HIPAA Compliance
Last updated: January 7, 2025
Effective Date: January 7, 2025
1. Our Commitment to HIPAA Compliance
AveeCare LLC ("AveeCare," "we," "us," or "our") is committed to protecting the privacy and security of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and all applicable federal and state regulations.
As a technology platform serving home care, home healthcare, hospice, and disability care agencies, we act as a Business Associate under HIPAA when we create, receive, maintain, or transmit PHI on behalf of our customers (Covered Entities).
This document describes our HIPAA compliance program, the safeguards we implement to protect PHI, and our commitments as a Business Associate.
- HIPAA Compliant: Full compliance with Privacy Rule, Security Rule, and Breach Notification Rule
- AES-256 Encryption: Enterprise-grade encryption for data at rest and in transit
- SOC 2 Type II: Hosted on AWS infrastructure with SOC 2 Type II certification
- BAA Available: Business Associate Agreement provided to all covered entity customers
2. Business Associate Agreement (BAA)
We provide a Business Associate Agreement to all customers who are HIPAA Covered Entities or Business Associates. Our BAA:
- Defines the permitted and required uses and disclosures of PHI
- Establishes safeguards to prevent unauthorized use or disclosure
- Requires reporting of unauthorized uses, disclosures, and security incidents
- Requires subcontractors who handle PHI to sign BAAs
- Provides for return or destruction of PHI upon termination
- Permits the Covered Entity to audit our compliance
- Commits to breach notification within required timeframes
Request a BAA: To obtain a Business Associate Agreement, please contact us at legal@aveecare.com or request one during your account setup process. A BAA must be executed before your organization inputs PHI into our platform.
3. HIPAA Privacy Rule Compliance
We implement policies and procedures to ensure compliance with the HIPAA Privacy Rule:
3.1 Minimum Necessary Standard
- Our role-based access control (RBAC) system limits access to PHI based on job function
- Users can only access the minimum PHI necessary for their assigned tasks
- Administrators can configure granular permissions for each user role
- System features are designed to request and display only necessary information
3.2 Use and Disclosure Limitations
- We only use PHI as permitted by our BAA and applicable law
- PHI is used solely to provide services to our customers
- We do not sell PHI or use it for marketing purposes
- De-identified data may be used for product improvement in compliance with HIPAA de-identification standards
3.3 Individual Rights
Our platform supports the exercise of individual HIPAA rights by providing features that enable our customers (Covered Entities) to:
- Provide individuals with access to their PHI upon request
- Make amendments to PHI as requested
- Generate accountings of disclosures
- Apply restrictions requested by individuals
- Export patient data in standard formats
4. HIPAA Security Rule Compliance
We implement comprehensive administrative, physical, and technical safeguards as required by the HIPAA Security Rule:
4.1 Administrative Safeguards
Security Management Process
- Designated Security Officer responsible for HIPAA security compliance
- Designated Privacy Officer responsible for HIPAA privacy compliance
- Regular risk assessments identifying vulnerabilities and threats
- Risk management policies to reduce identified risks
- Sanction policy for workforce members who violate policies
- Regular review and audit of security measures
Workforce Security
- Background checks for all employees with access to PHI
- Role-based authorization procedures
- Termination procedures including immediate access revocation
- Annual HIPAA training for all workforce members
- Confidentiality agreements for all employees
Information Access Management
- Access authorization policies and procedures
- Principle of least privilege for system access
- Regular access reviews and certification
- Documented procedures for access establishment and modification
4.2 Physical Safeguards
Facility and Workstation Security
- AWS Data Centers: Our infrastructure is hosted on Amazon Web Services, which maintains SOC 2 Type II, ISO 27001, and HIPAA compliance
- Physical access controls including biometric authentication and 24/7 security
- Environmental controls (fire suppression, climate control, backup power)
- Workstation use policies for remote employees
- Mobile device management for company devices
- Secure disposal procedures for media containing PHI
4.3 Technical Safeguards
Access Controls
- Unique user identification for all system users
- Strong password requirements (minimum length, complexity, expiration)
- Multi-factor authentication (MFA) support and recommendation
- Automatic logoff after inactivity period
- Role-based access control (RBAC) with configurable permissions
- Emergency access procedures for break-glass scenarios
Audit Controls
- Comprehensive audit logging of all system activity
- Logging of all access to PHI including who, what, when, and from where
- Tamper-evident audit logs that cannot be modified or deleted
- Audit log retention for minimum of 6 years
- Regular audit log review and anomaly detection
- Real-time alerting for suspicious activities
Encryption and Integrity
- Data at Rest: AES-256 encryption for all stored data
- Data in Transit: TLS 1.2+ encryption for all network communications
- Database Encryption: Encrypted database storage with key management
- Backup Encryption: All backups encrypted with separate keys
- Integrity verification mechanisms to detect unauthorized modifications
- Secure key management with regular key rotation
Transmission Security
- HTTPS enforced for all web communications
- Secure API endpoints with authentication
- Certificate pinning in mobile applications
- Secure messaging for in-app communications
5. Breach Notification
We maintain comprehensive breach detection, response, and notification procedures:
5.1 Breach Detection
- 24/7 security monitoring and intrusion detection systems
- Real-time alerting for potential security incidents
- Automated anomaly detection and threat intelligence
- Regular vulnerability scanning and penetration testing
- Employee reporting mechanisms for suspected incidents
