Healthcare Provider? Request Your BAA Today.
All Covered Entities using IntakeAccess.ai must execute a Business Associate Agreement before accessing PHI. Request yours in minutes.
Request a BAA — compliance@intakeaccess.ai
Our HIPAA Compliance Commitment
IntakeAccess.ai is built from the ground up as a HIPAA-compliant AI healthcare platform. We handle Protected Health Information (PHI) on behalf of Covered Entities — including hospitals, clinics, SNFs, private practices, and FQHCs — and operate as a Business Associate under HIPAA (45 C.F.R. §§ 160–164).
Our compliance program encompasses the full scope of HIPAA's requirements: the Privacy Rule, the Security Rule, the Breach Notification Rule, and the administrative, technical, and physical safeguard standards of the HITECH Act. We do not treat HIPAA compliance as a checkbox — it is embedded in every layer of our platform architecture, operational processes, and workforce culture.
- PHI encrypted at rest (AES-256 on AWS) and in transit (TLS 1.3)
- AWS HIPAA Eligible infrastructure with executed AWS BAA
- RCM claims data (837P, 837I) encrypted in transit to Stedi
- MDS assessment data submitted to iQIES/HARP on facility behalf
- Business Associate Agreements (BAAs) with all subcontractors handling PHI including Stedi, Hathr AI, Comp AI, Doesspot
- Mandatory multi-factor authentication for all Provider accounts
- Role-based access controls enforcing least-privilege principle
- Complete audit logging of all PHI access (6-year retention)
- Automatic 15-minute session timeouts platform-wide
- 24/7 security monitoring via AWS GuardDuty and CloudTrail
- Annual third-party risk assessments and penetration testing
- Documented Breach Notification Policy with 60-day notification guarantee
- AWS HIPAA-compliant infrastructure with SOC 2 Type II certification
- No upcoding commitment: We do not submit codes that reflect higher reimbursement than warranted
- Regular billing audits: Internal audits ensure coding and billing accuracy
- No patient referrals: Platform does not refer individuals to healthcare providers
HIPAA Security Rule Safeguards
The HIPAA Security Rule (45 C.F.R. §§ 164.302–164.318) requires covered entities and business associates to implement three categories of safeguards. We implement all required and addressable specifications:
Technical Safeguards
AES-256 at rest (AWS), TLS 1.3 in transit, MFA, RBAC, session timeouts, audit controls, PHI access logging, 2FA patient portal, AWS CloudTrail, AWS WAF/Shield
Administrative Safeguards
Designated Security Officer, workforce training, risk analysis, risk management, BAA program, sanction policies, contingency planning, annual HIPAA risk assessment
Physical Safeguards
AWS HIPAA-eligible data centers (US East/West only), VPC with private subnets, facility access controls, workstation security policies, device and media controls, biometric access
Technical Safeguards — Detail
- Access Control (§ 164.312(a)(1)): Unique user identification, automatic logoff (15 min), encryption and decryption of PHI at rest (AES-256 on AWS) and in transit (TLS 1.3). Role-based access control (RBAC) with least-privilege enforcement.
- Audit Controls (§ 164.312(b)): Hardware, software, and procedural mechanisms to record and examine activity in information systems containing PHI. All access events are logged with user identity, timestamp, data accessed, IP address, and action type. AWS CloudTrail monitors infrastructure access. Logs are retained for 6 years.
- Integrity Controls (§ 164.312(c)(1)): Electronic mechanisms to confirm PHI has not been improperly altered or destroyed. AWS S3 versioning and backup integrity checks.
- Transmission Security (§ 164.312(e)(1)): TLS 1.3 encryption for all PHI transmitted electronically. Email containing PHI transmitted via encrypted channels through BAA-covered providers only. Stedi EDI transmissions encrypted for claims data (837P, 837I).
- Authentication (§ 164.312(d)): MFA required for all Provider/Facility accounts; 2FA required for all patient portal and family portal sessions. AWS IAM for infrastructure access.
Administrative Safeguards — Detail
- Security Management Process (§ 164.308(a)(1)): Annual risk analysis identifying threats and vulnerabilities to PHI, including RCM claims data and MDS assessments. Risk management plan with documented mitigation measures. Quarterly security reviews.
