Privacy Policy

Effective Date: April 1, 2026
Last Updated: April 12, 2026

1. Introduction

Revella Health, Inc. (“Revella Health,” “we,” “us,” or “our”) deploys clinical teams into communities to deliver point-of-care preventive screenings, close HEDIS care gaps, capture risk adjustment data, and improve quality outcomes for the health plans that contract with us. We serve Medicare Advantage plans, ACA Marketplace plans, network providers, and the members enrolled in those plans.

We respect your privacy and are committed to protecting the information you share with us — whether you are a health plan executive evaluating a partnership, a provider learning about our services, or a member receiving care at one of our community clinics.

This Privacy Policy explains:

  • What information we collect
  • How we use it
  • When and with whom we share it
  • The choices and rights you have

If you have questions, contact us using the information in Section 13.


2. Scope

This Privacy Policy applies to information we collect through:

  • Our website at revellahealth.com (and any subdomains, including the financial case site, member portal, and RSVP pages)
  • Demo bookings and inquiries submitted through Calendly, our contact forms, email, or phone
  • Our SMS text messaging program for plan members
  • Community mini-clinics, health fair events, and on-site clinical encounters
  • Data exchange with our health plan partners (member files, eligibility files, claims feedback)

Health information collected during clinical care is also governed by our HIPAA Notice of Privacy Practices, which describes in detail how protected health information (PHI) may be used and disclosed. The Notice is provided at every service location and is available on request.


3. Information We Collect

The information we collect depends on how you interact with us. We collect only what we need to deliver our services, support our business relationships, and meet our legal and contractual obligations.

3.1 Website Visitors

When you visit revellahealth.com, we automatically collect:

  • IP address, approximate location, device type, operating system, and browser type
  • Pages visited, time on page, referring URL, search terms used to find us
  • Cookie identifiers and similar technologies used to maintain your session and measure site performance

3.2 Health Plan Prospects and Business Contacts

When you book a demo through Calendly, fill out a contact form, email us, or call us to discuss a partnership, we collect:

  • Your name, business email, phone number, employer, and job title
  • The health plan or organization you represent and basic information about your needs (state, plan type, member volume, areas of interest)
  • Notes from our conversations, follow-up correspondence, and any documents you choose to share

We do not require or collect protected health information (PHI) during sales or business development conversations.

3.3 Providers and Practice Inquiries

When a provider or practice reaches out about working with us, we collect business contact information, practice information (name, location, specialty, payer mix), and notes from our conversations.

3.4 Health Plan Members (Service Recipients)

When you receive services from us at a community event or mini-clinic, when you RSVP to an event, or when you opt in to our SMS program, we collect:

  • Name, date of birth, mobile number, email, mailing address
  • Health insurance information (plan name, member ID, group number)
  • Demographic information and social determinants of health (SDoH) responses
  • Vital signs, screening results, and other clinical findings collected during the encounter
  • Information about your primary care provider (assigned and self-reported)
  • Refusal documentation if you decline a recommended service or referral
  • SMS opt-in records, consent timestamps, and message logs

3.5 Information from Health Plan Partners

Health plans that contract with us (such as Ambetter of Alabama / Celtic Insurance Company) may share with us:

  • Member rosters with names, contact information, demographics, and care gap status
  • Eligibility data
  • Claims and outcomes feedback
  • Provider attribution data

This sharing is authorized under HIPAA for treatment, payment, and healthcare operations and is governed by Business Associate Agreements (BAAs) and Data Use Agreements where applicable.


4. How We Use Your Information

We use the information we collect for the following purposes:

Clinical and care coordination:

  • Deliver preventive screenings, education, and clinical encounters
  • Identify, document, and close HEDIS care gaps
  • Capture risk adjustment and HCC diagnosis data with clinical care
  • Coordinate referrals with primary care providers, case managers, and specialists
  • Generate visit summaries and follow-up communications

Communications:

  • Send SMS event invitations, RSVP confirmations, appointment reminders, and follow-ups (only if you have opted in)
  • Respond to inquiries from health plans, providers, and members
  • Confirm scheduled demos and follow up after sales conversations

Reporting and quality improvement:

  • Generate measure-level gap closure, risk adjustment, and outcomes reporting for the health plans we serve
  • Submit supplemental data to support HEDIS and Star Ratings reporting
  • Improve the safety, effectiveness, and operational quality of our services

Business operations:

  • Site analytics and performance monitoring
  • Marketing and outreach to health plans and providers (business audiences only — never to members based on SMS opt-in data)
  • Compliance with our legal, regulatory, and contractual obligations (HIPAA, HITECH, state privacy laws, payer contracts)

5. Information Sharing — We Do Not Sell Your Data

Information collected through SMS opt-in — including mobile numbers and consent records — is never shared with third parties or affiliates for marketing or promotional purposes. We do not sell, rent, or trade personal information collected through our website, our SMS program, or our clinical services.

