HIPAA & BAA
ReimburseOS is NOT a HIPAA-covered entity because the Free Snapshot uses no PHI. We use public NPPES (NPI Registry) and public Transparency-in-Coverage MRF data only. We never need patient names, diagnoses, claims, or records to compute a benchmark. We do not claim certification, we do not imply an executed BAA, and we will not claim more compliance than we have.
What HIPAA covers
HIPAA (the Health Insurance Portability and Accountability Act of 1996) regulates how Protected Health Information (PHI) is handled by Covered Entities (most healthcare providers, health plans, and clearinghouses) and Business Associates (vendors who receive PHI on behalf of a Covered Entity).
If a vendor processes PHI for a Covered Entity, the two parties must sign a Business Associate Agreement (BAA) that obligates the vendor to specific privacy and security practices.
Free Snapshot uses no PHI
The Free Snapshot, accessed at app.reimburseos.com, only collects:
- Account info at signup (full name, work email, practice or company name, optional NPI). None of this is PHI under HIPAA.
- The 5-digit ZIP code of your practice, and the practice record you select from a public NPI Registry lookup. These are public business identifiers, not PHI.
- Optional CPT codes and payer-mix percentages you choose to enter. Also not PHI.
We never receive patient names, dates of birth, claim numbers, diagnoses, or any record-level data on the Free Snapshot. Because the Free Snapshot does not receive PHI, no BAA is required for it and using it does not create a HIPAA business-associate relationship. Results appear in your browser in about 15 seconds.
Paid tiers and any future PHI workflow
We do not currently process PHI in any tier. If a future paid workflow requires PHI (for example, reviewing actual remittance advice to confirm a contracted rate is being honored), it must be handled under the appropriate agreements and controls before use. Specifically:
- A Business Associate Agreement (BAA) would be signed before any PHI is shared. We do not currently have an executed BAA with you unless you have requested one and we have signed it.
- PHI would be processed in segregated systems with access controls, audit logging, and encryption at rest and in transit.
- We would minimize the data we receive. De-identified summaries are typically sufficient.
To request our BAA template, email david@reimburseos.com.
Subprocessors
Our infrastructure subprocessors (Supabase, Netlify, Resend, Stripe, Cloudflare) all maintain HIPAA-compliant offerings. Each can sign a BAA where their service plan supports it. We will engage their HIPAA-eligible plans before processing any PHI on your behalf.
Security posture
- TLS for all data in transit.
- Encryption at rest via standard cloud-provider mechanisms.
- Access limited to the founder and authorized contractors under signed confidentiality agreements.
- No PHI is logged or stored in non-HIPAA-eligible systems.
Contact
For BAA requests, security inquiries, or to report a concern: david@reimburseos.com.