- Security Personnel (§ 164.308(a)(2)): Designated HIPAA Security Officer responsible for policy development, incident response, and compliance oversight. Dedicated Privacy Officer for patient rights.
- Workforce Training (§ 164.308(a)(5)): All workforce members with PHI access receive HIPAA training upon hire and annually thereafter. RCM-specific billing compliance training for claims processing staff.
- Contingency Planning (§ 164.308(a)(7)): Data backup, disaster recovery, and emergency mode operation plans. Recovery Point Objective (RPO) < 15 minutes; Recovery Time Objective (RTO) < 4 hours. Plans tested annually.
- Business Associate Contracts (§ 164.308(b)): BAAs executed with all subcontractors and vendors prior to PHI access, including Stedi, AWS, Twilio, Stripe, SendGrid, Hathr AI, Comp AI, Doesspot, and iQIES/HARP (CMS).
- Security Incident Response (§ 164.308(a)(6)): Documented incident response plan with 24/7 security monitoring via AWS GuardDuty and CloudTrail. Security incident response team on call.
RCM & Claims Data Security
- Claims Data (837P, 837I): Encrypted during transmission to Stedi via TLS 1.3. Stedi maintains SOC 2 Type II certification and HIPAA compliance.
- MDS Assessments: Submitted to iQIES/HARP via encrypted CMS channels. Data encrypted at rest on AWS.
- ERA Enrollment Data: Shared only with authorized payers per facility authorization. Encrypted in transit.
- Payment Data (Stripe): Stripe handles payment data under its BAA. IntakeAccess.ai never stores full payment credentials.
- PTAN/CCN/Facility IDs: Stored encrypted with restricted access to authorized RCM personnel only.
Business Associate Agreements (BAAs)
Under HIPAA, when a Business Associate handles PHI on behalf of a Covered Entity, a signed BAA is mandatory. IntakeAccess.ai maintains BAAs in two directions:
BAAs We Execute with Covered Entities (Our Customers)
Any healthcare provider, hospital, clinic, SNF, or other Covered Entity using IntakeAccess.ai must execute a BAA with us. We offer a standard BAA that meets all HIPAA requirements. Enterprise customers may negotiate terms through the Order Form process.
To request a BAA: Email compliance@intakeaccess.ai with subject line "BAA Request." We will provide the agreement within 3 business days. A signed BAA must be on file before any PHI flows through the Platform.
BAAs We Execute with Our Subcontractors
| Subcontractor | Role | BAA Status |
|---|---|---|
| Stedi | Claims submission, prior auth, ERA enrollment | ✓ BAA Executed |
| Hathr AI | Healthcare AI for prior auth and RCM predictions | ✓ BAA Executed |
| Comp AI | AI-powered clinical documentation and templates | ✓ BAA Executed |
| Doesspot | E-prescribing (EPCS for controlled substances) | ✓ BAA Executed |
| Twilio | SMS, video, secure messaging | ✓ BAA Executed |
| Firebase / Google Cloud | Database, hosting, authentication | ✓ BAA Executed |
| Stripe | Payment processing | ✓ BAA Executed |
| EDI Partners | Claims, prior auth, insurance verification | ✓ BAA Executed |
| SendGrid | Email communications | ✓ BAA Executed |
| AWS | HIPAA-eligible cloud infrastructure | ✓ BAA Executed |
| iQIES/HARP (CMS) | MDS assessment submissions | ✓ CMS System |
Breach Notification Policy
IntakeAccess.ai maintains a documented Breach Notification Policy in full compliance with the HIPAA Breach Notification Rule (45 C.F.R. §§ 164.400–164.414) and the HITECH Act. Our policy covers detection, risk assessment, notification, and post-incident remediation for all PHI, including RCM claims data and MDS assessments.