We share information only in the following limited circumstances:

  • With your health plan — for treatment, payment, and healthcare operations as authorized under HIPAA. This is the core purpose of our service: delivering encounter data, closed gaps, and risk adjustment captures back to the plan that covers you.
  • With your healthcare providers and care team — including the primary care provider on your record, case managers, and specialists you are referred to.
  • With business associates and service providers — secure cloud hosting, electronic health record systems, SFTP/data transfer services, SMS delivery vendors, scheduling platforms, and analytics tools that help us operate. Each is bound by contractual obligations limiting how they may use information, and HIPAA-covered vendors operate under Business Associate Agreements (BAAs).
  • In response to legal process — court orders, subpoenas, regulatory investigations, or to protect the safety of any person.
  • In aggregated or de-identified form — for research, benchmarking, or product improvement, where the information cannot reasonably be used to identify you.
  • In connection with a corporate transaction — such as a merger, acquisition, or financing, subject to applicable confidentiality and HIPAA protections.

6. Cookies and Online Tracking

Our website uses cookies and similar technologies to:

  • Maintain your session as you navigate the site
  • Remember your preferences
  • Measure site performance and understand how visitors find and use our content
  • Support marketing measurement on business-audience pages (excluding pages where member health information is collected)

You can disable cookies in your browser settings. Doing so may limit some site functionality.

We do not use advertising cookies or third-party advertising trackers on member-facing pages, including the RSVP page, intake forms, or any page where personal health information is collected.


7. Third-Party Services We Use

We rely on a small number of vetted vendors to operate our website and services. Each is contractually limited in how they may use the information they process on our behalf:

  • Calendly — appointment scheduling for sales and demo bookings
  • Cloud hosting and infrastructure providers — secure storage and processing of website and clinical data, with HIPAA-compliant safeguards where PHI is involved
  • SMS messaging platform — message delivery; opt-in records and message logs are not used by the vendor for any purpose other than delivering our messages
  • Analytics tools — site performance and usage measurement (configured to exclude PHI)
  • Electronic health record (EHR) and clinical platform vendors — operating under HIPAA Business Associate Agreements
  • Email and productivity providers — internal operations and communications

We do not authorize any of these vendors to sell, rent, or use your information for their own marketing.


8. SMS Communications

If you opt in to our SMS program, you will receive messages such as event invitations, RSVP confirmations, appointment reminders, location and timing updates, and post-visit follow-ups. The full program terms are available in our SMS Terms and Conditions.

Specifically with respect to SMS:

  • We obtain your prior express consent before sending any SMS message
  • Your mobile opt-in data and consent records are not shared with any third party or affiliate for marketing purposes
  • You may opt out at any time by replying STOP to any message
  • Standard message and data rates from your mobile carrier may apply
  • We do not transmit protected health information (such as diagnoses, lab results, or member ID numbers) over SMS

9. Data Security

We use administrative, technical, and physical safeguards designed to protect your information, including:

  • Encryption of protected health information in transit and at rest
  • HIPAA-compliant cloud infrastructure and secure file transfer (SFTP) for data exchange with health plans, including static-IP allowlisting
  • Role-based access controls and least-privilege permissions for our workforce
  • Audit logging of access to clinical records and member data
  • Workforce training on HIPAA, privacy, and security
  • Business Associate Agreements with all vendors that touch protected health information

No system can be made perfectly secure. If a breach affects your information, we will notify you as required by HIPAA and applicable state law.


10. Your Rights

Depending on the type of information and the law that applies, you may have the right to:

  • Access the personal and health information we hold about you
  • Correct or amend inaccurate information in your records
  • Receive an accounting of disclosures of your protected health information
  • Withdraw consent for SMS messages (reply STOP) or for other communications
  • Restrict certain uses or disclosures of your protected health information
  • Receive a copy of our HIPAA Notice of Privacy Practices
  • Opt out of marketing communications (we do not send marketing SMS, but if you receive any business-audience email marketing, every message contains an unsubscribe link)
  • Exercise applicable rights under state privacy laws, where they apply to the information we hold

To exercise any of these rights, contact our Privacy Officer using the information in Section 13. We will respond within the timeframes required by HIPAA and applicable state law.


11. Children's Privacy

We provide preventive health services to members of all ages as authorized by their health plan. However, our website RSVP and SMS opt-in forms are intended for use by adults age 18 and older. A parent or legal guardian must complete any opt-in or registration on behalf of a minor.

We do not knowingly collect personal information online from children under 13 without verifiable parental consent.


12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last Updated” date at the top of this page. If changes are material, we will provide additional notice — for example, by email, SMS to opted-in members, or a banner on our website — before the changes take effect.


13. Contact Us

If you have questions about this Privacy Policy, want to exercise your rights, or wish to report a privacy concern, please contact:

Revella Health, Inc.

Attn: Privacy Officer

1 Perimeter Park South, Suite 100N

Birmingham, AL 35243

Phone: 888-415-7054

Email: privacy@revellahealth.com

For SMS-specific questions, you may also reply HELP to any message you receive from us.


Revella Health is a HIPAA-covered healthcare provider. This Privacy Policy supplements, but does not replace, our HIPAA Notice of Privacy Practices, which describes in detail how protected health information may be used and disclosed.