HIPAA Compliance

Last Updated: February 25, 2026

Our HIPAA Compliance Commitments

HIPAA Security Rule

Administrative, physical, and technical safeguards to protect ePHI

Encryption Standards

AES-256 encryption at rest and TLS 1.3 in transit

Business Associate Agreements

BAAs provided to all customers handling PHI

Audit Logging

Comprehensive logging of all PHI access and modifications

Breach Notification

Rapid response and notification protocols in place

Secure Infrastructure

HIPAA-compliant data centers and cloud services

HIPAA Compliant Platform for Healthcare Professionals

Practice ROI is designed from the ground up to meet HIPAA requirements for protecting Protected Health Information (PHI). We implement comprehensive administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of your patient data.

As your Business Associate, we take our HIPAA obligations seriously and are committed to transparency about our compliance measures.

1. Our Commitment to HIPAA Compliance

At Practice ROI, we understand the critical importance of protecting Protected Health Information (PHI). As a Business Associate providing services to covered entities in the healthcare industry, we are committed to full compliance with the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations.

This page outlines our HIPAA compliance measures, your responsibilities as a covered entity, and how we work together to protect patient information.

2. Business Associate Agreement (BAA)

2.1 BAA Requirement

Under HIPAA, a Business Associate Agreement is required before any PHI can be shared with Practice ROI. We provide a comprehensive BAA to all customers who:

  • Store patient referral information containing PHI
  • Send marketing communications containing patient identifiers
  • Track patient interactions through our communication tools
  • Use our platform to process any information covered under HIPAA

2.2 What Our BAA Covers

  • Our obligations to safeguard PHI
  • Permitted and required uses of PHI
  • Data breach notification procedures
  • Subcontractor requirements
  • Audit rights and documentation
  • Term and termination conditions

2.3 How to Request a BAA

To request a Business Associate Agreement, please contact our compliance team at hipaa@practiceroi.com or through your account manager.

3. Technical Safeguards

3.1 Encryption

  • Data at Rest: AES-256 encryption for all stored data
  • Data in Transit: TLS 1.3 for all data transmission
  • Backup Encryption: All backups are encrypted with the same standards
  • Key Management: Secure key rotation and management procedures

3.2 Access Controls

  • Unique user identification for all system users
  • Automatic logoff after a period of inactivity
  • Role-based access control (RBAC) limiting data access
  • Multi-factor authentication (MFA) available for all accounts
  • Emergency access procedures for critical situations

3.3 Audit Controls

  • Comprehensive logging of all system activity
  • PHI access tracking and monitoring
  • Audit logs retained for a minimum of 6 years
  • Regular review of audit logs for suspicious activity
  • Tamper-proof audit trail mechanisms

3.4 Integrity Controls

  • Mechanisms to ensure data is not improperly altered or destroyed
  • Digital signatures and checksums for data verification
  • Version control and change tracking
  • Validation of data transmission accuracy

3.5 Transmission Security

  • End-to-end encryption for all PHI transmission
  • Secure messaging protocols
  • Network segmentation and firewalls
  • Intrusion detection and prevention systems

4. Physical Safeguards

4.1 Facility Access Controls

  • Data hosted in SOC 2 Type II certified data centers
  • 24/7 physical security with surveillance
  • Biometric and badge-based access controls
  • Visitor logging and escort requirements
  • Regular physical security audits

4.2 Workstation and Device Security

  • Secure workstation configurations
  • Screen privacy filters and automatic lock screens
  • Encrypted laptops and mobile devices
  • Device management and tracking
  • Secure disposal of physical media

5. Administrative Safeguards

5.1 Security Management Process

  • Risk analysis and risk management procedures
  • Sanction policy for security violations
  • Regular security reviews and updates
  • Information system activity review

5.2 Workforce Security

  • Background checks for all employees with PHI access
  • Signed confidentiality agreements
  • HIPAA training for all relevant personnel
  • Annual security awareness training
  • Immediate access termination upon employee departure

