We work with denied health insurance claims and the Protected Health Information (PHI) tied to them. That is sensitive work. This page explains how we keep your data safe, what compliance looks like at our scale, and what we will sign before you send us a single byte of patient information.
If you have a security or compliance question that’s not answered here, email sarthak@relviohealth.com. We will get you a real answer, fast.
If you have been burned by a billing vendor before, this page is for you. Here is what we will commit to in writing before a single byte of patient data changes hands.
At a Glance
- Data residency: PHI is stored in US-based, BAA-covered Google Workspace cloud infrastructure, configured for a United States data region for primary data at rest. PHI is not stored on any device or server outside that BAA-covered infrastructure.
- Access: PHI is accessed only by trained, authorized workforce through encrypted, multi-factor-authenticated, audit-logged channels. No downloading, printing, or local storage of PHI.
- HIPAA: We operate as a Business Associate. We sign a Business Associate Agreement before any PHI changes hands.
- Florida focus: We currently serve practices in Florida only. Our compliance program is built around HIPAA, Florida FIPA, the Florida Patient Brokering Act, and OIG billing-company guidance.
- Background screening: Monthly OIG LEIE and SAM.gov exclusion screening on all workforce members.
- Company: Relvio Health is the trade name of SYBR INK Private Limited. Founder-led.
How Patient Data Flows
Here is exactly what happens with PHI from intake to recovery:
- Free audit (pre-engagement). No PHI exchanged. We collect business contact info only. Decision and proposal happen on de-identified or aggregate data.
- Sign BAA + Denial Recovery Services Agreement. Both signed before any PHI moves.
- Client provisions access. Client adds us as a sub-account on their clearinghouse (Availity, Office Ally, Waystar, etc.) or provides authorized credentials. PHI lives in client systems and in US-based clearinghouse and Google Workspace storage.
- Denial review. We pull denied claim data into BAA-covered Google Workspace. We analyze, prioritize, and prepare corrected claims and appeal letters.
- Submission. Corrected claims and appeal letters are submitted under the client’s National Provider Identifier (NPI) through the agreed clearinghouse or payer portal.
- Tracking and reporting. Weekly status reports show claims worked, appeals filed, and recoveries achieved. Reports use de-identified aggregate data where possible.
- Termination. PHI is returned or destroyed within 30 days, with written certification, per the Business Associate Agreement.
PHI is not stored on any device or server outside our BAA-covered infrastructure. Our authorized workforce accesses it remotely via encrypted, MFA-protected, audit-logged channels — with no download, print, or local copy.
Compliance Stack
Federal
- HIPAA Privacy Rule (45 CFR Part 164, Subpart E)
- HIPAA Security Rule (45 CFR Part 164, Subpart C) — administrative, physical, and technical safeguards
- HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D)
- HITECH Act — direct Business Associate liability
- OIG Compliance Program Guidance for Third-Party Medical Billing Companies (63 Fed. Reg. 70138, December 18, 1998) — we maintain a compliance program consistent with the seven required elements
- Anti-Kickback Statute (42 USC 1320a-7b) — our fee structure is fair market value for services rendered, not a referral payment
- False Claims Act (31 USC 3729–3733) — every corrected claim is reviewed for accuracy before submission
- Medicare Advantage subcontractor requirements — where a client’s Medicare Advantage payer contract imposes downstream obligations on the client’s vendors, we support the client’s compliance, including written attestation where applicable
Florida
- Florida Information Protection Act (Fla. Stat. § 501.171) — 30-day breach notification
- Florida Patient Brokering Act (Fla. Stat. § 817.505) — our scope explicitly excludes marketing, patient acquisition, and referral generation
- Florida fee-splitting prohibition (Fla. Stat. § 458.331(1)(i)) — pure billing/recovery scope
Data protection
- We operate under a comprehensive data-protection program covering both US and applicable non-US obligations, with PHI maintained in US-based BAA-covered infrastructure.
Security Controls
Administrative
- Written HIPAA Privacy and Security policies, reviewed annually
- Designated Compliance Officer
- Workforce HIPAA training within 30 days of onboarding, annual refresher, FIPA-specific module
- Background checks before any PHI access is granted
- Monthly OIG LEIE and SAM.gov exclusion screening on all workforce members
- Sanctions policy with documented enforcement
- Annual risk assessment
Physical
- No local storage, printing, or photographing of PHI at any workstation
- Access restricted to authorized devices in controlled environments
- Clean-desk and screen-privacy practices
Technical
- Encryption at rest: AES-256 (or equivalent) for all stored PHI, leveraging Google Workspace’s built-in encryption
- Encryption in transit: TLS 1.2 or higher for all PHI movement
- Multi-factor authentication: Required on every account with PHI access
- Role-based access controls: Least-privilege access, periodic reviews
- Audit logs: Retained for at least 6 years, monitored for anomalies
- Device controls: Full-disk encryption, automatic screen lock, remote-wipe capability
- Endpoint protection: Up-to-date malware protection on all devices
- Network controls: Secure VPN where required for client systems access
Organizational
- Business Associate Agreements with every client and subcontractor handling PHI
- Documented incident response plan tested annually
- Documented business continuity plan
- Breach notification procedures aligned with both HIPAA’s 60-day federal timeline and Florida FIPA’s 30-day state timeline
Vendors and Sub-processors
| Vendor | Function | Data Type | BAA Status | Data Location |
|---|---|---|---|---|
| Google LLC (Google Workspace) | Email, Drive, Forms, Sheets, Calendar, Meet | Business + PHI | BAA signed | US-based BAA-covered infrastructure |
| Cloudflare, Inc. | Hosting, DNS, edge security | Site logs, no PHI | Conduit (no BAA needed) | Distributed (no PHI) |
| Calendly LLC | Appointment scheduling | Business contact, no PHI | N/A | United States |
| Namecheap, Inc. | Domain registration | Domain registration data | N/A | United States |
| GitHub, Inc. | Source code repository | No PHI | N/A | United States |
| Wise Payments Limited | Payment processing | Payment data, no PHI | N/A | Multi-jurisdiction |
| Client clearinghouses (Availity, Office Ally, Waystar, etc.) | Claim and appeal submission | PHI | Sub-BAA flows down through client | United States |
We do not subcontract any PHI processing to additional third-party vendors. Every workforce member who performs PHI work is employed directly by SYBR INK Private Limited.
