HIPAA Statement
Clinic Connect is committed to protecting the privacy and security of your patients' health information in full compliance with HIPAA regulations.
1. Our HIPAA Commitment
Clinic Connect, Inc. ("Clinic Connect," "we," "us," or "our") is committed to maintaining the privacy and security of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and its implementing regulations.
As a Business Associate under HIPAA, we understand our responsibilities in handling PHI and have implemented comprehensive administrative, physical, and technical safeguards to protect this sensitive information.
2. Business Associate Agreement
When you use Clinic Connect's services, we enter into a Business Associate Agreement (BAA) with your covered entity. This agreement establishes:
- Our permitted uses and disclosures of PHI
- Our obligations to safeguard PHI
- Requirements for reporting security incidents
- Procedures for returning or destroying PHI upon termination
- Compliance monitoring and audit requirements
3. Administrative Safeguards
We have implemented comprehensive administrative safeguards to protect PHI:
3.1 Security Officer
We have designated a Security Officer responsible for developing and implementing our security policies and procedures.
3.2 Workforce Training
All employees receive mandatory HIPAA training upon hire and annual refresher training. We maintain records of all training activities.
3.3 Access Management
We implement procedures to authorize access to PHI based on job responsibilities and the principle of minimum necessary access.
3.4 Incident Response
We have established procedures to identify, respond to, and document security incidents, including potential breaches of PHI.
4. Physical Safeguards
Our physical safeguards protect PHI from unauthorized physical access:
- Facility Access Controls: Restricted access to data centers with biometric authentication
- Workstation Use: Policies governing the proper use of workstations accessing PHI
- Device Controls: Procedures for receipt and removal of hardware and media containing PHI
- Environmental Controls: Protection against environmental hazards and unauthorized access
5. Technical Safeguards
We employ robust technical safeguards to protect electronic PHI (ePHI):
5.1 Access Control
- Unique user identification for each user
- Multi-factor authentication requirements
- Role-based access controls
- Automatic logoff procedures
5.2 Audit Controls
We maintain comprehensive audit logs that record all access to and modifications of ePHI, including user identity, time stamps, and actions performed.
5.3 Integrity
We implement controls to ensure ePHI is not improperly altered or destroyed, including checksums and version control systems.
5.4 Transmission Security
All ePHI transmission is protected with TLS 1.3 to prevent unauthorized access or tampering while data is in transit.
6. Encryption and Data Protection
We implement comprehensive encryption measures to protect PHI:
- Data at Rest: AES-256 encryption for all stored PHI
- Data in Transit: TLS 1.3 encryption for all data transmission
- Database Encryption: Encrypted database storage with secure key management
- Backup Encryption: All backup data is encrypted using the same standards
7. Risk Assessment and Management
We conduct regular risk assessments to identify potential threats to PHI and implement appropriate safeguards:
- Annual comprehensive risk assessments
- Quarterly security vulnerability scans
- Penetration testing by third-party security firms
- Continuous monitoring of security controls
- Regular updates to security policies and procedures
8. Breach Notification Procedures
In the unlikely event of a security incident involving PHI, we have established procedures to:
- Immediately investigate and contain the incident
- Assess the scope and impact of the breach
- Notify affected covered entities without unreasonable delay, and no later than 60 calendar days after discovery of the breach, as required by the HIPAA Breach Notification Rule
- Provide detailed incident reports and remediation plans
- Implement additional safeguards to prevent future incidents
9. Third-Party Vendors and Subcontractors
When we engage third-party vendors who may have access to PHI, we ensure they meet our strict security standards:
- Execution of Business Associate Agreements with all subcontractors
- Due diligence reviews of vendor security practices
- Regular monitoring and auditing of vendor compliance
- Requirement for equivalent security safeguards
10. Data Retention and Disposal
We maintain PHI only as long as necessary to provide our services and comply with legal requirements:
- PHI retention periods align with healthcare record retention requirements
- Secure deletion procedures ensure PHI cannot be recovered
- Certificate of destruction provided upon data disposal
- Media sanitization follows NIST SP 800-88 (Guidelines for Media Sanitization)
11. Compliance Monitoring and Auditing
We maintain ongoing compliance through:
- Regular internal security audits
- Annual third-party HIPAA compliance assessments
- SOC 2 Type II audits of our security controls
- Continuous monitoring of access logs and system activities
- Regular policy reviews and updates
12. Patient Rights
While patients' HIPAA rights are primarily exercised through their healthcare providers, we support covered entities in honoring these rights, including:
- Right of access to their PHI
- Right to request amendments to their PHI
- Right to an accounting of disclosures
- Right to request restrictions on use and disclosure
13. Updates to This Statement
We may update this HIPAA Statement to reflect changes in our practices or applicable regulations. We will provide notice of material changes to covered entities and post updates on our website.