Our Commitment to HIPAA Compliance
Complegal is committed to maintaining compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. We understand the importance of safeguarding protected health information (PHI) and have implemented comprehensive safeguards to ensure the confidentiality, integrity, and availability of all PHI we handle.
HIPAA Privacy Rule
Our Privacy Rule compliance includes:
- Minimum necessary standard: We only access and use the minimum amount of PHI necessary to provide our services
- Business Associate Agreements: We maintain BAAs with all third-party service providers who handle PHI
- Notice of Privacy Practices: We provide clear notice about how PHI may be used and disclosed
- Individual rights: We respect and facilitate your rights to access, amend, and request restrictions on your PHI
- Authorization: We obtain appropriate authorization before using or disclosing PHI for non-essential purposes
HIPAA Security Rule
Our Security Rule compliance includes implementation of:
Administrative Safeguards
- Security management process and risk assessment
- Assigned security responsibility and training
- Security policies and procedures
- Contingency planning and backup procedures
- Business associate agreements and oversight
Physical Safeguards
- Facility access controls and visitor logs
- Workstation security and device controls
- Secure data centers with 24/7 monitoring
- Media disposal and re-use procedures
Technical Safeguards
- Access control and authentication (MFA available)
- Audit controls and logging
- Encryption of data in transit (TLS 1.3)
- Encryption of data at rest (AES-256)
- Transmission security and integrity controls
Breach Notification Rule
In the event of a breach of unsecured PHI, we will:
- Notify affected individuals without unreasonable delay (no later than 60 days after discovery of the breach)
- Notify the U.S. Department of Health and Human Services for breaches affecting 500+ individuals
- Provide breach notification to prominent media outlets for large breaches
- Document all breach notifications and maintain breach logs
Data Encryption
All PHI is encrypted using industry-standard encryption protocols:
- In Transit: TLS 1.3 with perfect forward secrecy
- At Rest: AES-256 encryption for stored data
- Database: Transparent data encryption with managed keys
- Backups: Encrypted backups with secure key management
Access Controls
We implement strict access controls to ensure only authorized personnel can access PHI:
- Role-based access control (RBAC) with least privilege principle
- Multi-factor authentication (MFA) for all administrative access
- Regular access reviews and privilege audits
- Session timeouts and automatic lockouts
- IP whitelisting for administrative systems
Security Audits and Assessments
We regularly assess our security posture through:
- Annual third-party security assessments
- Quarterly vulnerability scans and penetration testing
- Continuous security monitoring and threat detection
- Regular security training for all employees
- Incident response planning and drills
Business Associate Agreements
We maintain signed Business Associate Agreements with all third-party service providers who may have access to PHI, including:
- Cloud infrastructure providers
- AI and machine learning service providers
- File storage and document management services
- Support and maintenance vendors
- Any other vendor with potential PHI access
Employee Training
All employees with access to PHI receive:
- Initial HIPAA security and privacy training upon hire
- Annual refresher training on HIPAA requirements
- Role-specific training based on job responsibilities
- Security awareness training on phishing and social engineering
- Documentation of all training completion
Contact for HIPAA Matters
For HIPAA-related inquiries, concerns, or to report a potential breach, please contact our HIPAA Privacy Officer:
Email: hipaa@wcpdr.com
For breach notifications: breach@wcpdr.com