Skip to content
Approva
Legal

Privacy Policy

Last updated June 26, 2026

01The short version

Approva prepares and files prior authorizations for healthcare practices. To do that, we process protected health information (PHI), the clinical notes, codes, and patient and payer details a prior auth requires, on behalf of the practice.

We handle PHI under a Business Associate Agreement (BAA), only use it to do the job you hired us for, and never sell it or use it to train third-party AI models. We maintain SOC 2 and follow HIPAA.

02Who this covers

This policy covers Approva Health, Inc. (Approva, we, us) and the organizations that use our service: healthcare practices, billing teams, and revenue-cycle groups (our customers, the covered entities or their business associates).

For PHI, the practice is the covered entity and Approva is a business associate acting on its instructions. If you are a patient, direct requests about your information to your provider; we will support them in responding.

03PHI and our BAA

Approva signs a Business Associate Agreement with every customer before handling PHI. The BAA governs how we may use and disclose PHI and controls in the event of any conflict with this policy.

We use and disclose PHI only to perform prior-authorization services for the practice, and as the BAA and law permit or require. We do not use PHI for advertising, we do not sell it, and we do not use it to train third-party AI models.

PHI is encrypted in transit and at rest, access is restricted on a need-to-know basis, and we keep audit logs of access and of every request and decision. We retain PHI only as long as needed to provide the service and meet the practice's instructions and legal obligations, then dispose of it securely.

04Information we process

Account information: names, work emails, roles, and billing details for the staff at your organization who use Approva.

Prior-auth information (may include PHI): patient identifiers, clinical documentation, diagnosis and procedure codes, payer and plan details, submission confirmations, and decision status.

Usage information: how your team uses the dashboard, plus basic device and log data we need to keep the service secure and reliable. We keep operational logs separate from PHI wherever practical.

05How we use information

To provide the service: match payer requirements, gather the required documentation, file the prior authorization, chase status to a decision, and surface exceptions to your team.

To support and improve reliability: diagnose problems, prevent abuse, and keep the service running. Any internal quality work uses the minimum data needed, is access-controlled, and never includes selling data or training third-party models on PHI.

To bill you and communicate about your account.

06Subprocessors and sharing

We share information only with vetted service providers who help us run Approva (for example, cloud hosting and payment processing), under contracts, and BAAs where PHI is involved, that require them to protect it and use it only for us.

We disclose PHI to payers and clearinghouses as needed to file and follow up on your prior authorizations, at your direction. We may disclose information if the law requires it. If Approva is ever involved in a merger or acquisition, we will require the successor to honor this policy and our BAAs.

07Your organization's controls

Administrators can manage user access, configure what stays with a human, and set retention within the bounds we support. You can request export or secure deletion of your data, subject to legal and BAA obligations.

Patient rights requests (access, amendment, restriction) are handled by the covered entity; we assist our customers in fulfilling valid requests.

08Security

We use encryption, least-privilege access, monitoring, and audit logging to protect data, and we maintain a SOC 2 program. No system is perfect, but handling PHI to a high standard is the core of what we sell, so we treat it that way. Security questions and documentation requests go to security@approvahealths.com.

09Changes and contact

If we make a material change to this policy, we will notify affected customers before it takes effect. Questions or requests go to privacy@approvahealths.com.