HIPAA Notice
Last updated: May 26, 2026
Revyola

How Revyola handles Protected Health Information as your Business Associate.

BAA Available · HIPAA Compliant · SOC 2 Type II

Business Associate Agreement

Revyola executes a Business Associate Agreement (BAA) with all covered entity clients prior to processing any PHI. Contact info@revyola.com to request your BAA.

1. Our Role Under HIPAA

Revyola is a Business Associate as defined under the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act. We receive, process, and store Protected Health Information (PHI) on behalf of covered entities (medical practices) for the purpose of healthcare operations — specifically revenue cycle management.

2. PHI We Process

In the course of providing RCM services, we may process the following PHI:

Patient names and identifiers

Dates of service

Diagnosis codes (ICD-10)

Procedure codes (CPT/CDT)

Insurance claim numbers

Provider NPI numbers

Payment and remittance data

3. PHI Safeguards

De-identification before AI processing: Before any claim data is sent to AI language models, our PHI scrubber strips or replaces all 18 HIPAA identifiers with synthetic placeholders. AI models never see real patient names, dates of birth, or member IDs.

Encryption: All PHI is encrypted at rest using AES-256 and in transit using TLS 1.3.

Access controls: PHI access is role-based, logged, and audited. Only authorized personnel can access identifiable data.

Minimum necessary: We access only the PHI necessary to provide the requested Service.

4. Permitted Uses and Disclosures

We use and disclose PHI only as permitted by our BAA and HIPAA, including:

Processing and analyzing claims on your behalf

Communicating with payers for appeals and recovery

Disclosing PHI to subcontractors who are themselves HIPAA-compliant (see BAA)

As required by law or to prevent serious harm

5. Breach Notification

In the event of a breach of unsecured PHI, Revyola will notify you within 60 calendar days of discovery, as required by the HITECH Act. Notification will include: the nature of the breach, the PHI involved, steps taken to mitigate harm, and actions taken to prevent recurrence.

6. Your Rights

As a covered entity, you retain all rights to the PHI you provide to us. You may request an accounting of disclosures, restrict our use of PHI, or request deletion at any time by contacting info@revyola.com.

7. Subcontractors

We require all subcontractors who may access PHI to execute their own BAA with Revyola and comply with HIPAA requirements. Current subcontractors handling PHI: Supabase (database), Vercel (infrastructure). AI processing (Anthropic) receives only de-identified data.


Questions about this document?

Contact us at info@revyola.com. We aim to respond within 2 business days.

© 2026 Revyola · All rights reserved