1. Introduction
RevHive Health LLC ("RevHive," "we," "us," or "our") operates a software platform that helps independent outpatient physical therapy clinics recover outstanding patient balances through compliant, automated email and SMS outreach. We are headquartered in Boston, Massachusetts and provide our service to U.S.-based healthcare providers.
This Privacy Policy explains what information we collect from the clinics that contract with us (our customers) and from the patients of those clinics (the individuals on whose behalf outreach is performed), how we use that information, how we share it, and the rights available to both groups. This Policy applies to revhivehealth.com, any subdomains we operate, and the software services delivered to authenticated clinic users.
2. Information We Collect
We collect two distinct categories of information that we keep logically and operationally separate.
Clinic-side information
When a clinic registers for and uses our service, we collect:
- Account information including the clinic's legal name, practice address, NPI number where provided, and the name, title, business email, and business phone number of each authorized user.
- Billing information including the name on file, billing address, and tokenized payment details handled by our payment processor (we do not store full card numbers on our systems).
- Account activity including login timestamps, IP address at login, browser and device metadata, dashboard interactions, and audit-log entries for actions taken inside the platform.
- Communications you send to RevHive support, including the contents of those communications and any attachments.
Patient-side information (provided to us by the clinic)
In order to perform balance-recovery outreach on the clinic's behalf, the clinic uploads a limited dataset about its patients. We collect only what is necessary to identify the patient, contact them, and reference the amount owed:
- Patient first and last name.
- Patient contact information: email address, mobile phone number, and optionally a mailing address.
- Balance details: outstanding balance amount, date of the statement giving rise to the balance, and an internal patient or invoice identifier supplied by the clinic.
- Outreach metadata generated by the platform: which messages were sent, when they were delivered, opens and clicks where available, replies, opt-out requests, and payment confirmation events relayed back from the clinic.
We do not collect, request, or store medical record details, clinical notes, diagnoses, treatment plans, procedure codes, prescriptions, lab results, or any other clinical content. The data we receive is limited to what is required to send a friendly, compliant balance reminder.
3. How We Use Information
We use the information described above strictly to provide the service the clinic has engaged us to deliver. Specific uses include:
- Authenticating clinic users and delivering the dashboard, reporting, and account-management features of the platform.
- Generating and sending personalized email and SMS outreach to patients regarding their outstanding balances, on behalf of and under the name of the clinic.
- Honoring patient opt-out requests, suppression-list management, and stop-keyword handling required under TCPA, CAN-SPAM, and carrier rules.
- Reconciling payments reported by the clinic, calculating contingency fees, and generating invoices to the clinic.
- Operating, monitoring, securing, and improving the service, including troubleshooting errors, detecting abuse, and maintaining audit logs.
- Communicating with the clinic about its account, service status, billing, security incidents, and material changes to our terms or this Policy.
- Complying with our legal and regulatory obligations, including HIPAA, state debt-collection and consumer-protection laws, and lawful requests from government authorities.
We do not sell patient information. We do not rent patient information. We do not use patient information to train third-party machine-learning models, and we do not use patient information for advertising or marketing purposes unrelated to the clinic's engagement with us.
4. How We Share Information
We share information only with the subprocessors that are necessary to operate the service. Before any Protected Health Information is transferred to a subprocessor, we execute a HIPAA-compliant Business Associate Agreement (BAA) with that subprocessor, or restrict that subprocessor to non-PHI data only. The current status of each subprocessor is noted below.
- Amazon Web Services (AWS) — primary cloud infrastructure provider. Hosts encrypted application backends, object storage, and queueing infrastructure in U.S. regions. BAA executed.
- Neon — managed Postgres database provider. Stores clinic and patient records used by the platform. BAA executed.
- Vercel — application hosting and edge delivery provider for the marketing site and authenticated dashboard. BAA not yet executed (requires a plan upgrade); will be executed before any PHI is processed through this subprocessor.
- Cloudflare — DNS provider. Currently provides DNS resolution only and does not proxy or terminate application traffic carrying PHI. BAA not yet executed (requires a plan upgrade); a BAA will be executed before Cloudflare is placed in the path of any PHI.
We may add or change subprocessors as the service evolves. Where a new subprocessor will receive PHI, we will execute a Business Associate Agreement with that subprocessor before transferring any PHI, and we will update this Policy.
We may also disclose information when required by law, in response to valid legal process, to protect our rights or the rights of others, or in connection with a corporate transaction such as a merger or asset sale, in which case the receiving party will be bound by terms at least as protective as those in this Policy.
5. HIPAA Notice
When RevHive provides services to a clinic that is a HIPAA Covered Entity, RevHive acts as a Business Associate of that clinic under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, including the HITECH Act and the Omnibus Rule.
We sign a Business Associate Agreement (BAA) with every clinic before any patient data is uploaded. The BAA sets out the permitted and required uses and disclosures of Protected Health Information (PHI), our safeguards obligations, our breach notification obligations, and the disposition of PHI on termination.
We execute a BAA with each subprocessor before that subprocessor receives or stores PHI; the current per-subprocessor status is listed in Section 4. Patients who believe their PHI has been used or disclosed in violation of HIPAA may contact us at privacy@revhivehealth.com, should also contact their clinic directly, and may file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights.
6. Data Retention
The retention period for patient information is set by the clinic in its underlying Business Associate Agreement and service order. In the absence of a different retention period, our default policy is to retain billing-related records (including outreach metadata and balance records) for seven (7) years from the date the balance is closed, in line with standard healthcare billing record-retention practice.
Clinic-side account records are retained for the duration of the service relationship and for a reasonable period thereafter to support tax, accounting, audit, and dispute-resolution needs.
On termination of the clinic's engagement, we will return or destroy PHI in accordance with the BAA. Patients with questions about retention of their specific records should contact their clinic, which controls the underlying data.
7. Security Measures
RevHive maintains administrative, physical, and technical safeguards appropriate to the sensitivity of the information we handle, consistent with the HIPAA Security Rule.
- Encryption in transit using TLS 1.2 or higher for all connections to the platform and to subprocessors.
- Encryption at rest for databases, object storage, and backups using AES-256 or equivalent.
- Role-based access controls; access to patient data is restricted to authorized users with a documented need-to-know.
- Append-only audit logging of access to and modification of patient records. Each entry records the acting user, the clinic, the action, and the record affected; it does not store the underlying patient data values themselves.
- Automatic session logoff: authenticated sessions terminate after a period of inactivity, reducing the risk of unattended access on shared clinic workstations.
- An incident response procedure including patient and clinic notification timelines that meet or exceed HIPAA breach notification requirements.
Planned controls (not yet in place)
The following controls are on our security roadmap and are not yet implemented. They will be in place before we process Protected Health Information for clinic customers:
- Multi-factor authentication for access to production systems. (Sign-in currently uses single-use email magic links.)
- Routine third-party vulnerability scanning and penetration testing.
- Background checks for personnel with access to PHI. All personnel with such access receive HIPAA training.
8. Patient Rights
Because RevHive operates as a Business Associate of the clinic, the clinic remains the primary point of contact for most rights that patients may exercise over their PHI under HIPAA. We will cooperate with the clinic to support those requests promptly.
- Right to opt out of communications — every email we send on a clinic's behalf includes an unsubscribe link, and every SMS we send honors industry-standard stop keywords (STOP, END, QUIT, CANCEL, UNSUBSCRIBE). Opt-outs are processed within the timeframes required by TCPA, CAN-SPAM, and applicable state law.
- Right to request correction or amendment of patient information. Such requests should be directed to the patient's clinic, which controls the source data. We will support the clinic in propagating any corrections to our systems.
- Right of access and right to data portability under HIPAA — patients may request a copy of their PHI in an accessible electronic format from their clinic; we will support fulfillment of those requests as required under our BAA.
- Right to an accounting of disclosures. This right may be exercised through the clinic; we maintain records sufficient to support such an accounting for the period required by HIPAA.
- Right to file a complaint with the clinic, with RevHive at privacy@revhivehealth.com, or with the U.S. Department of Health and Human Services, Office for Civil Rights.
9. State-Specific Disclosures
Massachusetts
RevHive operates in compliance with applicable Massachusetts consumer-protection regulations, including the Attorney General's debt-collection regulations at 940 CMR 7.00 (and specifically 940 CMR 7.04 governing communications with debtors), to the extent those regulations apply to the technology-agent role we play on behalf of healthcare creditors. We do not call patients at unreasonable hours, do not contact patients more frequently than allowed, and honor cease-contact requests on receipt.
California
Where the California Consumer Privacy Act (CCPA), as amended by the CPRA, applies to a California resident's personal information processed through our platform, that resident has the right to know what personal information has been collected, the right to request deletion (subject to HIPAA and record-retention obligations), the right to correct inaccurate information, and the right not to be discriminated against for exercising these rights. PHI processed under HIPAA is generally exempt from CCPA, but non-PHI personal information about California residents is handled in accordance with these rights. Requests may be sent to privacy@revhivehealth.com.
Other states
Residents of other U.S. states with comprehensive privacy laws (including but not limited to Colorado, Connecticut, Virginia, Utah, and Texas) may have analogous rights with respect to non-PHI personal information; we honor those rights to the extent applicable.
10. Children's Privacy
RevHive's service is intended for use by healthcare providers and adult patients. We do not knowingly collect information from children under 13. If a clinic uploads patient data that includes a minor, that information is treated under HIPAA and the BAA between RevHive and the clinic; outreach in such cases should be directed to the parent or guardian on file. If we become aware that we have inadvertently collected information directly from a child under 13 without appropriate parental authorization, we will delete that information.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top and bottom of this page. For material changes that affect how we handle patient information, we will provide reasonable advance notice to clinic administrators by email and post a prominent notice in the dashboard. Continued use of the service after the effective date of an updated Policy constitutes acceptance of the updated terms.
12. SMS / Text Messaging Program
When you opt in to receive text messages from RevHive Health (sent on behalf of your healthcare provider, the "Clinic"), we collect your mobile phone number, your opt-in timestamp, and a record of messages sent to and received from that number. We use this information solely to deliver account notifications, payment reminders, payment confirmations, and related account communications regarding your patient account with the Clinic.
We do not sell, rent, or share your mobile phone number or SMS opt-in data with third parties for marketing purposes, and no mobile opt-in information will be shared with third parties or affiliates for marketing or promotional purposes. Information about your text-messaging activity is shared only with the Clinic on whose behalf the messages are sent and with the subprocessors listed in Section 4 that are necessary to deliver the messages (such as our SMS carrier-aggregation provider).
Message frequency varies based on the status of your account. Message and data rates may apply, as set by your mobile carrier. You may opt out at any time by replying STOP to any message; for help, reply HELP or contact us at support@revhivehealth.com. Opt-out requests are honored on receipt; you will receive a single confirmation message after opting out and will then receive no further messages unless you re-subscribe.
Supported U.S. carriers include AT&T, T-Mobile, Verizon, Sprint, U.S. Cellular, Boost, Cricket, MetroPCS, and other major and regional carriers. Carriers are not liable for delayed or undelivered messages.
13. Contact Us
Questions, requests, or complaints about this Privacy Policy or about our handling of your information may be directed to:
Privacy Office
RevHive Health LLC
Email: privacy@revhivehealth.com
Mailing address: Boston, MA (full address to be published prior to general availability).