HIPAA Compliance
AssistCare is committed to protecting the privacy and security of Protected Health Information (PHI) in accordance with HIPAA regulations.
Last Updated: January 12, 2026
HIPAA Compliant
SOC 2 Type II Certified
256-bit Encryption
Annual Security Audits
AssistCare maintains full compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, Security Rule, and Breach Notification Rule.
1. HIPAA Overview
The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for the
protection of sensitive patient health information. As a healthcare technology provider, AssistCare is
classified as a Business Associate and adheres to all applicable HIPAA requirements.
Key HIPAA Rules We Follow
Privacy Rule: Establishes standards for the protection of individuals' medical records and personal health information
Security Rule: Sets standards for protecting electronic PHI (ePHI) through administrative, physical, and technical safeguards
Breach Notification Rule: Requires notification following a breach of unsecured PHI
Enforcement Rule: Contains provisions relating to compliance and investigations
2. Our Commitment to Compliance
AssistCare is deeply committed to maintaining the highest standards of HIPAA compliance. We understand
that healthcare organizations trust us with their most sensitive data, and we take that responsibility seriously.
Our Compliance Commitments
Maintain comprehensive HIPAA policies and procedures
Conduct annual risk assessments and security audits
Provide ongoing HIPAA training to all employees
Implement industry-leading security controls
Execute Business Associate Agreements with all covered entities
Maintain detailed documentation of all compliance activities
Continuously monitor and improve our security posture
Respond promptly to any security incidents or breaches
3. Security Safeguards
HIPAA requires three types of safeguards to protect PHI: administrative, physical, and technical.
AssistCare implements comprehensive controls in all three categories.
Administrative Safeguards
Policies, procedures, and workforce training programs that manage the selection, development, and maintenance of security measures.
Physical Safeguards
Physical measures, policies, and procedures to protect electronic systems and buildings from natural and environmental hazards and unauthorized access.
Technical Safeguards
Technology and related policies that protect ePHI and control access to it, including encryption, access controls, and audit controls.
Specific Security Measures
Risk Analysis: Regular comprehensive risk assessments to identify vulnerabilities
Workforce Security: Background checks and security clearance for all employees
Information Access Management: Role-based access controls and least privilege principles
Security Awareness Training: Mandatory annual HIPAA training for all staff
Security Incident Procedures: Documented incident response and management plans
Contingency Planning: Data backup, disaster recovery, and emergency mode procedures
4. Protected Health Information (PHI) Handling
We implement strict controls over how PHI is collected, stored, transmitted, and disposed of throughout
its lifecycle in our systems.
What Constitutes PHI?
Protected Health Information includes any individually identifiable health information, such as:
Patient names, addresses, and contact information
Social Security numbers and medical record numbers
Dates of birth, admission, discharge, and death
Health conditions, diagnoses, and treatment information
Insurance and billing information
Photos and biometric identifiers
PHI Lifecycle Management
Collection: PHI is collected only as necessary for treatment, payment, or healthcare operations
Storage: All PHI is stored in encrypted databases with strict access controls
Transmission: PHI is transmitted only over encrypted channels (TLS 1.2+)
Use: PHI is used only for its intended purpose with minimum necessary standards
Disclosure: PHI is disclosed only as permitted by HIPAA or with patient authorization
Disposal: PHI is securely destroyed when no longer needed using approved methods
5. Access Controls
AssistCare implements robust access control mechanisms to ensure that only authorized individuals
can access PHI, and only to the extent necessary for their job functions.
Access Control Features
Unique User Identification: Every user has a unique identifier for tracking and accountability
Role-Based Access Control (RBAC): Access permissions based on job function and need-to-know
Multi-Factor Authentication (MFA): Required for all users accessing PHI
Automatic Session Timeout: Sessions automatically terminate after periods of inactivity
Emergency Access Procedures: Documented procedures for accessing PHI in emergencies
Password Requirements: Strong password policies with regular rotation requirements
Account Lockout: Automatic lockout after failed login attempts
6. Data Encryption
Encryption is a cornerstone of our security strategy. We employ industry-standard encryption
to protect PHI both at rest and in transit.
Encryption Standards
Data at Rest: AES-256 encryption for all stored PHI
Data in Transit: TLS 1.2 or higher for all data transmission
Database Encryption: Transparent Data Encryption (TDE) for database files
Backup Encryption: All backups are encrypted using the same standards
Key Management: Hardware Security Modules (HSMs) for encryption key storage
End-to-End Encryption: Available for sensitive communications
7. Audit Trails & Logging
Comprehensive audit logging enables us to track all access to and modifications of PHI,
supporting both security monitoring and compliance verification.
What We Log
User login and logout events
All access to PHI (view, create, modify, delete)
Failed access attempts
Changes to user permissions
System configuration changes
Data exports and downloads
Security-relevant events
Audit logs are retained for a minimum of six years as required by HIPAA. Logs are protected
against tampering and unauthorized access, and are regularly reviewed for suspicious activity.
8. Business Associate Agreements
As a Business Associate, AssistCare enters into Business Associate Agreements (BAAs) with all
Covered Entities we serve. These agreements establish our obligations for protecting PHI.
Our BAA Commitments
Use and disclose PHI only as permitted by the agreement and HIPAA
Implement appropriate safeguards to protect PHI
Report any security incidents or breaches
Ensure subcontractors agree to the same obligations
Make PHI available for individual access requests
Make PHI available for amendments when appropriate
Provide accounting of disclosures when required
Return or destroy PHI upon termination of the agreement
To request a BAA or if you have questions about our Business Associate relationships,
please contact our compliance team.
9. Breach Notification Procedures
In the unlikely event of a security breach involving PHI, AssistCare follows strict
notification procedures as required by the HIPAA Breach Notification Rule.
A breach is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted by HIPAA that compromises the security or privacy of the PHI.
Breach Response Timeline
Immediate - Discovery & Containment
Identify and contain the breach, preserve evidence, and begin investigation.
Within 24 Hours - Initial Assessment
Conduct preliminary risk assessment and notify internal stakeholders.
Within 60 Days - Covered Entity Notification
Notify affected Covered Entities with breach details and remediation steps.
Ongoing - Remediation & Prevention
Implement corrective actions and update security measures to prevent recurrence.
10. Employee Training & Awareness
All AssistCare employees receive comprehensive HIPAA training as part of our commitment
to maintaining a culture of compliance and security awareness.
Training Program Components
New Hire Training: Comprehensive HIPAA training during onboarding
Annual Refresher Training: Mandatory yearly training for all employees
Role-Specific Training: Additional training based on job function and PHI access
Security Awareness: Regular communications about security best practices
Phishing Simulations: Periodic tests to assess and improve awareness
Incident Response Training: Training on recognizing and reporting security incidents
Policy Updates: Training on new policies and regulatory changes
11. Your Responsibilities
While AssistCare implements robust security measures, HIPAA compliance is a shared responsibility.
As a user of our platform, you also have obligations to protect PHI.
User Responsibilities
Protect your login credentials and never share passwords
Use strong, unique passwords and enable multi-factor authentication
Access PHI only when necessary for your job duties
Log out of sessions when not in use
Report any suspected security incidents immediately
Follow your organization's HIPAA policies and procedures
Complete all required HIPAA training
Use secure networks when accessing PHI
Never access PHI from public or unsecured computers
12. Contact Our Compliance Team
If you have questions about our HIPAA compliance program, need to request a Business Associate
Agreement, or want to report a security concern, please contact our dedicated compliance team.
HIPAA Compliance Office
Our compliance team is available to assist with any HIPAA-related questions or concerns.