HIPAA Notice

Last updated: March 1, 2026

Atlas Care Software, operated by Atlas Labs LLC ("Atlas Care," "we," "us," or "our"), is committed to protecting the privacy and security of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and their implementing regulations. This HIPAA Notice describes how we safeguard PHI that is created, received, maintained, or transmitted through our home care agency management platform.

1. Our Commitment to HIPAA Compliance

Atlas Care Software operates as a Business Associate under HIPAA when processing PHI on behalf of our customers (Covered Entities and their Business Associates). We maintain a comprehensive HIPAA compliance program that includes:

  • A designated Privacy Officer and Security Officer responsible for overseeing our HIPAA compliance program.
  • Regular risk assessments to identify and address vulnerabilities in our systems and processes.
  • Ongoing workforce training on HIPAA requirements, privacy practices, and security awareness.
  • Documented policies and procedures that are reviewed and updated at least annually.
  • Regular internal audits and third-party assessments to verify the effectiveness of our compliance program.

2. Protected Health Information (PHI)

Protected Health Information is individually identifiable health information that is created, received, maintained, or transmitted in connection with the provision of healthcare services. In the context of our platform, PHI may include:

  • Client names, addresses, dates of birth, Social Security numbers, and other demographic information.
  • Care plans, clinical assessments, nursing notes, and visit documentation.
  • Medical histories, diagnoses, medication lists, and treatment records.
  • Billing records, insurance information, and claims data.
  • Any other information that relates to the past, present, or future health condition of an individual, the provision of care, or payment for care.

We use and disclose PHI only as permitted or required by HIPAA and as specified in the Business Associate Agreement executed with each customer. We do not use PHI for marketing purposes or sell PHI under any circumstances.

3. Business Associate Agreements (BAAs)

Before any PHI is processed through our platform, we execute a Business Associate Agreement (BAA) with each customer. The BAA establishes the permitted and required uses and disclosures of PHI, and it outlines the responsibilities of both parties in protecting that information. Our BAA includes provisions for:

  • Limiting the use and disclosure of PHI to the minimum necessary to fulfill our obligations.
  • Implementing appropriate administrative, technical, and physical safeguards.
  • Reporting security incidents and breaches of unsecured PHI.
  • Ensuring that any subcontractors who access PHI agree to the same restrictions and conditions.
  • Returning or securely destroying PHI upon termination of the agreement, where feasible.

If you are a customer who requires a BAA, please contact us at hipaa@atlascaresoftware.com to initiate the process.

4. Administrative Safeguards

We maintain comprehensive administrative safeguards to protect PHI, including:

  • Security Management Process: We conduct regular, comprehensive risk analyses to identify potential threats and vulnerabilities to PHI. Risk mitigation measures are documented, implemented, and tracked to completion.
  • Workforce Security: All employees and contractors undergo background checks before being granted access to systems containing PHI. Access is granted based on the minimum necessary standard and job function requirements.
  • Security Awareness and Training: All workforce members complete HIPAA training upon hire and annually thereafter. Additional training is provided when policies change or when security incidents occur.
  • Incident Response: We maintain a documented security incident response plan that includes procedures for identifying, containing, mitigating, and reporting security incidents involving PHI.
  • Contingency Planning: We maintain data backup, disaster recovery, and emergency mode operation plans to ensure the availability of PHI during emergencies or system failures.

5. Technical Safeguards

We implement robust technical safeguards to ensure the confidentiality, integrity, and availability of PHI:

  • Encryption at Rest: All PHI stored in our systems is encrypted using AES-256 encryption. Database fields containing sensitive health information are encrypted at the application level in addition to volume-level encryption.
  • Encryption in Transit: All data transmitted between your devices and our servers is encrypted using TLS 1.2 or higher. API communications are secured with mutually authenticated TLS connections.
  • Access Controls: We enforce role-based access controls (RBAC) with the principle of least privilege. Multi-factor authentication (MFA) is required for all administrative access and is available for all user accounts. Unique user identifiers ensure individual accountability.
  • Audit Logs: We maintain comprehensive audit logs that record all access to PHI, including who accessed the data, when, and what actions were performed. Audit logs are tamper-resistant, retained for a minimum of six years, and regularly reviewed for unauthorized access patterns.
  • Automatic Session Management: User sessions are automatically terminated after a configurable period of inactivity to prevent unauthorized access to unattended workstations.
  • Integrity Controls: We implement mechanisms to verify that PHI has not been altered or destroyed in an unauthorized manner, including checksums and digital signatures for data at rest and in transit.

