HIPAA Notice

01When HIPAA applies to our service

HIPAA applies when our customer is a covered entity (e.g., a Medicare Advantage plan) or another business associate, and PHI flows through the service. For independent agents and agencies that are not covered entities, HIPAA may not apply directly, but state privacy laws and CMS rules typically still do.

02Business Associate Agreements (BAA)

• ·A signed BAA is required before PHI is processed by the service.
• ·BAAs are available for FMOs and carrier customers on request.
• ·Our standard BAA addresses permitted uses, safeguards, subcontractor flow-down, breach notification, and termination obligations consistent with 45 CFR §§ 164.502, 164.504, 164.314, and 164.410.

03Permitted uses and disclosures of PHI

• ·To perform services described in the underlying agreement, including compliance, retention, and call-analysis features.
• ·For our own management, administration, and legal responsibilities.
• ·For data aggregation services as defined under 45 CFR § 164.501, only as expressly permitted by the BAA.
• ·For required by law disclosures (e.g., subpoenas, lawful court orders).
• ·We do not sell PHI and will not use PHI for marketing without specific authorization where required.

04Safeguards

• ·Encryption of PHI in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
• ·Role-based access controls and least-privilege provisioning.
• ·Detailed audit logging of PHI access and administrative activity.
• ·Workforce training on HIPAA Privacy and Security Rule requirements.
• ·Regular risk analysis and risk-management activities consistent with the Security Rule.
• ·Documented incident-response and contingency plans.

05Subcontractors

Subcontractors that may have access to PHI are bound by written agreements with restrictions and conditions at least as protective as those in our BAA with the covered entity. A current list of HIPAA-impacting subprocessors is available to customers on request.

06Breach notification

In the event of a Breach of Unsecured PHI, we will notify the affected covered entity or upstream business associate without unreasonable delay and in any event within the timeframe required by the BAA — and not later than 60 calendar days after discovery, consistent with 45 CFR § 164.410. Notification will include the information required by 45 CFR § 164.410(c) to the extent known.

07Beneficiary rights

Individuals seeking access, amendment, accounting of disclosures, or restrictions on the use of their PHI should contact the covered entity (typically the Medicare Advantage plan or provider organization). We will support covered-entity requests under the BAA.

08Minimum necessary

We follow the minimum-necessary standard for PHI access and disclosure under 45 CFR § 164.502(b), and configure the service so that workforce members access only the PHI required to perform their role.

09Retention and return or destruction

Upon termination of the underlying agreement, we will return or destroy PHI as required by the BAA, or, where return or destruction is not feasible, extend the protections of the BAA to the retained PHI and limit further use and disclosure to the purposes that make return or destruction infeasible.

10Questions or complaints

You may contact our HIPAA Privacy Officer using the email below. Individuals also have the right to file a complaint with the U.S. Department of Health & Human Services, Office for Civil Rights.