Privacy Policy

Effective Date: August 1, 2025

Legacy Billing Management ("we," "us," or "our") provides Medicaid billing software services, including the Legacy Time app and Legacy Verify website, which facilitate electronic visit verification (EVV) for direct service workers and clients in home and community-based services. Our services interact with state aggregators such as LaSRS to capture accurate login/logout data via geolocation and geofencing. We also offer billing services to providers and handle sensitive data, including protected health information (PHI) subject to the Health Insurance Portability and Accountability Act (HIPAA). Additionally, we may use communication tools like Zoom Phone to enable calling and texting through provided phone numbers for service-related updates, marketing campaigns, and other communications.

This Privacy Policy describes how we collect, use, disclose, and protect your information when you use our website (www.dlegacybilling.com), apps, or services (collectively, "Services"). By using our Services, you agree to the practices described here. If you do not agree, please do not use our Services.

This policy supplements our HIPAA Notice of Privacy Practices, which is provided separately to individuals whose PHI we handle. For questions about HIPAA, contact our Privacy Officer at the details below.

Information We Collect

We collect the following types of information:

Personal Information
  • From Users and Providers: Name, email, phone number, address, billing details, and account credentials when you register, subscribe, or use our Services. Phone numbers may be collected for communications, including calls and SMS/text messages via services like Zoom Phone.
  • From Direct Service Workers and Clients: Login/logout times, geolocation data (via GPS or geofencing for EVV compliance), service details, and identifiers required for Medicaid billing and verification.
  • HIPAA-Protected Health Information (PHI): Health-related data, such as client diagnoses, service records, and identifiers, obtained from providers or state systems like LaSRS.

Automatically Collected Information
  • Device and browser details (e.g., IP address, device type, operating system).
  • Usage data (e.g., pages visited, time spent, interactions with features).
  • Geolocation data for EVV purposes, collected only with consent and as required by state regulations.

Information from Third Parties
  • Data from state aggregators (e.g., LaSRS) for verification and billing.
  • Aggregated analytics from service providers (e.g., Google Analytics), without personal identifiers.

We do not collect information from children under 13 without verifiable parental consent, in compliance with the Children's Online Privacy Protection Act (COPPA).

How We Use Information

We use collected information to:

  • Provide and improve our Services, including EVV logging, geofencing, and Medicaid billing.
  • Communicate with you via calls, emails, or SMS/text messages (e.g., service updates, billing statements, or marketing campaigns) using tools like Zoom Phone. SMS messages may include promotional content, with frequency varying based on campaigns; message and data rates may apply.
  • Comply with legal requirements, such as HIPAA, state Medicaid rules, EVV mandates under the 21st Century Cures Act, and the Telephone Consumer Protection Act (TCPA) for communications.
  • Detect and prevent fraud, security issues, or misuse.
  • Analyze usage trends to enhance functionality (using de-identified data where possible).
  • Share de-identified data for research or statistical purposes, ensuring no re-identification risks.

PHI is used solely for treatment, payment, and healthcare operations as permitted by HIPAA, or with your authorization. We do not send PHI via SMS unless it complies with HIPAA and you have consented.

SMS and Call Communications

We may send SMS/text messages or make calls to the phone number you provide for purposes such as service notifications, appointment reminders, billing updates, or marketing campaigns. These communications may be delivered via Zoom Phone or similar services.

Consent: By providing your phone number and opting in, you consent to receive automated calls and SMS/text messages from us, including marketing messages. This constitutes prior express written consent under the TCPA. You are not required to provide consent as a condition of purchasing goods or services. Consent can be revoked at any time.

Opt-In Process: When opting in (e.g., via form submission or keyword), we provide clear disclosures including: program description, message frequency (varies; e.g., up to 4 messages per month for campaigns), that message and data rates may apply, how to opt out (text STOP), and links to this Privacy Policy and Terms of Service.

Opt-Out: Reply STOP, END, CANCEL, UNSUBSCRIBE, or QUIT to any SMS to opt out. We honor opt-outs promptly and cease further messages (except a confirmation). You may also opt out of calls by request. We respect the National Do Not Call Registry and maintain our own do-not-contact list.

Quiet Hours: We send SMS/calls only during permitted hours (typically 8 AM to 9 PM local time) unless urgent or with separate consent.

Costs: Message and data rates may apply; check your mobile plan.

We use confirmed opt-in (e.g., reply Y to confirm) where appropriate to verify consent.

Sharing of Information

We share information as follows:

  • With Service Providers: To vendors for hosting, analytics, payment processing, or communications (e.g., Zoom Phone for calls/SMS delivery), under strict confidentiality agreements, TCPA compliance, and HIPAA business associate agreements (BAAs) where applicable.
  • With State Aggregators and Regulators: Data required for EVV compliance (e.g., to LaSRS) or audits by Medicaid agencies.
  • For Legal Reasons: When required by law, subpoena, or to protect our rights, safety, or property.
  • In Business Transfers: If we are acquired or merge, your information may transfer to the new entity, subject to this policy.
  • With Consent: For any other purpose with your explicit permission.

We do not sell personal information. PHI is shared only as permitted by HIPAA, and we require recipients to protect it accordingly. Phone numbers are not shared for third-party marketing without consent.

Data Security

We implement administrative, technical, and physical safeguards to protect information, including:

  • Encryption for data in transit (e.g., SSL/TLS) and at rest.
  • Access controls, firewalls, and regular security audits.
  • HIPAA-compliant measures for PHI, such as risk assessments and employee training.
  • TCPA-compliant processes for SMS, including consent tracking.
  • Protection of geolocation data, which is used only for EVV purposes.

Despite these measures, no system is 100% secure. We notify affected individuals of breaches as required by law, including HIPAA's breach notification rule.

Data Retention

We retain information as long as necessary for the purposes described, or as required by law:

  • Billing and service records: At least 6 years per Medicaid requirements.
  • PHI: As specified in our HIPAA policies, typically until no longer needed for operations plus any retention periods.
  • Usage logs: Up to 2 years for analytics and security.
  • Consent records for SMS/calls: At least 4 years to demonstrate TCPA compliance.

Data is securely deleted or anonymized when no longer needed.

Your Rights

You have rights regarding your information:

  • Access and Correction: Request to view or update your personal data.
  • Deletion: Request deletion, subject to legal retention obligations.
  • Opt-Out: From marketing communications, SMS/calls (as described above), or certain data sharing.
  • HIPAA-Specific Rights: For PHI, request access, amendments, accounting of disclosures, restrictions, or confidential communications.
  • Revoke Consent: Withdraw consent for SMS/calls at any time without affecting prior lawful processing.

To exercise rights, contact us below. We respond within 30 days (or as required by law). Verification may be needed.

Cookies and Tracking

We use cookies, pixels, and similar technologies for functionality, analytics, and advertising. You can manage preferences via browser settings, but this may limit features. We do not track across third-party sites without consent.

Third-Party Links

Our Services may link to external sites (e.g., LaSRS, Zoom). We are not responsible for their privacy practices; review their policies.

International Transfers

Data is processed in the U.S. If transferred internationally, we ensure adequate protections (e.g., standard contractual clauses).

Changes to This Policy

We may update this policy. Changes are posted here with the effective date. We will notify you of significant changes via email, SMS, or prominent notice. Continued use constitutes acceptance.

Contact Us

For questions, requests, or complaints:

Email: privacy@dlegacybilling.com
Mail: 8446 Le Marie Ct, Denham Springs, LA 70706
Phone: 225-424-9233
For HIPAA matters, contact our Privacy Officer at the above email.