Compliance, in plain English

This page exists to be forwarded to your compliance officer. Every claim on it is a checkable fact with the federal source linked. Print it, send it, interrogate it.

The one-paragraph version

The Clean Room de-identifies your files inside your own browser, before any transmission occurs. ReimburseOS never receives protected health information. Under HHS guidance, de-identified health information is not PHI and is not subject to HIPAA (45 CFR 164.514, HHS De-identification Guidance). A vendor that never accesses PHI is not a business associate and no BAA is required (HHS FAQ 256). This is not a workaround. It is the architecture HHS guidance describes.

Exactly what is kept and what is stripped

Field | Treatment | Why
Provider NPI | KEPT | Identifies the practice, not the patient. NPIs are public federal records.
Payer name | KEPT | Corporate entity, not an individual.
CPT / HCPCS, modifiers, units | KEPT | Describes the service, not the person.
Billed / allowed / paid amounts, adjustment reason codes | KEPT | The payment math. This is the entire point.
Service date | YEAR ONLY | Safe Harbor requires removing all date elements except year.
Patient name | STRIPPED | Direct identifier. Removed in your browser.
Member / subscriber ID | STRIPPED | Direct identifier. Removed in your browser.
Date of birth | STRIPPED | Direct identifier. Removed entirely.
Addresses, phone, contacts | STRIPPED | Direct identifiers. Removed in your browser.
Claim / account numbers | REPLACED | Substituted with anonymous codes generated from a key that exists only on your machine. We cannot reverse them; you can.
Diagnosis codes (837) | ROLLED UP | Reduced to chapter-level counts. Individual codes never transmitted.

Method: Safe Harbor de-identification, 45 CFR 164.514(b)(2), applied client-side. The anonymous claim codes follow 164.514(c): the re-identification key is held solely by you and is never disclosed to ReimburseOS.

The four questions your compliance officer will ask

1. Does this require a BAA?
No. A business associate relationship exists only when a vendor creates, receives, maintains, or transmits PHI on behalf of a covered entity or business associate. ReimburseOS receives only de-identified data. HHS states a software vendor without access to PHI is not a business associate (FAQ 256), and a recipient of properly de-identified data is not handling PHI at all. If your policies require a BAA for all vendors regardless, we will discuss one, but federal law does not require it here.
2. Are we allowed to de-identify our clients' data?
De-identification is a "use" of PHI. As a business associate of your provider clients, your right to de-identify comes from your agreements with them (see HHS FAQ 544). Most modern BAAs permit de-identification and aggregation; the submission flow requires you to confirm yours do. If you are an MSO or practice submitting your own data, you are the covered entity side and may de-identify your own records.
3. Is this HIPAA certified?
There is no such thing as HIPAA certification, and we will never claim one. The accurate statement: this workflow is designed so that no PHI is disclosed, which means the HIPAA Privacy and Security Rules do not attach to the transfer. You can verify the claim directly: open your browser's network inspector during a submission and read every byte that leaves.
4. What about 42 CFR Part 2, state privacy laws, and our E&O posture?
Properly de-identified data is outside Part 2's restrictions and outside the consumer health data laws of every US state, which regulate identifiable information. Your exposure surface is the de-identification step itself, which is why it runs on your machine, deterministically, with a preview you approve. If any file may contain substance use disorder program records, confirm your Part 2 consents permit de-identification before submitting.

What ReimburseOS does with the data

De-identified rate lines feed the national benchmark index that powers your own intelligence readouts: where your book is paid under peer rates, payer by payer, code by code. Your variance findings come back keyed to the anonymous claim codes, which only you can map to real claims using the key on your machine. We do not sell identified data because we never have any.

Data Submission Agreement (DSA-1.0), full text

1. Parties and scope. This agreement is between the submitting organization ("Partner") and TwinFlame Group LLC d/b/a ReimburseOS ("ReimburseOS") and governs data transmitted through the Clean Room.

2. Partner representations. Partner represents that (a) it is authorized to de-identify and share data derived from the submitted files, including under any business associate agreements governing that data; (b) the submission consists solely of the de-identified output previewed in the Clean Room; and (c) the individual submitting is authorized to bind Partner.

3. ReimburseOS commitments. ReimburseOS (a) receives only the de-identified rows displayed in the preview; (b) holds no key capable of re-identifying any record; (c) uses submitted data to provide benchmark intelligence, variance reporting, and aggregate market analysis; and (d) will not attempt re-identification of any record, ever.

4. Ownership and license. Partner retains all rights in its source files, which are never transmitted. Partner grants ReimburseOS a perpetual, non-exclusive license to use the de-identified rows for the purposes in Section 3.

5. No PHI. The parties intend and agree that no protected health information is disclosed under this agreement. If PHI is ever discovered in a submission, ReimburseOS will delete it promptly and notify Partner.

6. Electronic execution. This agreement is executed electronically under the federal ESIGN Act. The submitter's typed name, the agreement version, and a timestamp are recorded as the signature.

This page is provided for information and is not legal advice. Sources: HHS De-identification Guidance · HHS FAQ 256 · HHS FAQ 544 · HHS FAQ 247 (electronic agreements)
