HIPAA Notice of Privacy Practices
Effective: 2026-06-10 | Last reviewed: June 2026 by RevalonMD Compliance & HIPAA Office
RevalonMD LLC is a HIPAA business associate that handles medical billing, coding, and credentialing PHI on behalf of covered-entity healthcare providers. This notice, issued under 45 CFR 164.520, describes how RevalonMD receives, uses, protects, and discloses that information and outlines your rights.
What Is RevalonMD’s HIPAA Notice of Privacy Practices?
RevalonMD LLC is a HIPAA business associate that handles medical billing, coding, and credentialing Protected Health Information (PHI) on behalf of covered-entity healthcare providers. This notice, issued under 45 CFR 164.520 (HIPAA Privacy Rule), describes how RevalonMD receives, uses, protects, and discloses that information and outlines your rights.
Under 45 CFR 164.520, covered entities — and, as a trust commitment, business associates like RevalonMD — must provide individuals with a clear description of their privacy practices. Although business associates are not required by regulation to issue their own Notice of Privacy Practices (NPP), RevalonMD publishes this notice voluntarily as a transparency commitment to every provider client and the patients whose PHI we handle.
The required NPP header, per 45 CFR 164.520(b)(1)(i): “This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.”
How RevalonMD Receives and Uses Protected Health Information
RevalonMD receives PHI exclusively from covered-entity clients under a signed Business Associate Agreement (BAA). PHI is limited to the minimum necessary for billing, coding, and credentialing — diagnosis codes, procedure codes, patient demographics, and insurance information — as required by the minimum necessary standard under 45 CFR 164.502(b).
PHI flow:
- Step 1 — Healthcare Provider (Covered Entity) signs a BAA and shares minimum-necessary PHI with RevalonMD.
- Step 2 — RevalonMD (Business Associate) processes PHI for billing, coding, and credentialing under 45 CFR 164.504(e).
- Step 3 — RevalonMD transmits only claim-adjudication-necessary PHI to Payers and Clearinghouses under sub-BAA arrangements.
Table 1 — PHI Uses and Disclosures
| Purpose | Authorization Required? | Regulatory Basis |
|---|---|---|
| Treatment, Payment, Health Care Operations (TPO) | No | 45 CFR 164.502(a)(1) |
| Claim submission to insurance payers | No | 45 CFR 164.502(a)(1)(ii) — Payment |
| Coordination of benefits between payers | No | 45 CFR 164.502(a)(1)(ii) |
| Credentialing and enrollment with payers | No | 45 CFR 164.502(a)(1)(iii) — Operations |
| Disclosure to clearinghouses under BAA | No | 45 CFR 164.504(e) |
| Required by law (court order, public health) | No | 45 CFR 164.512 |
| Breach notification to HHS or affected individuals | No | 45 CFR 164.400–414 |
| Marketing, sale of PHI, or any non-TPO purpose | YES — patient authorization required | 45 CFR 164.508 |
| Research (if not part of operations) | YES — unless IRB waiver granted | 45 CFR 164.512(i) |
Permitted Disclosures of PHI Under HIPAA
RevalonMD discloses PHI only for the purposes permitted or required under the HIPAA Privacy Rule (45 CFR Parts 160 and 164) and as authorized by the covered entity’s BAA. No PHI is sold, shared for marketing, or disclosed to any party not covered by an executed BAA.
Permitted disclosures include, but are not limited to:
- To payers and insurance carriers — for claim submission, adjudication, and payment (45 CFR 164.502(a)(1)(ii)).
- To clearinghouses — for electronic claim transmission under a separate BAA (45 CFR 164.504(e)).
- To subcontractors acting as business associates — under executed BAA agreements, limited to services required by RevalonMD’s operations (45 CFR 164.504(e)(2)).
- As required by law — including court orders, subpoenas, public health authority requests, and law-enforcement requests within the limits of 45 CFR 164.512.
- For breach notification — to HHS and to affected individuals and covered entities within 60 days of discovery (45 CFR 164.412).
- To the covered entity — RevalonMD returns or securely destroys all PHI upon BAA termination, or extends protections if return or destruction is infeasible (45 CFR 164.504(e)(2)(ii)(J)).
Your Rights as a Patient Under HIPAA
Under HIPAA, patients retain all six privacy rights whether billing is handled in-house or by an outsourced business associate like RevalonMD: the right to access records, request amendments, receive an accounting of disclosures, request restrictions, request confidential communications, and receive a paper copy of this notice.
These rights are governed by the HIPAA Privacy Rule (45 CFR 164 Subpart E) and are exercised through your healthcare provider — the covered entity. RevalonMD, as a business associate, supports your provider in fulfilling these requests.
