HIPAA Notice
Effective Date: May 22, 2026
Last Updated: May 22, 2026
This HIPAA Privacy Notice explains how Rekva LLC handles Protected Health Information (PHI) when used by healthcare providers and other HIPAA-covered entities. If you have questions, contact hipaa@rekva.ai.
1. Understanding Our HIPAA Role
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations (the Privacy Rule and Security Rule) govern the use and disclosure of Protected Health Information. PHI includes any individually identifiable health information — such as a patient's name combined with a reason for a medical visit, diagnosis, appointment details related to a health condition, or other identifiers.
Covered Entities and Business Associates
A Covered Entity is a healthcare provider, health plan, or healthcare clearinghouse that transmits health information electronically. If you are a dental practice, medical clinic, physical therapy office, or similar healthcare provider, you are likely a Covered Entity.
A Business Associate is a vendor or service provider that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity. When Rekva handles calls for a Covered Entity customer where PHI may be involved, Rekva acts as a Business Associate.
2. Business Associate Agreement (BAA)
HIPAA requires a written Business Associate Agreement (BAA) between a Covered Entity and any Business Associate before the Business Associate handles PHI. Rekva offers a BAA to all eligible Covered Entity customers.
How to Request a BAA
- Email hipaa@rekva.ai with the subject line "BAA Request"
- Include your business name, primary contact, and the approximate date you intend to begin using Rekva for PHI workflows
- A fully executed BAA must be in place before you use the Service for any call, workflow, or integration that may involve PHI
If you have not executed a BAA with Rekva, you must not route PHI through the platform. Operating the Service with PHI without an executed BAA is a violation of HIPAA and of our Terms of Service.
3. Subprocessors — BAA Status
Rekva uses the following subprocessors in delivering the Service. When a Covered Entity customer has an executed BAA with Rekva, we ensure that PHI flows only through subprocessors with whom we also maintain BAAs.
Subprocessors WITH Business Associate Agreements
PHI may flow through these subprocessors when a BAA is in place between you and Rekva:
- Google Workspace — Business email and administrative communication
- Twilio — Telephony infrastructure carrying voice calls and SMS
- Retell AI — Voice agent runtime that processes call audio and generates transcripts (which may contain PHI)
Subprocessors WITHOUT Business Associate Agreements
The following subprocessors do not have BAAs with Rekva. As a result, PHI is never routed to these systems by design:
- Resend (transactional email) — Resend is used only to deliver email notifications such as appointment summaries. These emails contain only: the business name, appointment date and time, and the caller's contact name. They do not contain the reason for a medical visit, diagnosis, health history, insurance information, or any other PHI. If you operate in a healthcare context, you must ensure your agent scripts are configured to prevent PHI from appearing in email summaries.
- Cal.com (lower tiers) — Cal.com's lower subscription tiers do not include a BAA. Where Cal.com is used for scheduling, it receives appointment slot data (name, date, time) only. It does not receive the reason for the visit, health conditions, or any clinical information. For healthcare customers requiring a fully HIPAA-compliant scheduling integration, contact us to discuss supported integration options.
4. Customer Obligations Under HIPAA
If you are a Covered Entity using Rekva, you are responsible for:
- Requesting and executing a BAA before using the platform for PHI workflows (see Section 2 above)
- Configuring your AI agent appropriately — work with Rekva support to ensure your agent script, greeting, and data collection fields do not prompt callers for unnecessary PHI
- Minimum necessary standard — limiting PHI collection to only what is required for the appointment-booking purpose; do not configure the agent to collect diagnoses, medication details, or other clinical data unless specifically necessary and you have appropriate safeguards in place
- Workforce training — ensuring that your staff who access Rekva transcripts and call data understand their HIPAA obligations with respect to that data
- Breach reporting — notifying Rekva promptly (at hipaa@rekva.ai) if you become aware of a potential breach or unauthorized disclosure of PHI processed through the Service
5. Patient Rights Under HIPAA
Patients (end users who call Covered Entity businesses using Rekva) have the following rights under HIPAA's Privacy Rule. These rights are exercised through the Covered Entity (the healthcare provider), not directly through Rekva as a Business Associate:
- Right of Access: Patients have the right to inspect and receive copies of their PHI held by the Covered Entity, which may include transcripts of calls handled by Rekva on the Covered Entity's behalf.
- Right to Amendment: Patients may request that the Covered Entity correct inaccurate PHI in their records, including any call data.
- Right to an Accounting of Disclosures: Patients may request a list of certain disclosures of their PHI made by the Covered Entity or its Business Associates.
- Right to File a Complaint: Patients who believe their HIPAA rights have been violated may file a complaint with the Covered Entity, with Rekva (at hipaa@rekva.ai), or directly with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) at hhs.gov/hipaa/filing-a-complaint.
Rekva will cooperate with Covered Entity customers in facilitating the exercise of patient rights to the extent required by our BAA and applicable law.
6. Security Practices
Rekva implements administrative, physical, and technical safeguards designed to protect PHI in accordance with HIPAA's Security Rule. Our practices include:
- Encryption of PHI in transit (TLS 1.2+) and at rest (AES-256)
- Access controls limiting PHI access to authorized personnel
- Subprocessors with BAAs are required to maintain HIPAA-compliant infrastructure. Twilio, Retell AI, and Google Workspace each maintain security programs consistent with their BAA obligations.
- Incident response procedures for potential breaches, including notification obligations
Rekva does not claim HIPAA certification — no such government certification exists. We provide HIPAA-compliant infrastructure and practices and offer BAAs as required by law.
7. Contact for HIPAA Matters
For all HIPAA-related inquiries, including BAA requests, breach reports, and compliance questions:
- Email: hipaa@rekva.ai
We aim to respond to all HIPAA inquiries within 5 business days.
8. Changes to This Notice
Rekva may update this HIPAA Privacy Notice to reflect changes in our practices, subprocessors, or applicable law. Material changes will be communicated to affected Covered Entity customers via email. The current version of this Notice is always available at rekva.ai/hipaa.