Breach Definition & Exceptions
For purposes of this policy, a "Breach" means the unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises the security or privacy of the PHI. Exceptions include:
- Unintentional acquisition, access, or use by workforce members acting within their scope of duties
- Inadvertent disclosures to authorized persons within the same facility/organization
- Disclosures where there is a low probability PHI has been compromised (four-factor risk assessment applied)
Breach Scenarios Specific to IntakeAccess.ai
- Claims Data Breach: Unauthorized access to claims data (837P, 837I) submitted via Stedi
- MDS Data Breach: Unauthorized access to MDS assessment data submitted to iQIES/HARP
- RCM Data Breach: Unauthorized access to PTAN, CCN, Facility ID, or ERA enrollment data
- Third-Party Vendor Breach: Security incident at Stedi, AWS, Twilio, Stripe, SendGrid, Hathr AI, Comp AI, or Doesspot affecting IntakeAccess.ai PHI
- Family Portal Breach: Unauthorized access to patient PHI via family member account compromise
- API Breach: Unauthorized access via API endpoints (claims API, prior auth API, MDS API)
- Workforce Breach: Unauthorized access by employee outside scope of duties
- Credential Compromise: Unauthorized access using compromised provider, facility, or patient credentials
Breach Response Timeline
- T+0 (Discovery): Immediate containment and isolation of affected systems or data. Security incident logged and escalated to HIPAA Security Officer. For third-party vendor breaches, vendor must notify IntakeAccess.ai within 5 business days.
- T+1–7 (Risk Assessment): Four-factor risk assessment conducted — nature of PHI involved (including claims or MDS data), unauthorized persons involved, likelihood PHI was acquired/viewed, and extent to which risk has been mitigated.
- T+7–30 (Determination): Formal breach/non-breach determination. If breach confirmed, notifications are prepared.
- Within 60 days (Individual Notification): Affected individuals notified by first-class mail (or email if authorized). Notice includes: description of the breach, types of PHI involved (including specific RCM or MDS data if applicable), steps individuals should take, steps IntakeAccess.ai is taking, and contact information.
- Within 60 days (HHS/OCR): HHS notified for breaches of 500+ individuals simultaneously with individual notification. Smaller breaches logged and reported annually.
- Media Notification: Breaches affecting 500+ residents of a state reported to prominent state media within 60 days.
- Covered Entity Notification: Where acting as a Business Associate, affected Covered Entity notified without unreasonable delay and within 60 days. Facilities using RCM services receive additional notification of claims or MDS data breaches.
- CMS & Payer Notification: For breaches involving Medicare/Medicaid claims data or MDS assessments, CMS Regional Office notified within 1 business day (500+ individuals) and Medicare Administrative Contractor (MAC) notified within 5 business days.
Third-Party Vendor Breach Protocol
If a Business Associate (Stedi, AWS, Twilio, Stripe, SendGrid, Hathr AI, Comp AI, Doesspot) experiences a breach affecting IntakeAccess.ai PHI:
- Vendor must notify IntakeAccess.ai within 5 business days of discovery (contractually required)
- IntakeAccess.ai conducts independent four-factor risk assessment
- IntakeAccess.ai responsible for patient/facility notification within 60 days of vendor notification
- Vendor remediation and corrective action plan required
- IntakeAccess.ai may terminate vendor relationship for uncured breaches
Facility Responsibility for Breach Response
Facilities using IntakeAccess.ai RCM, claims, or MDS services remain responsible for:
- Notifying patients of breaches originating from facility side (e.g., facility credential compromise, facility employee misconduct)
- Cooperating with IntakeAccess.ai breach investigations
- Providing accurate contact information for affected patients
- Maintaining their own breach documentation for CMS compliance
- Reporting suspected fraud to CMS OIG as required by law
Breach Documentation & Retention
For each breach (including those determined to have low probability of compromise), IntakeAccess.ai maintains documentation including:
- Date of breach discovery
- Description of PHI involved (including claims, MDS, or RCM data types)
- Steps taken to investigate and mitigate
- Risk assessment findings
- Notifications sent (with copies)
- Remediation actions taken
- Documentation retained for 6 years from breach discovery (HIPAA Security Rule § 164.312(b))
Audit, Monitoring & Risk Assessment
Continuous Monitoring
- 24/7 automated security monitoring of all platform systems and PHI access events, including RCM claims data and MDS assessments
- AWS CloudTrail monitoring for all infrastructure access and API calls
