HIPAA Compliance

Our commitment to protecting patient health information and ensuring full compliance with HIPAA regulations.

Effective: January 1, 2026 · Last updated: January 1, 2026

At EzCure Solutions, we take the security and privacy of patient health information seriously. We are fully committed to complying with the Health Insurance Portability and Accountability Act (HIPAA) and its Privacy, Security, and Breach Notification Rules. This page outlines our HIPAA compliance framework and how we protect the Protected Health Information (PHI) entrusted to us by our clients.

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to establish national standards for the protection of sensitive patient health information. HIPAA consists of several key rules:

  • Privacy Rule: Sets standards for the use and disclosure of Protected Health Information (PHI) by covered entities and their business associates.
  • Security Rule: Establishes administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI).
  • Breach Notification Rule: Requires covered entities and business associates to notify affected individuals, the Department of Health and Human Services (HHS), and in some cases, the media, of breaches of unsecured PHI.
  • Enforcement Rule: Provides for investigations, penalties, and procedures for violations of HIPAA rules.

Compliance with HIPAA is not just a legal obligation; it is a fundamental part of our commitment to protecting patient privacy and earning the trust of our healthcare partners.

Protected Health Information (PHI) is any information in a patient's medical record that can be used to identify an individual and that relates to their past, present, or future physical or mental health condition, treatment, or payment. This includes:

  • Names, addresses, dates of birth, and Social Security numbers.
  • Medical records, lab results, and test reports.
  • Treatment plans, diagnoses, and prognoses.
  • Billing and payment information.
  • Any other information that could identify a patient, including photos and biometric data.

When we receive PHI from our clients, we treat it with the highest level of confidentiality. We limit its use to the specific purposes outlined in our Business Associate Agreement (BAA) – namely, to provide billing, credentialing, and denial management services. We never use PHI for marketing or any other non‑contractual purposes.

EzCure Solutions has implemented a comprehensive compliance program that encompasses the following elements:

  • Designated Privacy and Security Officers: Our Privacy Officer is Ahsan Kazmi, who oversees all HIPAA‑related matters. All staff are trained on their roles and responsibilities.
  • Written Policies and Procedures: We have documented policies for the use, disclosure, and protection of PHI, covering all aspects of HIPAA compliance, including incident response and breach reporting.
  • Risk Management: We conduct regular risk assessments to identify vulnerabilities in our systems and processes, and we implement corrective measures.
  • Vendor Management: Any third‑party vendors who handle PHI on our behalf are required to sign BAAs and demonstrate their own compliance with HIPAA.

Under HIPAA, a Business Associate (BA) is any person or entity that performs functions or activities involving the use or disclosure of PHI on behalf of a covered entity. EzCure Solutions is a Business Associate to our healthcare practice clients, and we sign a Business Associate Agreement (BAA) with every client.

Our BAA includes the following key provisions:

  • Permitted uses and disclosures of PHI (limited to the contracted services).
  • Obligations to safeguard PHI with appropriate administrative, physical, and technical safeguards.
  • Reporting of any security incidents or breaches to the client within the required timeframe.
  • Compliance with the HIPAA Security Rule for ePHI.
  • Right of the client to request and receive an accounting of disclosures.
  • Obligation to return or destroy PHI upon termination of the agreement.

We are fully committed to upholding the terms of our BAA with every client, and we regularly review our processes to ensure compliance.

We implement a multi‑layered security strategy to protect ePHI against unauthorized access, alteration, destruction, or disclosure:

Technical Safeguards

  • Encryption: All ePHI is encrypted both at rest (in databases and storage systems) and in transit (using TLS/SSL for data transmissions).
  • Access Controls: Role‑based access controls ensure that only authorized personnel can access PHI, and only to the extent necessary for their job functions.
  • Audit Logs: All access to PHI is logged and regularly audited to detect any anomalous activity.
  • Secure Transmission: We use secure file transfer protocols and encrypted email for any communications involving PHI.

Physical Safeguards

  • All servers and infrastructure are housed in secure data centers with 24/7 monitoring, biometric access controls, and environmental controls.
  • Workstations and devices used to access PHI are physically secured and protected against theft or unauthorized access.
  • We enforce clean‑desk policies and secure disposal of paper records containing PHI.

