ReimburseOS is neither a HIPAA-covered entity nor a Business Associate.
Because we never create, receive, maintain, or transmit PHI.
Most healthcare SaaS pages plaster "HIPAA Compliant" badges over an architecture that hasn't been audited. We're going to do the opposite — explain exactly why HIPAA's protections aren't the right frame for us, and what is.
// 01 What HIPAA actually regulates
HIPAA (the Health Insurance Portability and Accountability Act of 1996) and its implementing rules define two roles:
- Covered Entities — health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with a standard transaction.
- Business Associates — vendors that create, receive, maintain, or transmit PHI on behalf of a Covered Entity, governed by a Business Associate Agreement (BAA).
If a vendor processes Protected Health Information for a Covered Entity, the BAA is mandatory and the vendor inherits a set of privacy and security obligations under the Privacy Rule and Security Rule.
// 02 Why we're not a Business Associate by default
To be a Business Associate, a vendor must create, receive, maintain, or transmit PHI on a Covered Entity's behalf. Our pipeline is designed so that no PHI ever enters our systems. Specifically:
Things that would make us a BA (we never collect these)
- Patient names, addresses, phone, email
- DOB, SSN, MRN, member ID, account number
- Diagnosis codes (ICD-10) tied to a patient
- Claim numbers, encounter IDs, dates of service
- Remittance advice (835), claims (837)
- Chart notes, imaging, lab results
What we do collect (none of it is PHI)
- Your NPI (federally public, NPI Registry)
- Your practice name (public business identifier)
- Your taxonomy code (public, on your NPI record)
- Your contracted rates (from the federally mandated Transparency in Coverage machine-readable files, MRFs)
- Your work email (provided for snapshot delivery)
- Your zip code (already on your NPI record)
None of the items in the second list qualify as PHI under the definitions in 45 CFR §160.103: PHI is individually identifiable health information about a patient, and these are public business identifiers of a provider plus public commercial rate data. Using ReimburseOS does not create a HIPAA business-associate relationship.
// 03 What we are, then
We are a commercial reimbursement-intelligence platform that composes public datasets. The closest legal analog is a market-data provider (think Bloomberg for trade prices), not a healthcare clearinghouse. We follow HIPAA principles by architecture — minimum-necessary data collection, encryption at rest and in transit, audit logging, access control — but the statute itself does not apply because we don't process PHI.
// 04 If you still need a BAA from us
The no-PHI BAA
Some billing-software vendors and EHR partners require a signed BAA from every connected vendor, regardless of PHI status. We'll sign one. It will accurately describe what we do: we have no PHI, we don't intend to receive PHI, and if PHI is ever inadvertently transmitted to us we will purge it, document the incident, and notify you within 24 hours. Request at david@reimburseos.com.
// 05 Security posture (the things HIPAA still expects)
Even without processing PHI, we hold the data we do have to the same standard a HIPAA-covered system would:
- TLS 1.3 for all data in transit (web, API, internal service-to-service).
- AES-256 at rest via Supabase + Postgres encrypted volumes; key rotation on the cloud-provider schedule.
- Row-level security (RLS) on every user-scoped table, so a query can only return the rows belonging to the authenticated user. Service-role keys, which bypass RLS, never leave the server side.
- Audit logging on every authenticated read of your Snapshot data, retained 90 days.
- Access control limited to the founder and signed contractors under written confidentiality. No external analytics SDKs touch authenticated routes.
- Subprocessors are HIPAA-eligible (Supabase, Netlify, Stripe, Resend, Cloudflare); should the PHI surface area ever change, each of them can sign a BAA.
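The row-level-security bullet above is the one control in this list that is easy to get subtly wrong, so here is what it looks like in Postgres as an added illustration. This is not ReimburseOS's schema or code; it assumes a hypothetical user-scoped table named `snapshots` keyed to Supabase's `auth.users`, and uses Supabase's `auth.uid()` helper and its built-in `authenticated` and `anon` roles. It shows the weak setting (RLS off) beside the corrected one, and ends with the catalog query a reviewer would run to confirm the setting is actually in force.

```sql
-- Added example, not the project's own schema. Hypothetical table "snapshots";
-- owner_id references Supabase's auth.users, which is what auth.uid() returns.
create table if not exists snapshots (
  id          bigint generated always as identity primary key,
  owner_id    uuid not null references auth.users (id),
  npi         char(10) not null,            -- provider NPI, public data
  payload     jsonb not null,               -- composed rate data, no PHI
  created_at  timestamptz not null default now()
);

-- Weak setting: RLS left off. Every role holding a table grant, including the
-- browser-side anon/authenticated roles, can read every user's rows.
-- alter table snapshots disable row level security;

-- Corrected: enable AND force RLS. FORCE also applies the policies to the
-- table owner, so an owner-privileged connection cannot silently skip them.
alter table snapshots enable row level security;
alter table snapshots force row level security;

-- Users read only rows they own. auth.uid() is the JWT subject that Supabase
-- sets for the request, so the scope is decided server-side, not by the client.
create policy snapshots_select_own on snapshots
  for select to authenticated
  using (owner_id = auth.uid());

-- On insert, a client cannot write a row under somebody else's owner_id.
create policy snapshots_insert_own on snapshots
  for insert to authenticated
  with check (owner_id = auth.uid());

-- Deliberately no policy for anon: with RLS enabled and no matching policy,
-- an anonymous request gets zero rows rather than an error or a full dump.

-- Caveat behind "service-role keys never leave the server side": the service
-- role has BYPASSRLS, so every policy above is void for it. Keep it server-only.

-- Check: both flags must be true, or the policies are not being applied.
select relname,
       relrowsecurity      as rls_enabled,
       relforcerowsecurity as rls_forced
from pg_class
where relname = 'snapshots';
```

Run the final query as a privileged role (in Supabase, from the SQL editor) after any migration that touches the table; an RLS policy that exists but is not enabled on the table is the classic way this control fails an audit.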
// 06 Paid tiers and any future PHI workflow
We do not currently process PHI in any tier. If a paid workflow requires protected health information (for example, a customer-initiated review of actual remittance advice to confirm a contracted rate is being honored), it must be handled under the appropriate agreements and controls before use. In that case:
- A BAA is signed before any PHI is shared. There is no implied or assumed BAA today.
- PHI is processed in a segregated workspace with stricter access controls, audit logs, and the retention period required by law.
- We minimize the data we receive. Summaries de-identified under 45 CFR §164.514 (Safe Harbor or Expert Determination) are typically sufficient.
- You can opt out of PHI sharing entirely and we'll work from your public TiC-derived rates alone. This is the default path.
// 07 Contact
BAA requests, security inquiries, vulnerability reports: david@reimburseos.com. Acknowledged within 24 hours.
No PHI. No theater. Just public data, composed for you.
Type your NPI. See your underpayment matrix. Read the methodology while you wait.
⚡ Run My Free Snapshot