- AWS GuardDuty for intelligent threat detection and continuous security monitoring
- Anomaly detection for unusual access patterns, bulk data downloads, and unauthorized access attempts
- Real-time alerting for potential security incidents (email, SMS, PagerDuty escalation)
- All audit log entries include: user ID, timestamp, IP address, action type, data accessed (including specific claims or MDS records), and outcome
- Stedi transaction monitoring for claims submission anomalies
- iQIES/HARP submission logging for MDS assessment tracking
Billing Accuracy & Anti-Upcoding Audits
- Claims Coding Audits: Regular internal audits of claims submissions (837P, 837I) to verify coding accuracy and detect potential upcoding
- MDS Assessment Audits: Review of MDS submissions for accuracy and CMS RAI Manual compliance
- Documentation Review: Periodic review of claim documentation against submitted codes
- Corrective Action: Audit findings documented with corrective action plans; voluntary refunds issued where overpayments identified
- Audit Log Retention: All billing audit findings retained for 7 years (False Claims Act statute of limitations)
Periodic Assessments
- Annual Risk Analysis: Comprehensive assessment of threats, vulnerabilities, and impact to PHI confidentiality, integrity, and availability, including RCM claims data and MDS assessments
- Annual Penetration Testing: Independent third-party penetration testing of all production systems, including RCM API endpoints and claims submission interfaces
- Annual Third-Party Risk Assessments: Review of all Business Associates and subcontractors' security posture including Stedi, AWS, Twilio, Stripe, SendGrid, Hathr AI, Comp AI, Doesspot
- Quarterly Security Reviews: Internal review of access controls, workforce compliance, policy updates, and RCM data access patterns
- BAA Renewal Reviews: Annual review of all BAA terms against current HIPAA requirements
- SOC 2 Type II Review: Annual review of AWS SOC 2 Type II report and Stedi SOC 2 certification
Audit Log Retention
All PHI access audit logs are retained for a minimum of 6 years from the date of creation, as required by the HIPAA Security Rule (§ 164.312(b)) and the general documentation retention standard (§ 164.530(j)). Claims and MDS submission logs are retained for 10 years per CMS requirements (42 C.F.R. § 422.504(d)).
Third-Party Vendor Audits
- Stedi: SOC 2 Type II certification reviewed annually; claims processing logs audited quarterly
- AWS: SOC 2 Type II, HIPAA attestation, and ISO 27001 certifications reviewed annually
- Twilio/Stripe/SendGrid: Security posture reviewed via third-party assessments and SOC reports
- Hathr AI / Comp AI / Doesspot: HIPAA compliance and BAA adherence verified annually
- Vendor Audit Rights: IntakeAccess.ai reserves the right to audit any Business Associate's security controls upon reasonable notice or following a security incident
Compliance Reporting
- Facility Audit Reports: Facilities may request audit logs of their own claims and PHI access (Section 10 - Right of Access)
- CMS Audit Cooperation: IntakeAccess.ai provides full cooperation with CMS, OIG, MAC, and UPIC audits, including claims data access and submission logs
- HHS OCR Investigations: Full cooperation with HHS Office for Civil Rights investigations
- Annual Compliance Report: Internal compliance report prepared for leadership and board review
HIPAA Privacy Rule Compliance
IntakeAccess.ai complies with the HIPAA Privacy Rule (45 C.F.R. Part 164, Subpart E) governing the use and disclosure of Protected Health Information (PHI), including RCM claims data, MDS assessments, and mental health records:
Core Privacy Rule Standards
- Minimum Necessary Standard: PHI is accessed and disclosed only to the minimum extent necessary for the specified purpose. RCM claims data is limited to required billing elements. MDS assessments include only CMS-required fields.
- Notice of Privacy Practices: Patients receive a Notice of Privacy Practices (incorporated into our Privacy Policy) describing uses, disclosures, and patient rights. Available electronically and in paper format upon request.
- TPO Disclosures: PHI may be used for Treatment, Payment, and Healthcare Operations without separate patient authorization. RCM services are considered Payment activities. MDS submissions are Healthcare Operations for SNFs.
- Authorization-Required Disclosures: All other disclosures (e.g., marketing, research, employer requests, life insurance) require written patient authorization. Psychotherapy notes require specific authorization separate from general PHI.
- Patient Rights Implementation: Platform supports all HIPAA patient rights — access, amendment, accounting of disclosures, restriction requests, and confidential communications (see Section 10 of Privacy Policy).
