Privacy Policy
MedCode Pro Chrome Extension — Last updated: February 9, 2026
MedCode Pro is built with a Zero-PHI (Protected Health Information) architecture. We never collect, store, process, or transmit any patient health information. Period.
1. Overview
MedCode Pro is a Chrome extension that provides real-time healthcare coding, billing, and compliance intelligence by aggregating free, publicly available U.S. Government data sources. This privacy policy explains what data we collect, how we use it, and your rights.
2. Data We Do NOT Collect
We want to be explicit about what MedCode Pro does not do:
- No patient data — We never collect, store, or transmit any Protected Health Information (PHI), Personally Identifiable Information (PII) of patients, or any clinical data.
- No browsing history — We do not track which websites you visit.
- No web page content — We do not read, scrape, or analyze the content of web pages you view, including EHR screens.
- No clipboard access — We do not read or monitor your clipboard contents.
- No keystroke logging — We do not log your keystrokes outside of the extension's own search interface.
- No analytics or telemetry — We do not use Google Analytics, Mixpanel, Sentry, or any third-party analytics, advertising, or tracking services.
- No data transmission to our servers — We do not operate any data collection servers. The only network requests are to official U.S. Government APIs.
3. Data We Collect and Store Locally
All data is stored locally on your device using Chrome's built-in storage APIs (IndexedDB and chrome.storage). This data never leaves your browser:
| Data Type | Purpose | Storage |
|---|---|---|
| Search queries | Recent search history for convenience | chrome.storage.local |
| Cached code data | Faster lookups for previously retrieved codes | IndexedDB (local) |
| Workspace codes | Your saved coding workspaces and sessions | chrome.storage.local |
| User preferences | Specialty, locality, theme settings | chrome.storage.local |
| Usage counters | Daily lookup counts for free tier rate limiting | chrome.storage.local |
4. External API Requests
MedCode Pro queries the following free U.S. Government APIs to retrieve publicly available medical coding data. These requests contain only the search terms you enter (medical codes or provider names) — no personal information, cookies, or authentication tokens are transmitted:
- NLM Clinical Tables API (clinicaltables.nlm.nih.gov) — ICD-10-CM, CPT, and HCPCS code lookups
- CMS Physician Fee Schedule API (pfs.data.cms.gov) — Medicare fee schedule data
- RxNorm API (rxnav.nlm.nih.gov) — Drug name lookups and NDC codes
- NPPES NPI Registry (npiregistry.cms.hhs.gov) — Provider NPI lookups
These are publicly funded government services. We do not control their privacy policies. Please refer to their respective websites for their data handling practices.
5. Permissions Explained
MedCode Pro requests only the minimum Chrome permissions necessary for its functionality:
| Permission | Why We Need It |
|---|---|
| storage | Save your preferences, cached data, and workspaces locally on your device |
| contextMenus | Add right-click option to look up medical codes from selected text |
| activeTab | Access the current tab only when you explicitly right-click to look up a code |
| alarms | Schedule periodic background refresh of cached medical code datasets |
| offscreen | Perform background IndexedDB operations without impacting browsing performance |
| sidePanel | Display the extension in Chrome's side panel for a larger coding workspace |
6. HIPAA Compliance Statement
MedCode Pro is designed to be HIPAA-safe by architecture. Because the extension:
- Never accesses, reads, or processes Protected Health Information
- Cannot read EHR screens, clinical notes, or patient records
- Does not read web page content or DOM elements of any website
- Stores all data exclusively on the user's local device
- Transmits only medical code search terms (e.g., "E11.65" or "99213") to government APIs
it does not meet the definition of a Business Associate under HIPAA. No Business Associate Agreement (BAA) is required or offered. MedCode Pro eliminates HIPAA risk by never interacting with protected data in the first place.
7. Data Retention and Deletion
All locally stored data follows automatic retention policies:
- Cached medical codes expire after 60–90 days and are automatically refreshed
- NPI provider data expires after 30 days
- Usage counters reset daily at midnight local time
You can clear all extension data at any time by:
- Using Chrome's "Clear browsing data" with the extensions option selected
- Right-clicking the extension icon → "Remove from Chrome"
- Going to chrome://extensions and clicking "Remove"
8. Security Measures
MedCode Pro implements multiple layers of security:
- HTTPS only — All API requests use TLS encryption. No HTTP fallback.
- Content Security Policy — Strict CSP prevents loading of external scripts, styles, or resources.
- Origin validation — All internal message passing validates sender origin (sender.id === chrome.runtime.id).
- Input sanitization — All search inputs are length-limited and sanitized before API requests.
- No remote code execution — All JavaScript is bundled at build time. No eval(), no dynamic script loading.
- Auditable code — Full source code is available for security review upon request.
9. Children's Privacy
MedCode Pro is a professional tool designed exclusively for healthcare coding professionals. It is not directed at children under 13 and we do not knowingly collect data from children.
10. Changes to This Policy
We may update this privacy policy as the extension evolves. Significant changes will be communicated through the extension's update notes on the Chrome Web Store. The "Last updated" date at the top will always reflect the most recent revision.
11. Disclaimer & Limitation of Liability
Not medical advice. MedCode Pro is a reference and productivity tool for qualified healthcare coding professionals. It does not provide medical advice, clinical decision support, or treatment recommendations. All coding decisions should be made by certified professionals using their professional judgment and official code publications.
Data accuracy. While MedCode Pro sources data exclusively from official U.S. Government APIs (NIH, CMS), we do not guarantee the accuracy, completeness, or timeliness of any data presented. Government data sources may contain errors, omissions, or lag behind regulatory updates. Users should always verify codes against the most current official publications, including the AMA CPT codebook, WHO ICD-10-CM classification, and CMS HCPCS releases.
Limitation of liability. TO THE MAXIMUM EXTENT PERMITTED BY LAW, MEDCODE PRO AND ITS CREATORS, CONTRIBUTORS, AND AFFILIATES SHALL NOT BE LIABLE FOR ANY CLAIM DENIALS, REIMBURSEMENT ISSUES, AUDIT FINDINGS, PENALTIES, FINES, OR OTHER FINANCIAL, LEGAL, OR PROFESSIONAL CONSEQUENCES ARISING FROM THE USE OF THIS TOOL. The software is provided "AS IS" and "AS AVAILABLE" without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose, and non-infringement.
Indemnification. By using MedCode Pro, you agree that you are a qualified healthcare professional and accept full responsibility for verifying the accuracy of any codes, rules, or data presented by the tool before using them in professional practice, claim submission, or any official capacity.
No HIPAA obligations. Because MedCode Pro operates under a Zero-PHI architecture and never accesses, stores, or transmits Protected Health Information, it does not function as a Business Associate as defined under the Health Insurance Portability and Accountability Act (HIPAA). No Business Associate Agreement (BAA) is required, offered, or applicable.