Data Residency & Access
Your patients’ data stays in US-based, BAA-covered infrastructure. Our authorized workforce accesses it remotely under strict, audited controls. Here is what that means for you:
- US data residency. PHI is stored in Google Workspace cloud infrastructure under the Google Workspace BAA, configured for a United States data region for primary data at rest. PHI is not stored on any device or server outside that BAA-covered infrastructure.
- Controlled remote access. Access is limited to trained, authorized workforce through encrypted, MFA-protected, audit-logged sessions. No PHI is downloaded, printed, or stored locally.
- Florida jurisdiction. All disputes are governed by Florida law in Miami-Dade County. This is in writing in our BAA and Services Agreement.
- Continuous screening. Monthly OIG LEIE and SAM.gov screening on all workforce.
- Disclosed, not buried. Our corporate structure, data practices, and data-processing locations are disclosed in our BAA, our Services Agreement, and our Privacy Policy. We are happy to walk any prospective client through them before engagement.
Breach Response
If we ever experience a breach involving your PHI:
- Within 48 hours: We notify you in writing with the details required under HIPAA and FIPA.
- We support your patient notifications: Within timelines that allow you to meet Florida’s 30-day patient notification window.
- We support regulator notifications: HHS OCR (federal) and Florida Department of Legal Affairs (state) for breaches affecting 500+ Florida residents.
- We bear notification costs: Including credit monitoring (minimum 12 months) where the breach is attributable to our acts or omissions, subject to our liability cap.
- Forensics and remediation: We engage independent forensics where warranted and document remediation steps.
- Annual tabletop exercises: We test our incident response plan at least annually.
What We Will Sign
Before any PHI is exchanged, we sign:
- Business Associate Agreement (our standard template, Florida-tailored, attorney-reviewed) — or your template if it covers what HIPAA + FIPA require. We will redline.
- Denial Recovery Services Agreement — defines payer scope, 25% contingency, pilot or term, AAA arbitration in Miami-Dade.
- Insurance Certificate of Insurance — naming you as additional insured where commercially available.
- Mutual NDA — if you want one before sharing payer mix or financial details during sales conversations.
We do not sign BAAs missing the 48-hour breach notification clause required by FIPA, or agreements that bundle billing services with marketing or patient acquisition.
Frequently Asked Questions
“How do you keep my patient data secure with a remote team?”
PHI is stored in US-based Google Workspace cloud infrastructure under the Google Workspace BAA, configured for a US data region for primary data at rest. PHI is not stored on any device or server outside that BAA-covered infrastructure. Our authorized workforce accesses it remotely with multi-factor authentication, encrypted devices, and audit logging. No data is downloaded, printed, or stored locally.
“Can you support my Medicare Advantage compliance obligations?”
Yes. Where your Medicare Advantage payer contract imposes downstream obligations on your vendors, we support your compliance, including providing written attestation where applicable. Tell us what your payer requires and we will meet it.
“What happens to my data if I terminate?”
Per the BAA, we return or destroy all PHI within 30 days of termination and provide written certification. We retain only logs required for compliance recordkeeping (6 years), and those contain no patient-identifiable PHI.
“What’s your jurisdiction for legal disputes?”
Florida law in Miami-Dade County. Arbitration through AAA. This is in writing in both the BAA and the Services Agreement.
“Will you sign my custom BAA or vendor agreement?”
We’ll redline yours or you can use ours. Either way, the BAA must include the 48-hour breach notification timeline (FIPA).
“Do you handle Medicaid?”
No. Our payer scope is commercial private insurance plus Medicare Advantage (Part C). We exclude Florida Medicaid, original Medicare (Part A/B fee-for-service), Medicare Advantage Special Needs Plans for dual-eligibles (D-SNP), Workers’ Compensation, auto/PIP, and self-pay.
“What if a patient asks for their records?”
Patient access requests must go to the Covered Entity (your practice). We are a Business Associate. If you need our help to fulfill an access request, we provide records within 7 business days to support your HIPAA timeline.
Contact Us
Email: sarthak@relviohealth.com
Audit / engagement requests: /free-audit
Privacy questions: Privacy Policy
Site terms: Terms of Service
Relvio Health is operated by SYBR INK Private Limited, an Indian private limited company.