Security & HIPAA Posture

Exactly what we do with your documents. Nothing we can't defend.

This page states ClaimGuard's data handling precisely — including what is not yet in place. Compliance software that overstates its own compliance isn't worth betting a license on.

Current Status — Read This First

ClaimGuard does not yet operate under an executed Business Associate Agreement (BAA) chain. Until BAAs are executed with our infrastructure vendors, the product accepts de-identified or test documents only — strip patient names, medical record numbers, addresses, dates of birth, and the other HIPAA identifiers before upload. The product enforces this with an explicit notice at every upload point. BAA execution is staged and this page will be updated the day it is active.

What happens to a document you upload

  1. Your document travels over a TLS-encrypted connection to our server (hosted on Vercel).
  2. It is sent to the Anthropic Messages API only — inline, in-context. We do not use the Anthropic Files API or Batch API for document content, because those endpoints are excluded from Anthropic's HIPAA Business Associate Agreement.
  3. The audit runs and the result returns to your browser. The document is processed in-context and discarded — ClaimGuard has no document database and stores no document content server-side.
  4. Your audit history lives in your own browser's local storage, on your machine — summaries and scores only, not document text.
  5. Nothing you upload is used to train any AI model.

Architecture commitments

LLM PROCESSING
Anthropic Claude via the Messages API exclusively, with Zero Data Retention as the operating standard for any future PHI path. The Files API is architecturally banned for document content.
EMAIL
Email (via Resend) is used for login links only — never for patient documents or any clinical content. Patient-document flows will use a HIPAA-eligible (BAA-covered) channel only, once activated.
PAYMENTS
Stripe processes payment only. No clinical data, diagnosis, or claim detail ever appears in payment metadata, line items, descriptors, or receipts.
STORAGE
No server-side document storage. No PHI database exists to breach.
THE ENGINE
A deterministic compliance rules engine paired with LLM reasoning. We do not claim a “trained ML fraud model,” because that is not what this is. Every finding cites the regulation it derives from, so it can be independently verified.

The BAA roadmap (staged, honest)

Before ClaimGuard accepts identified PHI, the full Business Associate chain executes — in this order, with nothing skipped:

  • Anthropic BAA executed and activated, Messages API confirmed in scope, Zero Data Retention confirmed in writing.
  • Hosting BAA (Vercel HIPAA add-on or equivalent).
  • HIPAA-eligible email channel for any document-related notifications.
  • A BAA signed with every client agency before their first identified document.

Legal scope & disclaimers

ClaimGuard is a healthcare compliance and audit-support software tool. We are not a law firm and do not provide legal advice or legal representation. Our services do not create an attorney-client relationship. For legal advice — including litigation, settlement, or False Claims Act matters — consult a licensed attorney.

This software and any generated documents are informational tools and are not a substitute for the advice of a licensed attorney (Tex. Gov’t Code § 81.101(c)).

ClaimGuard makes no guarantee regarding the outcome of any claim review, audit appeal, or the avoidance of any overpayment demand, penalty, or sanction. Past results do not predict future outcomes.

All findings are based on data and documentation provided by the user, who is solely responsible for the accuracy and lawful submission of its billing and medical records. ClaimGuard does not direct or control clinical or coding decisions.

Questions about this page: admin@seniorliving.expert. Last updated June 10, 2026.