Security & HIPAA
How we handle your patients' data.
ABA billing means handling protected health information every day — minor patients, diagnoses, session notes, payer correspondence. Here's exactly how we protect it, in language you can share with your clinical team and your attorney.
Business Associate Agreements (BAAs)
Before any PHI moves between us, we sign a Business Associate Agreement. The BAA documents what we're allowed to do with your data, what we're required to safeguard, how we report incidents, and what happens when our engagement ends.
We also maintain downstream BAAs with the vendors in our stack that ever touch PHI (claims clearinghouse, EHR/practice-management integrations, cloud storage). You can request the list during onboarding.
Training, every year
Everyone on the team — US partners and supporting staff — completes HIPAA Privacy and Security training before they're given any access, and refreshes it annually. Training covers minimum-necessary use, secure handling of PHI, phishing/social engineering, and incident reporting.
We keep training records on file and can share completion certificates if your auditor or payer asks for them.
Least-privilege access, with MFA
Access to PHI is scoped to the specific accounts, payers, and tools each person needs to do their job — nothing more. Multi-factor authentication is enforced on every account that can reach PHI, with no exceptions for "just this one time."
When someone joins your account, we add them. When they roll off, access is revoked the same day and we confirm removal back to you.
Encryption in transit and at rest
Everything moves over TLS. Data sitting in our systems and our backups is encrypted at rest by default. We don't email unencrypted PHI; secure portals or your EHR are the only acceptable channels.
Audit logs on every PHI touch
Every time someone opens, edits, or exports a record, that action is logged — who, what, when, and from where. Logs are retained, reviewable, and used for both routine spot-checks and any incident investigation.
If you ever want to know who looked at a specific chart on a specific day, we can answer that question.
Incident response and breach notification
We maintain a written incident response plan: how we detect, contain, investigate, and document anything that looks like unauthorized access or a security event. The plan names who does what, on what timeline, and how we notify you.
If a breach affecting your PHI ever occurs, you'll hear from us promptly and in writing — well inside the HIPAA notification window — with the facts, the scope, and the remediation we've taken. You should never have to find out from somewhere else first.
Questions, audits, or BAA requests
If you'd like to review our BAA template, ask about specific safeguards, or run a vendor security review before signing, email billing4aba@gmail.com. We'll send what you need.
Ready to talk through your specific setup?
We'll walk through your current safeguards on a free billing review and flag anything that needs attention.
Book a free billing review