Table 2 — Patient Rights Under HIPAA
| Right | How to Exercise | Response Timeline | Regulatory Basis |
|---|---|---|---|
| Right of Access — inspect and copy your PHI | Request in writing to your provider or RevalonMD's Privacy Officer | 30 days (one 30-day extension permitted) | 45 CFR 164.524 |
| Right to Amend — correct inaccurate or incomplete PHI | Submit written amendment request to your provider | 60 days (one 30-day extension permitted) | 45 CFR 164.526 |
| Right to Accounting of Disclosures — list of non-TPO disclosures | Request in writing; covers prior 6 years | 60 days (one 30-day extension permitted) | 45 CFR 164.528 |
| Right to Request Restrictions — limit certain uses or disclosures | Request in writing to your provider; provider must honor out-of-pocket restrictions | No statutory timeline for general requests; immediate for out-of-pocket | 45 CFR 164.522(a) |
| Right to Confidential Communications — receive PHI by alternate means | Request in writing specifying preferred method or address | Provider must accommodate reasonable requests | 45 CFR 164.522(b) |
| Right to a Paper Copy — obtain a copy of this notice | Request from your provider or RevalonMD's Privacy Officer | Provided upon request | 45 CFR 164.520(c)(1)(ii) |
How RevalonMD Protects Your PHI (Security Safeguards)
RevalonMD implements HIPAA-required administrative, physical, and technical safeguards under the HIPAA Security Rule (45 CFR 164.300–318) to protect electronic Protected Health Information (ePHI) from unauthorized access, use, or disclosure. These safeguards are reviewed and updated annually.
Table 3 — RevalonMD HIPAA Security Safeguards
| Category | Safeguard | HIPAA Standard |
|---|---|---|
| Administrative | Annual HIPAA workforce training and sanctions policy | 45 CFR 164.308(a)(5) |
| Administrative | Designated Privacy & Security Officer | 45 CFR 164.308(a)(2) |
| Administrative | Risk analysis and risk management program | 45 CFR 164.308(a)(1) |
| Administrative | Business Associate Agreement with every covered-entity client | 45 CFR 164.504(e) |
| Administrative | Documented breach-response procedure; 60-day notification outer limit | 45 CFR 164.400–414 |
| Physical | Facility access controls limiting physical entry to authorized personnel | 45 CFR 164.310(a) |
| Physical | Workstation use policies and device controls | 45 CFR 164.310(b),(c) |
| Technical | Role-based access controls (RBAC) — minimum-necessary PHI access only | 45 CFR 164.312(a) |
| Technical | TLS encryption for ePHI in transit | 45 CFR 164.312(e)(2)(ii) |
| Technical | Encryption for ePHI at rest | 45 CFR 164.312(a)(2)(iv) |
| Technical | PHI access logging and audit controls | 45 CFR 164.312(b) |
RevalonMD’s Business Associate Agreement and Your Provider’s Responsibility
RevalonMD signs a Business Associate Agreement (BAA) with every covered-entity client before any PHI is exchanged, as required under 45 CFR 164.504(e). No PHI is accessed, processed, or transmitted without an executed BAA in place.
The BAA defines RevalonMD’s obligations as a business associate: using PHI only as permitted, implementing the required safeguards, reporting breaches, ensuring subcontractors comply, and returning or destroying PHI at contract termination. Your healthcare provider (the covered entity) remains responsible for issuing their own Notice of Privacy Practices to patients and for directing RevalonMD’s permissible uses of PHI.
RevalonMD integrates with all major EHR platforms and practice management systems — including Epic, athenahealth, eClinicalWorks, Kareo, DrChrono, and others — without requiring covered-entity clients to replace or change their existing technology stack. Our billing workflow adapts to the provider’s EHR; PHI data flows use the BAA-approved channels regardless of platform, ensuring the minimum-necessary standard and BAA obligations are maintained across every system integration.
Request a Copy of RevalonMD’s Business Associate Agreement
Evaluating RevalonMD as your billing partner? Request a copy of our standard BAA and practice-profile form at revalonmd.com/contact. We sign a Business Associate Agreement before any PHI is exchanged.
This contact channel collects practice profile information only. Do not submit patient health information through any web form or email on this site.
2026 Update: Substance Use Disorder PHI Protections
Effective February 16, 2026, the HIPAA Privacy Rule was updated to align with 42 CFR Part 2 (SUD Record Confidentiality). Covered entities and their business associates must update their NPP to address new Substance Use Disorder (SUD) PHI protections. RevalonMD’s notice and internal procedures reflect this update.
The 42 CFR Part 2 alignment — finalized by HHS OCR and effective February 16, 2026 — strengthens protections for SUD treatment records held by programs regulated under Part 2. Key changes that affect billing operations:
- Consent-based disclosure: SUD PHI from Part 2 programs may be disclosed for payment and health care operations only with patient consent, except in specific limited circumstances (e.g., medical emergency, audit, evaluation under 42 CFR Part 2.53).
