Plain-language summary: We collect only what we need to run our business and serve clients. We do not sell your information. We do not use PHI in cloud tools without a BAA. Roster data submitted for LEIE screening is processed in-memory and not stored. If you send us an inquiry, we use that information to respond to you and, with your permission, to follow up. That's the whole story.
This Privacy Policy applies to Sundwyn Group LLC, doing business as Prognosis Consulting ("Prognosis Consulting," "we," "us," or "our"), a Georgia-registered limited liability company operating a boutique healthcare compliance and revenue cycle advisory practice at prognosisconsulting.com.
This policy describes how we collect, use, store, and share information obtained through our website, our consulting engagements, our LEIE exclusion screening service, and our digital products sold through Gumroad.
Information you provide directly. When you contact us, submit an inquiry form, request a screening, schedule a call, or engage our services, you may provide us with your name, email address, organization name, job title, and a description of your inquiry or situation. We collect and store this information in order to respond to your inquiry and, if an engagement proceeds, to deliver services.
Roster data for LEIE screening. Clients who engage our LEIE exclusion screening service submit roster data — typically first name, last name, and one or more of: date of birth, Social Security Number, National Provider Identifier, or employer identification number — for screening against the OIG LEIE. This data is described in detail under § 4 (PHI) and § 5 (How We Use Information).
Engagement-related documents. In the course of a consulting engagement — such as a hospice cap audit or coding review — clients may provide us with claims data, chart documentation, or other operational records. These are described under § 4.
Website analytics. Our website may collect standard server log information including IP addresses, browser type, referring pages, and pages visited. We may use third-party analytics tools. We do not use this data to personally identify individual visitors.
Communications. If you email us or contact us through a form, we retain those communications and any information contained in them.
We use the information we collect for the following purposes:
We do not use client information for marketing purposes without explicit consent. We do not sell client information. We do not use client information to train machine learning models or share it with AI services in ways that would disclose client data to third parties.
LEIE screening — no-PHI architecture. Our LEIE exclusion screening tool processes submitted roster data in-memory. Roster files are not written to disk, not stored in any cloud environment, and not retained post-screening. The output — the screening certificate and findings detail — contains no patient identifiers and is delivered to the client via encrypted file transfer. No BAA is required for the LEIE screening tool itself, because no PHI is processed or retained within the tool. BAA obligations under our Google Workspace infrastructure are separately maintained.
Consulting engagements requiring PHI. Certain consulting engagements — including the Hospice Cap Liability and Eligibility Audit and chart-based coding reviews — require access to documents that may contain protected health information as defined under HIPAA (45 CFR § 160.103). For any such engagement, we execute a Business Associate Agreement with the client before any data is transferred. PHI received in connection with a consulting engagement is:
Google Workspace. We use Google Workspace for business communications and document management. Our Google Workspace account is covered by a Google BAA, which applies to business emails and any documents stored within that environment. Clients with PHI-sensitive engagements are advised not to transmit PHI via email; we provide secure file transfer instructions for all PHI-related data exchanges.
We do not sell, rent, or trade client information with third parties.
We may share information in the following limited circumstances:
We retain client contact information and engagement records for as long as necessary to support the client relationship and comply with our legal obligations. In general, we maintain records of completed engagements for a minimum of seven years, consistent with the False Claims Act look-back window and standard business record retention practice.
Roster data submitted for LEIE screening is processed in-memory and not retained after the screening is complete. PHI received in consulting engagements is handled per the applicable BAA, which specifies the retention and destruction terms.
If you request deletion of your contact information from our records and no active engagement or legal obligation requires us to retain it, we will honor that request within a reasonable time.
We implement reasonable technical and organizational measures to protect the information we hold — including encrypted file transfer for deliverables, local processing of sensitive data rather than cloud storage, and access controls on internal systems. No data transmission over the internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.
If you believe your information has been compromised in connection with your engagement with us, contact us immediately at hello@prognosisconsulting.com.
Our website and business operations use the following third-party services, each of which has its own privacy policy:
We do not control the privacy practices of third-party services and are not responsible for their data handling. We select third-party services carefully and limit the data shared with them to what is necessary for their function.
You have the right to request access to the personal information we hold about you, to request correction of inaccurate information, and to request deletion of your information where we are not legally required to retain it. To exercise any of these rights, contact us at hello@prognosisconsulting.com.
If you are located in the European Economic Area or the United Kingdom, you may have additional rights under the GDPR or UK GDPR, including the right to data portability and the right to lodge a complaint with your supervisory authority. We process data on the basis of legitimate interests (responding to business inquiries, delivering contracted services) and, where required, with your explicit consent.
We do not engage in automated decision-making or profiling that produces legal or significant effects.
Our website and services are directed to healthcare organizations and professionals. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have inadvertently collected such information, we will delete it promptly.
We may update this Privacy Policy from time to time. Material changes will be reflected in the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of our website or services after a policy update constitutes acceptance of the updated terms.
Questions, requests, or concerns about this Privacy Policy or our data practices should be directed to:
Sundwyn Group LLC d/b/a Prognosis Consulting
Email: hello@prognosisconsulting.com
Website: prognosisconsulting.com