- Marketing Prohibition: PHI is never used for marketing without explicit patient authorization. No PHI shared with third parties for marketing purposes.
- Sale of PHI: PHI is never sold under any circumstances. This prohibition is absolute and contractually enforced with all Business Associates.
RCM & Claims Data Privacy
- Claims Data Use Limited to Payment: Claims data (837P, 837I) used solely for submission to payers, ERA enrollment, and denial management per facility authorization
- MDS Assessment Privacy: MDS data submitted to iQIES/HARP for CMS compliance only. Not used for any other purpose.
- PTAN/CCN/Facility ID Protection: Facility billing identifiers stored encrypted with restricted access to authorized RCM personnel only
- ERA Enrollment Data: Payer enrollment data shared only with authorized payers per facility written authorization (CMS-588 form)
- No RCM Data for Marketing: RCM data never used for marketing, analytics, or any purpose beyond authorized billing
AI & PHI Privacy — 35+ Features
- AI Feature Disclosure: IntakeAccess.ai provides 35+ AI-powered features including: AI Staff Scheduling, AI Bed Management, AI Walk-In Management, AI Medication Management, AI Meals & Activities, AI Assistant, AI PAC Management (Post-Acute Care), AI Referral Management, AI Medicaid Center, AI Inventory Management, AI Order Management, Chemotherapy Order Sets, Lab Monitoring Protocol, Tumor Registry, eMAR (Electronic Medication Administration Record), MDS Assessments, Progress Notes, Clinical Trial Enrollment, Survivorship Care Plan, Claims Management, EHR Integration, AI Specialty Templates (50+ specialties), Telemedicine Suite, Telepsychiatry Suite (including virtual meetings, group therapy, and group management), AI Appointments Management, Patient Portal, Family Portal, MCO Cards, Onboarding, Audit Logs (AI anomaly detection), Support Center (AI chat), Security Center (AI threat detection), Trust Center (AI compliance monitoring), and Facility Billing/RCM (claims + facility billing).
- AI Processing Transparency: When AI processes PHI for any of the above features, patients are notified through provider disclosure, portal notice, or feature-specific consent. AI processing includes: analyzing staffing needs and shift schedules, predicting bed availability and occupancy, prioritizing walk-in patients and estimating wait times, checking medication interactions and reconciliation, recommending meals and activities based on patient data, responding to AI Assistant queries, coordinating post-acute care transitions, matching referrals with specialists, verifying Medicaid eligibility and coverage, predicting inventory needs and reorder alerts, suggesting order sets and protocols, managing chemotherapy order safety, flagging abnormal lab results, assisting tumor registry data abstraction, tracking eMAR medication administration, coding MDS assessments and calculating RUG scores, drafting progress notes, matching patients to clinical trials, generating survivorship care plans, processing claims (837P, 837I) with AI predictions, integrating EHR data bidirectionally, applying 50+ specialty documentation templates, facilitating telemedicine and telepsychiatry virtual visits, detecting appointment no-show risks, scanning MCO cards for insurance data, guiding facility onboarding workflows, detecting audit anomalies and suspicious access patterns, providing AI chat support responses, monitoring security threats and incidents, generating trust center compliance reports, and managing full RCM billing operations.
- No Solely Automated Decision-Making: IntakeAccess.ai does not engage in solely automated decision-making that significantly affects patients. All AI outputs across all 35+ features are assistive only and require human provider, clinician, or facility staff review before any clinical, billing, or operational action is taken.
- AI Training Opt-Out: PHI is not used for AI model training without explicit patient authorization. De-identified data meeting HIPAA Safe Harbor standard (45 C.F.R. § 164.514(b)) may be used for model improvement. Patients may opt out of AI training using their PHI by contacting privacy@intakeaccess.ai. Opt-out requests processed within 30 days.
- RCM AI Privacy: AI-driven claim predictions, denial risk scores, reimbursement estimates, and prior authorization predictions do not guarantee approval. Facility retains full responsibility for all claim accuracy. AI-processed claims data is not used for any purpose beyond authorized billing.
