
HIPAA Compliance

MedPrecision operates as a HIPAA Business Associate under 45 CFR Parts 160 and 164. Because our work routinely involves access to Protected Health Information (PHI) on behalf of covered entities -- physician practices, specialty groups, and telehealth providers -- we treat the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule as the foundation of every workflow, system, and training program we run. This page summarizes the controls, obligations, and operating practices that support that commitment.

What HIPAA Requires of Business Associates

The HIPAA Omnibus Rule (2013) made business associates directly liable for compliance with the Security Rule and specific portions of the Privacy Rule. Three regulatory pillars apply to our operations:

  • Privacy Rule (45 CFR 164.500-534): Governs permissible uses and disclosures of PHI. We use PHI only for treatment, payment, and health care operations functions explicitly authorized by each client's Business Associate Agreement.
  • Security Rule (45 CFR 164.302-318): Requires administrative, physical, and technical safeguards for electronic PHI (ePHI), along with documented policies and periodic risk analyses.
  • Breach Notification Rule (45 CFR 164.400-414): Mandates timely notification to the covered entity following the discovery of a breach of unsecured PHI, along with documentation requirements under the HITECH Act.

Our Business Associate Agreement (BAA)

Before we access a single claim, eligibility record, or remittance file, we execute a written BAA with every covered entity. Our standard BAA addresses the elements required by 45 CFR 164.504(e), including:

  • Permitted and required uses and disclosures of PHI, limited to the minimum necessary for billing, coding, A/R follow-up, denial management, credentialing, and related revenue cycle services.
  • Prohibition on further use or disclosure except as permitted by the agreement or required by law.
  • Obligation to implement appropriate safeguards and to report any use or disclosure not provided for in the BAA, including breaches of unsecured PHI.
  • Subcontractor flow-down: any subcontractor we engage must sign a downstream BAA with equivalent obligations.
  • Return or destruction of PHI upon termination, to the extent feasible, and continued protection of any retained PHI.
  • Indemnification, audit, and recordkeeping provisions negotiated in good faith with each client.

Administrative Safeguards

Designated Privacy & Security Officers

We maintain a named Privacy Officer and Security Officer responsible for developing, implementing, and overseeing policies, responding to inquiries, and coordinating risk analyses.

Workforce Training & Certification

Every team member -- coders, billers, AR specialists, analysts, and leadership -- completes documented HIPAA training during onboarding before any PHI access is granted, with refresher training delivered annually and targeted retraining after any material regulatory or policy change.

Access Management

Role-based access control (RBAC) grants the minimum privileges required for each job function. Access is provisioned through a documented request/approval workflow, reviewed quarterly, and revoked within one business day of role change or termination.

Audit Controls & Logging

System activity involving ePHI is logged, retained, and reviewed on a defined cadence. Anomalous access patterns trigger internal investigation under our audit response procedure.
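As an added illustration of the kind of review the audit response procedure relies on (example code written for this page, not MedPrecision's tooling), the script below reads a constructed JSON-lines ePHI access log and checks each event against an assumed access model: the client practices each workforce member is assigned to, the date on which a departed member's access was revoked, working hours, and a per-hour cap on distinct patient records. The log format, field names, assignment table, and thresholds are all assumptions chosen for the example; the point is that "anomalous access" has to be defined against the RBAC model, or the log cannot be reviewed meaningfully.

```python
"""Review constructed ePHI access-log lines against an assumed access model and
return findings for the audit response procedure.

Example code for this page, not MedPrecision's own tooling. The log schema,
assignment table, and thresholds below are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime

# Assumed access model: role, assigned client practices, and (if any) the
# timestamp from which the member's access should have been revoked.
ASSIGNMENTS = {
    "jdoe":   {"role": "biller", "clients": {"clinic-a"}, "revoked": None},
    "asmith": {"role": "coder",  "clients": {"clinic-b"}, "revoked": None},
    "bjones": {"role": "ar",     "clients": {"clinic-a"},
               "revoked": "2026-03-01T00:00:00+00:00"},
}

BULK_THRESHOLD = 5        # distinct patients per user per clock hour (assumed)
BUSINESS_HOURS = (7, 20)  # 07:00 to 19:59 UTC counts as working hours (assumed)

# Constructed audit trail, one JSON object per line, with one event of each
# kind the rules below are meant to catch plus a burst of six distinct patients.
SAMPLE_LOG = "\n".join([
    '{"ts":"2026-03-10T14:05:00+00:00","user":"jdoe","client":"clinic-a","patient":"P1001","action":"read"}',
    '{"ts":"2026-03-10T14:06:00+00:00","user":"jdoe","client":"clinic-b","patient":"P2001","action":"read"}',
    '{"ts":"2026-03-10T03:15:00+00:00","user":"asmith","client":"clinic-b","patient":"P2002","action":"read"}',
    '{"ts":"2026-03-10T15:00:00+00:00","user":"bjones","client":"clinic-a","patient":"P1002","action":"export"}',
    '{"ts":"2026-03-10T15:01:00+00:00","user":"ghost","client":"clinic-a","patient":"P1003","action":"read"}',
] + [
    json.dumps({"ts": f"2026-03-10T16:{m:02d}:00+00:00", "user": "asmith",
                "client": "clinic-b", "patient": f"P3{m:03d}", "action": "read"})
    for m in range(6)
])


def parse_log(text):
    """Parse JSON-lines audit records, converting "ts" to an aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def detect_anomalies(events, assignments=ASSIGNMENTS):
    """Return (rule, user, detail) tuples for events that contradict the access model.

    Rules: unknown_user, post_revocation, unassigned_client, off_hours, and
    bulk_access (more than BULK_THRESHOLD distinct patients in one clock hour;
    a fixed hourly bucket is used rather than a sliding window for simplicity).
    """
    findings = []
    per_hour = defaultdict(set)  # (user, hour bucket) -> distinct patient IDs
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        acct = assignments.get(user)
        if acct is None:
            findings.append(("unknown_user", user,
                             f"{ts.isoformat()} {ev['action']} {ev['client']}/{ev['patient']}"))
            continue
        if acct["revoked"] and ts >= datetime.fromisoformat(acct["revoked"]):
            findings.append(("post_revocation", user,
                             f"access at {ts.isoformat()} after revocation {acct['revoked']}"))
        if ev["client"] not in acct["clients"]:
            findings.append(("unassigned_client", user,
                             f"{ev['client']} not in {sorted(acct['clients'])}"))
        if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            findings.append(("off_hours", user, f"{ev['action']} at {ts.isoformat()}"))
        bucket = (user, ts.replace(minute=0, second=0, microsecond=0))
        per_hour[bucket].add(ev["patient"])
        if len(per_hour[bucket]) == BULK_THRESHOLD + 1:  # fire once when crossed
            findings.append(("bulk_access", user,
                             f">{BULK_THRESHOLD} distinct patients in hour starting {bucket[1].isoformat()}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{rule:18} {user:8} {detail}")
```

Run against the constructed log, the review produces five findings: one access to a client outside the member's assignment, one use of an account after its revocation date, one event from an account absent from the access model, one off-hours read, and one hourly burst above the patient threshold. Each of these maps directly to a control on this page (least privilege, one-business-day revocation, quarterly access review, and minimum necessary), which is what makes the finding actionable rather than just a statistical outlier.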

Sanction Policy

Workforce members who violate HIPAA policies are subject to a documented, progressive sanction process ranging from retraining to termination, with regulatory reporting where required.

Contingency Planning

Documented data backup, disaster recovery, and emergency mode operation plans are tested at least annually so that PHI remains available and protected during disruptive events.

Physical Safeguards

MedPrecision operates as a remote-first organization. Because we do not house on-premises servers containing client PHI, our physical safeguards are engineered around endpoint and workspace controls rather than traditional facility access:

  • Workstation security: All workforce devices are company-managed or enrolled in a mobile device management (MDM) profile that enforces full-disk encryption, automatic screen lock, strong passcodes, and remote wipe capability.
  • Device and media controls: Removable media use is restricted by policy; authorized media are encrypted and tracked. Decommissioned devices undergo documented sanitization before disposal or reassignment.
  • Workspace expectations: Workforce members are required to work in private, non-shared spaces, use privacy screens where needed, and follow clean-desk practices that prohibit printing or storing PHI locally.
  • Cloud infrastructure: Production systems that store or process ePHI are hosted with cloud providers that maintain SOC 2 Type II attestations and execute BAAs with us.

Technical Safeguards

  • Encryption in transit: All PHI transmitted across public networks uses TLS 1.2 or higher. SFTP, VPN tunnels, and HTTPS endpoints are the default transfer mechanisms; unencrypted email is never used to transmit PHI.
  • Encryption at rest: ePHI stored in databases, file storage, and backups is encrypted using AES-256 or equivalent industry-standard algorithms. Under the HHS guidance on rendering PHI unusable, unreadable, or indecipherable (which references NIST SP 800-111 for data at rest), encrypted PHI is treated as "secured" only if the decryption key has not also been compromised, so key handling is part of the control, not an afterthought.
  • Multi-factor authentication (MFA): MFA is required for all workforce accounts that access ePHI, administrative consoles, email, and client systems where supported.
  • Role-based access and least privilege: Permissions are scoped to the minimum necessary PHI elements for each role; elevated access is time-boxed and logged.
  • Automatic logoff and session timeouts: Idle sessions terminate after a defined interval, and re-authentication is required to resume access.
  • Endpoint protection: Managed devices run endpoint detection and response (EDR) tooling, automatic OS/application patching, and policy-enforced firewalls.
  • Integrity controls: Change management, version control, and transmission integrity checks protect PHI from improper alteration or destruction.

Incident Response & Breach Notification

Our incident response procedure follows a documented lifecycle: detection, triage, containment, eradication, recovery, and post-incident review. When a suspected incident involves PHI, we:

  • Initiate investigation within 24 hours of discovery and preserve relevant logs and evidence.
  • Conduct the four-factor risk assessment described in the definition of "breach" at 45 CFR 164.402 -- the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated -- to determine whether the event constitutes a reportable breach of unsecured PHI. An impermissible use or disclosure is presumed to be a breach unless that assessment shows a low probability that the PHI has been compromised.
  • Notify the affected covered entity in accordance with the BAA and, in all cases, no later than the 60-calendar-day outer limit required by 45 CFR 164.410 -- typically far sooner. The clock starts at discovery, which the rule defines as the first day the breach is known, or by exercising reasonable diligence would have been known, to any workforce member or agent other than the person who committed it, not the day the Privacy Officer is informed.
  • Cooperate with the covered entity on notifications to individuals, HHS Office for Civil Rights, and, where applicable, the media under 45 CFR 164.404-408.
  • Document root cause, remediation, and preventive controls, and fold findings back into training and risk analysis.

Subcontractor & Vendor Due Diligence

Any subcontractor, software vendor, or cloud service that creates, receives, maintains, or transmits PHI on our behalf is evaluated before engagement. Due diligence includes review of security documentation (e.g., SOC 2 Type II reports, HITRUST certifications where available), execution of a downstream BAA, and ongoing monitoring for security events, sub-processor changes, and contract renewals.

Annual Risk Assessment

Consistent with 45 CFR 164.308(a)(1)(ii)(A), we conduct a documented security risk analysis at least annually and whenever a material change -- new system, new service line, or significant workforce change -- warrants reassessment. Findings are tracked through remediation with assigned owners, target dates, and verification steps. Internal policy reviews run on the same annual cadence, with ad-hoc updates whenever federal or state regulations change.

Minimum Necessary Standard

We request, use, and disclose only the minimum PHI necessary to accomplish each billing, coding, or revenue cycle task. Standard workflows (claim submission, payment posting, denial work) are mapped to specific PHI data elements, and deviations require documented justification.

Questions

For questions about our HIPAA compliance practices, to request a copy of our BAA, or to report a suspected privacy or security concern, contact our Privacy Officer at privacy@medprecisionbilling.com or call 1-800-MED-PREC.

Last reviewed: April 1, 2026

Disclaimer: This page is provided for informational purposes only and does not constitute legal advice. Covered entities should consult qualified counsel and their own compliance officers for guidance specific to their organization. Our actual obligations to any client are governed solely by the executed Business Associate Agreement between MedPrecision and that client.