HIPAA Compliance
Our commitment to protecting patient health information
Last updated: February 28, 2026
Fully HIPAA Compliant
Patientevity LLC is committed to maintaining full compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act). We implement comprehensive safeguards to protect the confidentiality, integrity, and availability of all Protected Health Information (PHI).
1. Business Associate Agreement
As a Business Associate under HIPAA, Patientevity LLC creates, receives, maintains, and transmits Protected Health Information on behalf of Covered Entities (healthcare organizations, practices, and providers) through the Patientevity EHR platform.
Our Business Associate Agreement (BAA) establishes our obligations, including:
- Not using or disclosing PHI other than as permitted by the BAA or as required by law
- Using appropriate safeguards and complying with the HIPAA Security Rule with respect to ePHI
- Reporting any unauthorized use or disclosure of PHI, including Breaches and Security Incidents
- Ensuring subcontractors agree to the same restrictions and requirements
- Making internal practices, books, and records available to the Secretary of HHS for compliance audits
Permitted Uses and Disclosures
We may use or disclose PHI only as follows:
- As necessary to perform services including hosting electronic health records, processing clinical data, providing telehealth services, managing billing and claims, and supporting practice management
- As required by law
- For proper management and administration of the Business Associate
- To provide Data Aggregation services as permitted by 45 CFR §164.504(e)(2)(i)(B)
- To de-identify PHI in accordance with 45 CFR §164.514(a)-(c)
2. Technical Safeguards
We implement comprehensive technical safeguards to protect the confidentiality, integrity, and availability of all ePHI:
AES-256 Encryption
All ePHI is encrypted with AES-256 both at rest and in transit.
Multi-Factor Authentication
MFA is required for all system access to prevent unauthorized entry.
Role-Based Access Controls
PHI access is limited to authorized personnel based on their role and responsibilities.
Automated Audit Logging
All PHI access and modifications are automatically logged for audit purposes.
Backup & Disaster Recovery
Secure data backup and disaster recovery procedures ensure business continuity.
Firewalls & IDS
Network security controls include firewalls, intrusion detection systems, and continuous monitoring.
3. Administrative Safeguards
Our administrative safeguards complement our technical measures:
- Employee Training: All employees receive comprehensive HIPAA security and privacy training upon hire and annually thereafter
- Risk Assessments: Regular security risk assessments and vulnerability scanning to identify and address potential threats
- Policies and Procedures: Comprehensive written policies governing the use, access, and disclosure of PHI
- Incident Response: Documented incident response procedures for security events and breaches
- Access Management: Formal processes for granting, modifying, and revoking access to systems containing PHI
4. Physical Safeguards
All data is hosted in secure, SOC 2 audited data center facilities that maintain:
- 24/7 physical security and surveillance
- Biometric and multi-factor access controls for facility entry
- Environmental controls (fire suppression, climate management, redundant power)
- Visitor access logs and escort requirements
5. Breach Notification
In the event of a Breach of Unsecured PHI, Patientevity LLC will notify the Covered Entity without unreasonable delay and in no case later than thirty (30) calendar days after discovery of the Breach.
The notification will include, to the extent possible:
- The identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed
- A description of the nature of the Breach, including the types of Unsecured PHI involved
- A description of what we are doing to investigate the Breach, mitigate harm, and protect against further Breaches
- Contact procedures for individuals to ask questions or learn additional information
We will also report, within ten (10) business days of discovery, any unauthorized use or disclosure of PHI of which we become aware, and cooperate fully in meeting obligations under the Breach Notification Rule.
6. Patient Rights
We support Covered Entities in fulfilling patient rights under HIPAA:
- Right to Access: We make PHI in a Designated Record Set available to the Covered Entity or, as directed, to an Individual within fifteen (15) business days. The Covered Entity can also export all PHI at any time through the platform's data export functionality.
- Right to Amendment: We process amendments to PHI in a Designated Record Set as directed by the Covered Entity within fifteen (15) business days of the request.
- Right to Accounting of Disclosures: We maintain an automated audit trail of all disclosures of PHI, including the date, recipient, description of PHI disclosed, and purpose. These records are maintained for a period of six (6) years.
7. Subcontractor Compliance
In accordance with 45 CFR §164.502(e)(1)(ii) and §164.308(b)(2), we ensure that any subcontractors that create, receive, maintain, or transmit PHI on our behalf agree in writing to the same restrictions, conditions, and requirements that apply to us.
We maintain a current list of subcontractors that have access to PHI and make this list available to Covered Entities upon request. Patientevity LLC remains responsible for the acts and omissions of its subcontractors to the same extent as if performed by us directly.
8. Data Retention
We maintain automated audit trails of all PHI disclosures for a period of six (6) years from the date of the disclosure, in compliance with HIPAA requirements.
Upon termination of the service agreement, at the Covered Entity's election, we will either return all PHI in a commonly used electronic format within thirty (30) days or destroy all PHI and certify such destruction in writing.
If return or destruction of all PHI is not feasible, we will retain only the minimum necessary PHI, continue to extend the protections of our BAA to such information, and limit further uses and disclosures to those purposes that make return or destruction infeasible.
9. Contact for HIPAA Inquiries
For questions about our HIPAA compliance practices, to request a copy of our Business Associate Agreement, or to report a security concern, please contact:
Patientevity LLC
Port St Lucie, FL
Email: support@patientevity.com
Website: patientevity.com
Business hours: Monday - Friday, 9:00 AM - 5:00 PM Eastern Time (ET)