Privacy Policy

Recupera Record Retrieval Services LLC (“Recupera,” “we,” “us”) respects your privacy and is committed to protecting information we process. This Privacy Policy describes the types of information we may collect and our practices for collecting, using, maintaining, protecting, and disclosing that information in connection with our website and Services.

At a glance

  • Recupera provides record retrieval and secure delivery services for insurance carriers, TPAs, and law firms.
  • We process Protected Health Information (PHI) only to perform requested services (record retrieval, quality checks, secure delivery, invoicing/support).
  • We do not use PHI for marketing and we do not sell PHI.
  • Client users access records through an MFA-protected portal; records are delivered via encrypted portal downloads (TLS).

Questions: privacy@recuperars.com

Last updated January 2026

Table Of Contents
  1. Privacy Policy

Scope

This statement applies to Recupera Record Retrieval Services and client portal (the “Services”) and describes how we process PHI and other information when performing Services for our clients.

Our role under HIPAA

In many engagements, clients are HIPAA Covered Entities (or their agents) and Recupera acts as a Business Associate, processing PHI only as permitted by client instructions and applicable agreements (including BAAs where required).

Notice of Privacy Practices: The HIPAA Privacy Rule does not require a Business Associate to create a Notice of Privacy Practices (NPP); Covered Entities provide the NPP to individuals.

Information we process

As directed by clients, we may process:

  • Claimant/patient identifiers (e.g., name, DOB, claim/case identifiers)
  • Medical records and related clinical documentation
  • Billing records and related documentation returned by custodians
  • Authorizations and supporting documents used to request records
  • Operational metadata (provider details, date ranges, request status)

Permitted uses

We use PHI only to provide the Services requested by the client (record retrieval, quality checks, secure delivery, invoicing, and support).

  • We do not use PHI for marketing or advertising.
  • We do not sell PHI.

How we handle PHI

We process PHI only as necessary to perform the Services requested by our clients and as permitted by applicable agreements and law. Access to PHI is restricted to authorized personnel, and PHI is transmitted using secure methods intended to protect confidentiality and integrity. We do not use PHI for marketing and we do not sell PHI.

Security and compliance

Recupera maintains a written information security program with administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of information we process, including PHI where applicable.

Key elements of our program include policies and controls for access management, authentication, secure transmission and storage, monitoring and logging, workforce training, vendor risk management, and incident response.

HIPAA: When acting as a Business Associate, we process PHI only as permitted by applicable agreements and law, and we maintain safeguards consistent with our obligations as a Business Associate. HHS+1

SOC 2: Recupera undergoes SOC 2 examinations, which report on controls relevant to the AICPA Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, and/or Privacy). SOC 2 reports are available to clients upon request (typically under NDA). AICPA & CIMA+1

No method of transmission over the Internet or electronic storage is 100% secure. However, we take reasonable measures intended to reduce risk and protect information.

Retention and disposal

PHI/case artifacts: Retained through the end of the calendar year in which litigation concludes, plus 3 years (unless client instructions or legal hold require otherwise).

Logs (summary):

  • Portal audit logs: retained in-application for approximately 180 days (exported/preserved as needed)
  • Security and operational logs: retained for 7 years (subject to technical limits)
  • Physical security video: retained for ~90 days (exported/preserved if needed)

Data is securely disposed of at end of retention using methods appropriate to the system/media.

Website information

We may collect the following categories of information from website visitors and business contacts:

  • Contact and business information (such as name, company, email address, phone number, and message content) when you submit a form or contact us.
  • Website usage and device information (such as IP address, browser type, pages viewed, and approximate location derived from IP) collected automatically through standard logs and similar technologies.
  • Cookie or similar technology data (see “Cookies & analytics” below).

How we use this information

We use website and business contact information to:

  • Respond to inquiries and communicate with you
  • Provide and improve the website and its performance
  • Maintain the security and integrity of the website
  • Comply with legal obligations and enforce our terms/policies

Cookies & analytics

Our website may use cookies and similar technologies for:

  • Essential functions (for example, security and basic site functionality)
  • Analytics/performance (to understand website usage and improve the site)

You can control cookies through your browser settings. If you disable cookies, some site features may not function properly.

How we disclose website information

We may share website-related information with:

  • Service providers that help us operate our website and business (such as hosting, security, analytics, and communications tools), subject to appropriate confidentiality and security obligations
  • Legal/regulatory authorities if required to comply with law, legal process, or to protect rights, safety, and security
  • Successors in connection with a merger, acquisition, or sale of assets (to the extent permitted by law)

We do not sell personal information in the ordinary sense of the term. We do not share personal information for cross-context behavioral advertising.

Data retention (website)

We retain website inquiry submissions and related business records for as long as reasonably necessary to respond to you, maintain business records, and comply with legal obligations.

This policy applies to / does not apply to

This policy applies to information we collect through our website, client portals, communications, offline interactions, and other business interactions.

PHI and client data: Where we process PHI on behalf of clients as a HIPAA Business Associate, our use and disclosure of PHI is governed by applicable agreements (including Business Associate Agreements where required) and applicable law.

Contact

Questions about this statement or our privacy practices:

privacy@recuperars.com

If you are an individual (patient/claimant) with questions about records, please contact the organization that requested the records (your insurer, provider, TPA, or law firm). Recupera supports our clients in responding as appropriate.