HIPAA Statement

Last Updated: May 1, 2025

Auditable.cloud is fully compliant with the Health Insurance Portability and Accountability Act (HIPAA) and maintains rigorous security measures to protect your sensitive healthcare information.

Our Commitment to HIPAA Compliance

At Auditable.cloud, we understand the critical importance of protecting Protected Health Information (PHI) and maintaining compliance with healthcare regulations. Our platform is specifically designed to help insurance agents and healthcare organizations meet their HIPAA obligations while efficiently managing their operations.

This statement outlines our approach to HIPAA compliance and the measures we take to protect PHI across all our services: calls.guru, ptc.guru, soa.guru, and intakeIQ.app.

Business Associate Agreement

As a provider of services that may involve the creation, receipt, maintenance, or transmission of PHI, we function as a Business Associate under HIPAA. We enter into Business Associate Agreements (BAAs) with Covered Entities and other Business Associates who use our platform.

Our BAA addresses all requirements specified by HIPAA, including:

  • Permitted and required uses and disclosures of PHI
  • Prohibitions on unauthorized uses or disclosures
  • Implementation of appropriate safeguards
  • Reporting obligations for security incidents and breaches
  • Obligations to mitigate harmful effects of violations
  • Compliance with the HIPAA Privacy Rule
  • Provisions for termination and return or destruction of PHI

To request a BAA, please contact our compliance team at hipaa@auditable.cloud.

Technical Safeguards

We implement comprehensive technical safeguards to protect PHI in accordance with the HIPAA Security Rule:

  • Encryption: All PHI is encrypted both in transit (using TLS 1.3) and at rest (using AES-256 encryption).
  • Access Controls: We employ role-based access controls, multi-factor authentication, and automatic session timeouts to ensure only authorized users can access PHI.
  • Audit Controls: Our platform maintains detailed audit logs of all user activities related to PHI, including access, modification, and transmission.
  • Integrity Controls: We use checksums and other mechanisms to ensure that PHI is not improperly altered or destroyed.
  • Transmission Security: All data transmissions containing PHI are encrypted and protected against unauthorized access.
  • Secure Development: Our software development lifecycle incorporates security at every stage, including regular code reviews and security testing.

Physical Safeguards

We maintain physical safeguards to protect our systems and the PHI they contain:

  • Secure Data Centers: Our infrastructure is hosted in SOC 2 Type II certified data centers with 24/7 security, environmental controls, and redundant power systems.
  • Facility Access Controls: Physical access to our offices and equipment is restricted to authorized personnel.
  • Workstation Security: All workstations used to access PHI are secured with disk encryption, automatic screen locks, and anti-malware protection.
  • Device and Media Controls: We maintain strict procedures for the receipt and removal of hardware and electronic media containing PHI.

Administrative Safeguards

Our administrative safeguards include:

  • Security Management Process: We conduct regular risk assessments and implement security measures to reduce risks and vulnerabilities to PHI.
  • Security Personnel: We have designated a HIPAA Compliance Officer responsible for developing and implementing our security policies and procedures.
  • Information Access Management: We have established procedures for authorizing access to PHI and regularly review access privileges.
  • Workforce Training: All employees receive comprehensive HIPAA training upon hiring and annually thereafter.
  • Contingency Planning: We maintain data backup, disaster recovery, and emergency mode operation plans to ensure the availability of PHI during emergencies.
  • Evaluation: We regularly evaluate our security measures to ensure they remain effective in protecting PHI.

Breach Notification

In the unlikely event of a breach of unsecured PHI, we have established procedures to comply with HIPAA's Breach Notification Rule:

  • Prompt notification to affected Covered Entities or Business Associates following the discovery of a breach
  • Assistance to Covered Entities in notifying affected individuals, the Secretary of HHS, and, when appropriate, the media
  • Thorough documentation of breach investigations and risk assessments
  • Implementation of measures to mitigate harm and prevent future breaches

Compliance Validation

To validate our HIPAA compliance, we engage in regular third-party assessments and certifications:

  • Annual HIPAA security risk assessments conducted by independent auditors
  • Regular penetration testing and vulnerability assessments
  • SOC 2 Type II audits covering security, availability, and confidentiality
  • Compliance with the NIST Cybersecurity Framework

Documentation of these assessments is available to customers upon request, subject to confidentiality requirements.

Service-Specific Compliance Measures

Each of our services incorporates specific HIPAA compliance features:

calls.guru (HIPAA Call Storage)

  • Encrypted storage of all call recordings
  • Detailed access logs for all recording retrievals
  • Configurable retention periods to meet regulatory requirements
  • Secure playback with authentication controls

ptc.guru (Permission-to-Contact Tracking)

  • Secure documentation of consent for marketing communications
  • Automated expiration tracking and notifications
  • Audit-ready documentation of all permission events
  • Integration with call recordings for verbal consent verification

soa.guru (Scope-of-Appointment Compliance)

  • CMS-compliant SOA documentation
  • Secure storage of signed SOA forms
  • Verification workflows to ensure compliance
  • Comprehensive audit trails for regulatory reviews

intakeIQ.app (Digital HIPAA Forms)

  • HIPAA-compliant digital forms with secure electronic signatures
  • Encrypted transmission and storage of form data
  • Granular access controls for form viewing and management
  • Secure client portal for form completion

Your Responsibilities

While we provide a HIPAA-compliant platform, our customers also have responsibilities in maintaining HIPAA compliance:

  • Ensuring proper user access management within your organization
  • Obtaining appropriate consents and authorizations from individuals
  • Using the platform in accordance with your privacy policies and procedures
  • Promptly reporting any suspected security incidents or breaches
  • Maintaining your own HIPAA compliance program

We provide resources and guidance to help you fulfill these responsibilities, but ultimate compliance remains a shared obligation.

Contact Our Compliance Team

If you have questions about our HIPAA compliance program or need assistance with compliance matters, please contact our dedicated compliance team:

Email: hipaa@auditable.cloud
Phone: (555) 123-4567 ext. 2

This HIPAA Statement is not intended to be a comprehensive description of all our HIPAA compliance measures. For detailed information, please contact our compliance team or refer to your Business Associate Agreement.