info@orbixrcm.com +1 (302) 260-6496 Mon - Fri: 9:00 AM - 6:00 PM EST

Privacy Policy & HIPAA Compliance

Your data security and privacy are our highest priority. Learn about our comprehensive protection practices.

Last Updated: March 2026 | Version 2.0

1. HIPAA Compliance & Commitment

OrbixRCM is fully committed to compliance with the Health Insurance Portability and Accountability Act (HIPAA) and all regulations set forth by the U.S. Department of Health and Human Services (HHS). We recognize that the protection of Protected Health Information (PHI) is not just a legal requirement but a fundamental ethical obligation to our clients and their patients.

We implement and maintain strict physical, technical, and administrative safeguards designed to ensure the confidentiality, integrity, and availability of all Protected Health Information (PHI) entrusted to us. Our organization has established comprehensive privacy and security policies that exceed minimum HIPAA requirements.

HIPAA Certified Operations

All OrbixRCM operations are designed, implemented, and maintained in full compliance with HIPAA Privacy Rule, Security Rule, and Breach Notification Rule requirements.

2. Information We Collect

OrbixRCM collects only the minimum necessary information required to deliver our medical billing and revenue cycle management services. We do not collect unnecessary personal data and maintain strict limits on data collection.

Types of Information Collected:

  • Provider Information: NPI (National Provider Identifier), Tax ID, license numbers, credentials, and practice demographics
  • Patient Demographics: Name, date of birth, address, contact information, and insurance details
  • Clinical Information: Diagnosis codes, procedure codes, and treatment dates necessary for billing purposes only
  • Insurance Information: Policy numbers, group numbers, coverage details, and claim submission details
  • Financial Data: Payment information, claim amounts, and reimbursement records

All information is collected only from authorized representatives of medical practices with whom we have signed Business Associate Agreements (BAAs). We do not collect information directly from patients, and patients' information is never used for purposes other than claims processing and billing.

3. Data Security & Protection Measures

OrbixRCM employs industry-leading security measures to protect all data from unauthorized access, modification, or destruction. Our security architecture is designed to prevent breaches and respond immediately to any security incidents.

Technical Safeguards:

  • Encryption: All data at rest and in transit protected with AES-256 encryption
  • Secure Servers: HIPAA-compliant cloud infrastructure with redundancy and backup systems
  • Firewalls & Intrusion Detection: Multi-layer network protection with continuous monitoring
  • Access Controls: Role-based access control (RBAC) with multi-factor authentication
  • Audit Logs: Comprehensive logging of all system access and data modifications

Administrative Safeguards:

  • Employee Training: Annual HIPAA privacy and security training for all staff
  • Access Restrictions: PHI access limited to authorized personnel with documented need-to-know
  • Termination Procedures: Immediate access revocation and data deletion upon employee termination
  • Security Policies: Documented policies and procedures for all data handling

Physical Safeguards:

  • Facility Security: Restricted access to all facilities with security badges and surveillance
  • Server Room Security: Locked and monitored server rooms with limited access
  • Device Management: Secure disposal of all electronic media containing PHI

Enterprise-Grade Security

We utilize the same security standards employed by major healthcare institutions and financial services organizations to protect sensitive data.

4. Data Sharing & Privacy Practices

What We Do NOT Do:

  • No Selling: We absolutely do NOT sell patient or practice data to any third parties
  • No Marketing: We do NOT share data with marketers or pharmaceutical companies
  • No Monetization: We do NOT use patient data for any commercial purpose other than billing
  • No Unnecessary Sharing: We do NOT share PHI beyond what is required for claim processing

Limited Authorized Sharing:

OrbixRCM only shares PHI with entities that have a legitimate business purpose directly related to claims processing and reimbursement:

  • Insurance Payers: Data shared only for claim adjudication and payment processing
  • Clearinghouses: Data transmitted through HIPAA-compliant clearinghouses for claim submission
  • Business Associates: Only those with signed BAAs and documented need for the data
  • Legal/Compliance: Only when legally required by court order or regulatory mandate

Your Privacy is Protected

All data sharing is strictly limited to what is necessary for billing and claims processing. No data is shared for marketing, research, or any other commercial purpose.

