HIPAA Compliance
Last updated: February 1, 2026
Vitalitek is committed to ensuring the confidentiality, integrity, and availability of all Protected Health Information (PHI) that is created, received, maintained, or transmitted through our platform. This page outlines our compliance with the Health Insurance Portability and Accountability Act (HIPAA) and related regulations.
1. Our HIPAA Commitment
As a Business Associate under HIPAA, Vitalitek maintains a comprehensive compliance program that addresses the requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. We execute Business Associate Agreements (BAAs) with all covered entity customers.
2. Administrative Safeguards
We implement the following administrative safeguards to protect PHI:
- Security Management Process: Regular risk assessments and risk management policies to identify and mitigate potential threats to PHI
- Workforce Training: All employees receive HIPAA awareness training upon hiring and annually thereafter
- Access Management: Role-based access controls ensure that workforce members only access PHI necessary for their job functions
- Incident Response: Documented procedures for identifying, responding to, and reporting security incidents
- Contingency Planning: Data backup, disaster recovery, and emergency operations plans to ensure continuity of PHI access
3. Physical Safeguards
Our infrastructure security measures include:
- Cloud Infrastructure: Hosted on HIPAA-eligible cloud services with SOC 2 Type II certification
- Facility Access Controls: Physical access to data centers is restricted and monitored 24/7
- Workstation Security: Policies governing the use and physical security of workstations that access PHI
- Device and Media Controls: Procedures for the disposal and re-use of electronic media containing PHI
4. Technical Safeguards
We employ robust technical controls to secure PHI:
- Encryption: All PHI is encrypted in transit using TLS 1.3 and at rest using AES-256
- Access Controls: Multi-tenant data isolation ensures each organization's data is logically separated at the database level
- Authentication: Secure authentication via Google OAuth with domain-restricted access for organization members
- Credential Protection: API keys and integration credentials are encrypted using Fernet symmetric encryption
- Audit Logging: Comprehensive audit trails track access to and modifications of PHI
- Automatic Session Management: Sessions expire after periods of inactivity to prevent unauthorized access
5. Data Handling Practices
Minimum Necessary Standard
We apply the minimum necessary standard when using or disclosing PHI, limiting access to only the information needed to accomplish the intended purpose.
De-identification
When PHI is used for analytics or product improvement, it is de-identified in accordance with HIPAA de-identification standards (Safe Harbor method).
Data Retention
PHI is retained in accordance with applicable federal and state regulations. Superbill records and associated patient data are maintained for the minimum period required by law, after which they are securely disposed of.
6. Business Associate Agreements
Vitalitek enters into Business Associate Agreements (BAAs) with:
- All covered entity customers who use our platform to process PHI
- Our subcontractors and service providers who may have access to PHI
- Cloud infrastructure and hosting providers
7. Breach Notification
In the event of a breach of unsecured PHI, Vitalitek will:
- Notify affected covered entities without unreasonable delay and no later than 60 days after discovery of the breach
- Provide detailed information about the breach, including the nature of the PHI involved and recommended mitigation steps
- Cooperate fully with covered entities in their breach notification obligations to affected individuals and the HHS Secretary
8. Third-Party Integrations
Our integrations with Boulevard, Qualiphy, and GoHighLevel are configured to transmit only the minimum necessary PHI required for each workflow. All data transmission between systems uses encrypted channels, and integration credentials are stored using Fernet encryption.
9. Ongoing Compliance
We maintain our HIPAA compliance through:
- Annual risk assessments and security audits
- Regular review and updates to policies and procedures
- Continuous monitoring of system access and security events
- Periodic penetration testing by independent security firms
- Ongoing workforce training and compliance education
HIPAA Compliance Officer
For questions about our HIPAA compliance program, to request a Business Associate Agreement, or to report a potential security concern, please contact us at compliance@vitalitek.com.