← Back to Simera

HIPAA Notice of Privacy Practices

Effective: June 1, 2026

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Who We Are

Simera Health, Inc. ("Simera") operates as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. We provide revenue cycle intelligence services to covered healthcare entities ("Covered Entities"). We receive, process, and store Protected Health Information (PHI) on behalf of those Covered Entities under a signed Business Associate Agreement (BAA).

This Notice applies to PHI that Simera receives, creates, or maintains in the course of providing services to Covered Entities. It does not replace the Notice of Privacy Practices provided by your healthcare provider.

What Is Protected Health Information (PHI)?

PHI is individually identifiable health information transmitted or maintained in any form or medium. In the context of Simera's services, PHI typically appears in 835 Electronic Remittance Advice (ERA) files uploaded by Covered Entities and may include patient names, claim identifiers, diagnosis codes, service dates, and payment information.

How We Use and Disclose PHI

As a Business Associate, Simera may use and disclose PHI only as permitted by our BAA and applicable law:

  • To provide services: We process PHI to generate revenue cycle analysis, denial pattern reports, and financial intelligence on behalf of your Covered Entity.
  • For operations: We may use PHI to monitor the quality of our services, train staff (using de-identified data only), and ensure the integrity of our systems.
  • As required by law: We may disclose PHI when required by law, including to respond to lawful government requests, court orders, or legal proceedings.
  • To prevent harm: We may disclose PHI to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
  • To subcontractors: We may share PHI with our subcontractors (e.g., cloud infrastructure providers) who agree to the same restrictions through executed sub-BAAs.

We will not use or disclose PHI for marketing purposes, sell PHI, or use PHI in any manner that is not permitted by our BAA or required by law.

Subcontractors and Sub-BAAs

Simera uses the following subcontractors that may access PHI, each under a signed sub-BAA or equivalent data processing agreement:

  • Amazon Web Services (AWS) — cloud infrastructure, encrypted storage (us-east-1)
  • Anthropic — AI analysis engine (PHI processed under BAA)
  • Supabase — database (hosted on AWS infrastructure)

Safeguards

Simera implements the following administrative, physical, and technical safeguards for PHI:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls: role-based access, least privilege, multi-factor authentication
  • Audit logging: all PHI access events are logged and retained for 6 years
  • Workforce training: all personnel with PHI access complete annual HIPAA training
  • Incident response: written breach notification procedures per 45 CFR § 164.410
  • Data minimization: PHI is processed only as necessary to fulfill service obligations

Breach Notification

In the event of a breach of unsecured PHI, Simera will notify the affected Covered Entity without unreasonable delay and no later than 60 calendar days following discovery of the breach, in accordance with 45 CFR § 164.410. The notification will include the information required by HIPAA.

Data Retention and Destruction

PHI is retained for the duration of the BAA and for any period required by applicable law or regulation. Upon termination of the BAA, Simera will return or destroy all PHI in its possession, unless retention is required by law, in which case we will continue to protect the PHI and limit further use.

Individual Rights

Because Simera acts as a Business Associate (not a Covered Entity), individuals must exercise their HIPAA rights (access, amendment, accounting of disclosures, restriction, etc.) directly with their healthcare provider or the Covered Entity that holds their records. Simera will support Covered Entities in fulfilling these obligations as required by our BAA.

Changes to This Notice

Simera reserves the right to change this Notice at any time. Changes will be posted on our website with an updated effective date. Material changes will be communicated to Covered Entities directly.

Contact Us

For questions about this Notice or our HIPAA compliance practices, contact our Privacy Officer:

Simera Health, Inc.
Privacy Officer
compliance@simera.health