Is It Safe to Share My Health Data with Claimable?

Written by
Zach Veigulis
June 2, 2026

You're right to ask this question. After years of data breaches making headlines, apps harvesting personal information for advertising, and AI tools with murky privacy policies, being cautious about where your health data goes is smart. It's exactly what you should be doing.

So here's the straightforward answer: yes, your health data is safe with Claimable. But you shouldn't just take our word for it – that's why we've brought in independent third parties to evaluate and certify every piece of our operations. Here's what those certifications mean, what protections are actually in place, and how to think about the services you choose to trust with your information.

What counts as protected health information, and where it lives today

Any time you interact with the healthcare system, you generate what's legally known as protected health information, or PHI. That includes your diagnoses, prescriptions, lab results, treatment history, insurance details, and billing records. PHI is created every time you see a doctor, fill a prescription, file an insurance claim, use a patient portal, or receive lab results.

The organizations that handle this information — your physician's office, pharmacy, insurance company, lab, telehealth platform — are all governed by the same core federal law: HIPAA, the Health Insurance Portability and Accountability Act. HIPAA exists specifically to ensure that any entity handling your health data meets strict standards for how it's stored, transmitted, and accessed.

Claimable handles PHI in the course of building your appeal, and we’re fully HIPAA certified. That means we’re held to the same standards as your doctor's office or your insurance company.

What HIPAA compliance actually means

HIPAA gets referenced constantly in healthcare, but most people have never had someone explain what it actually requires in practical terms.

At its core, HIPAA sets rules for how organizations that handle PHI must store, transmit, and control access to that data. It covers things like who within an organization can see your records, how data must be encrypted so it can't be intercepted, what happens in the event of a breach, and under what circumstances your information can be shared with anyone else.

HIPAA isn't a one-time checkbox. It's an ongoing set of requirements that covered organizations must maintain, document, and be able to demonstrate compliance with at any time.

Claimable completed a third-party HIPAA attestation through cybersecurity firm Workstreet in November 2025. That means an independent organization reviewed our data handling practices, security controls, and policies against HIPAA requirements and confirmed that we meet them. This is a higher bar than self-attestation — it means someone from outside the company verified it.

Any partner that handles protected health information on Claimable's behalf is also covered by a Business Associate Agreement (BAA), which legally requires them to maintain the same HIPAA standards.

The security side: What SOC 2 Type II means, in plain English

If HIPAA is the healthcare-specific standard, SOC 2 Type II is the gold standard for security in the technology industry — the way companies prove their systems are trustworthy to the organizations and people who depend on them.

Here's the simplest way to think about it: an independent auditing firm comes in and examines how a company protects data — not just on paper, but in practice, over an extended period of time. They look at security controls, access management, encryption, monitoring, incident response, and operational processes. Then they either certify the company or they don't.

The "Type II" part is important. A Type I audit evaluates whether the right controls exist at a single point in time. A Type II audit evaluates whether those controls actually worked, consistently, over a sustained period. It's the difference between checking that a fire extinguisher is on the wall versus confirming that the fire safety system has been operational and tested for months.

Claimable is SOC 2 Type II certified as of January 2026.

For context, many healthcare providers' offices — the doctor you visit, the urgent care you trust — are required to meet HIPAA standards but do not typically undergo SOC 2 audits. Claimable meets both.

How your data is actually protected

Without getting deep into technical jargon, here's what's happening behind the scenes when you use Claimable.

Your data is encrypted in transit and at rest. "In transit" means while it's being sent between your device and our servers — it's scrambled so that even if someone intercepted it, they couldn't read it. Claimable uses TLS 1.3+, the latest standard for this. "At rest" means while it's stored on our servers, it's encrypted using AES-256, the same standard used by banks and government agencies.

Access to your data within Claimable is restricted by role-based controls. Not everyone on the team can see everything. Access is limited to what's necessary for the function someone performs, and every access requires two-factor authentication.

All activity is logged and monitored. If someone accesses data, there's a record of it. Those activity logs are even accessible to you directly in the Claimable app, so you can see what's happening with your case.
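To make the two controls in the last paragraphs concrete, here is an added illustration (not Claimable's code) of how role-based access, a second-factor check, and an audit trail fit together. The roles, permission names, user ids and case record are all constructed for the example; the point is that every access attempt, allowed or denied, leaves a record, and that a patient can read the trail for their own case but nobody else's.

```python
"""Least-privilege roles plus an audit trail for case records.

Added illustration, not Claimable's code. Roles, permissions, user ids
and the PHI fields below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Each role gets only the permissions its function needs.
# "_own" variants restrict an action to the caller's own case.
ROLE_PERMISSIONS: Dict[str, frozenset] = {
    "patient":        frozenset({"case:read_own", "audit:read_own"}),
    "appeal_writer":  frozenset({"case:read", "case:update_appeal"}),
    "support":        frozenset({"case:read_metadata"}),
    "security_admin": frozenset({"audit:read"}),
}

@dataclass
class User:
    user_id: str
    role: str
    mfa_verified: bool = False   # second factor completed for this session

@dataclass
class Case:
    case_id: str
    patient_id: str
    phi: Dict[str, str]          # constructed PHI fields

@dataclass
class AuditEvent:
    timestamp: str
    user_id: str
    role: str
    action: str
    case_id: str
    allowed: bool
    reason: str

class CaseStore:
    def __init__(self) -> None:
        self._cases: Dict[str, Case] = {}
        self._audit: List[AuditEvent] = []

    def add_case(self, case: Case) -> None:
        self._cases[case.case_id] = case

    def _record(self, user: User, action: str, case_id: str,
                allowed: bool, reason: str) -> None:
        self._audit.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                      user.user_id, user.role, action,
                                      case_id, allowed, reason))

    def _authorize(self, user: User, action: str, case: Case) -> Optional[str]:
        """Return None when allowed, otherwise the denial reason."""
        if not user.mfa_verified:
            return "mfa_required"
        perms = ROLE_PERMISSIONS.get(user.role, frozenset())
        if action in perms:
            return None
        if f"{action}_own" in perms and case.patient_id == user.user_id:
            return None
        return "permission_denied"

    def read_case(self, user: User, case_id: str) -> Optional[Dict[str, str]]:
        """Every attempt is logged, whether it succeeds or not."""
        case = self._cases.get(case_id)
        if case is None:
            self._record(user, "case:read", case_id, False, "no_such_case")
            return None
        reason = self._authorize(user, "case:read", case)
        self._record(user, "case:read", case_id, reason is None, reason or "ok")
        return dict(case.phi) if reason is None else None

    def audit_trail(self, user: User, case_id: str) -> List[AuditEvent]:
        """Patients see the trail for their own case; security admins see any."""
        case = self._cases.get(case_id)
        if case is None:
            return []
        reason = self._authorize(user, "audit:read", case)
        self._record(user, "audit:read", case_id, reason is None, reason or "ok")
        if reason is not None:
            return []
        return [e for e in self._audit if e.case_id == case_id]

def demo() -> Dict[str, object]:
    """Exercise the store with constructed users and summarise the outcomes."""
    store = CaseStore()
    store.add_case(Case("case-1", "pt-42", {"diagnosis": "constructed example"}))
    patient = User("pt-42", "patient", mfa_verified=True)
    other_patient = User("pt-99", "patient", mfa_verified=True)
    writer = User("w-1", "appeal_writer", mfa_verified=True)
    writer_no_mfa = User("w-2", "appeal_writer", mfa_verified=False)
    support = User("s-1", "support", mfa_verified=True)
    results: Dict[str, object] = {
        "patient_own": store.read_case(patient, "case-1") is not None,
        "patient_other": store.read_case(other_patient, "case-1") is not None,
        "writer": store.read_case(writer, "case-1") is not None,
        "writer_no_mfa": store.read_case(writer_no_mfa, "case-1") is not None,
        "support": store.read_case(support, "case-1") is not None,
    }
    trail = store.audit_trail(patient, "case-1")          # logged as well
    results["denied_events"] = sum(1 for e in trail if not e.allowed)
    results["trail_length"] = len(trail)
    results["other_patient_trail"] = len(store.audit_trail(other_patient, "case-1"))
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The denied attempts matter as much as the allowed ones: a reviewer looking at the trail can see the support role being refused PHI, a writer without a completed second factor being turned away, and another patient failing to read a case that is not theirs.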

Claimable's infrastructure runs on AWS with multi-layered security including firewalls and intrusion detection. The company conducts annual penetration testing — where security professionals actively try to break in — and maintains an incident response plan with a 72-hour notification commitment.

Other data we collect: Why Claimable asks about your daily life, work, and finances

In addition to medical records and details about your history, Claimable's questionnaire asks about things that might not seem like typical health data: how your condition affects your daily routine, your ability to work, your relationships, and your financial situation.

There's a specific reason for this. A strong appeal doesn't just cite clinical studies and legal standards: it tells the story of what the denial actually means for you as a person. Insurers review appeals, and the human reviewers reading them need to understand the real-world consequences of withholding coverage, not just the clinical justification for the treatment.

When you share that you've had to stop working because your condition makes it physically impossible to do your job, or that routine tasks like cooking and grocery shopping have become painful or impossible, that information becomes part of your appeal's narrative argument. It demonstrates functional impairment and medical necessity in concrete, specific terms that a clinical summary alone can't convey.

This personal context is subject to the same protections as every other piece of data Claimable handles: encrypted, access-controlled, and used exclusively to build your appeal. We collect only the data we need to build a strong appeal, and it goes nowhere else.

What Claimable does NOT do with your data

This is as important as what we do. Claimable does not sell your data. Not to advertisers, not to data brokers, not to anyone. Your health information is not used for marketing or ad targeting. It's fully de-identified and aggregated when we look at things like denial rate trends, and isn’t shared with any third parties.

Claimable's AI uses your case information to build your appeal — and that's it. The system doesn't make medical diagnoses, doesn't recommend treatments, and doesn't share your information outside the scope of your specific case.

You stay in control

Claimable operates on a human-in-the-loop model. The AI generates your appeal based on your case details and the relevant evidence, but you review the final document before anything is submitted. You see exactly what's being sent, to whom, and why. If something doesn't look right, you flag it.

This isn't a system that takes your data and does something opaque with it behind closed doors. You're involved at every decision point, and you can see what's happening with your case through your Claimable account at any time.

Questions you should ask any platform

We'd encourage you to apply the same scrutiny to every service that handles your health data. When evaluating any platform — especially one that uses AI — ask: Are they HIPAA compliant, and has it been independently verified? Do they have SOC 2 Type II certification? What do they do — and not do — with your data? Who has access, and is there an audit trail?

And just as importantly: how does their AI actually work? Is it a wrapper on top of ChatGPT or another general-purpose language model, or have they built a custom system designed specifically for the task? 

A general-purpose AI generates responses from broad internet training data, which means your health information may be processed in ways that aren't purpose-built for privacy or accuracy. A custom-built system like Claimable's uses retrieval-augmented generation from curated, verified sources, so your data is used to build your appeal and nothing else.

Those are the right questions. And we're glad to answer every one of them.

For a deeper look at how Claimable's AI works and why it's uniquely suited to insurance appeals, read our companion post: How Claimable's AI works for patients

If you've been denied coverage for a medication or procedure, start your appeal here.
