How Revyola handles Protected Health Information as your Business Associate.
Revyola executes a Business Associate Agreement (BAA) with all covered entity clients prior to processing any PHI. Contact info@revyola.com to request your BAA.
Revyola is a Business Associate as defined under the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act. We receive, process, and store Protected Health Information (PHI) on behalf of covered entities (medical practices) for the purpose of healthcare operations — specifically revenue cycle management.
In the course of providing RCM services, we may process the following PHI:
• Patient names and identifiers
• Dates of service
• Diagnosis codes (ICD-10)
• Procedure codes (CPT/CDT)
• Insurance claim numbers
• Provider NPI numbers
• Payment and remittance data
De-identification before AI processing: Before any claim data is sent to AI language models, our PHI scrubber strips or replaces all 18 HIPAA identifiers with synthetic placeholders. AI models never see real patient names, dates of birth, or member IDs.
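A minimal version of the de-identification step described above, as an added example and not Revyola's own scrubber: direct identifiers become stable synthetic tokens, dates keep only the year, identifier patterns are removed from free text, and any field not on an allow-list is dropped so a new column cannot leak by default. The field names, token format and sample claim are assumptions; a production scrubber must cover all 18 Safe Harbor identifiers, not just the ones shown.

```python
import re
# Field sets are assumptions for this example; the real scrubber's claim schema is not on the page.
DIRECT_IDENTIFIERS = ("patient_name", "member_id", "mrn", "phone", "email", "address")
DATE_FIELDS = ("date_of_birth", "date_of_service")   # Safe Harbor: keep the year only
PASSTHROUGH = ("icd10", "cpt", "payer", "billed_amount", "denial_reason")  # needed to analyze the claim
FREE_TEXT_PATTERNS = [  # identifiers that can hide inside free text such as a denial reason
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
]

class PhiScrubber:
    """Replaces identifiers with stable synthetic tokens; the reverse map stays on the practice side."""
    def __init__(self):
        self.forward = {}   # (field, real value) -> token, so one patient's claims stay linkable
        self.reverse = {}   # token -> real value; never sent to the model
    def token_for(self, field, value):
        key = (field, str(value))
        if key not in self.forward:
            token = f"{field.upper()}_{len(self.forward) + 1:04d}"
            self.forward[key] = token
            self.reverse[token] = str(value)
        return self.forward[key]
    def scrub(self, claim):
        """De-identified copy of one claim; fields on no allow-list are dropped (default deny)."""
        out = {}
        for field, value in claim.items():
            if field in DIRECT_IDENTIFIERS:
                out[field] = self.token_for(field, value)
            elif field in DATE_FIELDS:
                out[field] = value[:4]          # ISO "YYYY-MM-DD" -> "YYYY"
            elif field in PASSTHROUGH:
                if isinstance(value, str):
                    for pattern, label in FREE_TEXT_PATTERNS:
                        value = pattern.sub(label, value)
                out[field] = value
        return out
    def reidentify(self, text):
        """Map tokens in model output back to real values, for use inside the practice only."""
        for token, real in self.reverse.items():
            text = text.replace(token, real)
        return text

# Constructed sample claim (not real data); "ssn" has no allow-list entry and is dropped
SAMPLE_CLAIM = {
    "patient_name": "Jane Doe", "member_id": "MBR-1234567", "ssn": "123-45-6789",
    "date_of_birth": "1984-03-09", "date_of_service": "2024-11-02",
    "icd10": "E11.9", "cpt": "99214", "payer": "ExamplePayer", "billed_amount": 185.0,
    "denial_reason": "Eligibility not verified; call 555-123-4567 about SSN 123-45-6789",
}
```

Calling `PhiScrubber().scrub(SAMPLE_CLAIM)` yields a record with codes and amounts intact, the SSN field gone, and the free-text identifiers replaced by labels; `reidentify` maps tokens in model output back only on the side that holds the reverse map.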
Encryption: All PHI is encrypted at rest using AES-256 and in transit using TLS 1.3.
Access controls: PHI access is role-based, logged, and audited. Only authorized personnel can access identifiable data.
Minimum necessary: We access only the PHI necessary to provide the requested Service.
We use and disclose PHI only as permitted by our BAA and HIPAA, including:
• Processing and analyzing claims on your behalf
• Communicating with payers for appeals and recovery
• Disclosure to subcontractors who are themselves HIPAA-compliant (see BAA)
• As required by law or to prevent serious harm
In the event of a breach of unsecured PHI, Revyola will notify you within 60 calendar days of discovery, as required by the HITECH Act. Notification will include: the nature of the breach, the PHI involved, steps taken to mitigate harm, and actions taken to prevent recurrence.
As a covered entity, you retain all rights to the PHI you provide to us. You may request an accounting of disclosures, restrict our use of PHI, or request deletion at any time by contacting info@revyola.com.
We require all subcontractors who may access PHI to execute their own BAA with Revyola and comply with HIPAA requirements. Current subcontractors handling PHI: Supabase (database), Vercel (infrastructure). AI processing (Anthropic) receives only de-identified data.
Contact us at info@revyola.com. We aim to respond within 2 business days.