Last updated: February 11, 2026
HIPAA Compliance & Privacy Policy
Our Commitment to Protecting Protected Health Information (PHI)
We are committed to protecting the privacy, security, and integrity of Protected Health Information (“PHI”) and Electronic Protected Health Information (“ePHI”) in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Breach Notification Rule, and applicable updates, including modifications aligned with 42 CFR Part 2 where applicable.
As a Business Associate to Covered Entities, we implement administrative, physical, and technical safeguards designed to ensure the confidentiality, integrity, and availability of PHI entrusted to us.
Scope of PHI Handling
We may access, receive, maintain, transmit, or process PHI in connection with:
- Operational support services
- Administrative or virtual workforce services
- Technology-enabled coordination or workflow management
- Client-directed healthcare administrative activities
We do not use or disclose PHI except as permitted or required by our Business Associate Agreements (BAAs) and applicable law.
Administrative Safeguards
We maintain documented policies and procedures that include:
- Annual HIPAA risk assessments and documented risk mitigation plans
- Workforce HIPAA training upon onboarding and annually thereafter
- Role-based access controls and least-privilege standards
- Documented incident response and breach notification protocols
- Vendor and subcontractor due diligence and compliance review
All workforce members are required to sign confidentiality agreements and acknowledge HIPAA compliance responsibilities.
Technical Safeguards
In alignment with current regulatory guidance and evolving cybersecurity standards, we implement:
- Multi-Factor Authentication (MFA) for systems containing ePHI
- Encryption of ePHI in transit and at rest
- Secure cloud-hosted environments that meet industry security standards
- Access logging and activity monitoring
- Routine vulnerability scanning and system updates
- Secure device management protocols
We continuously evaluate our security posture to remain aligned with regulatory updates and industry best practices.
Physical Safeguards
Where applicable, we maintain:
- Secure workstation standards
- Controlled access to devices containing ePHI
- Remote workforce security protocols
- Secure disposal and media sanitization procedures
Breach Notification
In the event of a suspected or confirmed security incident involving PHI:
- We conduct a documented investigation.
- We notify the Covered Entity without unreasonable delay and in accordance with our BAA.
- We cooperate in mitigation and regulatory reporting as required under HIPAA.
Patient Rights & Privacy Practices
When applicable and directed by our Covered Entity partners, we support:
- Rights of access, amendment, and accounting of disclosures
- Restrictions on disclosure where required
- Compliance with applicable updates involving substance use disorder records under 42 CFR Part 2
For questions regarding individual rights, patients should contact their healthcare provider directly.
Compliance Oversight
We designate a Privacy and Security Officer responsible for:
- Oversight of HIPAA compliance
- Risk assessment review
- Incident management
- Policy updates
For compliance inquiries, please contact our Fractional Compliance Officer: [email protected]