5. Business Associate Agreement (BAA)

OrbixRCM is a HIPAA Business Associate and maintains signed Business Associate Agreements with all client medical practices. The BAA establishes the legal framework for handling PHI and defines our obligations and responsibilities.

By using OrbixRCM services, you agree to our standard Business Associate Agreement, which includes:

  • Obligations to protect and not misuse PHI
  • Security measures and safeguards implementation
  • Breach notification procedures and timelines
  • Subcontractor management and compliance requirements
  • Data deletion and destruction procedures
  • Audit and compliance verification rights

Custom BAAs and additional security addendums are available upon request. Organizations with specific security requirements or regulatory needs can work with our legal team to establish customized BAA terms.

6. Encryption & Data Protection Standards

All data maintained by OrbixRCM is protected using industry-standard encryption algorithms that meet or exceed HIPAA requirements:

  • Data at Rest: AES-256 encryption for all stored data
  • Data in Transit: TLS 1.2 or higher for all data transmission
  • End-to-End Encryption: Secure encryption for all external communications
  • Key Management: Secure key generation, storage, and rotation procedures
  • HTTPS Only: All web interfaces use HTTPS with valid SSL/TLS certificates

7. Access Controls & User Management

Access to PHI is strictly limited to authorized personnel who have documented need for the information to perform their job duties. We implement multi-layered access controls:

  • Authentication: Multi-factor authentication (MFA) for all user accounts
  • Authorization: Role-based access control with minimum necessary permissions
  • Accountability: User activity logging with non-repudiation capabilities
  • Regular Audits: Quarterly review of user access and privilege verification
  • Immediate Revocation: Instant access termination upon employment changes

8. Breach Notification Procedures

In the unlikely event of a security breach or unauthorized access to PHI, OrbixRCM will:

  • Immediately investigate and contain the breach
  • Notify affected parties within 60 days of discovery (or as required by law)
  • Provide detailed breach notification including affected information and remedial actions
  • Coordinate with regulatory bodies (HHS, OCR) as required
  • Offer complimentary credit monitoring if personally identifiable information was compromised
  • Implement corrective actions to prevent future incidents

Our Breach Response Plan is tested regularly to ensure we can respond quickly and effectively to any security incident.

9. Audit Controls & Compliance Monitoring

OrbixRCM maintains comprehensive audit controls and compliance monitoring systems:

  • System Audit Logs: All access and modifications logged with timestamps
  • Regular Audits: Internal audits conducted quarterly to verify HIPAA compliance
  • Third-Party Audits: Annual independent security audits by certified firms
  • Penetration Testing: Annual security assessments to identify vulnerabilities
  • Client Audits: Client organizations may conduct periodic audits of our systems

Our compliance team monitors regulatory changes and adjusts our policies and procedures accordingly to maintain strict HIPAA compliance.

10. Data Retention & Deletion

OrbixRCM maintains data only for the period necessary to provide billing services and satisfy legal and regulatory retention requirements. Upon termination of our services:

  • Clients have the option to retrieve all data in a standard format
  • All PHI is securely destroyed using certified data destruction methods
  • Destruction is completed within 90 days of service termination
  • Certificate of destruction is provided upon request

Privacy Questions or Concerns?

If you have questions about our privacy practices or want to report a privacy concern, please contact our Privacy Officer:

Email: info@orbixrcm.com
Phone: +1 (302) 260-6496
Mailing Address: 123 Healthcare Avenue, Suite 100, Medical City, ST 12345

Responses to privacy inquiries are provided within 5 business days.

Policy Updates

This privacy policy may be updated from time to time. We recommend reviewing this policy regularly for changes. Continued use of our services following any updates constitutes acceptance of the updated policy.