HIPAA & Security
How Claimo approaches sensitive ABA records, PHI minimization, access control, AI-assisted review, security operations, and customer responsibilities.
Last updated: April 25, 2026
1. Current security posture
Claimo is designed for sensitive ABA operational records, including claims, session notes, authorizations, payer rules, provider information, and related documentation. The platform is built to reduce unnecessary exposure of patient-identifying information, enforce workspace access controls, and maintain auditability around document processing and risk review workflows.
Claimo is an early-stage platform. We describe our current safeguards transparently, but we do not currently claim SOC 2 attestation, HITRUST certification, a completed third-party penetration test, dedicated single-tenant storage, enterprise SSO, cyber-insurance limits, or a default business associate agreement for every customer.
Security and compliance are shared responsibilities. Claimo provides platform controls and safeguards; customers remain responsible for their own HIPAA compliance program, workforce training, minimum-necessary determinations, user access decisions, payer submissions, clinical documentation practices, and internal policies.
2. HIPAA role and contracting
When Claimo creates, receives, maintains, or transmits protected health information for or on behalf of a covered entity or business associate, Claimo expects to operate under appropriate written business associate or data protection terms. Those terms must be reviewed and agreed before production PHI is submitted.
Claimo's public website, waitlist, demos, screenshots, and general email channels are not approved channels for PHI. Customers should not use Claimo to process production PHI unless the required contractual, security, and organizational approvals are in place.
Claimo does not provide legal advice and does not determine whether a customer is a covered entity, business associate, or subcontractor. Customers should consult counsel or privacy leadership to determine their HIPAA obligations and contracting requirements.
3. Data flow at a high level
A typical workflow starts when an authorized user uploads or imports a claim, note, authorization, or related document into the customer's workspace. Claimo stores operational metadata, extracts text or structured fields, applies PHI minimization where feasible, and runs ABA-specific analysis over the relevant billing, authorization, and documentation context.
Claimo then stores generated outputs such as extracted fields, risk flags, match statuses, utilization summaries, review decisions, and audit events. Customer users review outputs in the dashboard and decide what, if any, action is appropriate.
Some workflows may preserve encrypted identity-linkage records so authorized users can reconcile pseudo IDs back to real clients when necessary. Identity reveals are intended to be role-gated and audit-logged.
4. PHI minimization and AI review
Claimo is built around PHI minimization. Product workflows are intended to strip, tokenize, or avoid unnecessary patient-identifying information before AI-assisted review where feasible for the workflow. The purpose is to allow risk analysis of billing, authorization, and documentation patterns without exposing more patient information than necessary.
Downstream analysis prompts are designed around de-identified or tokenized text. Certain narrow preprocessing steps may need to inspect source text to identify client identity, classify documents, or improve PHI stripping before downstream analysis. Those steps should be limited, server-side, and logged.
AI-assisted outputs are operational review aids. They do not create legal conclusions, clinical determinations, payer approvals, or audit guarantees. Customers are responsible for reviewing AI-assisted results before taking billing, clinical, compliance, or legal action.
Claimo does not intentionally use identifiable customer PHI to train general-purpose AI models. De-identified or aggregate information may be used to improve workflow quality, model evaluation, and product reliability when allowed by the applicable agreement and privacy terms.
5. Authentication and session controls
Claimo uses authenticated access for protected application areas. Password rules enforce minimum strength requirements, and session controls are designed around inactivity timeouts, absolute session limits, secure cookies, and re-authentication for sensitive operations.
The platform includes infrastructure for multi-factor authentication and organization-level MFA enforcement. Customers should confirm the current MFA configuration for their workspace during onboarding or security review.
Users should use strong, unique credentials and should protect devices, browsers, password managers, and email accounts used to access Claimo. Suspected account compromise should be reported promptly to founders@tryclaimo.com.
6. Authorization, roles, and tenant isolation
Claimo is intended to support role-aware access to customer workspaces. Current roles include administrative and operational roles for organization owners, clinical leadership, billing workflows, and elevated platform administration.
Database access is designed around row-level security policies and organization scoping so users can access only records associated with organizations they are permitted to use. Server-side routes also perform authorization checks for sensitive workflows.
Claimo is currently a multi-tenant application. We do not currently claim dedicated per-customer storage buckets, single-tenant deployments, or customer-managed encryption keys unless those are separately implemented and agreed in writing.
7. Encryption and transport security
Claimo is designed to protect data in transit using HTTPS/TLS and security headers such as HSTS, frame restrictions, content-type protections, referrer controls, permissions policies, and a content security policy.
Sensitive application fields are designed to use AES-256-GCM application-layer encryption with key version tracking and tenant-scoped key derivation. Cloud infrastructure also provides underlying encryption for database, storage, and backup layers.
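As an added illustration, not Claimo's own code, the following shows how the pieces named above can fit together: a master key tracked by version, a tenant-scoped AES-256 key derived per organization, and AES-256-GCM with the key version and organization ID bound as additional authenticated data so a ciphertext cannot be moved between tenants or key versions. The master-key values, the derivation label, and the envelope layout are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Master keys by version: constructed placeholders (assumption), normally loaded from a KMS.
var masterKeys = map[uint32][]byte{1: []byte("constructed-retired-master-key-v1"), 2: []byte("constructed-current-master-key-v2")}

// tenantAEAD derives a per-organization AES-256 key (one HKDF-Expand-style HMAC-SHA256 step) and wraps it in AES-GCM.
func tenantAEAD(keyVersion uint32, orgID string) (cipher.AEAD, error) {
	master, ok := masterKeys[keyVersion]
	if !ok {
		return nil, errors.New("unknown key version")
	}
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("claimo-tenant-field-key|" + orgID + "|\x01"))
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte key, so this cannot fail
	return cipher.NewGCM(block)
}
// Encrypt returns keyVersion(4 bytes BE) || nonce(12) || ciphertext||tag; version and
// orgID are bound as AAD, so an envelope cannot be replayed under another tenant.
func Encrypt(keyVersion uint32, orgID string, plaintext []byte) ([]byte, error) {
	gcm, err := tenantAEAD(keyVersion, orgID)
	if err != nil {
		return nil, err
	}
	header := binary.BigEndian.AppendUint32(nil, keyVersion)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // never returns an error since Go 1.24; fresh nonce per write
	aad := append([]byte(orgID), header...)
	return gcm.Seal(append(header, nonce...), nonce, plaintext, aad), nil
}
// Decrypt reads the key version from the envelope, so rows written under retired v1 stay readable.
func Decrypt(orgID string, envelope []byte) ([]byte, error) {
	if len(envelope) < 4+12+16 {
		return nil, errors.New("envelope too short")
	}
	gcm, err := tenantAEAD(binary.BigEndian.Uint32(envelope[:4]), orgID)
	if err != nil {
		return nil, err
	}
	aad := append([]byte(orgID), envelope[:4]...)
	return gcm.Open(nil, envelope[4:16], envelope[16:], aad) // fails on any tampering
}
```

Rotating to a new version only changes which version new writes use; old rows are decrypted with the version recorded in their own envelope until they are re-encrypted.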
Encryption reduces risk but does not remove the need for careful access control, logging, key management, secure administration, customer endpoint security, and contractual review for production PHI workflows.
8. Auditability and administrative controls
Claimo is intended to preserve operational context around document processing, extracted fields, risk scores, review activity, and user actions so teams can understand how outputs were produced and what records were involved.
Audit events are designed to capture security-relevant and workflow-relevant actions such as authentication events, document activity, PHI stripping events, identity reveals, review decisions, exports, administrative actions, and system changes. Audit metadata should avoid storing raw PHI.
Audit logs are designed as append-only operational records, with database protections intended to prevent ordinary update or delete operations. Certain maintenance or test-only tooling may exist for non-production reset workflows and should not be used for production audit-history deletion.
Audit logs and metadata are operational safeguards, not a substitute for a customer's legal record retention program. Customers remain responsible for deciding what records must be retained, amended, exported, or produced during payer, regulatory, or legal review.
9. Data lifecycle and retention design
Claimo's retention design distinguishes between raw uploaded files, de-identified analysis results, audit records, and de-identified training or evaluation examples. Raw files are intended to be kept only as long as needed for processing and short-term operational support.
The application includes a retention policy function designed to delete raw uploaded files from storage after analysis and a short retention period, while preserving de-identified analysis results, operational metadata, and audit trails for longer review and compliance needs.
Customer-specific retention, deletion, export, legal hold, and backup obligations should be confirmed in a written agreement before production use. Backup, audit, security, and archival records may persist where needed for continuity, security, auditability, or legal obligations.
10. Secure development and change management
Claimo's engineering practices are intended to include code review, dependency awareness, environment separation, least-privilege access, and controlled handling of production data. Specific controls may mature as the product moves through early access and broader release.
Security-sensitive changes, access changes, and data-handling changes should be reviewed with attention to patient privacy, auditability, and customer obligations. Customers with formal control-mapping, CI/CD, branch protection, change approval, or evidence requirements should request current documentation during contracting.
Claimo does not currently publish a completed third-party penetration test, SOC 2 report, or formal external control attestation. These may be roadmap items, but they should not be assumed available unless Claimo provides current documentation under appropriate confidentiality terms.
11. Vendors and subprocessors
Claimo may use vendors for hosting, storage, authentication, email, security monitoring, analytics, AI infrastructure, and other operational needs. Vendors are evaluated based on their role, access to sensitive data, and security posture.
Where PHI is processed by a vendor acting as a subcontractor business associate, Claimo expects appropriate contractual protections to be in place before that vendor is used for the relevant production workflow. We do not currently publish a public default subprocessor list with executed BAA status for every vendor.
Customers with subprocessor review, data residency, vendor risk, or approval requirements should request current documentation during contracting and before uploading production PHI.
12. Incident response
Claimo maintains procedures intended to identify, investigate, contain, and remediate security incidents. If an incident affects customer data, Claimo will provide notice consistent with applicable law and contractual obligations.
Incident handling may include triage, containment, access revocation, log review, customer communication, remediation, evidence preservation, and post-incident review. Notification timelines and breach-specific obligations should be defined in the applicable customer agreement and any required business associate terms.
Security reports should include a description of the issue, affected route or account if known, reproduction steps, and contact information for follow-up. Please do not include patient information in initial vulnerability reports unless specifically requested through a secure channel.
13. Customer responsibilities
Customers are responsible for workforce training, role assignment, user offboarding, endpoint security, internal access reviews, payer submissions, clinical documentation practices, legal holds, minimum-necessary determinations, and determining whether Claimo is appropriate for a given workflow.
Customers should review outputs against source documents before taking action. Claimo can help surface risk patterns, but it does not decide whether a service was medically necessary, whether a note is clinically adequate, or whether a payer will accept a claim.
Customers should not upload production PHI until they have completed their own vendor review, confirmed the approved workflow, configured appropriate users and roles, and completed any required contractual terms.
14. Frequently asked security questions
Is Claimo HIPAA compliant? Claimo is built with HIPAA-aligned safeguards and PHI-minimization controls, but HIPAA compliance depends on the full technical, administrative, physical, and contractual context. Claimo does not make a customer HIPAA compliant by itself.
Is Claimo SOC 2 certified? No. Claimo does not currently claim SOC 2 Type I or Type II attestation. Any future report would be made available only after completion and under appropriate confidentiality terms.
Does Claimo support SSO? Not as a current public commitment. Authentication is based on the platform's current auth stack and role-aware access controls unless an enterprise SSO option is separately implemented and agreed in writing.
Is each customer stored in a dedicated bucket or database? Not currently as a public claim. Claimo is designed as a multi-tenant application with organization scoping, row-level security, and role-aware access controls.
Does Claimo train AI models on identifiable PHI? Claimo does not intentionally use identifiable customer PHI to train general-purpose AI models. De-identified or aggregate information may be used for evaluation and product improvement when allowed by applicable terms.
15. What Claimo does not claim
Claimo does not claim to make a customer HIPAA compliant by itself. Claimo does not guarantee payer acceptance, audit immunity, legal compliance, clinical adequacy, claim payment, or the absence of all documentation risk. Claimo does not replace counsel, compliance officers, billing specialists, or clinical supervisors.
Claimo does not currently claim SOC 2 certification, HITRUST certification, annual third-party penetration testing, enterprise SSO, dedicated per-customer storage isolation, customer-managed keys, formal disaster-recovery drill evidence, cyber-insurance limits, or a default BAA for every customer.
16. Security contact
Security questions, vulnerability reports, vendor review requests, HIPAA contracting questions, or privacy questions may be sent to founders@tryclaimo.com.
