HIPAA Privacy & Security Rules
Primary citations: 45 CFR §§160, 162, 164 · HITECH. The bullets below are how the firm has encoded this program into operating controls, evidence classes, and dialer policy—not legal advice, and not a substitute for the underlying statute or rule text.
- Covered-entity status maintained for the firm's enrollment workflows; BAAs in force with carriers, RingCentral, Box.com, and HealthSherpa.
- Minimum necessary standard applied to access and export of PHI from the directory.
- Encryption in transit and at rest; key rotation tracked to the audit ledger.
- Breach notification thresholds and timelines documented and rehearsed annually.