Legal
Aira Health is committed to protecting the privacy and security of patient health information.
Aira Health is committed to protecting the privacy and security of patient health information. This Privacy Notice describes how we collect, use, protect, and share Protected Health Information (PHI) as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). PHI is disclosed to Aira Health by Covered Entities on behalf of their patients.
Aira Health is a Business Associate that provides healthcare technology services intended to simplify billing practices for Covered Entities and to streamline the patient authorization process. Our goal is to ensure that patient authorizations are in place so that insurers and health care providers can provide access to procedures to their patients. Aira Health partners with healthcare providers, health plans, and other covered entities (collectively, "Healthcare Partners") in order to do so.
We process PHI on behalf of and at the direction of our Healthcare Partners to help them deliver and improve healthcare services.
We are a Business Associate for the purposes of HIPAA compliance. We are not a healthcare provider and therefore do not provide medical treatment or advice. In Business Associate Agreements with Covered Entities, we ensure that we strictly limit the amount of PHI that is to be processed.
As a Business Associate, we may receive, process, or maintain the following types of PHI on behalf of our Healthcare Partners:
Important: We only handle PHI when authorized by a Healthcare Partner who has a relationship with the patient. We do not collect PHI directly from patients.
We use and share PHI only as directed by our Healthcare Partners and as permitted under our Business Associate Agreements (BAAs). This includes the following:
Aira Health uses some Artificial Intelligence to perform a number of enterprise tasks to effect service delivery. However, we strictly limit the amount of PHI that is used within AI models and do not disclose PHI to our AI vendors to train their enterprise model. While data retrieval and packet preparation are automated, a human specialist reviews every step before final submission to ensure accuracy and clinical appropriateness. Aira Health has signed a binding BAA with our AI service provider.
We may, on occasion, strip PHI of its identifiers to create data sets containing de-identified information. This is information that cannot reasonably identify individual patients, and would be used for research, analytics, and other purposes. De-identified information would therefore not be subject to this Privacy Policy.
Except as described above, we will not use or disclose PHI without written express authorization from the patient. If a patient provides authorization, they may revoke it at any time by contacting the Healthcare Partner who provided the authorization, who would then communicate to Aira Health that the consent to process PHI has been withdrawn.
We may share PHI with third-party service providers (subcontractors or third-party vendors) who assist us in delivering services to our Healthcare Partners. All subcontractors are required to protect PHI in accordance with HIPAA requirements, including executing a Business Associate Agreement as required.
While we handle PHI as a Business Associate, patient privacy rights are exercised through the Healthcare Partner who has a direct relationship with the patient. These rights include:
Patients may request deletion of their PHI held by Aira Health, subject to applicable legal requirements and exceptions. To request deletion:
Important Exceptions: We may be required to retain certain PHI for legal, regulatory, or compliance purposes, including audit requirements, ongoing legal proceedings, or to comply with record retention obligations under federal or state law. In such cases, we will inform the Healthcare Partner of any PHI that cannot be deleted and the reason for retention.
To Exercise Health Privacy Rights: Patients must contact their Healthcare Partner directly. Aira Health shall cooperate with the Healthcare Partner to facilitate the exercise of the patient's rights.
If a patient has a representative acting on their behalf, sufficient proof of such authorization is required before Aira Health can approve requests to exercise the above-noted privacy rights.
We take the security of PHI seriously and implement comprehensive safeguards to protect it:
Aira Health is based in the United States and may store or process your health information in other regions. We ensure that appropriate safeguards are in place to protect your information regardless of where it is processed, in accordance with HIPAA requirements and applicable international data protection laws.
In the event of a breach where PHI is involved, we will notify the affected Healthcare Partner(s) without unreasonable delay so they can provide the affected patient(s) with appropriate notification and any required protective services, mitigation, and remediation.
We reserve the right to revise this Privacy Notice at any time. When we make material changes, we will update the "Last Updated" date at the top of this notice and post the revised notice on our website at https://www.airahealth.io/privacy-policy. The revised notice will apply to all PHI we maintain.
If you have questions about this Privacy Notice or our privacy practices, please contact:
Privacy Officer / HIPAA Security Officer
Aira Health
Email: malak@get-aira.com
Phone: +1 917 327 8229
With Your Healthcare Partner:
If you believe your privacy rights have been violated, you should
first contact your Healthcare Partner directly, as they are
primarily responsible for protecting your PHI.
With Us:
You may also file a complaint with us by contacting our HIPAA
Security Officer using the information above. Please provide as much
detail as possible with respect to your complaint so that we may
provide you with a meaningful response.
With the U.S. Government:
You have the right to file a complaint with the U.S. Department of
Health and Human Services:
Centralized Case Management Operations
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Room 509F HHH Bldg.
Washington, D.C. 20201
Website: https://www.hhs.gov/hipaa/filing-a-complaint/index.html
No Retaliation: You will not be retaliated against for filing a complaint.
We provide services to numerous healthcare providers, health plans, and healthcare clearinghouses. For a list of our Healthcare Partners or questions about how a specific Healthcare Partner uses your information, please contact that Healthcare Partner directly.
This Privacy Notice describes our practices as a Business Associate. Your Healthcare Partner is required to provide you with their own Notice of HIPAA Privacy Practices that describes how they use and share your health information. Please refer to your Healthcare Partner's notice for information about their privacy practices.
In addition to HIPAA, we comply with other applicable and binding privacy and security laws. Where laws provide greater privacy protections, we follow those stricter requirements.
This Privacy Notice is effective as of January 1, 2026 and applies to all health information we handle as a Business Associate.
Document Version: 0.1
Approved By: Malak Raihani, HIPAA Security Officer
Approval Date: December 22, 2025