HIPAA-aware operations and secure client workflows.
OrvexHealth supports medical practices with operational services that may involve sensitive business or healthcare information. This page explains our approach to HIPAA-aware workflows, protected health information boundaries, and secure client communication expectations.
1. Purpose of This Page
OrvexHealth provides healthcare operations support to medical practices. The services we deliver may involve workflows that touch sensitive business or healthcare information belonging to our clients. This page explains our approach to HIPAA-aware workflows, the boundaries around protected health information (PHI), and what clients and prospective clients can expect regarding secure communication and data handling.
2. Business Associate Context
When OrvexHealth performs services for a covered entity or other regulated healthcare organization and those services require handling PHI on that client's behalf, OrvexHealth may function as a business associate as defined under HIPAA.
Where a business associate relationship exists, that relationship should be formalized through a Business Associate Agreement (BAA) executed between OrvexHealth and the client prior to the exchange of PHI. Clients who require a BAA should raise this as part of the engagement discussion.
3. Do Not Submit PHI Through Website Forms
General website contact and inquiry forms are not designed or intended to receive PHI.
Do not submit the following through website contact, inquiry, or careers forms:
- Patient records or medical histories
- Clinical notes or documentation
- Insurance details, payer information, or claim-level data
- Social Security numbers or government identification numbers
- Any other information that constitutes PHI under HIPAA
If your inquiry requires sharing sensitive information, please indicate that in your message, and our team will establish an appropriate secure channel before any such information is exchanged.
4. Secure Channels for Client Work
PHI and sensitive operational data involved in client services should be exchanged only through approved secure channels. Depending on the engagement, this may include encrypted file transfer methods, secure client portals, client-approved EHR or practice management system access, or other workflows agreed upon in writing. Our team will coordinate the appropriate secure access or transfer method before sensitive information is shared.
5. Data Security Approach
OrvexHealth supports reasonable administrative, technical, and organizational safeguards designed to protect client information. Our approach includes the following practices:
- Role-based access practices that limit access to client information to team members who need it to perform their work
- Limited access to PHI and sensitive client data based on job function and engagement scope
- Secure communication expectations for internal and client-facing team members
- Workforce confidentiality expectations communicated to team members involved in client work
- Documentation and workflow controls designed to support accountability
- Incident escalation processes for potential privacy or security concerns
No system or safeguard is perfect. We work to maintain reasonable security practices consistent with the nature of the services we provide, but we do not represent that our safeguards are infallible or that all risks can be eliminated.
6. Minimum Necessary Approach
OrvexHealth aims to access and use only the information reasonably necessary to perform the services agreed upon with a client. We do not request or retain more client information than is needed for the scope of work in place. Clients should share access and information in alignment with this minimum necessary principle, granting access appropriate to the specific tasks being performed.
7. Client Responsibilities
Clients who are covered entities or business associates under HIPAA retain primary responsibility for their own HIPAA compliance program. OrvexHealth's support does not replace or satisfy a client's independent compliance obligations. Clients are responsible for:
- Maintaining their own internal HIPAA compliance policies and procedures
- Managing system access permissions and workforce training within their organization
- Determining what information may be appropriately shared with OrvexHealth under applicable agreements
- Conducting their own risk assessments and compliance reviews as required
- Ensuring that any BAA in place with OrvexHealth accurately reflects the services being provided
8. Candidate Submissions
Individuals submitting applications or inquiries through our careers forms should not include patient information, PHI, or confidential client data from previous or current employers in their submissions. Careers forms are intended only for personal professional information relevant to the candidate's application.
9. Incident or Security Concerns
If you are an OrvexHealth client and become aware of a potential privacy or security incident involving information shared with OrvexHealth, or if you have concerns about how information is being handled, please report it to us promptly at info@orvexhealth.com. Early reporting helps us respond appropriately and minimize potential impact.
10. Contact
For questions about our data security practices or to discuss a Business Associate Agreement, please contact us at info@orvexhealth.com.
Informational notice: This page is provided for general informational purposes and does not replace a Business Associate Agreement, client-specific security procedures, or legal advice. Clients and prospective clients with specific compliance questions should consult qualified legal or compliance counsel.