Help Center · 7 answers
HIPAA, Compliance, and Data Security
How MedPrecision Billing handles BAAs, PHI, breach notification, encryption, employee training, and ongoing security audits.
What this topic covers
- Does MedPrecision Billing sign a HIPAA Business Associate Agreement?
- How does MedPrecision protect Protected Health Information (PHI)?
- What is MedPrecision's breach notification process?
- Is MedPrecision SOC 2 Type II certified?
All Answers
Every question in HIPAA, Compliance, and Data Security
Does MedPrecision Billing sign a HIPAA Business Associate Agreement?
Yes. A Business Associate Agreement under HIPAA 45 CFR 164.504(e) is signed before any Protected Health Information (PHI) exchange occurs, including before access credentials are issued for the practice EHR or PM system. The MedPrecision BAA addresses the seven required elements under HHS guidance: permitted uses and disclosures, safeguard requirements, subcontractor flow-down, breach reporting timelines, return or destruction of PHI at termination, audit access for the covered entity, and material breach termination rights. The BAA explicitly limits PHI use to the minimum necessary for billing operations under 45 CFR 164.502(b). MedPrecision does not subcontract PHI access offshore; all billing staff with PHI access are US-based employees under signed individual confidentiality agreements. The BAA template is available for legal review during the proposal stage and accommodates practice-specific addenda for state-level laws stricter than HIPAA (Texas HB 300, California CMIA, New York SHIELD).
How does MedPrecision protect Protected Health Information (PHI)?
PHI safeguards follow the HIPAA Security Rule under 45 CFR Part 164 Subpart C across three control families. Administrative safeguards include role-based access control with least-privilege provisioning, mandatory annual HIPAA training for all staff with billing access, documented sanction policies for violations, and a designated Privacy Officer per 45 CFR 164.530. Physical safeguards include facility access controls, workstation lock screens after 10 minutes of inactivity, and a clean-desk policy preventing PHI exposure. Technical safeguards include AES-256 encryption for PHI at rest, TLS 1.2 or higher for PHI in transit, multi-factor authentication on all systems handling PHI, audit logging on every PHI access event with 6-year retention per 45 CFR 164.316, and quarterly access reviews. All PHI is processed inside a HIPAA-aligned production environment; no PHI flows through email, consumer messaging, or unencrypted file shares.
What is MedPrecision's breach notification process?
Breach response follows the HIPAA Breach Notification Rule timing under 45 CFR 164.410: any suspected breach involving practice PHI triggers a written notice to the covered entity within 60 calendar days of discovery, with initial communication to the practice Privacy Officer initiated within 24 hours of detection. The breach process has four stages: (1) immediate containment within 24 hours, including credential rotation and isolation of affected systems, (2) forensic assessment within 72 hours to determine scope, root cause, and PHI exposure (using the four-factor risk assessment from 45 CFR 164.402), (3) practice notification with a full incident report and remediation plan, and (4) regulatory and individual notification support per HHS breach reporting requirements when the risk assessment cannot demonstrate a low probability that the PHI was compromised. MedPrecision carries cyber liability insurance with coverage for forensic, notification, and credit monitoring costs in the event of a breach involving practice PHI.
Is MedPrecision SOC 2 Type II certified?
MedPrecision operates under the AICPA SOC 2 Trust Services Criteria covering security, availability, confidentiality, and privacy, with a SOC 2 Type II audit report available under NDA to qualifying enterprise clients (practices over 10 providers and hospital-employed physician groups). The audit covers a 12-month observation window with continuous monitoring across access management, change management, incident response, vendor management, and data-handling controls. For smaller practices not requesting the full SOC 2 report, MedPrecision provides a HIPAA Risk Analysis summary mapped to the same controls under 45 CFR 164.308(a)(1)(ii)(A). Beyond SOC 2 and HIPAA, MedPrecision maintains compliance with PCI DSS for any patient card-on-file processing (typically Level 4 merchant scope), and follows NIST Cybersecurity Framework controls for security operations. SOC 2 reports are reissued annually; the most recent report covers the calendar year ending December 2025.
How is PHI encrypted in transit and at rest?
Encryption follows NIST SP 800-111 (storage) and NIST SP 800-52 Rev 2 (transport) standards, exceeding HIPAA Security Rule encryption guidance under 45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii). Data at rest uses AES-256 encryption on all production databases, application servers, and backup volumes; encryption keys are managed in a FIPS 140-2 validated key management service with key rotation every 90 days. Data in transit uses TLS 1.2 or higher for all external connections and mutual TLS for clearinghouse and EHR API connections; SSH connections use Ed25519 or RSA-4096 keys. Endpoints (laptops, workstations) use full-disk encryption (FileVault on macOS, BitLocker on Windows) and are managed through MDM with remote wipe capability. ANSI X12 837 claim files and 835 ERA files transmitted over EDI are encrypted via AS2 with X.509 certificates per the trading-partner agreement with each clearinghouse and direct-submission payer.
What HIPAA training do MedPrecision employees receive?
All employees with PHI access complete documented HIPAA training within 30 days of hire and annually thereafter, satisfying 45 CFR 164.530(b)(1) workforce training requirements. The curriculum covers six modules: Privacy Rule fundamentals (45 CFR Part 164 Subpart E), Security Rule controls (Subpart C), Breach Notification Rule (Subpart D), the minimum-necessary standard, role-based PHI access policies, and incident reporting procedures. Specialty roles receive additional training: billing staff complete a 4-hour module on payer-specific PHI handling, IT staff complete the HHS HIPAA Security Series modules covering technical safeguards, and the Privacy Officer maintains AAPC, AHIMA, or HCCA HIPAA-specialized certification. Training completion is documented per employee with quiz score (80 percent passing required), retained for 6 years per HIPAA documentation requirements. Sanction policy includes documented warnings, suspension, and termination paths for violations, applied uniformly under 45 CFR 164.530(e).
Does MedPrecision use offshore staff for billing work?
MedPrecision's billing operations team handling US claims is US-based; PHI access for charge entry, coding review, denial management, payer phone work, and patient phone support is restricted to US employees under direct W-2 employment with signed individual confidentiality agreements layered on top of the HIPAA BAA. This is a deliberate operational decision driven by three factors: (1) HIPAA does not prohibit offshore PHI access if a BAA flows down properly, but state laws in Texas (HB 300), California (CMIA), and several others impose stricter offshore disclosure rules that complicate compliance for multi-state practices, (2) payer phone navigation and appeals work requires fluent US-payer-system literacy that produces measurably better recovery rates, and (3) practice clients consistently request US-based staff during proposal stage. Non-PHI engineering, infrastructure, and product work may involve offshore contributors, but production PHI never crosses the US border.
Related Topics
Getting Started with MedPrecision Billing
Onboarding timelines, parallel billing, EHR integration, and what the first 30 to 90 days look like for practices switching to MedPrecision Billing.
EHR and Software Integrations
Supported EHR and practice management platforms, integration timelines, custom HL7 and FHIR builds, and how MedPrecision handles legacy system support.
Performance, KPIs, and Benchmarks
Net collection rate, denial rate, days in A/R, clean claim rate — what to expect, how MedPrecision Billing benchmarks against MGMA, HFMA, and AAPC industry standards.
Still have a question?
The MedPrecision operations team can answer your specific situation in one business day. Start with a free billing audit.