Compliance · HIPAA Privacy & Security

HIPAA Notice.

How AllMedex safeguards protected health information (PHI) when acting as a Business Associate to healthcare providers and practices — including the administrative, physical, and technical safeguards we apply.

AllMedex is committed to protecting the privacy and security of protected health information (“PHI“) entrusted to us by the healthcare providers and practices we serve. As a Business Associate under HIPAA, as amended by the HITECH Act and the Omnibus Rule, we follow strict standards for handling PHI.

EXPLORE OUR SERVICES

Two pillars. One accountable partner.

Privacy by default

PHI used only as needed to perform contracted services.

Security at every layer

Administrative, physical, and technical safeguards end-to-end.

Accountability

Signed BAAs, ongoing training, and a designated Privacy Officer.

1 . The six pain points killing your margins

Healthcare practices trust us with sensitive patient information every day. We treat that trust as the foundation of our business. Our HIPAA program is built around three principles:

  • Privacy by default — PHI is used and disclosed only as necessary to perform the services in our agreements, or as otherwise permitted or required by law.
  • Security at every layer — administrative, physical, and technical safeguards protect PHI throughout its lifecycle.
  • Accountability — documented policies, signed BAAs, ongoing training, vendor oversight, and a designated Privacy Officer responsible for compliance.

2 . Our role under HIPAA

HIPAA distinguishes between two main categories of regulated entities:

  • Covered Entities — healthcare providers, health plans, and clearinghouses that create or maintain PHI in the ordinary course of providing healthcare.
  • Business Associates — organizations that perform functions or services on behalf of a Covered Entity that involve the use or disclosure of PHI.

AllMedex is typically a Business Associate. When we provide medical billing, credentialing, payer enrollment, or revenue cycle management services, we operate under a written Business Associate Agreement (BAA) with each Covered Entity.

3 . What is PHI

Protected health information includes any individually identifiable health information transmitted or maintained in any form. Examples we routinely handle include:

  • Patient demographic information (name, date of birth, address, contact information)
  • Insurance and subscriber information
  • Diagnoses, procedure codes, and treatment information necessary for billing
  • Claim, payment, and remittance information
  • Authorization, eligibility, and benefits information
  • Provider and practice identifiers (NPI, taxonomy, license, DEA)

4 . Permitted uses & disclosures

We use and disclose PHI only as necessary to perform the services described in our agreement, or as otherwise permitted or required by law. Common permitted purposes include:

  • Treatment, payment, and healthcare operations — submitting claims, posting payments, working denials, and supporting day-to-day RCM activities.
  • Required by law — disclosures mandated by federal, state, or local law, court order, or lawful subpoena.
  • Our own management and administration — limited internal uses such as quality assurance, training, and auditing.
  • To subcontractors — only where bound by a written agreement requiring at least the same protections.

We do not sell PHI. We do not use or disclose PHI for marketing without authorization. We do not use PHI to train external machine learning or AI models.

5 . Minimum necessary

When using or disclosing PHI, we apply the minimum necessary standard: only the information reasonably needed to accomplish the intended purpose is accessed, used, or shared. Our access controls, role definitions, and workflow design are built around this principle.

6 . Safeguards we maintain

We implement administrative, physical, and technical safeguards in line with the HIPAA Security Rule.

Administrative safeguards

  • Designated Privacy Officer and Security Officer
  • Documented HIPAA Privacy and Security policies and procedures
  • Risk analysis and risk management program with documented mitigation
  • Workforce screening, onboarding, sanction policy, and termination procedures
  • Incident response and disaster recovery plans, tested periodically
  • Vendor risk reviews and signed Business Associate Agreements

Physical safeguards

  • Restricted access to facilities and workstations handling PHI
  • Clean-desk policy and secure storage of any printed materials
  • Secure disposal of paper and media containing PHI
  • Workstation use policies governing acceptable handling of PHI

Technical safeguards

  • Unique user IDs, role-based access controls, and least-privilege provisioning
  • Multi-factor authentication for systems containing PHI
  • Encryption of PHI in transit (TLS) and at rest where supported
  • Audit logging and monitoring of access to PHI
  • Automatic session timeouts and access reviews
  • Endpoint protection, patching, and configuration baselines

7 . Workforce training

Every member of our workforce who may come into contact with PHI completes HIPAA Privacy and Security training as part of onboarding and refreshes that training periodically. Training covers permitted uses and disclosures, minimum necessary, secure handling of PHI, password and device hygiene, social engineering, and incident reporting. Workforce members are bound by confidentiality agreements and a documented sanction policy.

8 . Subcontractors

Healthcare practices trust us with sensitive patient information every day. We treat that trust as the foundation of our business. Our HIPAA program is built around three principles:

  • Privacy by default — PHI is used and disclosed only as necessary to perform the services in our agreements, or as otherwise permitted or required by law.
  • Security at every layer — administrative, physical, and technical safeguards protect PHI throughout its lifecycle.
  • Accountability — documented policies, signed BAAs, ongoing training, vendor oversight, and a designated Privacy Officer responsible for compliance.

9 . Breach notification

In the event of a confirmed or suspected breach of unsecured PHI, AllMedex will:

  • Promptly investigate, contain, and document the incident
  • Notify the affected Covered Entity in accordance with the BAA and HIPAA Breach Notification Rule timelines
  • Provide the information needed for the Covered Entity to fulfill its own notification obligations
  • Cooperate with reasonable mitigation, remediation, and audit activity

In the event of a confirmed or suspected breach of unsecured PHI, AllMedex will:

  • Promptly investigate, contain, and document the incident
  • Notify the affected Covered Entity in accordance with the BAA and HIPAA Breach Notification Rule timelines
  • Provide the information needed for the Covered Entity to fulfill its own notification obligations
  • Cooperate with reasonable mitigation, remediation, and audit activity

Suspect a security or privacy incident involving PHI we handle?

Contact our Privacy Officer immediately using the details below.

10 . Patient rights

HIPAA gives patients several rights regarding their PHI. These rights are exercised through the Covered Entity (your healthcare provider or practice), which is the legal custodian of the medical record. These generally include:

  • Right to access and obtain a copy of PHI in a designated record set
  • Right to request an amendment to PHI believed to be inaccurate or incomplete
  • Right to an accounting of certain disclosures of PHI
  • Right to request restrictions on certain uses and disclosures
  • Right to request confidential communications by alternative means or location
  • Right to receive a paper copy of the Notice of Privacy Practices on request
  • Right to file a complaint without fear of retaliation

Contact our Privacy Officer

For HIPAA questions, BAA requests, audit support, or to report a privacy or security concern: