Thank you — this is the Alpha version of CHA health, a consumer medical bill audit tool to help make sure consumers are not overpaying for their healthcare. Please share feedback. We want to make CHA health as useful as possible.
CHA health

CHA health — Privacy Policy

Last updated:

De-identification of Anonymous Bill Audit Data

Our commitment

When you use CHA health without an account (the anonymous bill audit flow), the medical bill you upload is processed and then de-identified under the HIPAA Safe Harbor standard at 45 CFR §164.514(b)(2). De-identification means we remove the 18 categories of personal identifiers listed in that regulation (your name, address, dates of birth and service, contact information, account numbers, and 14 others), apply low-population geographic exclusions, and collapse age into age bands. What remains — billing codes, charges, audit findings, and the bill's structural patterns — is no longer your protected health information.

CHA retains this de-identified data to improve our audit system. We make the following commitments about how we handle it:

  1. We will not attempt to reidentify the data. As required by California Civil Code §1798.140(m)(1)(A)–(B), we publicly and irrevocably commit to maintain and use this information solely in de-identified form, and we will not attempt to reidentify the information.
  2. We will not sell the de-identified data. We do not sell de-identified analytics data, and we have no current plans to do so.
  3. If we ever share the de-identified data with a third party, we will (a) update this policy in advance, (b) contractually require that recipient to commit to the same non-reidentification and use-restriction terms, and (c) where applicable under the Washington My Health My Data Act (RCW 19.373), obtain a separate, affirmative consent from Washington residents at the moment of the sharing relationship beginning.
  4. We take reasonable measures to prevent reidentification. This includes the geographic and date-truncation rules in §164.514(b)(2), age-band derivation with a 90+ collapse rule, and provider-name hashing into provider-type + region categories before retention.

If you believe we have failed to meet these commitments, you can contact us at privacy@mycha.health to raise the concern, and you can complain to the California Attorney General or your state regulator. Failures to meet our §1798.140(m) commitments may result in the data being treated as personal information under CCPA, which would entitle California consumers to the full set of CCPA rights with respect to it.

Why we keep it

The de-identified data helps us measure how often specific billing errors occur, how charges vary across regions and provider types, and how well our audit system catches errors. Better data means better audits for the next person who uploads a bill. We do not use this data for advertising, profiling, or any decision that affects an individual.

How long we keep it

We retain the de-identified bill data until either (a) we determine it is no longer needed for product improvement, or (b) you exercise your right to revoke the authorization you gave when you uploaded your bill, whichever comes first. Revocation is described in the section below.

Your Rights — Anonymous Visitors

Right to revoke your authorization

When you upload a bill without an account, you give CHA a HIPAA authorization under 45 CFR §164.508. You have the right to revoke this authorization at any time, in writing. To revoke:

Revocation will result in the deletion of your de-identified bill data within 30 days. Revocation does not affect actions CHA already took based on your authorization (for example, audit results we already produced and displayed to you, or aggregate metrics we already computed before revocation). This is the standard “actions already taken” carve-out at §164.508(c)(2)(i)(B).

After 24 hours from upload, your audit link expires and the case ID from your URL is the only handle for revocation. Save your audit-results URL if you want to retain the ability to revoke.

Right to know what we have

You can ask us what de-identified records associate with your case ID. Because the data is de-identified, we cannot verify your identity beyond the case ID, so we will respond only with information that does not require us to reidentify any data.

Washington My Health My Data Act — Notice to Washington Residents

The Washington My Health My Data Act (RCW chapter 19.373) gives Washington residents additional rights over “consumer health data.” For CHA:

  1. What consumer health data we collect from you. When you use the anonymous bill audit, we collect the medical bill you upload and the insurance information printed on it. When you have a CHA account, we additionally collect information you provide during onboarding and account management. Both categories meet the RCW 19.373.010(8) definition of “consumer health data.”
  2. Why we collect it. To run the bill audit you request, to find billing errors and overcharges, and (for de-identified data only) to improve our audit system. We do not use consumer health data for advertising, profiling, or geofencing.
  3. Your consent. We obtain affirmative consent before collecting consumer health data, as required by RCW 19.373.030. The consent panel above the upload form is that consent moment for anonymous visitors; the onboarding flow is that consent moment for account holders.
  4. Sale and sharing. CHA does not sell consumer health data. As of the effective date of this policy, CHA does not share consumer health data with any third party for that third party's own purposes. If we ever begin sharing de-identified analytics with a third party, we will obtain the separate share-consent that RCW 19.373.040 requires from Washington residents before any sharing begins. The HIPAA-aligned de-identification standard we use (Safe Harbor under §164.514(b)(2)) is supplemented by the public commitments described in the “De-identification” section above, which are intended to satisfy the deidentification carve-out at RCW 19.373.010(10).
  5. Your rights as a Washington resident. You have the right to (a) confirm whether we are collecting, sharing, or selling your consumer health data, (b) access that data, (c) have it deleted, and (d) withdraw your consent (RCW 19.373.060). Email privacy@mycha.health to exercise any of these. We will respond within the timeframes required by the Act.
  6. Geofencing. CHA does not operate any geofence around any in-person healthcare facility. RCW 19.373.050.
  7. Complaints. If you believe CHA has violated the My Health My Data Act, you can complain to the Washington State Attorney General. The Act provides a private right of action through the Washington Consumer Protection Act (RCW 19.86).

Contact

Privacy questions, deletion requests, or complaints: privacy@mycha.health.