HIPAA Compliance

Last Updated: 7/9/2025

Our Commitment to HIPAA Compliance

Patient XP is fully committed to maintaining the highest standards of privacy and security for protected health information (PHI). We comply with all applicable requirements of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, including the Privacy Rule, Security Rule, and Breach Notification Rule.

What is HIPAA?

HIPAA is a federal law that establishes national standards to protect patients' medical records and other personal health information. It applies to health plans, healthcare clearinghouses, and healthcare providers that conduct certain healthcare transactions electronically.

Administrative Safeguards

We implement comprehensive administrative safeguards including:

  • Designation of a HIPAA Security Officer and Privacy Officer
  • Regular workforce training on HIPAA requirements
  • Access management procedures and controls
  • Workforce clearance procedures and background checks
  • Regular risk assessments and management
  • Business Associate Agreements (BAAs) with all vendors
  • Incident response and breach notification procedures
  • Contingency planning and data backup procedures

Physical Safeguards

Our physical safeguards protect against unauthorized physical access:

  • Facility access controls with badge systems
  • Workstation security policies
  • Device and media controls
  • Secure disposal of PHI and electronic media
  • 24/7 monitoring of data center facilities
  • Environmental controls in server locations

Technical Safeguards

We employ state-of-the-art technical safeguards:

  • Unique user identification and strong password requirements
  • Automatic logoff and session timeout features
  • Encryption of PHI at rest and in transit (AES-256)
  • Audit logs and monitoring systems
  • Integrity controls to ensure PHI is not improperly altered
  • Transmission security using the TLS 1.3 protocol
  • Multi-factor authentication (MFA) for all users
  • Regular security patches and updates

Patient Rights Under HIPAA

As a patient, you have the following rights regarding your PHI:

  • Right to Access: Request copies of your health records
  • Right to Amend: Request corrections to your health information
  • Right to an Accounting: Request a list of disclosures of your PHI
  • Right to Request Restrictions: Limit how we use or share your PHI
  • Right to Confidential Communications: Choose how we contact you
  • Right to a Paper Copy: Receive a paper copy of our Notice of Privacy Practices
  • Right to File a Complaint: File a complaint if you believe your rights have been violated

Breach Notification

In the unlikely event of a breach of unsecured PHI, we will:

  • Notify affected individuals within 60 days of discovery
  • Provide details about what happened and what information was involved
  • Describe steps we are taking to investigate and mitigate harm
  • Provide contact information for questions and concerns
  • Notify the Department of Health and Human Services
  • Notify prominent media outlets for breaches affecting 500+ individuals

Third-Party Compliance

All third-party vendors and business associates who handle PHI on our behalf are required to:

  • Sign Business Associate Agreements (BAAs)
  • Implement appropriate safeguards for PHI
  • Report any breaches or security incidents
  • Ensure their subcontractors also comply with HIPAA
  • Allow for audits and assessments of their practices

Regular Audits and Assessments

We conduct regular compliance activities including:

  • Annual HIPAA risk assessments
  • Quarterly security audits
  • Penetration testing by third-party security firms
  • Regular review and update of policies and procedures
  • Ongoing monitoring of access logs and system activity

Questions or Complaints

If you have questions about our HIPAA compliance or wish to file a complaint:

Patient XP HIPAA Compliance Officer

Email: hipaa@patientxp.org

Phone: 1-800-XXX-XXXX

Address: [Your Address]

You may also file a complaint with the U.S. Department of Health and Human Services:

Office for Civil Rights

U.S. Department of Health and Human Services

Website: www.hhs.gov/ocr

Phone: 1-877-696-6775

Certifications and Compliance

Patient XP maintains current certifications and undergoes regular third-party audits to ensure ongoing HIPAA compliance. Our infrastructure providers are also HIPAA compliant and maintain appropriate certifications including SOC 2 Type II and ISO 27001.