AppealNest
Security & HIPAA

PHI, handled the way your compliance officer would want

AppealNest is a HIPAA Business Associate. Protecting patient information isn't a feature we bolted on — it's how the product is built, end to end.

A BAA across the whole chain

AppealNest signs a Business Associate Agreement with your practice, and every service in our stack that could touch PHI operates under a BAA in turn — our LLM provider (on zero-data-retention endpoints), our cloud host, and our storage. PHI never flows to a service that hasn't signed one.

Encrypted at rest and in transit

Uploaded EOBs, chart notes, and generated letters are encrypted in storage (server-side encryption) and travel only over TLS. Download links are short-lived and single-purpose. We keep the minimum necessary — we ask for a practice's own patient reference, not the patient's name.

Every access is logged

An append-only audit trail records who viewed, uploaded, or downloaded each document, and when. Practice admins can review it at any time — the evidence you need for your own compliance program.

A human signs every appeal

AppealNest drafts; your licensed staff reviews, edits, and signs. The product never submits an appeal on its own. This isn't just a safety rail — it's how a payer-acceptable, accountable appeal is supposed to work.

Grounded drafting — no invented facts

The AI writes only from the documents you upload. It quotes your actual chart notes and other charting; it does not fabricate clinical findings. Missing evidence is surfaced as a checklist item, never papered over.

No payer-portal automation, ever

AppealNest does not log into, scrape, or automate any payer or plan portal. Denial data enters only through what your practice uploads or forwards, or through clearinghouse APIs built for third parties. We respect payer terms of service by design.

A note on “HIPAA certified.” There is no such thing as a HIPAA certification — no government body issues one. Any vendor claiming to be “HIPAA certified” is overstating it. What we can offer, and do, is genuine HIPAA compliance: signed BAAs, encryption, minimum-necessary data handling, access controls, and audit logging. We're happy to walk your team through it.

Questions from your compliance team?

We'll provide our BAA and answer the security questionnaire before you upload a single document. Start the trial with synthetic data if you'd rather see it work first.