HIPAA Compliance
HIPAA Compliance Policy
Last updated: March 2026 · Effective: March 2026 · ClaimVise operates as a HIPAA Business Associate for covered healthcare entities.
ClaimVise (Innodel Technologies Private Limited) processes Protected Health Information (PHI) on behalf of covered healthcare entities as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act. This policy describes our HIPAA compliance commitments and safeguards.
1. Our Role Under HIPAA
As a medical billing automation platform, ClaimVise is a Business Associate as defined under 45 CFR §160.103. We create, receive, maintain, and transmit PHI on behalf of Covered Entities (healthcare providers and their billing companies) for the purpose of processing medical claims.
Our obligations as a Business Associate include compliance with the HIPAA Privacy Rule (45 CFR Part 164, Subpart E), the HIPAA Security Rule (45 CFR Part 164, Subpart C), and the Breach Notification Rule (45 CFR Part 164, Subpart D).
2. Business Associate Agreements (BAA)
BAA Required Before PHI Processing
ClaimVise requires a signed Business Associate Agreement (BAA) with every Covered Entity before processing any Protected Health Information. This is a legal requirement under HIPAA and a non-negotiable condition of our enterprise service.
To request a BAA or enquire about our standard BAA terms, contact: info@innodel.com with the subject line "BAA Request — ClaimVise".
During pilot programmes operating on de-identified or synthetic test data, a BAA is not required. A BAA must be in place before any real patient data is processed.
3. Technical Safeguards (§164.312)
Access Control
- Unique user identification
- JWT-based authentication
- Role-based access controls
- Session timeout enforcement
Encryption
- TLS 1.3 for data in transit
- AES-256 for data at rest
- Encrypted database volumes
- Secure API communications
Audit Controls
- SHA-256 integrity hashing
- Immutable audit log entries
- All PHI access recorded
- Tamper-evident records
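The audit-control items above (SHA-256 integrity hashing, immutable entries, every PHI access recorded, tamper-evident records) together describe a hash-chained audit log. The block below is an added illustration of that pattern in Python; it is not ClaimVise's own code and says nothing about how ClaimVise implements its log. The record fields, the all-zero genesis anchor, and the sample accesses are constructed for the example. Each record's SHA-256 covers its own fields plus the previous record's hash, so `verify_chain()` detects an edited field, a record that was edited and re-hashed, and a deleted record.

```python
"""Hash-chained, tamper-evident audit log (added illustration, not ClaimVise code)."""
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import List, Optional

# Chain anchor for the first record (a convention chosen for this example).
GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class AuditRecord:
    seq: int           # position in the chain; detects deletion or reordering
    timestamp: str     # ISO 8601 UTC
    actor: str         # unique user identifier of the person or service accessing PHI
    action: str        # what was done, e.g. "read", "update", "export"
    resource: str      # identifier of the PHI resource touched (placeholder values below)
    prev_hash: str     # SHA-256 of the previous record; links the chain
    hash: str          # SHA-256 over this record's fields, including prev_hash


def _body(seq, timestamp, actor, action, resource, prev_hash) -> dict:
    return {"seq": seq, "timestamp": timestamp, "actor": actor, "action": action,
            "resource": resource, "prev_hash": prev_hash}


def _digest(body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so every verifier hashes the same bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


class AuditLog:
    """Append-only in-memory log; every PHI access becomes one chained record."""

    def __init__(self) -> None:
        self._records: List[AuditRecord] = []

    def record_access(self, actor: str, action: str, resource: str,
                      timestamp: Optional[str] = None) -> AuditRecord:
        prev_hash = self._records[-1].hash if self._records else GENESIS_HASH
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        body = _body(len(self._records), ts, actor, action, resource, prev_hash)
        rec = AuditRecord(**body, hash=_digest(body))
        self._records.append(rec)
        return rec

    def records(self) -> List[AuditRecord]:
        return list(self._records)   # a copy, so callers cannot mutate the log's own list


def verify_chain(records: List[AuditRecord]) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first record that fails."""
    prev_hash = GENESIS_HASH
    for i, r in enumerate(records):
        body = _body(r.seq, r.timestamp, r.actor, r.action, r.resource, r.prev_hash)
        if r.seq != i or r.prev_hash != prev_hash or _digest(body) != r.hash:
            return i
        prev_hash = r.hash
    return None


def demo() -> dict:
    """Build a log from constructed sample accesses and run three tampering scenarios."""
    log = AuditLog()
    log.record_access("user-101", "read", "claim/0001", "2026-03-01T09:00:00+00:00")
    log.record_access("user-102", "update", "claim/0001", "2026-03-01T09:05:00+00:00")
    log.record_access("user-101", "read", "claim/0002", "2026-03-01T09:10:00+00:00")
    intact = log.records()

    # 1. A field in the middle record is changed but its stored hash is not.
    edited = list(intact)
    edited[1] = replace(edited[1], action="read")

    # 2. The record is changed AND its own hash recomputed; the successor's prev_hash still breaks.
    rehashed = list(intact)
    body = _body(1, intact[1].timestamp, intact[1].actor, "read",
                 intact[1].resource, intact[1].prev_hash)
    rehashed[1] = AuditRecord(**body, hash=_digest(body))

    # 3. The middle record is removed; seq numbers and links no longer line up.
    deleted = [intact[0], intact[2]]

    return {
        "intact": verify_chain(intact),
        "edited": verify_chain(edited),
        "rehashed": verify_chain(rehashed),
        "deleted": verify_chain(deleted),
    }


if __name__ == "__main__":
    print(demo())   # {'intact': None, 'edited': 1, 'rehashed': 2, 'deleted': 1}
```

Chaining makes tampering detectable, not impossible: whoever controls the whole store can rewrite every record and every hash. In a deployment the records would go to append-only storage and the current head hash would be periodically anchored somewhere the log writer cannot modify (a separate system or a signed timestamp), so that a rewritten chain no longer matches the anchored head.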
4. Administrative Safeguards (§164.308)
- Security Officer: A designated security officer oversees HIPAA compliance and security programme management
- Workforce training: All personnel with access to PHI receive HIPAA training before access is granted
- Access management: Access to PHI is limited to personnel who require it for their specific job function
- Risk analysis: Regular risk assessments are conducted to identify and address potential vulnerabilities
- Contingency planning: Data backup, disaster recovery, and emergency access procedures are documented and tested
- Business Associate management: All our sub-processors who may access PHI operate under appropriate data processing agreements
5. Physical Safeguards (§164.310)
- ClaimVise operates on cloud infrastructure with physical security controls managed by our infrastructure provider
- Access to server infrastructure is restricted to authorised personnel only
- Workstations accessing PHI are subject to security policies including encrypted storage and screen lock requirements
- Media containing PHI is securely disposed of when no longer needed
6. PHI Use & Disclosure Limitations
ClaimVise uses PHI only for the following permitted purposes:
- Processing medical claims and generating billing outputs on behalf of the Covered Entity
- Providing the services described in the applicable Business Associate Agreement
- As required by law or regulatory mandate
- For our own legal and compliance obligations
ClaimVise does NOT use PHI to train AI models, for marketing purposes, for analytics beyond what is required to deliver services, or for any purpose not explicitly permitted by the applicable BAA. This is an unconditional commitment.
7. Breach Notification
In the event of a breach of unsecured PHI, ClaimVise will:
- Notify the affected Covered Entity without unreasonable delay and in no case later than 60 calendar days after discovery
- Provide all information required under 45 CFR §164.410, including the nature of the breach, PHI involved, and steps taken
- Cooperate fully with the Covered Entity's breach notification obligations to patients and HHS
- Document all breaches and our response actions
8. Patients' Rights
ClaimVise supports Covered Entities in meeting their obligations regarding patient rights under HIPAA, including:
- Right of access — making PHI available to patients or their authorised representatives upon request from the Covered Entity
- Right to amend — cooperating with corrections or amendments to PHI
- Right to an accounting of disclosures — providing records of disclosures as required
9. Sub-Processors
ClaimVise uses the following key sub-processors that may process PHI:
- Anthropic (Claude API): AI processing of clinical documents. Anthropic operates under a data processing agreement and does not use customer data to train models.
- Cloud infrastructure provider: Server hosting and storage. Operates under data processing agreements with appropriate security certifications.
We maintain a current list of sub-processors and will notify Covered Entities of material changes in sub-processor relationships as required by applicable BAA terms.
10. Requesting a BAA or Reporting a Concern
HIPAA & Security Contact
To request a BAA, report a security concern, or ask questions about our HIPAA compliance programme:
Innodel Technologies Private Limited
Email: info@innodel.com
Subject: "HIPAA — ClaimVise"
We acknowledge all HIPAA-related enquiries within 1 business day.