HIPAA posture

Reddenda is not a HIPAA-covered entity.
Because we don't touch PHI.

Most healthcare SaaS pages plaster "HIPAA Compliant" badges over an architecture that hasn't been audited. We're going to do the opposite — explain exactly why HIPAA's protections aren't the right frame for us, and what is.

Posture · 2026-06-11
// the bottom line

We never see patient names, medical records, claim details, or any patient identifier.

We only see your NPI (already public in the federal NPI Registry) and your contracted rates (already public in federal MRF filings). That isn't PHI under HIPAA. It's public commercial data composed in a non-obvious way. Our HIPAA posture follows from that fact, not the other way around. We do not claim HIPAA certification and we do not imply an executed BAA. Free Snapshot results appear in your browser in about 15 seconds.

How the platform works

Two distinct operating modes.
Different inputs. Different compliance requirements.

Most reimbursement intelligence platforms mix public-data workflows with claim-level workflows under one compliance umbrella and leave you guessing which is which. Reddenda separates them explicitly.

Mode 1 · Public-data mode

Public Rate Intelligence

  • Free Snapshot
  • Rate benchmarking across payers
  • CPT-level opportunity analysis
  • Payer comparison and peer comparison
  • Public contracted-rate intelligence
  • CMS Physician Fee Schedule and benchmark-based analysis
  • Leverage Memo based on public and business-level data
  • NPI, specialty, payer mix, CPT codes, ZIP code, and optional average reimbursement inputs only

Mode 2 · Private workflow · Compliance review required

Private Revenue Workflow

  • EOB analysis
  • Paid-claims export review
  • Denial appeal workflows
  • Underpayment recovery workflows using remittance data
  • Claim scrubber workflows
  • Contract PDF extraction with claim-level data
  • Claim-level confirmation and variance analysis
  • BAA may be required depending on data involved

The public Snapshot and all Leverage Memo products operate entirely in Mode 1. No PHI is required. If your use case requires Mode 2 capabilities, contact us to discuss private workflow onboarding and applicable compliance terms at info@reimburseos.com.

// 01 What HIPAA actually regulates

HIPAA (the Health Insurance Portability and Accountability Act of 1996) creates two roles:

  • Covered Entities — health plans, healthcare providers, and clearinghouses that transmit health information electronically.
  • Business Associates — vendors who receive PHI on behalf of a Covered Entity, governed by a Business Associate Agreement (BAA).

If a vendor processes Protected Health Information for a Covered Entity, the BAA is mandatory and the vendor inherits a set of privacy and security obligations under the Privacy Rule and Security Rule.

// 02 Why we're not a Business Associate by default

To be a Business Associate, a vendor must receive PHI. Our pipeline is designed so that no PHI ever enters our systems. Specifically:

// we never receive

Things that would make us a BA

  • Patient names, addresses, phone, email
  • DOB, SSN, MRN, member ID, account number
  • Diagnosis codes (ICD-10) tied to a patient
  • Claim numbers, encounter IDs, dates of service
  • Remittance advice (835), claims (837)
  • Chart notes, imaging, lab results

// we only receive

Things that aren't PHI

  • Your NPI (federally public, NPI Registry)
  • Your practice name (public business identifier)
  • Your taxonomy code (public, on your NPI record)
  • Your contracted rates (federally published MRFs)
  • Your work email (provided for snapshot delivery)
  • Your zip code (already on your NPI record)

None of the items in the second list ("we only receive") qualify as PHI under 45 CFR §160.103. They are public business identifiers and public commercial rate data. Using Reddenda does not create a HIPAA business-associate relationship.

// 03 What we are, then

We are a commercial reimbursement-intelligence platform that composes public datasets. The closest legal analog is a market-data provider (think Bloomberg for trade prices), not a healthcare clearinghouse. We follow HIPAA principles by architecture — minimum-necessary data collection, encryption at rest and in transit, audit logging, access control — but the statute itself does not apply because we don't process PHI.
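The two lists in section 02 and the "minimum-necessary data collection" principle above describe an allow-list: a submission is accepted only if every field is one of the public identifiers named, and nothing else is stored. The following is an added example of such an intake check, written for this page and not Reddenda's own code. The field names, the required-field set, the regex shapes and the sample submissions are assumptions for the example; the NPI check digit follows the CMS rule (Luhn mod-10 over the NPI prefixed with 80840), and 1234567893 is the worked example from that specification.

```python
import re

# Allow-listed Mode 1 inputs. Field names are assumptions for this example; the
# page lists NPI, specialty, payer mix, CPT codes, ZIP code and an optional
# average reimbursement as the only inputs, plus a work email for delivery.
ALLOWED_FIELDS = {"npi", "taxonomy", "payer_mix", "cpt_codes", "zip", "avg_reimbursement", "email"}
REQUIRED_FIELDS = {"npi", "taxonomy", "cpt_codes", "zip", "email"}

NPI_RE = re.compile(r"[0-9]{10}")
TAXONOMY_RE = re.compile(r"[0-9A-Z]{9}X")   # NUCC taxonomy codes, e.g. 207Q00000X
CPT_RE = re.compile(r"[0-9]{4}[0-9FTU]")    # CPT I codes are 5 digits; II/III/PLA codes end in F, T or U
ZIP_RE = re.compile(r"[0-9]{5}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check over a string of decimal digits (check digit last)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_valid_npi(npi: str) -> bool:
    """CMS defines the NPI check digit as Luhn over the 10-digit NPI prefixed
    with the card-issuer identifier 80840, so a valid NPI passes this check."""
    return NPI_RE.fullmatch(npi) is not None and luhn_ok("80840" + npi)


def validate_mode1_input(payload: dict) -> list[str]:
    """Return the reasons a submission is rejected; an empty list means accepted.

    Every check is an allow-list: unknown fields are rejected outright, so a
    payload that carries claim-level or patient-level data is never stored.
    """
    errors = []
    unknown = sorted(set(payload) - ALLOWED_FIELDS)
    if unknown:
        errors.append(f"unknown fields rejected (not a Mode 1 input): {unknown}")
    missing = sorted(REQUIRED_FIELDS - set(payload))
    if missing:
        errors.append(f"missing required fields: {missing}")

    if "npi" in payload and not is_valid_npi(str(payload["npi"])):
        errors.append("npi failed format or check-digit validation")
    if "taxonomy" in payload and not TAXONOMY_RE.fullmatch(str(payload["taxonomy"])):
        errors.append("taxonomy is not a 10-character NUCC taxonomy code")
    if "zip" in payload and not ZIP_RE.fullmatch(str(payload["zip"])):
        errors.append("zip must be exactly five digits")
    if "email" in payload and not EMAIL_RE.fullmatch(str(payload["email"])):
        errors.append("email is malformed")

    if "cpt_codes" in payload:
        codes = payload["cpt_codes"]
        if not isinstance(codes, list) or not codes or not all(
            isinstance(c, str) and CPT_RE.fullmatch(c) for c in codes
        ):
            errors.append("cpt_codes must be a non-empty list of 5-character CPT codes")

    if "payer_mix" in payload:
        mix = payload["payer_mix"]
        shares = list(mix.values()) if isinstance(mix, dict) else []
        if (not shares
                or not all(isinstance(s, (int, float)) and 0 <= s <= 100 for s in shares)
                or abs(sum(shares) - 100) > 0.01):
            errors.append("payer_mix must map payer names to percentages summing to 100")

    if "avg_reimbursement" in payload:
        avg = payload["avg_reimbursement"]
        if not isinstance(avg, (int, float)) or avg < 0:
            errors.append("avg_reimbursement must be a non-negative number")
    return errors


# Constructed sample submissions (not real practice data).
ACCEPTED = {
    "npi": "1234567893",            # CMS check-digit worked example, so it validates
    "taxonomy": "207Q00000X",
    "cpt_codes": ["99213", "99214", "0001U"],
    "zip": "30301",
    "email": "billing@example.com",
    "payer_mix": {"Payer A": 40, "Payer B": 60},
}

# The same submission with claim-level fields attached by mistake: the unknown
# fields are rejected before anything is stored, and the NPI check digit fails.
REJECTED = {
    **ACCEPTED,
    "npi": "1234567890",
    "patient_name": "Jane Doe",
    "date_of_service": "2026-01-15",
}

if __name__ == "__main__":
    print("accepted:", validate_mode1_input(ACCEPTED))   # []
    for reason in validate_mode1_input(REJECTED):
        print("rejected:", reason)
```

The point of rejecting unknown fields rather than silently dropping them is auditability: a submission that carried a patient name or a date of service is refused whole and can be counted, which is the evidence behind a "no PHI enters our system" claim.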

// 04 If you still need a BAA from us

◆ Available on request

The no-PHI BAA

Some billing-software vendors and EHR partners require a signed BAA from every connected vendor, regardless of PHI status. We'll sign one. It will accurately describe what we do: we have no PHI, we don't intend to receive PHI, and if PHI is ever inadvertently transmitted to us we will purge it, document the incident, and notify you within 24 hours.

Request at info@reimburseos.com.

// 05 Security posture (the things HIPAA still expects)

Even without processing PHI, we hold the data we do have to the same standard a HIPAA-covered system would:

  • TLS 1.3 for all data in transit (web, API, internal service-to-service).
  • AES-256 at rest via Supabase + Postgres encrypted volumes; key rotation on the cloud-provider schedule.
  • Row-level security on every user-scoped table. Service-role keys never leave the server side.
  • Audit logging on every authenticated read of your Snapshot data, retained 90 days.
  • Access control limited to the founder and signed contractors under written confidentiality. No external analytics SDKs touch authenticated routes.
  • Subprocessors are HIPAA-eligible (Supabase, Netlify, Stripe, Resend, Cloudflare). Should the PHI surface area ever change, every one of them can sign a BAA.

// 06 Mode 2 workflows and compliance terms

All standard Reddenda tiers operate in Mode 1: public-data, no PHI required. Mode 2 workflows, which involve claim-level data, remittance advice, denial workflows, or contract PDF extraction with patient-level inputs, require private onboarding with separate compliance terms. Mode 2 is not available through the standard purchase flow. If your use case requires it, contact us before sharing any protected health information.

When a Mode 2 workflow is engaged:

  • A BAA is signed before any PHI is shared. There is no implied or assumed BAA for standard tiers today.
  • PHI is processed in a segregated workspace with stricter access controls, audit logs, and the retention period required by law.
  • We minimize the data we receive. De-identified summaries are typically sufficient for most underpayment confirmation use cases.
  • You can remain in Mode 1 entirely and we will work from public TiC-derived rates alone. This is the default path and covers the majority of practice needs.

// 07 Contact

BAA requests, security inquiries, vulnerability reports: info@reimburseos.com. Acknowledged within 24 hours.

HIPAA-aligned by architecture

No PHI enters our system — by design. Encryption at rest, TLS in transit, row-level security, 90-day audit logs. The same controls a covered entity would use, applied to non-PHI data.

Public data only

NPI Registry (NPPES) + TiC MRFs + CMS PFS. Every input is already public under a federal mandate. No claim data, no patient identifiers, no private aggregator in the chain.

BAA available on request

If your billing partner requires it, we'll sign. The BAA accurately describes our zero-PHI posture. Request at info@reimburseos.com. Acknowledged within 24 hours.

No PHI. No theater.

Just public data, composed for you.

Type your NPI. See your documented reimbursement opportunity. Results appear in your browser in about 15 seconds. Read the methodology while you wait.


Reddenda identifies documented opportunity based on public contracted rates and submitted practice inputs. Actual recovery depends on payer response, contract terms, documentation, and negotiation outcome.

Posture v2026.06 · refreshed when our architecture changes