ASP-RCM Compliance
HIPAA Compliance & Business Associate Agreement
ASP-RCM Solutions operates as a HIPAA Business Associate. We sign a BAA with every client before any PHI is exchanged. This page summarizes our program; the contract governs.
Our role under HIPAA
When a covered entity (your practice, hospital, or clinic) engages ASP-RCM for revenue cycle services, we act as a Business Associate under 45 CFR §160.103. That means we handle Protected Health Information on your behalf (to bill claims, post payments, work AR, manage credentialing, and report on performance), and we are directly liable to HHS for HIPAA Privacy and Security Rule compliance.
Business Associate Agreement (BAA)
A signed BAA is a precondition of every client engagement that involves PHI. Our standard BAA covers all required elements under 45 CFR §164.504(e):
- Permitted and required uses and disclosures of PHI
- Prohibitions on use or disclosure beyond what's contracted or required by law
- Safeguard requirements (administrative, physical, technical) that meet the Security Rule
- Breach notification obligations and timelines
- Subcontractor flow-down (we sign BAAs with every subprocessor that touches PHI)
- Rights of access, amendment, and accounting of disclosures on individuals' behalf
- Return or destruction of PHI at contract termination
We accept your BAA template or provide ours. Either path closes in days, not weeks.
Privacy Rule controls
- Minimum necessary. Workforce members access only the PHI required for the specific task. Role-based access enforced in every system.
- Authorization tracking. Disclosures outside of TPO (treatment, payment, operations) require your written authorization, logged in our case file.
- Patient rights support. Access requests, amendment requests, and accountings of disclosures routed to your designated Privacy Officer within 24 business hours.
Security Rule controls
Full administrative, physical, and technical safeguards under 45 CFR §164.308–§164.312:
- Encryption. AES-256 at rest. TLS 1.2+ in transit. No PHI ever transits unencrypted email.
- Access control. Unique user IDs, MFA on all PHI systems, automatic logoff, role-based authorization.
- Audit controls. Every read, write, export, and login logged. Logs retained 6+ years and reviewed for anomalies.
- Integrity controls. Hash verification, write-once audit logs, change-management gates on production systems.
- Transmission security. SFTP or direct EDI clearinghouse for 837/835 traffic. No PHI over public messaging.
- Workforce training. HIPAA training at hire and annually. Role-specific refreshers for billing, coding, and credentialing teams.
- Incident response. 24/7 SOC, documented IR runbooks, annual tabletop exercises.
Breach notification
If we discover a breach of unsecured PHI, we notify the affected covered entity within 5 business days of discovery, well inside the 60-day Privacy Rule maximum. Notification includes scope, individuals affected, the PHI involved, and the remediation steps in motion. We support your downstream notifications to individuals, HHS, and (where applicable) media.
Subprocessors and HITECH flow-down
Any subcontractor that creates, receives, maintains, or transmits PHI on our behalf signs a BAA with the same requirements as our agreement with you. Our current subprocessor list is published at /subprocessors and updated when it changes.
Certifications underpinning our HIPAA program
- SOC 2 Type 2: annual audit, all five Trust Services Criteria.
- ISO 27001:2013: certified ISMS, surveillance audits.
- HITECH: Subtitle D Privacy and Security provisions in scope.
- HITRUST CSF: assessment in progress; target completion noted on /security.
Requesting our BAA, or asking questions
To request a copy of our standard BAA, our latest SOC 2 Type 2 report, or our HIPAA Security Risk Analysis summary, email [email protected]. PHI must never be sent in the body of an email; use the secure portal we'll provision during onboarding.
This page is a summary of our HIPAA program for prospective and current clients. It is not legal advice and does not modify any executed BAA between ASP-RCM Solutions and your organization. The BAA controls.