5.2 Incident Response
- Documented incident response plan with defined roles and procedures
- Incident response team with 24/7 availability
- Containment, eradication, and recovery procedures
- Root cause analysis and remediation
- Post-incident review and improvements
5.3 Notification Procedures
Breach Notification Commitment:
- We will notify affected Covered Entities of any breach of unsecured PHI without unreasonable delay, and in no case later than 60 days after discovery
- Notification will include identification of affected individuals, description of the breach, types of information involved, and steps taken
- We will cooperate with Covered Entities in their notification obligations to individuals and HHS
- We maintain documentation of all breaches and notifications for 6 years
6. AI Features and PHI
Our platform includes artificial intelligence features that may process PHI. We maintain the following safeguards for AI-related processing:
6.1 AI Processing Safeguards
- Secure Processing: All AI processing of PHI occurs within our secure, HIPAA-compliant infrastructure
- Access Controls: AI features respect the same role-based access controls as other system features
- Audit Logging: All AI interactions involving PHI are logged in our audit system
- Data Minimization: AI models process only the minimum necessary PHI for the requested function
- No External Sharing: PHI is not shared with external AI services without a BAA
6.2 AI Training Data
- We do not use identifiable PHI to train AI models without explicit authorization
- Any data used for model improvement is de-identified according to HIPAA Safe Harbor or Expert Determination methods
- Customers can opt out of having their de-identified data used for model improvement
6.3 AI Limitations Disclosure
Important: AI-generated content, including reports, recommendations, and documentation, is provided as a tool to assist healthcare professionals. All AI outputs involving clinical information should be reviewed and verified by qualified personnel before use. AI features do not provide medical advice and should not replace professional clinical judgment.
7. EVV and Regulatory Compliance
Our Electronic Visit Verification (EVV) features are designed to comply with the 21st Century Cures Act and Arizona AHCCCS requirements while maintaining HIPAA compliance:
- Data Collection: EVV data is collected with appropriate consent and disclosure
- Minimum Necessary: Only required EVV data elements are collected and transmitted
- Secure Transmission: EVV data is transmitted to state aggregators using secure, encrypted connections
- Access Controls: EVV data is subject to the same access controls as other PHI
- Audit Trail: All EVV transactions are logged for compliance and audit purposes
8. Subcontractors and Third Parties
We carefully vet all subcontractors who may have access to PHI:
- BAA Requirements: All subcontractors who create, receive, maintain, or transmit PHI sign a Business Associate Agreement
- Security Assessment: Subcontractors undergo security assessment before engagement
- Ongoing Monitoring: We monitor subcontractor compliance and security practices
- Limited Access: Subcontractors receive only the minimum necessary access for their function
Key Subcontractors
- Amazon Web Services (AWS): Cloud infrastructure provider with HIPAA BAA
- Payment Processors: PCI-DSS compliant processors (do not have access to PHI)
9. Risk Assessment and Management
We conduct regular risk assessments as required by the HIPAA Security Rule:
- Annual Risk Assessment: Comprehensive assessment of threats, vulnerabilities, and risks to PHI
- Continuous Monitoring: Ongoing assessment of security posture and emerging threats
- Penetration Testing: Annual third-party penetration testing of our systems
- Vulnerability Scanning: Regular automated scanning of infrastructure and applications
- Risk Mitigation: Documented risk management plans with prioritized remediation
- Board Reporting: Regular security and compliance reporting to leadership
10. Training and Awareness
All AveeCare workforce members receive comprehensive training:
- Initial Training: HIPAA privacy and security training during onboarding
- Annual Refresher: Mandatory annual training on HIPAA requirements and company policies
- Role-Specific Training: Additional training for roles with elevated access or responsibilities
- Security Awareness: Ongoing security awareness including phishing simulations
- Policy Updates: Training on policy changes and new requirements
- Documentation: Training completion records maintained for 6 years
11. Customer Responsibilities
While AveeCare maintains robust security and compliance measures, our customers (Covered Entities) also have important responsibilities:
- Execute BAA: Ensure a Business Associate Agreement is in place before inputting PHI
- User Management: Properly configure user access and promptly remove terminated users
- Training: Train your workforce on proper use of the platform and handling of PHI
- Strong Authentication: Enable and require MFA for your users
- Incident Reporting: Promptly report any suspected security incidents
- Compliance: Maintain your own HIPAA compliance program
- Patient Rights: Fulfill patient requests for access, amendment, and accounting of disclosures
- Consent: Obtain appropriate patient consents and authorizations
12. Certifications and Attestations
Our compliance program includes the following certifications and attestations:
Infrastructure (AWS)
- SOC 2 Type II
- ISO 27001
- HIPAA Eligible
- FedRAMP
AveeCare Platform
- Annual HIPAA Risk Assessment
- Annual Penetration Testing
- Business Associate Agreements
- Documented Policies and Procedures
13. Contact Information
For questions about our HIPAA compliance program or to report a security concern:
AveeCare LLC
Privacy Officer / Security Officer
Phoenix, Arizona, United States
HIPAA Compliance: compliance@aveecare.com
Security Incidents: security@aveecare.com
Legal: legal@aveecare.com
Report Security Incidents: If you believe there has been unauthorized access to PHI or a security incident, please report it immediately to security@aveecare.com or call our security hotline. Prompt reporting helps us respond quickly and minimize any potential impact.
14. Related Documents
Please also review our other legal documents: