HIPAA Notice of Privacy Practices
1. Who this notice applies to
This Notice applies to AI Revenue Forge (ARF Inc.) only in situations where one of our clients is a HIPAA Covered Entity (a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with a HIPAA standard transaction) and ARF technology — AI voice receptionists, SMS workflows, scheduling agents, or data orchestration — creates, receives, maintains, or transmits information that meets the HIPAA definition of Protected Health Information (PHI). In those situations ARF acts as a Business Associate of the Covered Entity.
When that happens, ARF executes a Business Associate Agreement (BAA) with the Covered Entity before any PHI flows through our systems. This Notice supplements (but does not replace) the Covered Entity's own Notice of Privacy Practices, which is the authoritative notice that patients receive at the point of care.
2. What ARF does and does not do under HIPAA
| ARF DOES | ARF DOES NOT |
|---|---|
| Sign a Business Associate Agreement with every Covered Entity client whose work touches PHI. | Use PHI for ARF's own advertising, marketing, or sales activities. |
| Apply HIPAA Security Rule administrative, physical, and technical safeguards to PHI under our control. | Sell PHI to third parties under any circumstances. |
| Encrypt PHI in transit (TLS 1.2+) and at rest (AES-256 or equivalent). | Disclose PHI for purposes outside the BAA without explicit Covered Entity authorization. |
| Log access to PHI and review logs for inappropriate access. | Aggregate, deidentify, or repurpose Covered Entity PHI without contractual permission. |
| Notify the Covered Entity of any suspected or confirmed breach of unsecured PHI without unreasonable delay and in no case later than 60 calendar days after discovery, as required by 45 CFR 164.410, or sooner where the BAA sets a shorter deadline. | Retain PHI longer than the BAA-defined retention period. |
| Train ARF personnel with PHI access on HIPAA Privacy + Security Rule requirements. | Permit unauthorized personnel, subcontractors, or vendors to access PHI. |
3. The PHI we may handle
PHI is individually identifiable health information, created or received by a Covered Entity or its Business Associate, that relates to an individual's past, present, or future physical or mental health, the healthcare services they received, or payment for that healthcare. In the context of ARF's services, this may include:
- Patient or caregiver names, addresses, phone numbers, and email addresses captured through AI voice or SMS workflows running on behalf of a Covered Entity client.
- Appointment scheduling data (date, time, provider, reason for visit when supplied).
- Insurance plan or coverage references mentioned during a call routed through ARF infrastructure.
- Caregiver shift assignments, patient addresses for in-home visits, and visit confirmations when ARF operates SMS workflows for a home-health-agency Covered Entity client.
- Call recordings, transcripts, and metadata when those recordings contain PHI and were created on behalf of a Covered Entity client.
ARF does not directly collect PHI from patients in the absence of a Covered Entity client relationship. ARF's general marketing operations (cold outreach, sales calls, demos) do not involve PHI.
4. How we safeguard PHI
4.1 Administrative safeguards (45 CFR 164.308)
- Designated HIPAA Privacy + Security Officer (currently the Founder, Rick Jenkins).
- Workforce training on HIPAA Privacy + Security Rules at onboarding and annually thereafter.
- Workforce sanction policy for HIPAA violations.
- Access management procedures: least-privilege defaults, named-user accounts, immediate revocation on workforce separation.
- Incident response procedures with documented escalation to the Covered Entity without unreasonable delay and in no case later than 60 calendar days after discovery of a breach (sooner where the BAA requires it).
- Periodic risk assessments of systems touching PHI.
4.2 Physical safeguards (45 CFR 164.310)
- PHI is stored only on cloud infrastructure that maintains current SOC 2 Type II and/or HIPAA-eligible service status (e.g., AWS HIPAA-eligible services, Twilio HIPAA-eligible products, encrypted Notion enterprise tier when in use under BAA).
- Workforce devices used to access PHI are full-disk encrypted, password-protected, and screen-lock enabled.
- No PHI is stored on personal removable media (USB drives, external disks).
4.3 Technical safeguards (45 CFR 164.312)
- Encryption in transit: TLS 1.2 or higher on all PHI-bearing connections.
- Encryption at rest: AES-256 (or platform-provided equivalent) for all PHI-bearing storage.
