HIPAA Notice
Last updated May 22, 2026
RevDone is built for healthcare from the foundation up. This notice explains how RevDone handles protected health information as a Business Associate — including the AI guardrails and human-approval safety net that cannot be disabled.
1. RevDone’s role under HIPAA
RevDone is built for healthcare practices, many of which are HIPAA covered entities. When a covered entity uses RevDone to process information that may include protected health information (PHI), RevDone acts as a Business Associate as defined by HIPAA and the HITECH Act.
This notice explains the controls RevDone applies to PHI. It supplements, and does not replace, the Business Associate Agreement (BAA) between RevDone and a covered entity.
2. Business Associate Agreement
A BAA is included on the Practice and Practice Group paid plans at no additional cost. Once a paid plan is active, an authorized signer can review, sign, and download the BAA from Settings → HIPAA. The BAA governs how RevDone may use and disclose PHI and the obligations both parties carry.
3. The AI guardrail — non-negotiable
Every reply RevDone drafts passes through HIPAA-aware guardrails before a human ever sees it. By design, AI-generated replies will never:
- Reference a patient’s treatments, procedures, diagnoses, conditions, or medications.
- Confirm or deny that any individual is, or ever was, a patient of the practice.
- Disclose appointment details, clinical history, or other identifying information about an individual.
- Repeat sensitive details from a review, even when the reviewer themselves disclosed them publicly.
These guardrails are foundational to RevDone and are not a setting that can be turned off.
4. The human-approval safety net
RevDone never auto-posts replies to negative reviews. Reviews rated 1 or 2 stars — and any reply flagged as billing, clinical, or service-recovery — are always held for human approval and are never published automatically, regardless of a practice’s autopilot configuration. This control is built in and cannot be disabled.
5. Safeguards
RevDone maintains administrative, physical, and technical safeguards consistent with the HIPAA Security Rule:
- Encryption of data in transit (TLS) and at rest (AES-256).
- Per-organization row-level isolation so one practice can never read another’s data.
- Role-based access controls and least-privilege access for the RevDone workforce.
- Audit logging of access to sensitive records.
- Workforce training on privacy and security, and due diligence on sub-processors.
6. Sub-processors and downstream BAAs
Where a sub-processor may handle PHI on RevDone’s behalf, RevDone executes a Business Associate Agreement or equivalent data-protection terms with that vendor before PHI is shared. RevDone keeps the set of sub-processors deliberately small.
7. Breach notification
If RevDone discovers a breach of unsecured PHI, it will notify affected covered entities without unreasonable delay and consistent with the timelines and content requirements of the HIPAA Breach Notification Rule and the governing BAA.
8. Minimum necessary and customer responsibilities
Covered entities should provide only the minimum information necessary to use RevDone and should avoid entering PHI into free-text fields where it is not required. Customers control which platforms and locations are connected and are responsible for configuring team roles so that staff have only the access they need.
9. Supporting patient and individual requests
RevDone supports covered entities in meeting their obligations to individuals — including access, amendment, and accounting-of-disclosures requests — to the extent RevDone holds relevant information. Requests should be directed to the covered entity, which can coordinate with RevDone as needed.
10. Contact
For HIPAA, BAA, or compliance questions, contact RevDone Health, Inc. at privacy@revdone.com.