaser. If such a transfer occurs, we will ensure that the new entity is bound to the same commitments for privacy and security of your data as outlined in this Privacy Policy. We will also provide notice to you before any personal information or PHI becomes subject to a different privacy policy or practices. You would have the opportunity to discontinue using the Services or request deletion of your data if you do not agree with the new handling of your information.

With Your Consent: Aside from the scenarios above, if we ever need to share your information for any other purpose, we will do so only with your explicit consent. For example, if a scenario arose where sharing data with a third party could benefit your organization (perhaps a new integrated service you choose to opt in to), we would not proceed without obtaining your permission and, if needed, an appropriate BAA in place.

In summary, outside of your organization and necessary service providers, no PHI or sensitive information is shared with any third party. Internally, access to your information is restricted as described in the security section. All disclosures of PHI are tracked and, upon request, we can provide an accounting of disclosures as required by HIPAA.

User Rights and Access

We believe in transparency and in providing users with control over their information. As a healthcare provider using Medex’s Services, you (and, indirectly, the patients whose PHI we process on your behalf) have certain rights regarding the information we hold:

Access and Correction (Providers): You have the ability to access and review the information associated with your account at any time by logging into the platform. This includes your account profile details and any claim data you have submitted. If any of your account information (such as your contact email or business address) is inaccurate or outdated, you can update it through the account settings or by contacting us for assistance. For any other information that you cannot correct yourself, you may send us a request to correct or update the data, and we will work with you to make the necessary changes promptly.

Access and Rights for Individuals (Patients): Because Medex is acting as a Business Associate to healthcare providers, any patient whose PHI is processed by Medex maintains their rights under HIPAA (and potentially FERPA, if applicable) through their healthcare provider. This means:

If a patient seeks access to, or requests an amendment of, their health records related to a claim financed through Medex, they should direct that request to the healthcare provider (the covered entity). Medex will assist the provider as needed in fulfilling such a request, as required by our BAA and HIPAA regulations.

If a patient requests an accounting of disclosures of their PHI that includes disclosures made to or by Medex, we will provide the necessary information to the provider to fulfill that accounting request. (For example, if we disclosed PHI due to a legal requirement, that would be documented and shared with the provider for the accounting.)

For education records subject to FERPA (e.g., a student’s treatment records at a university health clinic that are considered education records), a student (or their parent, depending on the situation) who wishes to access or correct those records should contact the educational institution. If Medex holds any such information, we will coordinate with the institution to ensure FERPA rights are respected in responding to the request.

Data Portability: You may request that we provide you with a copy of certain information in your account in a readily usable format. For example, you could request an export of the claims data or transaction history associated with your account. We will provide this data in a secure manner (often through the platform or via a secure file transfer) and in a standard format (such as CSV or PDF reports) as applicable. Note that PHI will only be transmitted in a secure, HIPAA-compliant method.

Account Deletion: If your organization ceases to use Medex’s Services or if you wish to have your account removed, you can request account deletion. Upon such request, we will deactivate your account and prevent any further login. We can also delete or return the data associated with your account, subject to the following: We may need to retain certain information for a period of time to comply with legal obligations, resolve disputes, or enforce agreements. For instance, transaction records might be kept for financial auditing, and PHI might be retained for the duration required by healthcare regulations or our BAA (e.g., documentation of disclosures for 6 years under HIPAA’s record retention requirements). Any PHI that is no longer needed and is not legally required to be retained will be securely purged from our systems. We will confirm with you once we have completed the deletion process.

Opt-Out of Communications: We may send service-related communications (such as important updates about the platform, changes in terms, or security notifications). You cannot opt out of these essential communications as they are integral to the Service. However, if we send any non-essential communications (for example, an optional newsletter or information about new features), you will be given a clear option to opt out or unsubscribe from those messages.

Complaints or Questions: If you have any concerns or questions about how we handle your information, or if you believe that your privacy rights (or those of a patient) have been violated, please contact us using the information provided in the Contact section below. We will investigate and address your concerns. Additionally, as a Business Associate, we will cooperate with our provider clients to address any privacy or security concerns that arise. If you are a patient and have concerns about your PHI in relation to Medex’s services, you can also contact your healthcare provider (who can work with us under the BAA to resolve the issue) or file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, for HIPAA-related concerns. For FERPA-related concerns, a complaint can be filed with the U.S. Department of Education. We encourage addressing issues directly with us or the provider first, as we are committed to resolving any problems in good faith.

Please note that for security reasons, when you make a request regarding your data, we may need to verify your identity and authority (especially if the request involves PHI or sensitive data) before fulfilling the request. This is to ensure that we do not disclose information to an unauthorized person.

HIPAA and FERPA Compliance

HIPAA Compliance: Medex operates as a Business Associate to covered entities (healthcare providers) and maintains policies and procedures to comply with the HIPAA Privacy Rule and Security Rule. All staff with access to PHI are trained on HIPAA requirements and our own privacy/security policies. We implement all required safeguards (administrative, physical, and technical) as described above, and we sign a BAA with each provider client (and with our own subcontractors as needed) to formalize our obligations. We also conduct periodic risk assessments and audits to ensure ongoing compliance. In the event of any breach of PHI, we follow HIPAA’s breach notification requirements as detailed in this Policy and our agreements.

FERPA Compliance: If any data we handle is subject to FERPA (for example, health records at an educational institution that qualify as “education records”), we will protect that information in compliance with FERPA. We recognize that students (or their parents, if applicable) have rights to access and seek amendment of their education records under FERPA. We will cooperate with any educational institution clients to uphold those rights. Typically, health records maintained by an educational institution (like a school nurse or campus health clinic) are governed by FERPA rather than HIPAA; in such cases, HIPAA would not apply to those records. Medex ensures compliance with whichever law is applicable to the data we receive. We treat such information with no less care than PHI, even if technically FERPA applies instead of HIPAA.

Notice of Privacy Practices: Because Medex is not a healthcare provider or health plan directly providing services to patients, we do not issue a HIPAA Notice of Privacy Practices (NPP) to patients. Instead, we operate under the provider’s own privacy notices and policies via our BAA. Providers utilizing Medex’s services may choose to inform patients (in their own NPP or other communications) that the provider may use external financing services for claims (which is considered part of “payment” operations under HIPAA). This is generally covered under the treatment, payment, and healthcare operations allowances in HIPAA, meaning patient authorization is not required for the provider to share PHI with Medex for these purposes. Nonetheless, Medex remains fully accountable under HIPAA for protecting the PHI it receives.

In summary, Medex is fully committed to maintaining the privacy and security of health and education-related information. We regularly review and update our compliance measures as laws or regulations evolve (for instance, if HIPAA or FERPA rules are updated, or if new state privacy laws become applicable to our operations).

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. When we update the Policy, we will change the “Last Updated” date at the top of this page. For any material changes, we will provide prominent notice to our clients (e.g., via email or through a notification on our website or platform) prior to the change becoming effective. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. If you continue to use the Services after updates to this Policy take effect, you will be deemed to have accepted the revised Policy. If you do not agree to any updated Privacy Policy, you should stop using the Services and may request that we delete or return your collected information (as described above in User Rights and Access).

Medex Finance Inc.

356 Saint Johns Pl Apt 1A, Brooklyn, NY 11238

Phone: [Contact Phone Number]