5.3 Security Incident Procedures

  • Incident response plan and team
  • Breach detection and analysis procedures
  • Containment and mitigation strategies
  • Documentation and reporting requirements
  • Post-incident review and improvements

5.4 Contingency Planning

  • Data backup and disaster recovery plans
  • Emergency mode operation procedures
  • Regular testing of backup and recovery systems
  • Business continuity planning

6. Breach Notification Procedures

In the unlikely event of a breach of unsecured PHI, Practice ROI will:
  • Notify affected customers within 24 hours of discovery
  • Provide details about the breach, including what PHI was involved
  • Describe steps we are taking to investigate and mitigate
  • Assist with required notifications to individuals and authorities
  • Document the breach and our response in accordance with HIPAA

Customer Responsibilities

As the covered entity, you are responsible for:
  • Notifying affected individuals within 60 days
  • Reporting breaches affecting 500+ individuals to HHS
  • Notifying media if breach affects 500+ individuals in a jurisdiction
  • Maintaining documentation of breach notifications

7. Customer Responsibilities

While we provide a HIPAA-compliant platform, you must also take steps to ensure compliance:

  • Execute a Business Associate Agreement with Practice ROI
  • Configure the platform appropriately for your use case
  • Train your staff on HIPAA requirements and platform use
  • Implement appropriate access controls for your users
  • Obtain necessary patient authorizations for marketing
  • Conduct your own risk assessments
  • Report suspected breaches to Practice ROI immediately
  • Maintain your own policies and procedures

8. Subcontractors and Third-Party Services

We use carefully vetted subcontractors to provide our services. All subcontractors who may access PHI:

  • Sign Business Associate Agreements with Practice ROI
  • Meet or exceed our HIPAA compliance standards
  • Are subject to the same safeguards and requirements
  • Are regularly audited for compliance

Our Subcontractors Include:

  • Cloud infrastructure providers (AWS, Google Cloud)
  • Email service providers
  • SMS/communication providers (Twilio)
  • Payment processors (Stripe)
  • Analytics and monitoring services

9. Data Retention and Destruction

9.1 Retention

  • PHI is retained as long as your account is active
  • After account termination, data is retained for 90 days
  • Backup data may be retained for up to 1 year
  • Audit logs retained for 6 years per HIPAA requirements

9.2 Secure Destruction

When PHI is destroyed, we use secure methods including:

  • Cryptographic erasure of encryption keys
  • Multiple-pass overwriting of storage media
  • Physical destruction of decommissioned hardware
  • Certificate of destruction provided upon request

10. Ongoing Compliance

We maintain HIPAA compliance through:
  • Regular security risk assessments (at least annually)
  • Penetration testing and vulnerability scans
  • Third-party security audits
  • Continuous monitoring of security controls
  • Regular policy and procedure reviews
  • Staying current with HIPAA regulations and guidance
  • Participation in industry security initiatives

11. Training and Awareness

All Practice ROI employees receive:
  • HIPAA training during onboarding
  • Annual security awareness training
  • Role-specific training for those with PHI access
  • Regular updates on security threats and best practices
  • Incident response training and drills

12. Audit Rights

Under our Business Associate Agreement, you have the right to:

  • Request information about our security practices
  • Review our policies and procedures (subject to confidentiality)
  • Request audit reports from third-party auditors
  • Conduct your own audit (with reasonable notice and scope)
  • Review logs of your PHI access (where technically feasible)

Need a Business Associate Agreement?

Request a BAA from our compliance team to begin using Practice ROI for PHI processing.

HIPAA Compliance Contact Information

HIPAA Compliance Officer

Email: hipaa@practiceroi.com

Report a Security Incident

Email: security@practiceroi.com

Phone: (719) 985-3535 (24/7 Security Hotline)

BAA and Compliance Questions

Email: compliance@practiceroi.com