Version v1.0
Effective May 4, 2026
Athena Core Technologies, Inc. | Effective Date: May 4, 2026 | Last Updated: May 4, 2026
HIPAA Notice: Noesis Health is designed for use by healthcare providers and insurance organizations. Where Noesis Health processes Protected Health Information ("PHI") on behalf of a HIPAA covered entity, we operate as a Business Associate. PHI is encrypted at rest using AES-256-GCM and in transit using TLS 1.2 or higher.
Noesis Health is powered by Athena Core Technologies, Inc. ("Athena Core"), a Delaware-incorporated company. Noesis Health is a healthcare revenue-cycle-management ("RCM") and claims-workflow platform serving healthcare providers and payer organizations. We support claims submission, eligibility verification, prior authorization, and reimbursement workflows.
Contact: support@noesiscfo-io.us
Provider or staff name, professional role, and organization; email address and password (passwords are hashed using bcrypt; never stored in plaintext); National Provider Identifier (NPI), where applicable; billing information for subscription management (processed by Stripe; we do not store full card numbers).
When you use Noesis Health to process claims, eligibility checks, or prior authorizations on behalf of a covered entity, we process PHI on your direction, including: patient names, dates of birth, and member identifiers (encrypted at rest with AES-256-GCM); insurance and payer information; diagnosis codes (ICD-10-CM) and procedure codes (CPT/HCPCS); prior authorization requests and clinical notes you supply; claims data, explanations of benefits ("EOBs"), and remittance information; audit metadata required by HIPAA (who accessed which record, and when). PHI is processed solely to deliver the contracted services. PHI is NOT sold, rented, used for advertising, or used to train general-purpose machine-learning models.
IP address, device type, operating system, and app version; session timestamps and feature usage (used to maintain session security and improve the platform); audit log of API requests and PHI access events, retained 7 years per HIPAA; crash reports and diagnostic data (where enabled).
To deliver claims processing, eligibility verification, and prior-authorization services you request; to authenticate you and enforce role-based access; to generate denial-prevention analyses and reimbursement estimates derived from CMS-published reference data; to meet HIPAA audit, retention, and integrity-control requirements; to send service notifications, billing communications, and breach notifications where required; to improve platform reliability, performance, and security. We do not use PHI or personal information for behavioral advertising or for any purpose outside the scope of services agreed in your subscription terms and applicable Business Associate Agreement.
Important Disclaimer: Noesis Health is a workflow and administrative tool. It does not provide medical, legal, tax, or insurance advice. Reimbursement estimates are reference values based on published payer and CMS data and are not guarantees of payment. Coverage, authorization, and payment determinations are made exclusively by the applicable payer, provider, or administrator. No output from this platform should be construed as a clinical recommendation.
We do not sell personal information or PHI. Sharing is limited to the following.
Payers and EDI clearinghouses (e.g., Office Ally, Change Healthcare, Availity, Waystar): claim data is transmitted to the clearinghouse and to insurance payers as directed by your organization in the normal course of claims processing.
EHR / FHIR integrations (e.g., Epic, Athenahealth, Cerner): when you authorize an EHR connection, data is exchanged under the FHIR partner program of the respective EHR vendor.
Service providers (data processors): we use AWS for hosting, a managed PostgreSQL host for storage, a managed Redis host for session/cache infrastructure, SendGrid for transactional email, and Stripe for payment processing. Each is bound by a written agreement and, where they may receive PHI, by a Business Associate Agreement. Stripe receives only the billing email address and plan tier. Stripe does not receive PHI.
Government and regulators: where required by law, court order, regulatory directive, or the HIPAA Breach Notification Rule.
We maintain a current BAA inventory available to covered-entity customers on request.
PHI and audit logs: retained 7 years from the most recent access date, consistent with HIPAA section 164.530(j).
Account data: retained for the duration of the subscription and for 3 years thereafter for business and tax purposes, unless a longer retention period applies under HIPAA, state law, or a customer's BAA.
Session data: session tokens expire after 30 minutes of inactivity (HIPAA section 164.312(a)(2)(iii)).
Billing records: 7 years (IRS and financial-compliance retention).
Depending on your role and jurisdiction, you may have the right to: access the personal data we hold about you; correct inaccurate personal data; request deletion of your account data, subject to HIPAA retention requirements (we cannot delete records HIPAA requires us to retain); export your organization's claim and administrative data; object to or restrict certain processing activities. For PHI, patient rights of access, amendment, and accounting of disclosures flow through the covered entity (your healthcare provider organization). Patients should direct PHI requests to their provider in the first instance. To exercise account-level rights, email support@noesiscfo-io.us. Requests are processed within 30 days where feasible.
All PHI encrypted at rest using AES-256-GCM with rotatable keys; key fingerprint logged with each ciphertext for traceability. All traffic encrypted in transit via TLS 1.2 or higher; HSTS preload enforced. JWT-based authentication with token revocation on logout. Automatic session termination after 30 minutes of inactivity. Role-based access control enforced server-side. Complete audit trail of PHI access events; PHI paths sanitized in logs to prevent incidental disclosure. No PHI written to analytics, error-tracking, or general-purpose logging systems. Administrative, physical, and technical safeguards mapped to the HIPAA Security Rule (45 CFR section 164.302 to section 164.318). We undergo continuous security-controls monitoring (Vanta) and engage independent security assessors at appropriate cadences.
We use session cookies for authentication only. We do not use advertising cookies, cross-site tracking cookies, or third-party analytics trackers that share data with advertising networks. We do not engage in behavioral advertising.
Noesis Health is for use by licensed healthcare professionals and authorized payer representatives. We do not knowingly collect personal information from individuals under the age of 18 as account holders. PHI relating to pediatric patients is processed solely on the direction of the treating covered entity.
California residents have the right to know what personal information is collected, the right to delete personal information, the right to correct inaccurate information, and the right to opt out of any "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioral advertising. To exercise CCPA rights, email support@noesiscfo-io.us.
In the event of a breach of unsecured PHI, we will notify affected covered-entity customers without unreasonable delay and in no case later than 60 days after discovery, in accordance with the HIPAA Breach Notification Rule (45 CFR section 164.410). Covered entities are responsible for downstream notification to affected individuals.
We will notify active customers of material changes to this policy by email at least 30 days before the change takes effect. Continued use of the platform after that date constitutes acceptance of the updated policy.
Athena Core Technologies, Inc.
Attn: Privacy Officer
c/o Harvard Business Services, Inc. (Registered Agent)
16192 Coastal Highway, Lewes, DE 19958, United States
Email: support@noesiscfo-io.us