HIPAA Compliance

HIPAA Overview
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that seeks to improve the efficiency of the healthcare industry while ensuring the security and confidentiality of patient health information. HIPAA generally applies to “covered entities” (including any healthcare provider) and “business associates” (any third party engaged by a covered entity to help carry out its healthcare activities and functions). Thus, under HIPAA, you are a covered entity and Samara Well Inc. is your business associate.
General Compliance
HIPAA privacy regulations require that you and your business associates develop and follow procedures that ensure the confidentiality and security of your patients’ protected health information (PHI) whenever it is transferred, received, handled, or shared. This requirement applies to all forms of PHI, whether on paper, in oral communications, or in electronic format. Furthermore, only the minimum health information necessary to conduct business is to be used or shared.
As your business associate, Samara Well Inc. follows detailed policies governing the protection of your patients’ PHI, including employing administrative, physical, and technical safeguards as required by HIPAA rules and regulations. You can be confident that we will protect your patient data to help you stay compliant.
Cloud-Based Security
Cloud-based platforms protected by robust security controls are not more vulnerable to data breaches than on-site data storage; their security posture can in fact be stronger because of continuous expert monitoring. Smaller enterprises, such as outpatient healthcare practices, often lack the financial resources to employ dedicated personnel for server security management. Samara Well's encrypted data is continuously monitored by specialists committed to safeguarding data integrity. Opting for Samara Well can reduce the complexity of adhering to HIPAA regulatory mandates.
Administrative Safeguards
- Risk Assessment: We conduct regular risk analyses to identify potential vulnerabilities in our systems and processes.
- Staff Training: All employees and contractors receive comprehensive HIPAA training upon hiring and annually thereafter.
- Business Associate Agreements: We maintain appropriate Business Associate Agreements (BAAs) with all third parties that have access to PHI.
- Sanction Policy: We enforce disciplinary actions for employees who fail to comply with privacy policies.
- Incident Response Plan: We maintain and regularly test a detailed breach notification and incident response protocol.
Technical Safeguards
- Access Controls: Our platform implements role-based access controls, requiring unique user identification and strong authentication.
- Audit Controls: We maintain detailed audit trails for all PHI access, modification, and transmission.
- Integrity Controls: We employ mechanisms to confirm that PHI has not been improperly altered or destroyed.
- Transmission Security: All data transmission is secured using industry-standard encryption protocols.
- Authentication: Multi-factor authentication is required for all access to systems containing PHI.
- Emergency Access: Procedures are in place for obtaining necessary PHI during emergencies.
EHR Integration Security
- Secure Bi-directional Synchronization: Our EHR integration features implement additional security layers to protect PHI during data exchange.
- Minimum Necessary Access: We adhere to the minimum necessary standard, ensuring access to PHI is limited to only what is required for specific functions.
Breach Notification Procedures
In the unlikely event of a breach, Samara Well Inc. follows these notification procedures:
- Internal Investigation: Immediate assessment of the nature and extent of the breach
- Containment: Prompt action to limit the breach's scope and impact
- Notification to Covered Entities: Notification within 60 days of discovery (or as required by BAAs)
- Documentation: Comprehensive documentation of the breach and response actions
- Remediation: Implementation of corrective actions to prevent similar breaches
Compliance Updates
This HIPAA Compliance Statement is reviewed and updated annually or whenever there are significant changes to HIPAA regulations or our data processing activities. The current version was last updated on April 28, 2025.
Contact Information
For questions regarding our HIPAA compliance program, please contact: support@samarawell.com