Last Updated: November 16, 2025

Our Commitment to HIPAA Compliance

Better Balance, Inc. ("Better Balance," "we," "us," or "our") is committed to maintaining the highest standards of security and privacy for Protected Health Information (PHI). As a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA), we have implemented comprehensive administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI.

This HIPAA Compliance page outlines our commitment to compliance with HIPAA regulations, including the Privacy Rule, Security Rule, and Breach Notification Rule, as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act.

1. HIPAA Overview

HIPAA is a federal law that establishes national standards for protecting the privacy and security of individually identifiable health information. Key components include:

  • Privacy Rule: Establishes standards for the use and disclosure of PHI
  • Security Rule: Establishes standards for protecting electronic PHI (ePHI)
  • Breach Notification Rule: Requires notification of breaches of unsecured PHI
  • HITECH Act: Strengthens HIPAA enforcement and extends requirements to Business Associates

2. Our Role as a Business Associate

Better Balance serves as a Business Associate to healthcare providers (Covered Entities) who use our Services. As a Business Associate, we:

  • Create, receive, maintain, or transmit PHI on behalf of Covered Entities
  • Execute Business Associate Agreements (BAAs) with all Covered Entity customers
  • Comply with applicable requirements of HIPAA and the HITECH Act
  • Ensure our subcontractors also comply with HIPAA requirements
  • Implement appropriate safeguards to protect PHI
  • Report security incidents and breaches as required by law

3. Business Associate Agreements (BAAs)

Before accessing our Services, all healthcare provider customers must execute a Business Associate Agreement with Better Balance. Our BAA:

  • Defines the permitted and required uses and disclosures of PHI
  • Establishes our obligations to implement appropriate safeguards
  • Requires us to report security incidents and breaches
  • Obligates us to make PHI available to individuals upon request
  • Requires us to return or destroy PHI upon termination of the relationship
  • Authorizes termination if we breach material terms of the BAA

Healthcare providers interested in our Services can request a BAA during the onboarding process.

4. Administrative Safeguards

We have implemented comprehensive administrative safeguards to protect PHI:

4.1 Security Management Process

  • Regular risk assessments to identify threats and vulnerabilities
  • Risk management strategies to reduce risks to acceptable levels
  • Sanction policies for workforce members who violate security policies
  • Information system activity review and monitoring

4.2 Workforce Security

  • Background checks and employment verification for all personnel
  • Confidentiality agreements signed by all employees and contractors
  • Role-based access controls limiting PHI access to authorized personnel only
  • Formal termination procedures to revoke access immediately upon departure

4.3 Training and Awareness

  • Mandatory HIPAA and security training for all workforce members
  • Annual refresher training and updates on policy changes
  • Regular security awareness communications and phishing simulations
  • Specialized training for incident response team members

4.4 Security Policies and Procedures

  • Comprehensive written policies and procedures for HIPAA compliance
  • Incident response and breach notification procedures
  • Business continuity and disaster recovery plans
  • Regular policy reviews and updates to address new threats and regulations

4.5 Business Associate Management

  • BAAs executed with all subcontractors who access PHI
  • Due diligence assessments of third-party security practices
  • Ongoing monitoring of subcontractor compliance

5. Physical Safeguards

We implement physical security measures to protect our facilities and equipment:

5.1 Facility Access Controls

  • Secure office facilities with controlled access (badge/key card systems)
  • Visitor management and sign-in procedures
  • 24/7 security monitoring and video surveillance
  • Secure disposal of physical media containing PHI

5.2 Workstation Security

  • Workstation use policies defining authorized access and usage
  • Automatic screen locks after periods of inactivity
  • Encrypted hard drives on all devices with PHI access
  • Prohibition of storing PHI on personal or non-encrypted devices

5.3 Data Center Security

  • HIPAA-compliant, SSAE 18 SOC 2 Type II certified data centers
  • Multi-factor physical access controls and biometric authentication
  • Environmental controls (fire suppression, climate control, power redundancy)
  • 24/7 security staff and video surveillance

6. Technical Safeguards

We employ robust technical safeguards to protect ePHI:

6.1 Access Control

  • Unique user IDs for each person with access to ePHI
  • Multi-factor authentication (MFA) required for all system access
  • Role-based access controls (RBAC) limiting access to minimum necessary PHI
  • Automatic logoff after periods of inactivity
  • Emergency access procedures for authorized personnel

