HIPAA Compliance & Data Protection Policy
Business Associate Agreement (BAA) Included by Default
myPractice Care is a HIPAA-compliant patient communication and engagement platform designed specifically for healthcare providers.
We operate as a Business Associate and are contractually bound to protect Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act and the HITECH Act.
—
✔ Compliance You Can Rely On
– HIPAA-Compliant Infrastructure
– Business Associate Agreement (BAA) Included by Default
– Secure Patient Communication Systems
– Encrypted Data Transmission & Storage
– Controlled Access & Audit Logging
—
1. Our Role as a Business Associate
As a Business Associate, myPractice Care provides services on behalf of healthcare providers (Covered Entities), including:
– Patient feedback and satisfaction requests
– Patient communication related to service experience
– Reputation and review management
A Business Associate Agreement (BAA) is automatically applicable to all clients upon onboarding and governs all PHI-related activities.
—
2. What Data We Handle
We process only limited, non-clinical PHI, such as:
– Patient name
– Phone number
– Email address
We do not access or store:
– Medical records
– Diagnoses or treatment information
– Clinical data of any kind
—
3. Minimum Necessary Standard
We strictly adhere to HIPAA’s Minimum Necessary Standard:
– Only essential patient data is collected
– Data usage is limited to defined operational purposes
– No unnecessary or excessive PHI is stored or processed
—
3. How We Protect Patient Data
We implement comprehensive safeguards aligned with HIPAA’s Privacy and Security Rules.
a. Administrative Safeguards
– HIPAA-trained personnel
– Role-based access control
– Internal compliance and data protection policies
b. Technical Safeguards
– Encryption in transit (HTTPS, secure APIs)
– Secure authentication and system access controls
– Continuous monitoring and audit logging
c. Physical Safeguards
– Secure infrastructure environments
– Restricted access to systems handling PHI
—
4. How Your Data Flows Through Our System
We maintain a controlled and secure data lifecycle:
Practice → Secure Transfer → myPractice Care Platform → Patient Communication → Secure Storage → Scheduled Deletion
At every stage, data is encrypted, access-controlled, and monitored.
—
5. Data Retention & Deletion Policy
– PHI is retained only for the duration necessary to deliver services
– Data is securely deleted or anonymized after use
– Backup data is periodically purged in accordance with internal policies
– Upon termination, all PHI is returned or permanently destroyed unless retention is legally required
—
6. Permitted Use of PHI
PHI is used strictly for:
– Healthcare operations
– Patient experience and feedback collection
– Internal quality and service improvement
We do not:
– Use PHI for marketing without explicit patient authorization
– Sell or monetize patient data
– Share PHI across different clients or systems
—
7. Breach Notification & Transparency
In the event of a security incident or breach:
– Covered Entities are notified within 72 hours of discovery
– Detailed information is provided, including:
  – Nature of the incident
  – Type of PHI involved
  – Number of affected individuals (if known)
  – Corrective actions taken
We fully cooperate in investigation, mitigation, and compliance processes.
—
8. Security Incidents vs. Breaches
We actively monitor and distinguish between:
– Security Incidents: Attempted or minor unauthorized access (e.g., failed login attempts)
– Breaches: Confirmed unauthorized access, disclosure, or compromise of PHI
All events are logged, reviewed, and addressed under strict protocols.
—
9. Subcontractor & Third-Party Compliance
To deliver our services, we may use trusted third-party providers (e.g., messaging infrastructure, hosting services).
We ensure that:
– All subcontractors are bound by HIPAA-compliant agreements
– Equivalent safeguards are enforced across all systems
– myPractice Care remains fully responsible for subcontractor compliance
—
10. Audit & Compliance Assurance
We maintain internal compliance processes and documentation.
Covered Entities may:
– Request compliance-related information
– Verify our safeguards and practices
– Submit security or compliance inquiries at any time
—
11. Supporting Patient Rights
Where applicable, we support Covered Entities in:
– Providing patient access to their data
– Making corrections or updates
– Supporting accounting of disclosures
—
12. Liability & Responsibility
myPractice Care is committed to protecting PHI and maintaining compliance.
– We accept responsibility for unauthorized use or disclosure caused by our systems or personnel
– We remain accountable for subcontractors and third-party providers
– Liability is limited as defined in our service agreement, except in cases of gross negligence or willful misconduct
—
13. Governing Law
All agreements, including our Business Associate Agreement (BAA), are governed by applicable laws of the United States and the relevant state jurisdiction defined in the service agreement.
—
14. Continuous Compliance Commitment
We continuously monitor and update our policies to remain compliant with:
– HIPAA Privacy Rule
– HIPAA Security Rule
– HIPAA Breach Notification Rule
– HITECH Act requirements
—
15. Request a BAA or Compliance Information
If you would like a signed Business Associate Agreement or have questions regarding our compliance practices, please contact:
Email: support@myPracticecare.com
Company: myPractice Care
—
16. Final Commitment
We understand that patient trust is critical in healthcare. Our systems, processes, and agreements are designed to ensure that Protected Health Information is handled securely, responsibly, and in full compliance with HIPAA regulations.
—