Administrative Safeguards

  • We maintain written policies and procedures for workforce training, disaster recovery, and emergency preparedness.
  • All employees undergo comprehensive HIPAA training upon hire and annually thereafter.
  • We enforce non‑disclosure agreements and sanctions for violations of our policies.

Despite our rigorous safeguards, we recognize that no system is completely immune from potential breaches. We have established a robust incident response plan:

  • Detection: We use continuous monitoring and alerting systems to detect potential security incidents involving PHI.
  • Investigation: Our security team immediately investigates any suspected breach or unauthorized access.
  • Containment: We take steps to contain the incident and prevent further exposure of PHI.
  • Notification: If a breach of unsecured PHI is confirmed, we notify affected individuals, the client, and the Office for Civil Rights (OCR) within the timeframes required by HIPAA (generally within 60 days).
  • Remediation: We implement corrective actions to prevent recurrence of the incident.

We maintain a written breach notification policy that outlines these procedures in detail, and we test our incident response plan regularly.

Our employees are our first line of defense in protecting PHI. We provide comprehensive training on HIPAA compliance, including:

  • Understanding what constitutes PHI and the importance of its protection.
  • Proper handling of PHI in both paper and electronic formats.
  • Recognizing and reporting potential security risks or violations.
  • Password security, email encryption, and safe browsing practices.
  • Procedures for verifying identity before disclosing PHI over the phone or in person.

Training is provided to all new hires and updated annually. We also conduct regular phishing simulations and security awareness campaigns to keep our staff vigilant.

HIPAA grants patients important rights regarding their health information. While we are a Business Associate and not a Covered Entity, we support our clients in honoring these rights, which include:

  • Right to Access: Patients have the right to request copies of their PHI held by the practice.
  • Right to Amend: Patients can request corrections to inaccurate or incomplete information in their records.
  • Right to Accounting of Disclosures: Patients can request a list of entities to whom their PHI has been disclosed.
  • Right to Request Restrictions: Patients can request limitations on how their PHI is used or disclosed.
  • Right to Confidential Communications: Patients can request that communications be sent to an alternate address or via alternate means.

We assist our clients in fulfilling these requests as needed and ensure that our systems accommodate the necessary restrictions.

We believe in continuous improvement and proactive compliance. We conduct regular internal and external audits of our systems and processes, including:

  • Internal Audits: We review access logs, security configurations, and policy adherence on a quarterly basis.
  • Penetration Testing: We engage independent third‑party security firms to conduct penetration tests and vulnerability assessments at least annually.
  • Risk Assessments: We perform comprehensive risk assessments to identify potential threats and vulnerabilities.
  • Remediation Tracking: Any findings are tracked to resolution, with regular updates to senior management.

We maintain detailed records of all audits and risk assessments in accordance with HIPAA documentation requirements.

If you have any questions, concerns, or complaints about our HIPAA compliance or how we handle PHI, please contact our Privacy Officer:

Privacy Officer

Name: Ahsan Kazmi

Email: a.kazmi@ezcuresolutions.com

We respond to all privacy inquiries within 5 business days.

You also have the right to file a complaint with the Office for Civil Rights (OCR) if you believe your privacy rights have been violated. For more information, visit the HHS OCR website.

This HIPAA Compliance statement is effective as of January 1, 2026 and supersedes all prior versions. We review and update our compliance practices regularly to reflect changes in regulations and industry best practices.

Quick Answers

Common HIPAA Compliance Questions

Do you sign a Business Associate Agreement (BAA)?

Yes. We sign a BAA with every client before handling any PHI. Our BAA is compliant with HIPAA and includes all required provisions.

How do you protect patient data?

We use encryption, role‑based access controls, secure file transfer protocols, and regular security audits. We also have a comprehensive incident response plan.

Do you train your employees on HIPAA?

Absolutely. All employees undergo HIPAA training upon hire and annually thereafter. We also conduct regular security awareness campaigns.

What happens if there is a data breach?

We have a clear incident response plan. We will notify affected individuals, our client, and the OCR within the required timeframes. We also investigate and remediate the issue.

Can I request a copy of your HIPAA policies?

Yes, we are happy to share our compliance policies with prospective clients. Please contact our Privacy Officer for more information.

Have More Questions About HIPAA Compliance?

Our Privacy Officer is available to address any concerns about how we protect patient health information.

📧 a.kazmi@ezcuresolutions.com