6.2 Encryption

  • AES-256 encryption for data at rest
  • TLS 1.2 or higher for encryption of data in transit
  • Encrypted backups stored in geographically distributed locations
  • Encryption of PHI on all mobile devices and removable media

6.3 Audit Controls

  • Comprehensive audit logging of all system access and PHI activity
  • Regular review of audit logs to detect unauthorized access or anomalies
  • Tamper-proof audit trails with integrity verification
  • Retention of audit logs for a minimum of 6 years

6.4 Integrity Controls

  • Mechanisms to protect ePHI from improper alteration or destruction
  • Data validation and error-checking procedures
  • Version control and change tracking for PHI
  • Digital signatures to authenticate data integrity

6.5 Transmission Security

  • Encrypted connections (HTTPS/TLS) for all data transmissions
  • Secure APIs with authentication and authorization controls
  • Virtual Private Networks (VPNs) for remote access
  • Protection against man-in-the-middle and eavesdropping attacks

7. Breach Notification

In the event of a breach of unsecured PHI, we will:

  • Promptly investigate the incident to determine the scope and nature of the breach
  • Notify affected Covered Entities without unreasonable delay and no later than 60 days after discovery
  • Provide detailed information about the breach, including the date of discovery, a description of the PHI involved, identification of affected individuals (if known), steps taken to mitigate harm, and contact information
  • Cooperate with Covered Entities in meeting their breach notification obligations to affected individuals and the Department of Health and Human Services (HHS)
  • Take corrective action to prevent future breaches
  • Document all breaches and response activities

8. Patient Rights Under HIPAA

As a Business Associate, we support Covered Entities in fulfilling patients' rights under HIPAA:

  • Right to Access: We provide Covered Entities with PHI upon request to enable patient access
  • Right to Amend: We assist Covered Entities in amending inaccurate or incomplete PHI
  • Right to an Accounting of Disclosures: We maintain records of disclosures and provide information to Covered Entities upon request
  • Right to Request Restrictions: We cooperate with Covered Entities in honoring patient-requested restrictions on PHI use and disclosure
  • Right to Confidential Communications: We support alternative communication methods as directed by Covered Entities

Patients should contact their healthcare provider (the Covered Entity) to exercise these rights. We will cooperate with Covered Entities to fulfill these requests within the required timeframes.

9. Data Backup and Disaster Recovery

We maintain comprehensive business continuity and disaster recovery plans:

  • Automated daily encrypted backups stored in geographically distributed locations
  • Regular testing of backup and recovery procedures
  • Redundant systems and failover capabilities for high availability
  • Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) defined and tested
  • Documented disaster recovery procedures and emergency response plans
  • Annual disaster recovery drills and plan updates

10. Third-Party Security Assessments and Certifications

We undergo regular independent security assessments to validate our compliance:

  • Annual HIPAA security assessments by qualified independent auditors
  • SOC 2 Type II audits conducted by reputable third-party firms
  • Penetration testing and vulnerability assessments performed quarterly
  • Infrastructure hosted on HIPAA-compliant, certified cloud platforms
  • Regular review and validation of security controls against the NIST Cybersecurity Framework

Copies of our security certifications and audit reports are available to Covered Entity customers upon request and execution of appropriate non-disclosure agreements.

11. Continuous Improvement

We are committed to continuously improving our security and compliance posture:

  • Regular monitoring of emerging security threats and vulnerabilities
  • Participation in healthcare cybersecurity information sharing networks
  • Staying current with evolving HIPAA guidance and regulations
  • Implementing security updates and patches promptly
  • Soliciting feedback from customers and security experts
  • Investing in advanced security technologies and tools

12. Contact Our HIPAA Privacy Officer

If you have questions about our HIPAA compliance practices, wish to report a security incident, or need to request a Business Associate Agreement, please contact our HIPAA Privacy Officer:

Better Balance, Inc.

HIPAA Privacy Officer

Email: contact@betterbalance.co

For security incidents or suspected breaches, please contact us immediately at the email address above with "URGENT - Security Incident" in the subject line.

Disclaimer

This HIPAA Compliance page provides an overview of our commitment to HIPAA compliance and the safeguards we have implemented. It is not intended as legal advice or as a complete description of all our security measures. Healthcare providers should consult with their own legal counsel regarding their HIPAA obligations. For detailed information about our security practices, please contact us to request our comprehensive security documentation.