HIPAA Compliance

As a Business Associate under HIPAA, VCom takes responsibility for protecting the confidentiality, integrity, and availability of all Protected Health Information (PHI) that we process on behalf of covered entities. We maintain comprehensive policies and procedures to ensure ongoing compliance with HIPAA Privacy, Security, and Breach Notification Rules.

• We execute Business Associate Agreements (BAAs) with all covered entity customers
• We maintain written HIPAA policies and procedures
• We conduct regular risk assessments and security audits
• We provide HIPAA training to all workforce members

We implement comprehensive administrative controls to protect PHI:

• Security Management: Documented security policies, regular risk analysis, and sanction policies for violations
• Workforce Security: Background checks, role-based access authorization, and termination procedures
• Information Access Management: Minimum necessary access policies and access authorization controls
• Security Awareness Training: Regular training programs covering PHI handling, security reminders, and incident reporting
• Contingency Planning: Data backup procedures, disaster recovery plans, and emergency mode operation plans

Our infrastructure is hosted on secure, HIPAA-compliant cloud platforms with robust physical security:

• SOC 2 Type II certified data centers
• 24/7 physical security monitoring and access controls
• Environmental controls including fire suppression and climate management
• Redundant power and network connectivity
• Secure media disposal procedures

We employ industry-leading technical security measures:

• Access Controls: Unique user identification, automatic logoff, and multi-factor authentication
• Audit Controls: Comprehensive logging of all system activity and access to PHI
• Integrity Controls: Mechanisms to authenticate PHI and detect unauthorized alterations
• Transmission Security: End-to-end encryption (TLS 1.3) for all data in transit
• Encryption at Rest: AES-256 encryption for all stored PHI

Our privacy practices align with HIPAA Privacy Rule requirements:

• PHI is only used and disclosed as permitted under HIPAA and as specified in our BAAs
• We implement the minimum necessary standard for all PHI access and disclosures
• We support patient rights including access, amendment, and accounting of disclosures
• We do not sell PHI or use it for marketing without authorization
• We maintain policies for handling requests for PHI restrictions

In the unlikely event of a security incident involving PHI:

• We maintain documented incident response procedures
• We will notify affected covered entities within the timeframes required by HIPAA
• We conduct thorough investigations to determine the scope and impact of any incident
• We implement corrective actions to prevent future occurrences
• We maintain documentation of all incidents and responses

We require Business Associate Agreements with all customers who are covered entities or business associates. Our BAA includes:

• Permitted uses and disclosures of PHI
• Safeguards we implement to protect PHI
• Breach notification obligations
• Requirements for subcontractors
• Termination provisions and PHI return/destruction

To request a BAA, please contact us at compliance@practicefront.com.

We maintain BAAs with all subcontractors who may have access to PHI, including:

• Cloud infrastructure providers
• Data backup and recovery services
• Security monitoring services

We carefully vet all subcontractors for HIPAA compliance and conduct ongoing due diligence.

We maintain our HIPAA compliance through:

• Annual security risk assessments
• Regular vulnerability scanning and penetration testing
• Continuous monitoring of security controls
• Periodic policy and procedure reviews
• Third-party security audits

For questions about our HIPAA compliance practices, to request a BAA, or to report a security concern, please contact our compliance team:

• Email: compliance@practicefront.com
• Security Concerns: security@practicefront.com