HIPAA Compliance Statement: Our Commitment to Protecting Your Health Information


Kevin Henry

HIPAA

May 30, 2025

6 minutes read

HIPAA Compliance Commitment

We are committed to safeguarding your protected health information (PHI) and upholding personal health information privacy across all services. Our HIPAA compliance statement describes the safeguards, processes, and accountability measures we use to protect your data and honor your choices.

Our program aligns with the HIPAA Privacy Rule, HIPAA Security Rule, and applicable PHI disclosure regulations. We apply the minimum necessary standard, continuously assess risks, and require our workforce and partners to follow strict obligations designed to protect the confidentiality, integrity, and availability of PHI.

Our Compliance Program

  • Governance led by designated privacy and security officers with clear lines of responsibility.
  • Risk analyses and ongoing monitoring to address emerging threats and maintain appropriate safeguards.
  • Business Associate Agreements that bind vendors to HIPAA requirements and our security expectations.
  • Documented policies, workforce sanctions, and continuous improvement based on audits and assessments.
  • Role-based HIPAA training requirements for employees and contractors, refreshed on a regular cadence.

Protected Health Information Overview

PHI is any information that relates to your health, care, or payment for care and can identify you. Examples include names, addresses, dates, medical record numbers, device identifiers, images, diagnoses, medications, lab results, and insurance details when linked to a person.

We restrict the use and sharing of PHI to protect personal health information privacy. Data that has been properly de-identified so that it cannot identify you is not considered PHI and may be used for quality improvement, analytics, or research in accordance with applicable rules.

What We Consider PHI

  • Information created or received during treatment, payment, or healthcare operations that can identify you.
  • Any combination of health data and identifiers, whether in paper, electronic, or oral form.

Use and Disclosure of PHI

We use and disclose PHI only as permitted by the HIPAA Privacy Rule and related PHI disclosure regulations. We apply the minimum necessary principle and verify identity and need-to-know before any access or disclosure.

Permitted Uses and Disclosures

  • Treatment: Sharing information with your care team to coordinate and deliver care.
  • Payment: Submitting claims, billing, and eligibility or coverage verification.
  • Healthcare Operations: Quality improvement, audits, accreditation, and customer support.
  • Public Interest and Legal Requirements: Public health reporting, health oversight, law enforcement requests, and other disclosures required by law.
  • Business Associates: Vendors who support our services under Business Associate Agreements with appropriate safeguards.

Uses and Disclosures Requiring Your Authorization

  • Most uses of psychotherapy notes, marketing communications, and sale of PHI.
  • Any other use or disclosure not specifically permitted or required by law.

You may revoke an authorization in writing at any time, except to the extent we have already acted in reliance on it.

Data Security Measures

We implement layered administrative, technical, and physical safeguards consistent with the HIPAA Security Rule. Our controls are designed to prevent unauthorized access, reduce risk, and ensure the availability and integrity of PHI.


Technical Safeguards

  • Healthcare-grade encryption standards applied to data in transit and at rest to mitigate interception and theft.
  • Network segmentation, secure configurations, continuous vulnerability management, and timely patching.
  • Endpoint hardening, device encryption, and remote wipe for portable media and mobile devices.
  • Comprehensive logging, alerting, and audit trails to monitor access and detect anomalies.

Administrative and Physical Safeguards

Authorized Access Controls

We grant access to PHI based on role and legitimate business need. The goal is to limit exposure while enabling timely care and support for you.

  • Role-based access control with least-privilege assignments and periodic access reviews.
  • Strong authentication, including unique user IDs and multi-factor authentication where appropriate.
  • Session timeouts, device lock policies, and restrictions on copying, downloading, or exporting PHI.
  • Privileged access monitoring, separation of duties, and change management for systems that store or process PHI.
  • Vendor access confined to defined scopes under Business Associate Agreements and monitored connections.

Patient Rights Under HIPAA

You have important rights under HIPAA regarding access to your health data. We provide tools and support so you can exercise these rights in a timely and secure manner.

  • Right of Access: Obtain copies of your health information in paper or electronic form and direct it to a third party.
  • Right to Amend: Request corrections to information you believe is incomplete or inaccurate.
  • Right to an Accounting of Disclosures: Receive a list of certain disclosures we have made.
  • Right to Request Restrictions: Ask us to limit certain uses or disclosures, where feasible.
  • Right to Request Confidential Communications: Choose how and where we contact you.
  • Right to Receive a Notice of Privacy Practices: Understand how your information may be used and disclosed.

We verify identity before fulfilling requests and respond within applicable timeframes. If we deny a request, we explain the reason and how you may appeal or submit a statement of disagreement.

Reporting Privacy Concerns

We take privacy concerns seriously and maintain procedures for reporting privacy violations that encourage prompt reporting and protect you from retaliation. If you suspect misuse or unauthorized disclosure of PHI, report it immediately.

How to Report

  • Contact our Privacy Office with the date, time, and description of the concern, including affected individuals if known.
  • Use any available hotline or secure portal we provide, or submit a written report to our designated contact.
  • We will investigate, mitigate any harm, and, when required, notify you and regulators under applicable breach notification rules.

Conclusion

Protecting your PHI is central to our mission. Through robust safeguards aligned with the HIPAA Security Rule, careful adherence to PHI disclosure regulations, and ongoing training, we work to keep your health information private, secure, and available when you need it.

FAQs

What is a HIPAA compliance statement?

A HIPAA compliance statement explains how an organization protects PHI under the HIPAA Privacy Rule and HIPAA Security Rule. It summarizes governance, safeguards, PHI disclosure regulations, workforce responsibilities, and how patients can exercise their rights.

How is PHI protected under HIPAA?

HIPAA requires administrative, technical, and physical safeguards, including access controls, encryption standards for healthcare, audit logging, workforce training, and incident response. Organizations must apply the minimum necessary standard and verify identity before using or disclosing PHI.

Who can access protected health information?

Only authorized individuals with a legitimate need-to-know may access PHI, such as your care team, billing personnel, and operations staff. Business associates may access PHI solely to perform contracted services under a Business Associate Agreement, and others only with your valid authorization or as required by law.

What are patient rights regarding their health information under HIPAA?

You can access and obtain copies of your records, request amendments, receive an accounting of certain disclosures, request restrictions, and ask for confidential communications. You are also entitled to a Notice of Privacy Practices and may report concerns without fear of retaliation.