6. Physical Safeguards

Our infrastructure is hosted in data centers covered by SOC 2 Type II attestation reports that provide enterprise-grade physical security, including:

  • 24/7 on-site security personnel with multi-layer access controls including biometric authentication.
  • Video surveillance and intrusion detection systems at all facility entry points.
  • Environmental controls including fire suppression, climate control, and redundant power systems with uninterruptible power supplies and backup generators.
  • Controlled access to hardware and media containing PHI, with documented procedures for the disposal and reuse of electronic media.
  • Geographic redundancy across multiple data center facilities to ensure business continuity.

7. Breach Notification

In the event of a breach of unsecured PHI, we follow the breach notification requirements outlined in the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) and the HITECH Act:

  • Discovery and Investigation: Upon discovering a potential breach, we immediately initiate an investigation to determine the nature and scope of the incident, identify the individuals affected, and assess the risk of harm.
  • Notification to Customers: We will notify affected customers (Covered Entities) without unreasonable delay, and no later than 30 days after discovery of a breach. Notification will include a description of the breach, the types of PHI involved, steps taken to mitigate harm, and recommendations for individuals to protect themselves.
  • Cooperation with Covered Entities: We will assist our customers in fulfilling their own breach notification obligations to affected individuals, the U.S. Department of Health and Human Services (HHS), and, where applicable, the media.
  • Documentation and Remediation: All breach incidents are documented, including the facts of the breach, the root cause analysis, and corrective actions taken. We use lessons learned to strengthen our security posture and prevent future incidents.

8. Minimum Necessary Standard

We apply the HIPAA minimum necessary standard to all uses, disclosures, and requests for PHI. This means we limit the PHI we access, use, or disclose to the minimum amount reasonably necessary to accomplish the intended purpose. Our role-based access controls ensure that workforce members can access only the PHI needed to perform their specific job functions.

9. Your Rights Under HIPAA

If you are an individual whose PHI is processed through our platform, you have certain rights under HIPAA. These rights are exercised through the Covered Entity (the home care agency) that maintains your health information. Your rights include:

  • Right of Access: You have the right to inspect and obtain a copy of your PHI maintained by the Covered Entity.
  • Right to Amendment: You have the right to request that the Covered Entity amend your PHI if you believe it is inaccurate or incomplete.
  • Right to an Accounting of Disclosures: You have the right to receive a list of certain disclosures of your PHI made by the Covered Entity or its Business Associates.
  • Right to Request Restrictions: You have the right to request restrictions on certain uses and disclosures of your PHI, although the Covered Entity is not required to agree to all requests.
  • Right to Confidential Communications: You have the right to request that the Covered Entity communicate with you about your health information through alternative means or at alternative locations.
  • Right to File a Complaint: If you believe your privacy rights have been violated, you have the right to file a complaint with the Covered Entity or directly with the U.S. Department of Health and Human Services, Office for Civil Rights.

As a Business Associate, we will cooperate with the Covered Entity to facilitate the exercise of these rights where our assistance is required.

10. Subcontractors

We require all subcontractors who create, receive, maintain, or transmit PHI on our behalf to enter into Business Associate Agreements with us. These agreements impose the same restrictions on the use and disclosure of PHI that apply to us. We conduct due diligence on subcontractors before engaging them and monitor their compliance on an ongoing basis.

11. Contact Our Privacy Officer

If you have questions about this HIPAA Notice, our compliance program, or wish to report a potential privacy or security concern, please contact our Privacy Officer:

Atlas Labs LLC

Privacy Officer

Email: hipaa@atlascaresoftware.com

For general privacy inquiries not related to HIPAA, please refer to our Privacy Policy.