Trust · HIPAA & PHI posture

Built so we never need PHI.

Updated 2026-06-11 · TwinFlame Group, Reddenda

Reddenda computes contracted-rate benchmarks from public federal filings, not patient records. The Free Snapshot runs with no PHI required, so there is no patient data on our side to protect, lose, or audit. This page sets out exactly where that line sits and what would have to happen before it ever moves.

Bottom line

Reddenda is not a HIPAA covered entity, and the Free Snapshot does not create a business associate relationship, because it uses no PHI. We work from the public NPI Registry (NPPES) and public Transparency-in-Coverage filings only, and we never need patient names, diagnoses, claims, or records to compute a benchmark. No federal body certifies HIPAA compliance, so we do not wear badges. We state what is true: no PHI in the pipeline, no BAA implied unless we have both signed one, and no claim of more compliance than we have.

01 · Architecture

The zero-PHI architecture

Most reimbursement tools ask you to upload claims first and explain their safeguards second. Reddenda inverts that order. Every Snapshot benchmark is computed from Reddenda's own normalized dataset built on public federal Transparency-in-Coverage filings, the NPI Registry, and the CMS Physician Fee Schedule. Patient data never has to be secured here because it is never requested.

What the Snapshot uses

Public and practice-level inputs only

  • Your NPI, selected from the public NPI Registry
  • The 5-digit ZIP of your practice
  • Optional CPT codes and payer-mix percentages you choose to enter
  • Account basics at signup: name, work email, practice name

These are business identifiers under HIPAA. None of it is PHI.

What never enters the system

Not requested, not collected, not stored

  • Patient names, dates of birth, member IDs
  • Claims, remittance advice, EOB files
  • Diagnoses, chart notes, clinical records
  • Any record-level billing or clinical data

If a workflow ever needed these, it would launch under a signed BAA first.

  • Zero: PHI fields anywhere in the Snapshot pipeline
  • 100%: public federal sources behind every benchmark
  • Before: when a BAA gets signed if PHI is ever involved, never after

02 · The law

What HIPAA actually covers

HIPAA, the Health Insurance Portability and Accountability Act of 1996, governs how Protected Health Information is handled by Covered Entities (most healthcare providers, health plans, and clearinghouses) and Business Associates (vendors that receive PHI on a covered entity's behalf).

When a vendor processes PHI for a covered entity, the two parties must sign a Business Associate Agreement (BAA) that obligates the vendor to specific privacy and security practices. That obligation attaches to PHI. It does not attach to public business identifiers like an NPI, a practice ZIP, or a payer's publicly filed contracted rate.

03 · The Snapshot

The Free Snapshot uses no PHI

The Free Snapshot, run from reimburseos.com/dashboard, collects only:

  • Account basics at signup: full name, work email, practice or company name, optional NPI. None of this is PHI under HIPAA.
  • The 5-digit ZIP of your practice and the practice you select from a public NPI Registry lookup. Public business identifiers, not PHI.
  • Optional CPT codes and payer-mix percentages you choose to enter. Also not PHI.

We never receive patient names, dates of birth, claim numbers, diagnoses, or any record-level data on the Free Snapshot. Because no PHI is received, no BAA is required for it, and using it does not create a HIPAA business associate relationship. Results appear in your browser in about 15 seconds.

04 · The line

Paid tiers and any future PHI workflow

We do not currently process PHI in any tier. If a future paid workflow ever required it, for example reviewing actual remittance advice to confirm a contracted rate is being honored, that workflow would launch only under the right agreements and controls:

  • A Business Associate Agreement signed before any PHI is shared. Unless you have requested a BAA and we have countersigned it, no BAA exists between us today.
  • PHI processed in segregated systems with access controls, audit logging, and encryption in transit and at rest.
  • Data minimization by default. De-identified summaries are usually sufficient, so that is what we would ask for first.

BAA requests

Want our BAA template on file for your counsel?

Email us and we will send the template. The rule it encodes is simple: the BAA is executed before any PHI moves, or the PHI does not move.

05 · The stack

Subprocessors

Our infrastructure subprocessors are Supabase, Netlify, Resend, Stripe, and Cloudflare. Each offers HIPAA-eligible service plans and can execute a BAA where its plan supports one. Before processing any PHI on your behalf, we would move the affected workload onto those HIPAA-eligible plans and put the BAAs in place down the chain.

06 · The posture

Security posture

  • TLS for all data in transit.
  • Encryption at rest through standard cloud-provider mechanisms.
  • Access limited to the founder and authorized contractors under signed confidentiality agreements.
  • No PHI is logged or stored in any system, because no PHI enters the system.

07 · Contact

Contact

BAA requests, security questions, or anything you want to verify directly: info@reimburseos.com.

See the numbers without moving a single record.

The Free Snapshot reads public filings, not your PHI, and shows documented reimbursement opportunity from public contracted rates. Results appear in your browser in about 15 seconds. No credit card. No PHI.

Reddenda identifies documented opportunity based on public contracted rates and submitted practice inputs. Actual recovery depends on payer response, contract terms, documentation, and negotiation outcome.