Claimie

Compliance

HIPAA isn't a badge on our footer. It's the architecture.

HIPAA Business Associate·BAA With Every Client·US-Based Team·Encrypted In Transit & At Rest (TLS 1.2+/AES-256)

Our Role Under HIPAA

Claimie operates as a Business Associate as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the HITECH Act, and their implementing regulations at 45 C.F.R. Parts 160 and 164. We execute a Business Associate Agreement (BAA) with every client, without exception, before receiving, accessing, or transmitting any Protected Health Information (PHI). Our BAA obligates us to use PHI solely to perform the claims-recovery services described in our services agreement, consistent with the Privacy Rule’s minimum-necessary standard.

Safeguards

Administrative. Physical. Technical.

Administrative

  • Designated Privacy & Security Officer
  • Documented policies and procedures
  • Annual HIPAA workforce training with attestation
  • Role-based access assignments reviewed quarterly
  • Sanction policy
  • Security risk analysis conducted at least annually, as required by 45 C.F.R. §164.308(a)(1)(ii)(A), with findings tracked through risk management
  • Vendor management with BAAs executed with every subcontractor that may access PHI

Physical

  • No PHI on removable media
  • Facility and workstation access controls
  • Clean-desk and screen-lock policies
  • Secure disposal (media sanitization aligned with NIST SP 800-88)

Technical

  • PHI encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Unique user IDs with multi-factor authentication
  • Automatic session timeouts
  • Audit logging of PHI access and system activity
  • Least-privilege access provisioning
  • Regular access reviews and deprovisioning on role change or termination

Breach Notification

In the event of a breach of unsecured PHI, Claimie follows the notification requirements of 45 C.F.R. §§164.400–414 and our BAA: we notify affected covered-entity clients without unreasonable delay and no later than the timeframe specified in the applicable BAA [standard: within X business days of discovery; set by counsel], and in no case later than the 60 calendar days after discovery that §164.410(b) sets as the outer limit. We cooperate fully in the risk assessment, in supporting individual notification, and in remediation.

What We Don’t Do

  • We don't sell, license, or monetize PHI.
  • We don't use client data to train models shared across clients. [confirm architecture before publishing]
  • We don't move PHI offshore. [confirm]
  • We don't retain PHI beyond the retention period in your BAA. On termination, PHI is returned or destroyed per §164.504(e)(2)(ii)(J).

BAA & Security Documentation

Compliance officers: ask us anything.

Request our standard BAA, security overview, and policies index. Email hello@claimie.ai with “BAA request” in the subject line, or use the contact form; we respond within one business day.

Accessibility Statement

Claimie is committed to meeting WCAG 2.1 AA on this website: semantic landmarks, visible focus states, sufficient contrast, and respect for reduced-motion preferences. If you encounter an accessibility barrier anywhere on this site, email hello@claimie.ai and we will address it promptly.

Know your number before you sign anything.

The Recovery Audit is a $500 analysis, yours free, in writing, with an honest go/no-go. Limited slots each month.