Revamend Start now

Vendor due diligence

12 questions to ask any denial recovery vendor. Including us.

Your practice is obligated to vet anyone who touches PHI, and most vendor conversations never get past the pitch. This is the checklist we would use in your position, with our own honest answers inline. Take it to every vendor you evaluate, including us.

1

Will you sign a BAA before receiving any PHI?

Why it matters

HIPAA requires a signed Business Associate Agreement before any vendor handles protected health information. A vendor that wants your files first and paperwork later is asking you to break the rules.

Our answer

Yes. The BAA is e-signed during onboarding, before any file upload is possible. The full text is public at /legal/baa, so you can read every word before you begin.

Verify Read the BAA

2

Where is our data stored, and who can access it?

Why it matters

The physical location of PHI determines which laws protect it, and access controls determine who can actually read it.

Our answer

In the United States only, on AWS us-west-1 via Supabase. Practice data is isolated at the database level with row-level security, and no offshore staff access PHI. The full breakdown is at /security.

Verify Read the trust center

3

Do you take remote access to our practice management system?

Why it matters

Remote PMS access is the largest attack surface a billing vendor can open into your practice, and many vendors require it by default.

Our answer

No. We are file-based. You export your 835 remittance files or a CSV and upload them through the encrypted portal. We hold no credentials to your systems and never log into them.

4

How do you charge, exactly?

Why it matters

A percentage of billed, of collected, or of recovered are three very different numbers. Vague fee language is where surprise invoices come from.

Our answer

20% of dollars actually recovered, and nothing otherwise. No minimums and no setup fees. Founding practices pay 10%. An optional monitoring subscription is available on top, and the full fee schedule is shown before you sign anything.

Verify See pricing

5

Is there a contract lock-in?

Why it matters

Long terms and auto-renewal clauses are how underperforming vendors keep clients. Leaving should be as easy as joining.

Our answer

No. The letter of authorization is revocable in writing at any time, effective immediately. The only obligation that survives is our fee on recoveries from work already performed.

Verify Read the LOA

6

What happens to our data if we leave?

Why it matters

Your patients' PHI should not sit on a former vendor's servers indefinitely after the relationship ends.

Our answer

It is returned or destroyed within 30 days of termination, as the BAA requires, and we confirm the deletion in writing.

Verify Read the BAA

7

Who actually works our claims, and is AI involved?

Why it matters

You deserve to know whether appeals are written by people, by software, or by both, and who is accountable for what reaches a payer.

Our answer

Both, in a fixed order. AI drafts appeals from the minimum-necessary claim data, then a human specialist reviews every letter before it reaches a payer. Nothing is auto-submitted.

8

Can we see the work as it happens?

Why it matters

A monthly summary is not transparency. If a vendor cannot show you live status, you cannot verify that they are working.

Our answer

Yes. The portal shows every claim, its status, every action taken on it, and every recovered dollar, live, with a full audit log behind it.

Verify Tour the portal

9

How long have you been in business, and can we talk to references?

Why it matters

Track record matters. This is also the one question a new vendor cannot answer with a client list, so watch how they handle it.

Our answer

We are a new company, and we will not pretend otherwise. We have no reference clients yet. That is exactly why the founding practice program exists: half rate in exchange for a written case study. Instead of asking for blind trust, we publish our contracts, our security practices, and this checklist.

Verify Read the MSA Security practices

10

Are you HIPAA certified?

Why it matters

This one is a trick. No government or standards body issues a HIPAA certification, so a vendor claiming one is either confused or lying.

Our answer

No, because no such certification exists, and anyone claiming one is showing you a red flag. We operate documented HIPAA-compliant practices and sign a BAA with every practice. We do not yet hold a SOC 2 report; independent audits are on our roadmap.

Verify Compliance status

11

What do you NOT do?

Why it matters

A vendor that claims to do everything is rarely excellent at any of it. Clear scope boundaries protect your practice.

Our answer

We do not bill patients, we do not make collections calls to patients, we do not access clinical charts, and we do not take over your billing department. We do denial recovery and denial monitoring, nothing else. If you need full-service RCM, a full-service biller is a better fit.

12

How do we reach a human?

Why it matters

Support during the sales process is the best it will ever be. Test it before you sign, not after.

Our answer

Email us through /contact. A human replies within 4 business hours on business days. No call centers and no bots.

Verify Send us a message

Every answer above is verifiable on this site.

Read the security practices, read the full service agreement, or run the free denial audit without creating an account. Then hold us to all of it.