- MDS AI Privacy: AI-assisted MDS coding, RUG calculation, and CMS compliance suggestions are assistive only. Facility retains full responsibility for MDS accuracy and CMS compliance. AI-processed MDS data submitted to iQIES/HARP for CMS purposes only.
- Telepsychiatry AI Privacy: AI-assisted mental health assessments (PHQ-9, GAD-7, MDQ), crisis detection alerts, and group therapy management are assistive only. Provider retains full clinical responsibility. AI does not diagnose, treat, or make clinical recommendations independently.
- Security & Audit AI Privacy: AI anomaly detection in Audit Logs, Security Center, and Trust Center flags suspicious patterns, access anomalies, and compliance risks but does not guarantee breach identification. Facility retains responsibility for independent security incident response and compliance verification.
Family Portal & Patient-Controlled Access
- Granular Patient Control: Patients control family member access through Patient Portal settings and can authorize access to clinical data, billing data, or both
- Revocable at Any Time: Patients may revoke family member access at any time, without cause and without notice to the family member
- Access Logs: Patients may request logs of family member access to their PHI (Section 10 - Accounting of Disclosures)
- No Family Access Without Authorization: Family members cannot access PHI without patient's explicit written authorization through the Patient Portal
- Mental Health Restrictions: For mental health records (where state law permits), patients may restrict family access even if authorized for other data types
Special Privacy Protections
- Mental Health Records: PHQ-9, GAD-7, MDQ results, telepsychiatry session notes, virtual meeting recordings, group therapy participant lists, and crisis assessments receive heightened protection. Disclosure requires separate authorization except for treatment, payment, or safety exceptions.
- Substance Use Disorder Records (42 C.F.R. Part 2): Where applicable, Part 2 records receive additional confidentiality protections and require specific patient consent for disclosure.
- Reproductive Health Information: Compliance with applicable state laws restricting disclosure of reproductive health information without patient authorization.
- Genetic Information: GINA compliance — genetic information not used for underwriting or employment decisions.
Business Associate Privacy Obligations
- BAA Required for All PHI Access: No subcontractor accesses PHI without executed BAA
- Stedi Privacy Compliance: Claims data processed under Stedi's HIPAA-compliant infrastructure with BAA
- AWS Privacy Compliance: PHI stored on AWS HIPAA Eligible services with AWS BAA
- Hathr AI / Comp AI / Doesspot Privacy: AI and e-prescribing services operate under BAAs
- Vendor Privacy Audits: Annual review of Business Associate privacy practices
Anti-Upcoding & Billing Accuracy Commitment
IntakeAccess.ai expressly commits to the following billing and coding compliance standards to align with the federal Anti-Kickback Statute (42 U.S.C. § 1320a-7b(b)) and Stark Law personal services safe harbor (42 C.F.R. § 411.357(d)):
Our Commitments
- No Upcoding: We will not upcode any services (i.e., will not submit codes that reflect higher reimbursement than warranted by documented services). All claims submitted through the Platform reflect accurate coding based on documentation provided by the Facility.
- Regular Audits: We conduct regular internal audits of claims submissions to ensure services are coded and billed accurately. Audit findings are documented and corrective actions implemented as needed.
- No Referrals: We do not and will not, directly or indirectly, refer individuals to any healthcare provider for services. The Platform is a technology and billing tool only and does not engage in patient referral or steering practices.
- Billing & Coding Exclusion: Our RCM services are limited to claims submission, ERA enrollment, denial management, and payment posting. Clinical coding, medical necessity determinations, and documentation accuracy remain the sole responsibility of the Facility.
- Audit Cooperation: We cooperate fully with Facility audits, CMS audits, OIG investigations, and MAC reviews related to billing and coding accuracy.
Contact Our Compliance Team
INTAKEACCESS.AI LLC
DBA: IntakeAccess Health Solutions
181 W Valley Ave STE 245-1742
Birmingham, AL 35209
For all HIPAA compliance inquiries, BAA requests, breach reports, and regulatory questions:
- Compliance Email: compliance@intakeaccess.ai
- Security Incidents: security@intakeaccess.ai
- Privacy Rights: privacy@intakeaccess.ai
- Legal: legal@intakeaccess.ai
- Phone: 205-855-4545
- Website: https://intakeaccess.ai