- NPP update required: Covered entities serving patients with SUD diagnoses must update their NPP by February 16, 2026, to disclose the new consent requirements. RevalonMD notifies client practices of this obligation.
- Billing-BA obligations: RevalonMD applies Part 2-compliant handling to any SUD PHI received from Part 2-regulated programs — including restricting re-disclosure and honoring consent limitations in the billing workflow.
How to File a HIPAA Privacy Complaint
Complaints regarding RevalonMD’s privacy practices may be filed with RevalonMD’s Privacy Officer or directly with the HHS Office for Civil Rights (OCR). No retaliation will occur against any individual for filing a good-faith complaint.
File with RevalonMD’s Privacy Officer:
RevalonMD LLC — Privacy Officer
1621 Central Ave #8966, Cheyenne, WY 82001
Email: support@revalonmd.com
Phone: (307) 333-8199
File with HHS Office for Civil Rights: Complaints may be submitted to HHS OCR at hhs.gov/hipaa/filing-a-complaint or by calling 1-800-368-1019 (TTY: 1-800-537-7697). OCR may investigate complaints and impose civil monetary penalties up to $71,162 per violation (adjusted annually for inflation; source: HHS OCR Enforcement, current 2026).
Effective Date, Review Cadence, and Contact Information
Effective date: 2026-06-10. This notice is effective for all PHI RevalonMD receives, uses, or discloses on or after this date under any Business Associate Agreement with a covered entity.
Review cadence: RevalonMD reviews this notice annually per HIPAA’s requirement to promptly update the NPP when material changes occur (45 CFR 164.520(b)(3)). Mandatory review triggers include any material change to RevalonMD’s privacy practices, any update to the HIPAA Privacy Rule or OCR guidance, and any regulatory change affecting PHI handling in the medical billing context — including 42 CFR Part 2 updates. The HIPAA compliance in medical billing guide addresses the broader compliance framework.
Last reviewed: June 2026 by RevalonMD Compliance & HIPAA Office (CHC, CHPC). Reviewed by RevalonMD Leadership & Editorial Review.
Contact for questions: Direct questions about this notice to RevalonMD’s Privacy Officer at support@revalonmd.com or via revalonmd.com/contact. Do not submit PHI through email or the contact form — those channels are for practice profile and general inquiries only.
Frequently Asked Questions About RevalonMD and HIPAA
Business associates are not required under 45 CFR 164.520 to issue their own notice — that obligation falls on covered entities (providers and health plans). RevalonMD publishes this notice voluntarily as a transparency and trust commitment to provider clients and their patients.
Yes. RevalonMD signs a Business Associate Agreement (BAA) with every covered-entity client before any Protected Health Information (PHI) is exchanged, as required under 45 CFR 164.504(e). No PHI is accessed, processed, or transmitted without an executed BAA in place.
Patients retain all six HIPAA privacy rights: the right to access their records, request amendments, receive an accounting of disclosures, request restrictions, request confidential communications, and receive a paper copy of this notice — whether billing is handled in-house or by an outsourced business associate.
Complaints may be filed with RevalonMD's Privacy Officer at support@revalonmd.com or mailed to 1621 Central Ave #8966, Cheyenne, WY 82001. Complaints may also be filed with the HHS Office for Civil Rights at hhs.gov/ocr or by calling 1-800-368-1019. No retaliation will occur for filing a complaint.
Effective February 16, 2026, the HIPAA Privacy Rule was updated to align with 42 CFR Part 2 (SUD Record Confidentiality). Covered entities and their business associates must update their NPP to address new Substance Use Disorder (SUD) PHI protections. RevalonMD's notice reflects this update.
RevalonMD implements HIPAA-required administrative, physical, and technical safeguards: role-based access controls, TLS encryption in transit, encryption at rest, annual workforce training, sanctions for violations, and a documented breach-response procedure with a 60-day outer notification limit per 45 CFR 164.412.
This notice is reviewed annually by RevalonMD's Compliance & HIPAA Office (CHC, CHPC) and RevalonMD Leadership & Editorial Review. The effective date and last-reviewed date are displayed at the top of this page. Any material regulatory change triggers an immediate review.
Who Stands Behind This Notice
Methodology: This notice was prepared by RevalonMD’s Compliance & HIPAA Office through annual review of 45 CFR 164.520 (eCFR current text), HHS OCR guidance, HHS model NPP templates, and the February 16, 2026 regulatory update aligning the HIPAA Privacy Rule with 42 CFR Part 2. All regulatory citations trace to HHS.gov or eCFR.gov primary sources. Patient rights timelines, penalty figures, and regulatory dates are verified against current HHS published guidance. The reviewer, RevalonMD Leadership & Editorial Review, confirmed that the BAA-with-every-client commitment and compliance posture statements accurately reflect RevalonMD’s operational practices as of June 2026.