- Unique user identification for all PHI access.
- Automatic session timeouts on PHI-bearing systems.
- Audit controls: access logs reviewed periodically by the Privacy + Security Officer.
- Integrity controls: mechanisms to detect improper alteration or destruction of PHI, supported by backup and recovery procedures for PHI-bearing systems (the latter are also part of the contingency planning required under 45 CFR 164.308(a)(7)).
5. Subcontractors and downstream BAAs
When ARF engages a subcontractor whose services may touch PHI on behalf of a Covered Entity client, ARF requires that subcontractor to execute a downstream Business Associate Agreement before PHI access is granted. Subcontractors that may fall under this requirement (depending on the specific Covered Entity engagement) include:
- Cloud hosting, storage, and collaboration providers (AWS, Notion, OneDrive enterprise, etc.) under their HIPAA-eligible service offerings.
- Communications platforms (Twilio, Retell AI, etc.) under their HIPAA-eligible service offerings, where the offering is contractually elected for that workload.
- Voice transcription and AI inference providers used in the specific workflow.
A current list of ARF subcontractors with PHI exposure can be requested in writing by a Covered Entity client.
6. Your rights when you are a patient of an ARF Covered Entity client
If you are a patient or member of a healthcare entity that uses ARF technology, your HIPAA rights are exercised through that Covered Entity, not through ARF directly. Those rights include:
- The right to inspect and copy your PHI.
- The right to request amendment of your PHI.
- The right to receive an accounting of disclosures.
- The right to request restrictions on uses and disclosures.
- The right to request confidential communications.
- The right to receive a paper copy of the Covered Entity's Notice of Privacy Practices.
- The right to file a complaint with the Covered Entity, with ARF, and with the U.S. Department of Health and Human Services Office for Civil Rights.
To exercise any of these rights, contact the Covered Entity directly. ARF will support the Covered Entity's response per the BAA. ARF cannot act unilaterally on patient HIPAA requests in the absence of Covered Entity direction.
7. Breach notification commitment
If ARF discovers a breach of unsecured PHI in our possession or under our control:
- We will notify the affected Covered Entity client without unreasonable delay and in no case later than 60 calendar days following discovery of the breach, in accordance with 45 CFR 164.410, or within any shorter period the BAA specifies. Consistent with 45 CFR 164.410(a)(2), a breach is treated as discovered on the first day it is known to ARF or, by exercising reasonable diligence, would have been known to ARF.
- Our notification will include, to the extent possible, the identification of each affected individual, a description of the PHI involved, the date of the breach, the date of discovery, and any other available information the Covered Entity needs for its own required notifications; information that becomes available later is provided promptly as a supplement.
- We will cooperate with the Covered Entity in its required notifications to affected individuals, HHS, and (where applicable) the media.
- We will conduct a root-cause investigation, document corrective actions, and provide the Covered Entity with that documentation.
8. Marketing and TCPA
ARF operates SMS and voice campaigns under separate consent frameworks (TCPA/CTIA, A2P 10DLC). PHI is never used to populate marketing audiences. Where ARF runs SMS workflows on behalf of a Covered Entity (for example, caregiver shift call-outs for a home-health-agency client), those workflows are treatment, payment, or healthcare operations messages, not marketing, and are sent under the Covered Entity's authority and consent records.
9. How to contact ARF about this notice
Questions about ARF's Business Associate practices, BAA requests, breach reports, or this Notice can be directed to:
AI Revenue Forge (ARF Inc.)
HIPAA Privacy + Security Officer: Rick Jenkins
Email: airevenueforge@proton.me
Phone: 1-877-640-3761 (general business line)
Web: airevenueforge.tech
Covered Entities seeking to execute a BAA with ARF prior to onboarding may request a draft via the email above.
10. Changes to this notice
ARF reserves the right to update this Notice. Material changes will be posted on this page with an updated Effective Date. The current Notice is always available at https://airevenueforge.tech/hipaa.
This Notice describes ARF's Business Associate practices under HIPAA. It is not a substitute for legal advice and does not establish ARF as a Covered Entity or healthcare provider. Patients and members should refer to their healthcare provider's or health plan's Notice of Privacy Practices for the authoritative description of how their PHI is handled.