Privacy Policy
Staffing For Doctors – HIPAA Compliance Policies and Procedures
Introduction: Staffing For Doctors is committed to full compliance with the Health Insurance Portability and Accountability Act (HIPAA) as it applies to our role as a virtual healthcare staffing company. Our virtual assistants (VAs) access clients’ electronic health record (EHR) systems to perform scheduling, billing, documentation, and related services. All protected health information (PHI) handled by our workforce is stored and maintained on client-managed cloud systems; Staffing For Doctors does not host or permanently transmit PHI on its own systems. However, as a Business Associate, we implement all required administrative, physical, and technical safeguards to protect the privacy and security of any PHI our workforce accesses, and we adhere to the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule in all operations. Daniel Nabavi serves as the designated HIPAA Privacy Officer and Security Officer for Staffing For Doctors, responsible for overseeing the implementation of these policies.
The following policy documents detail our HIPAA-compliant practices:
1. HIPAA Privacy Policy
Defines appropriate use/disclosure of PHI
Outlines minimum necessary access, safeguards, and staff responsibilities
Establishes workforce training and incident reporting expectations
2. HIPAA Security Policy
Covers administrative, physical, and technical safeguards
Includes risk assessment practices, device security, access control, and encryption
Describes secure remote work, contingency planning, and monitoring procedures
3. Breach Notification Policy
Provides procedures for identifying, investigating, and notifying clients of PHI breaches
Describes timing, coordination with clients, and content of notifications
Covers documentation and remediation steps for compliance and prevention
4. Workforce HIPAA Training Policy
Requires initial and annual training for all staff with PHI access
Details delivery formats, assessments, and documentation of participation
Outlines training content including Privacy, Security, Breach, and device policies
5. Device and Remote Work Security Policy
Specifies security controls for BYOD (e.g., encryption, firewall, AV)
Requires secure home Wi-Fi, VPN usage, privacy screens, and physical safeguards
Establishes responsibilities around Hubstaff monitoring, reporting, and compliance
6. Sanction Policy
Outlines progressive discipline for HIPAA policy violations
Includes real-world examples of violations and expected actions
Reaffirms fairness, documentation, and non-retaliation principles
7. Business Associate Management Policy
Describes BAA execution and maintenance with clients and subcontractors
Covers Hubstaff as a monitored subcontractor under BAA
Reiterates our responsibilities as a Business Associate under HIPAA
8. Risk Assessment and Management Policy
Documents annual and incident-triggered risk assessments
Uses a matrix to identify, evaluate, and mitigate threats
Aligns with HIPAA Security Rule and NIST best practices for healthcare
Compliance Framework: These policies are updated annually or upon major regulatory or operational changes. All documentation is retained for a minimum of six years. Policies are aligned with standards published by:
U.S. Department of Health & Human Services (HHS.gov)
NIST SP 800-30, NIST Cybersecurity Framework
Relevant legal advisory firms (e.g., Buchalter.com, EssentialAccess.org)
Client Assurance: By publishing these policies on our website, Staffing For Doctors confirms our proactive commitment to HIPAA compliance. We welcome client audits, provide signed BAAs, and maintain training and breach logs available upon request.
Contact: For HIPAA compliance inquiries or documentation requests, please contact Daniel Nabavi, Privacy & Security Officer, at danny@staffingfordoctors.com.
1. HIPAA Privacy Policy
Purpose: This policy establishes how Staffing For Doctors protects the privacy of PHI in compliance with the HIPAA Privacy Rule. It defines proper use and disclosure of PHI by our workforce and ensures appropriate safeguards are in place to maintain the confidentiality of patient information.
Scope: This Privacy Policy applies to all Staffing For Doctors workforce members (employees and contractors, including all virtual assistants) who handle or have access to PHI through client EHR systems. It covers all PHI in any form (electronic, paper, or oral) that our company may receive, create, or encounter on behalf of our healthcare provider clients. All activities performed for clients involving PHI – such as scheduling, billing, documentation, and communications – are within the scope of this policy. Since PHI is not stored on Staffing For Doctors’ own systems, our role is primarily that of accessing and using PHI within client-controlled environments under strict privacy safeguards.
Policy Statements:
Designation of Privacy Official: Staffing For Doctors designates Daniel Nabavi as the HIPAA Privacy Officer. The Privacy Officer is responsible for the development, implementation, and oversight of privacy policies and procedures, training of the workforce on privacy requirements, and serving as the point of contact for any privacy concerns or inquiries.
Permitted Uses and Disclosures: Workforce members shall use or disclose PHI only as permitted or required for the purpose of providing services to the client (the covered entity) and in accordance with HIPAA and the Business Associate Agreement (BAA) with that client. Under no circumstances may PHI be accessed, used, or disclosed for any purpose outside the scope of our services (e.g. personal use, marketing, etc.) without explicit authorization and compliance with HIPAA. We will not use or further disclose PHI other than as allowed by our contracts or as required by law. In particular, any use or disclosure of PHI for our company’s own purposes (such as data analysis, research, or marketing) is strictly prohibited. If a workforce member is uncertain whether a particular use or disclosure is permitted, they must consult the Privacy Officer before proceeding.
Minimum Necessary Standard: In performing services, workforce members must access and use only the minimum necessary PHI required to accomplish the assigned task or purpose, consistent with HIPAA’s minimum necessary rule. For example, virtual assistants should view only the specific patient records needed to schedule an appointment or process a billing request, rather than broad or unnecessary data. By policy, our systems and procedures are designed to limit PHI access to job-specific needs. If a workforce member receives a request for PHI that seems beyond what is necessary, they should consult the Privacy Officer and the client for guidance. All disclosures of PHI (other than those that are authorized by the individual or otherwise required by law) will be limited to the minimum information necessary to achieve the purpose of the disclosure.
Safeguards to Protect Privacy: Staffing For Doctors maintains appropriate administrative, technical, and physical safeguards to protect the privacy of PHI and prevent unauthorized use or disclosure. These safeguards include workforce training (detailed below), access controls and passwords for client systems, secure remote work practices (see Device and Remote Work Security Policy), and policies against any improper disclosure. All workforce members are required to sign confidentiality agreements as a condition of employment, affirming their obligation to protect PHI. Additionally, when handling PHI within client EHR or other systems, our staff must follow all client-imposed privacy procedures (for example, using secure messaging, logging out after use, etc.). We also ensure that any monitoring tools used (such as Hubstaff for productivity tracking) are configured in a HIPAA-compliant manner and do not compromise PHI confidentiality – any PHI captured in monitoring records is protected and handled as confidential.
Prohibition on Unauthorized Disclosures: Our workforce is strictly forbidden from discussing or sharing PHI with any unauthorized individual. PHI may not be disclosed to third parties (including family or friends of the patient, or the workforce member’s own friends or family) without the client’s authorization and in compliance with HIPAA’s Privacy Rule. This includes seemingly harmless acts such as telling a spouse about a celebrity patient or confirming that someone is a client’s patient – such disclosures are not allowed. Even within Staffing For Doctors, PHI should only be shared among team members who need it for their job duties for that client. If any workforce member is approached by someone requesting PHI and the request is not clearly permissible, the member must decline and refer the request to the Privacy Officer or the client’s privacy contact.
Patient Rights and Requests: As a Business Associate, Staffing For Doctors will assist our covered entity clients in responding to patients’ rights requests as needed. We recognize that patients (or their personal representatives) have rights under HIPAA, including the right to access their medical records, request amendments, an accounting of disclosures, request privacy restrictions, and request confidential communications. If any workforce member receives a direct inquiry from a patient (or the patient’s representative) regarding these rights – for example, a request for a copy of their records or to amend a record – the workforce member must not independently fulfill the request. Instead, the member should politely inform the individual that the request will be referred to the appropriate client (covered entity) for handling, and immediately notify the client’s designated contact or the Staffing For Doctors Privacy Officer. Staffing For Doctors will cooperate with the client to provide access or make amendments to PHI in our possession or in the client’s system if instructed, and will do so in a timely manner consistent with HIPAA requirements and the BAA. We will also assist clients in responding to accounting of disclosure requests by providing any information about disclosures we have made, if any, upon request. All such requests and our responses will be documented.
No Retaliation or Waiver: Staffing For Doctors supports the HIPAA requirement that individuals must not be retaliated against for exercising their privacy rights or filing a HIPAA complaint. We will not intimidate, threaten, coerce, or take retaliatory action against any person (whether a patient, client, or workforce member) for exercising their rights, raising a privacy concern, or participating in an investigation. Furthermore, no employee will be required or pressured to waive their own HIPAA rights or any patient’s rights as a condition of employment or service.
Reporting of Privacy Incidents: All workforce members are required to immediately report to the Privacy Officer any known or suspected privacy incident. A privacy incident includes any situation that may involve the unauthorized or improper use or disclosure of PHI, whether accidental or deliberate. Examples include: sending or faxing PHI to the wrong recipient, discussing patient information where others might overhear, a potential unauthorized access of records, or any breach as defined by HIPAA (see Breach Notification Policy). There will be no penalty for reporting a concern in good faith – in fact, it is an obligation. Prompt reporting allows us to investigate, contain any improper disclosure, and take corrective action including notification if required.
Mitigation of Unauthorized Disclosures: In the event of an unauthorized use or disclosure of PHI, Staffing For Doctors will take immediate steps to mitigate any harmful effects to the extent practicable. Mitigation efforts may include attempting to retrieve or delete wrongly disclosed information, requesting the recipient to return or destroy the information (and confirming they did so), providing identity theft protection services if data was compromised, etc., depending on the nature of the incident. The Privacy Officer will coordinate mitigation and maintain documentation of the incident and remedial measures. All such incidents will be evaluated to determine if they constitute a reportable breach under HIPAA (per the Breach Notification Policy), and appropriate notifications will be made in coordination with the client.
Workforce Training and Awareness: It is the policy of Staffing For Doctors to train all members of its workforce who have access to PHI on our privacy policies and procedures and relevant HIPAA rules. Each workforce member must complete HIPAA Privacy and Security training (as detailed in the Workforce HIPAA Training Policy) before being granted access to client PHI, and annually thereafter. This training covers the requirements of this Privacy Policy, including how to handle PHI, recognize and report incidents, and uphold patients’ rights. Additionally, all workforce members are required to sign a confidentiality and non-disclosure agreement acknowledging their responsibility to protect PHI. Periodic reminders and updates are provided to keep privacy awareness high. The Privacy Officer will ensure that training records are maintained and that any workforce member who fails to comply with privacy requirements is re-educated and subject to sanctions as appropriate (see Sanction Policy).
Discipline for Violations: Violations of this Privacy Policy or any misuse of PHI will result in appropriate disciplinary action under our Sanction Policy. Sanctions can range from re-training and warnings to termination of employment or contract, depending on the severity of the violation (up to and including termination for serious offenses). We enforce this to ensure accountability and to deter improper handling of PHI. Each incident will be reviewed by the Privacy Officer and management to determine the appropriate sanction, applied consistently and fairly.
Documentation: Staffing For Doctors will maintain documentation of all privacy policies and procedures, any required privacy practices notices (if applicable), training records, reports or investigations of privacy incidents, and any sanctions applied for violations. These records will be kept for a minimum of six years, or longer if required by state law or client contract. Documentation may be maintained electronically. The Privacy Officer is responsible for ensuring that documentation is current and retained properly.
By following this HIPAA Privacy Policy, Staffing For Doctors ensures that PHI accessed on behalf of our clients is safeguarded and only used or disclosed in compliance with HIPAA and client expectations. All workforce members are expected to understand and abide by these rules to maintain the trust of our healthcare clients and the privacy of their patients.
2. HIPAA Security Policy
Purpose: This policy outlines how Staffing For Doctors protects the security of electronic protected health information (ePHI) in accordance with the HIPAA Security Rule. It describes the administrative, physical, and technical safeguards we implement to ensure the confidentiality, integrity, and availability of ePHI accessed or used by our workforce. Because our services involve remotely accessing client systems containing ePHI, we focus on securing the methods and environments of that access.
Scope: The Security Policy applies to all electronic devices, systems, and networks used by Staffing For Doctors workforce members to access, transmit, or interact with ePHI. This includes personal computers and other devices used by remote VAs when logging into client EHRs or related systems, any company-managed applications or accounts (e.g., email or project management tools, if they handle ePHI), and the administrative and technical procedures around those systems. Even though Staffing For Doctors does not store ePHI on its own servers, this policy covers the security of any ePHI that is accessible to us in the course of our work (for example, viewing or entering data in a client’s EHR, or any ePHI that might be temporarily cached or displayed on a VA’s device). All workforce members and any technology resources they use for work are subject to this policy.
Policy Statements: Staffing For Doctors implements a comprehensive set of safeguards as required by the HIPAA Security Rule’s standards: Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Key measures in each category are as follows:
Administrative Safeguards
Security Management Process: We have an established process to prevent, detect, contain, and correct security violations. This includes conducting periodic risk analyses and risk assessments of our operations (see Risk Assessment and Management Policy) to identify potential threats and vulnerabilities to ePHI, and implementing risk management plans to mitigate those risks. In accordance with 45 C.F.R. §164.308(a)(1)(ii)(A), Staffing For Doctors conducts an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held or used by the company. Based on these assessments, we apply security measures sufficient to reduce identified risks to reasonable and appropriate levels, as required by HIPAA. The risk management process is ongoing; we review and update our security measures in response to new risks, changes in technology, or security incidents.
Assigned Security Responsibility: Daniel Nabavi is designated as the HIPAA Security Officer for Staffing For Doctors. The Security Officer is responsible for developing and enforcing this Security Policy, coordinating risk assessments, overseeing implementation of safeguards, and handling security incidents. The Security Officer has the authority to make decisions on security matters and to require compliance with security procedures across the organization. He also works in conjunction with the Privacy Officer (in this case, the same individual) to ensure seamless overall HIPAA compliance.
Workforce Security: We maintain procedures to ensure that all workforce members with access to ePHI are appropriately authorized and supervised.
Workforce Clearance: Only individuals whose roles require access to ePHI are granted such access. Prior to assignment, each virtual assistant undergoes a screening process (e.g., background check as appropriate and signing of HIPAA confidentiality agreements) to ensure their suitability.
Access Authorization: The Security Officer or designated managers control the process of authorizing, modifying, or terminating access to client systems or any company systems that involve ePHI. Access rights are granted based on the principle of least privilege – each user gets the minimum level of access needed for their duties. For example, a VA assigned to scheduling for a particular clinic will receive user credentials for that clinic’s scheduling system and only the permissions needed to perform scheduling tasks, not broader administrative rights. If a workforce member changes roles or leaves the company, we promptly coordinate with the client to revoke their access to client systems and ensure any company credentials are disabled.
Supervision and Accountability: Supervisors and the Security Officer may monitor workforce activity (including through the use of Hubstaff monitoring software, which logs activity and periodic screenshots) to ensure that ePHI access is appropriate and in line with assigned duties. Monitoring is done in a HIPAA-compliant manner and only by authorized personnel. Any irregular access patterns or potential misuse are investigated.
Security Awareness and Training: Staffing For Doctors maintains a security awareness and training program for all workforce members, as detailed in the Workforce HIPAA Training Policy. Training includes information on how to secure ePHI, recognize phishing attempts or malware, proper use of passwords, and how to report security incidents. We provide initial training upon hire and periodic refresher training (at least annually, and whenever there are significant changes in security policies or emerging threats). We also employ ongoing awareness efforts, such as periodic security reminder emails, updates on new threats, and simulated phishing exercises, to keep security top-of-mind. Specialized training or guidance is given for remote work security (e.g., how to secure home Wi-Fi, the importance of not writing down passwords, etc.). Each workforce member is required to participate in this training and acknowledge understanding of security policies.
Security Incident Procedures: We have procedures for detecting, reporting, and responding to security incidents. A security incident is defined as any attempted or successful unauthorized access, use, disclosure, modification, or destruction of ePHI, or interference with system operations. All workforce members are required to report suspected security incidents or vulnerabilities immediately to the Security Officer. This includes events such as: a lost or stolen device that was used for work, a suspected computer virus or malware infection, detection of someone else using one’s credentials, or any unusual system behavior that could indicate a breach. The Security Officer will document and investigate each incident. If an incident results in a confirmed breach of unsecured ePHI, the Breach Notification Policy will be followed (including notifying clients without unreasonable delay). Even for incidents that do not meet the legal definition of a breach, we will take steps to mitigate any harm and strengthen security controls to prevent recurrence. Incident response may involve disconnecting compromised devices, resetting passwords, installing security patches, or engaging IT forensic experts as needed. All incidents and responses are documented.
Contingency Plan: Since Staffing For Doctors does not maintain ePHI on its own systems, our primary contingency planning revolves around ensuring continuity of our operations and availability of client data access in the event of an emergency or technology issue on our side.
Data Backup: We do not host ePHI, so data backup of client medical records is handled by clients themselves. We do, however, ensure backup of any critical company records related to compliance (policies, training logs, etc.).
Disaster Recovery: Each workforce member is expected to have contingency arrangements for common emergencies – for example, backup internet access (such as a mobile hotspot) if their primary internet fails, and possibly a secondary device if their primary computer crashes – to minimize downtime in serving clients.
Emergency Mode Operations: If a situation arises such as a natural disaster or pandemic that disrupts normal operations, our plan is to continue supporting clients through remote work as we already do, possibly re-allocating tasks among staff in unaffected areas. Because PHI is stored on client systems, those clients’ disaster recovery plans take precedence for the actual data; our role is to be ready to reconnect and resume services as soon as feasible. We maintain a contact list and communication tree so that all VAs and managers can be reached in an emergency, and instructions can be given on how to proceed. The Security Officer will periodically test our emergency communications and general readiness (e.g., ensuring everyone can access client systems from an alternate network if needed).
Contingency Operations for Facilities: (Note: Staffing For Doctors has no physical facility that houses servers or PHI, so facility emergency access is not applicable aside from general business continuity for our offices, if any.)
Evaluation: We conduct periodic evaluations of our security measures to ensure they remain effective and compliant with HIPAA. This includes reviewing policies and technical controls at least annually, or whenever there are material changes in our operations (such as adopting a new technology or service that could affect ePHI security). The Security Officer is responsible for coordinating these evaluations, which may include internal audits or reviews. We also stay informed about new threats and vulnerabilities (through security bulletins or our clients’ feedback) and evaluate whether our safeguards need updates. If our company undergoes a significant change (e.g., growth in staff, new types of services, different IT infrastructure), we will re-assess security controls in light of those changes. Documentation of these evaluations and any resulting improvements is maintained as part of our compliance records.
Physical Safeguards
Workstation Use and Security: All workforce members must ensure that any workstation (computer, laptop, or other device) used to access ePHI is used in a secure manner. Since our VAs work remotely from personal or home offices, each person is responsible for maintaining a private and secure work area.
Screen Privacy: Workstations should be positioned or configured such that unauthorized individuals cannot view PHI on the screen. For example, if working at home, the screen should not face open windows or areas where family or visitors can see it. The use of privacy screen filters is encouraged if others are present.
Authorized Use: Only the authorized workforce member may use the device when it is connected to client systems or when PHI is present on the screen – friends, family, or household members are strictly prohibited from using or even observing a device that is logged in to a system containing PHI. The device should automatically lock the screen after a short period of inactivity (e.g., 5-10 minutes) to prevent accidental exposure; workforce members must also manually lock their screen (Windows + L or similar) whenever stepping away. When work is finished, they must log out of all client systems and close any connections (and as an extra measure, disconnect from any VPN or remote desktop sessions, per client policies).
Device Management and Security: Detailed requirements for devices are covered in the Device and Remote Work Security Policy, but in summary, any device used to access PHI must meet security requirements: it must be password-protected, have up-to-date antivirus and firewall, apply security patches regularly, and (where possible) utilize encryption to protect data at rest.
Encryption: Workforce members are required to enable full-disk encryption on their computers (e.g., BitLocker for Windows, FileVault for Mac) to safeguard any sensitive data that might reside on the device. Although our standard practice is not to download or save PHI locally, encryption provides protection for any temporary files, browser caches, or incidental data.
Physical Protection of Devices: Devices must not be left unattended in insecure locations. If a laptop is used, it should be stored in a secure place when not in use (e.g., not left in a car or in plain sight). If traveling, the device should carry minimal data and be kept with the staff member at all times if possible.
Portable Media: As a rule, PHI should not be stored on portable media (USB drives, external hard drives, CDs, etc.) unless absolutely necessary and approved by the Security Officer. If any portable media is used to transfer PHI (for example, if instructed by a client for a specific task), it must be encrypted and securely wiped or destroyed immediately after use. Generally, copying PHI to any unapproved external media is prohibited to ensure PHI remains on the client’s secure systems.
Mobile Devices: If any workforce member uses mobile devices (such as tablets or smartphones) to access client email or systems with ePHI, those devices must also adhere to security requirements: use of strong passcodes, device encryption, auto-lock, and no jailbreaking/rooting that would compromise security. PHI should not be stored in mobile applications unless the app is specifically approved for secure use by the client (e.g., a secure messaging app). Lost or stolen mobile devices that have any company or client access must be reported immediately so that accounts can be remotely disabled or wiped if possible.
Facility Controls: Staffing For Doctors does not operate a central facility where PHI is stored; however, we treat each remote workspace as an extension of our work environment.
Access to Home Workspaces: Workforce members should maintain a dedicated or private area for work when dealing with PHI. They are advised to keep their work computers in a location not easily accessed by others and to lock the room or door when away if possible. Any paper documents containing PHI (though these should be extremely rare or avoided) must be stored in a locked file cabinet or safe when not in use. For example, if a VA prints a patient schedule to have on hand (only if allowed and necessary), that paper must be secured and later shredded. We discourage printing PHI altogether, but if it occurs under client direction, physical safeguards (locked storage, no leaving papers out, etc.) apply.
Device and Media Controls: We have procedures for disposal and reuse of media that may contain ePHI. Since our workforce primarily uses personal devices, if a device was used to access ePHI and is to be disposed of or repurposed, the workforce member must ensure that any ePHI or sensitive data is removed. This can involve following a media sanitization process such as a secure wipe of the hard drive (multiple-pass overwrite or using approved software). The Security Officer can provide guidance or tools for secure data destruction. In the event that a workforce member leaves the company, we ensure that any company credentials or cached data on their personal device (such as emails or temp files) are deleted, and we may request a confirmation of deletion or even return of any company-provided equipment for proper wiping. If any removable media or printed documents with PHI were used, they must be destroyed in a secure manner – paper via cross-cut shredding, electronic media via secure erasure or physical destruction. We also account for device loss: if a device containing or authorized to access ePHI is lost or stolen, the workforce member must notify the Security Officer immediately so that we can assist in protecting data (e.g., remotely disabling access, changing passwords, and working with the client to monitor for any misuse). All devices used for work remain under an inventory and control process – each VA registers their work device with us and attests to its security compliance. We maintain a record of these devices and periodically remind staff to report any changes (new device or disposal).
Technical Safeguards
Access Controls: Each workforce member is assigned unique user credentials for accessing client systems or any company systems that involve ePHI. Unique User Identification: We do not permit shared logins. Every access to ePHI can thus be tied to a specific person, allowing accountability. Password Management: All passwords used by our workforce (whether for client systems or for any company accounts with ePHI) must meet strong complexity requirements as defined by the client or our internal standards (e.g., at least 8 characters with a mix of letters, numbers, symbols if possible). Passwords must not be shared or reused across personal accounts. We enforce regular password changes where required by the client or at least annually if not, and immediate changes if compromise is suspected. Two-Factor Authentication (2FA): We strongly encourage and, where possible, require the use of multi-factor authentication for accessing client systems or company applications with ePHI. If a client’s EHR supports 2FA or one-time passcodes, our VAs must use them. For any company-managed services (for instance, if we had a secure email or documentation system), we enable 2FA. This significantly reduces the risk of unauthorized access even if a password is stolen.
Encryption and Transmission Security: All access to client systems is performed over encrypted connections. For example, our VAs access cloud EHRs via HTTPS web interfaces or secure VPN tunnels as required. We mandate that no PHI is ever transmitted in an insecure manner (such as via unencrypted email or public messaging). If there is a need to send PHI electronically outside the client’s EHR (which is generally avoided), it must be done through an approved secure method – e.g., the client’s secure email system or file transfer portal that meets encryption standards. Personal or public email (like Gmail) must not be used for sending PHI unless it’s through an encrypted channel sanctioned by the client. Device Encryption: As noted under physical safeguards, devices themselves are encrypted to protect ePHI at rest. Network Encryption: Workforce members are instructed to only connect to client systems through secure networks. For home Wi-Fi, they must use WPA2/WPA3 encryption on their routers and have strong router passwords (no default passwords). If they must work from a public network (e.g., a public Wi-Fi hotspot), they are required to use a VPN to encrypt all traffic, or better, use a personal mobile hotspot as a more secure alternative. All remote desktop or screen-sharing sessions that might involve PHI (for instance, if a VA is remote controlling a client’s machine) should be tunneled through VPN or use secure protocols. In summary, PHI must be encrypted in transit whenever it flows over networks not fully controlled by the client, in line with HIPAA requirements to protect data in transit.
Audit Controls: Staffing For Doctors recognizes the importance of audit logs to detect and trace unauthorized access. Client Systems: Each client’s EHR or application typically has its own audit logging of user activity. We comply with any client requests or policies regarding audit trail reviews – for instance, clients may regularly review what records our VAs accessed. We fully support such audits and require our workforce to cooperate with any investigations. Internal Monitoring: In addition to client audit logs, we use Hubstaff (a HIPAA-compliant monitoring tool) to keep logs of remote access activity and work sessions. Hubstaff may record information such as time active, applications used, and periodic screenshots. These monitoring logs serve as a supplementary audit mechanism to ensure VAs are only accessing work-related information and not engaging in unauthorized activities during work time. Access to Hubstaff logs and screenshots is restricted to authorized supervisory personnel and the Privacy/Security Officer. Any screenshot or recorded information that incidentally contains PHI is treated as confidential and stored securely (Hubstaff itself signs a BAA with us, see Business Associate Management Policy). We periodically review logs of remote access and usage to detect any irregularities (for example, accessing systems outside of work hours without reason, or usage of unauthorized software). If a workforce member’s account is inactive for a certain period (e.g., more than 30 days of not providing services), we coordinate with clients to disable or revoke that account to reduce risk.
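The periodic log review described above (out-of-hours access, unapproved software, and accounts inactive for more than 30 days) can be automated over an export of access events. The following is an added example and is not code from Staffing For Doctors, Hubstaff, or any client EHR; the CSV layout, the 08:00-18:00 working window, the application allow-list, and the sample events are all constructed assumptions.

```python
"""Review constructed remote-access log lines for the irregularities the
policy names: out-of-hours access, unapproved software, and accounts that
have gone inactive for more than 30 days. Example code; the CSV layout
(timestamp,user,event,application) is an assumed export format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp (assumed to be VA-local time), user, event, application.
SAMPLE_LOG = """\
2024-03-04T14:02:11,va_alice,session_start,ClientEHR-Web
2024-03-04T17:45:09,va_alice,session_end,ClientEHR-Web
2024-03-05T02:13:40,va_bob,session_start,ClientEHR-Web
2024-03-05T02:50:02,va_bob,session_end,ClientEHR-Web
2024-03-06T10:05:00,va_bob,app_launch,uTorrent
2024-01-20T09:00:00,va_carol,session_start,ClientEHR-Web
2024-01-20T12:00:00,va_carol,session_end,ClientEHR-Web
"""

WORK_START, WORK_END = 8, 18                                  # assumed 08:00-18:00 window
APPROVED_APPS = {"ClientEHR-Web", "Hubstaff", "CompanyVPN"}   # hypothetical allow-list
INACTIVITY_DAYS = 30                                          # policy threshold for disabling


def parse_log(text):
    """Parse CSV lines into event dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, user, event, app = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "app": app})
    return events


def out_of_hours(events):
    """Timestamps of events outside the working window, grouped by user."""
    hits = defaultdict(list)
    for e in events:
        if not (WORK_START <= e["ts"].hour < WORK_END):
            hits[e["user"]].append(e["ts"].isoformat())
    return dict(hits)


def unapproved_apps(events):
    """Application launches not on the allow-list, grouped by user."""
    hits = defaultdict(set)
    for e in events:
        if e["event"] == "app_launch" and e["app"] not in APPROVED_APPS:
            hits[e["user"]].add(e["app"])
    return {user: sorted(apps) for user, apps in hits.items()}


def inactive_accounts(events, as_of):
    """Users whose most recent event is older than INACTIVITY_DAYS as of `as_of`."""
    last_seen = {}
    for e in events:
        last_seen[e["user"]] = max(last_seen.get(e["user"], e["ts"]), e["ts"])
    cutoff = as_of - timedelta(days=INACTIVITY_DAYS)
    return sorted(user for user, ts in last_seen.items() if ts < cutoff)


def review(text, as_of_iso):
    """Run all three checks over a log export; `as_of_iso` is the review date (ISO-8601)."""
    events = parse_log(text)
    as_of = datetime.fromisoformat(as_of_iso)
    return {"out_of_hours": out_of_hours(events),
            "unapproved_apps": unapproved_apps(events),
            "inactive_accounts": inactive_accounts(events, as_of)}


if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_LOG, "2024-03-07"), indent=2))
```

Findings from a run like this are a prompt for follow-up with the VA and the client (a legitimate reason for night-time work, an approved tool not yet on the allow-list), not a sanction by themselves; the inactive-account list is the input to the client coordination step the policy describes.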
Integrity Controls: While our company does not maintain ePHI in databases, we still commit to not altering or destroying client data inappropriately. Each workforce member must only add, edit, or delete information in client systems as necessary and authorized by the client’s procedures. We rely on client systems’ integrity controls (such as checksums, audit logs, etc.) to ensure data is not improperly modified. Additionally, if we do handle any files or documents, we use secure file transfer methods that preserve data integrity (ensuring files are not corrupted or tampered with in transit).
Person or Entity Authentication: We verify that each person or entity seeking access to ePHI is who they claim to be. For workforce members, this means robust authentication when logging into systems (unique credentials, 2FA as noted). If a workforce member receives a request that involves PHI, such as a phone call or email asking for patient information supposedly from a client or coworker, the member must authenticate the identity of the requester. This might involve calling the person back on a verified number or confirming via official channels. We train staff to recognize phishing attempts and social engineering. Internally, before discussing PHI over phone or instant messaging, we ensure the participants are authorized and use secure channels. Any remote support sessions (e.g., if IT needs to remote into a VA’s computer) are authenticated and supervised to avoid unauthorized access to ePHI on the screen.
Automatic Log-off: Where possible, systems used by our workforce are set to log off or timeout after a period of inactivity, to reduce the risk of someone else continuing a session. Many client EHRs have this feature and we encourage clients to enable reasonable short timeout periods. Our staff are instructed to log off immediately after completing their tasks. For company-managed applications, we enforce session timeouts as well.
Configuration Management: We maintain baseline security configurations for any company-provided software or devices. For instance, if we utilize a secure browser or VPN client for connecting to a hospital system, we ensure it is configured according to best practices (e.g., disabling saving of passwords, clearing cache after sessions if possible, etc.). Personal devices used by workforce members must conform to our Device Security standards (see Device and Remote Work Security Policy) including having updated operating systems and software. We do not allow the installation of unauthorized or insecure applications on devices that could jeopardize ePHI security (for example, peer-to-peer file sharing apps or remote control tools not approved by Security Officer).
Malware Protection: All devices used to access ePHI must have reputable anti-malware software installed and updated. Regular scans should be conducted. We educate employees on avoiding malware (not clicking suspicious links, not installing unknown programs). If malware is detected on a device, the user must cease using it for any ePHI access and inform our Security Officer immediately for remediation. The device must be cleaned and confirmed safe before it can be used to handle PHI again.
Testing and Monitoring: The Security Officer may initiate periodic testing of our security measures, such as vulnerability scanning on any company-managed systems or requiring self-assessment checklists from workforce members (e.g., confirming their home network is secured, their devices updated, etc.). We treat security as an evolving process and adjust controls as needed to address new vulnerabilities or client requirements.
Third-Party Service Security: If any third-party services or cloud applications are used by our staff that could involve ePHI (for example, a transcription service, or a data analytics tool, or even Hubstaff monitoring data which may contain screenshots of PHI), we ensure those services are HIPAA-compliant and have Business Associate Agreements in place (see Business Associate Management Policy). We review their security practices or certifications where applicable. As noted, the only such service currently in use is Hubstaff, for which a BAA is in place and which meets HIPAA security requirements for data encryption and access control. No other third-party apps should be used with PHI unless vetted and approved by the Security Officer.
Enforcement: Compliance with this Security Policy is mandatory for all workforce members. Violations (such as disabling security software, sharing passwords, or other negligent behavior) will result in disciplinary action per the Sanction Policy. The Security Officer will periodically audit compliance (for example, checking a sample of devices for encryption or adherence to policy) and any deficiencies must be corrected promptly. We recognize that maintaining robust security is essential to protecting patient information and to upholding our obligations as a Business Associate. Through these measures, Staffing For Doctors ensures that ePHI accessed on behalf of clients is safeguarded against reasonably anticipated threats or hazards, in compliance with the HIPAA Security Rule.
3. Breach Notification Policy
Purpose: This policy describes the actions that Staffing For Doctors will take in the event of a breach of unsecured PHI, in order to comply with the HIPAA Breach Notification Rule (45 C.F.R. §§164.400-414) and relevant provisions of the HITECH Act. It outlines how we identify, investigate, and notify the appropriate parties (covered entity clients, and indirectly the affected individuals, HHS, or media as required) if a breach occurs at or by our company. The goal is to ensure timely notification and mitigation to protect affected individuals and maintain transparency.
Scope: This policy applies to any incident, suspected or confirmed, that involves the unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule, which compromises the security or privacy of the PHI. It covers ePHI and paper/oral PHI alike. In practical terms, since Staffing For Doctors is a Business Associate that does not store PHI on its own systems, most potential breaches would involve PHI accessed or viewed by our workforce on client systems or PHI inadvertently obtained or disclosed through our actions. Examples of incidents within scope include: a VA accessing PHI they are not authorized to view; a computer or device of a VA that gets lost or stolen while containing or logged into PHI; an email or communication mistakenly sent to the wrong recipient containing PHI; unauthorized persons viewing PHI on a VA’s screen; malware or hacking that compromises a VA’s credentials or device used to access PHI; or any other impermissible disclosure or use of client PHI caused or experienced by our workforce. This policy does not directly cover breaches on the client’s side that do not involve us, but if we become aware of any such incidents, we will cooperate with the client as needed. It also recognizes the three exceptions to the definition of a breach (unintentional internal access in good faith, inadvertent disclosures within the same organization, and disclosures to an unauthorized person who would not reasonably have been able to retain the information) – such incidents, if they occur, will be evaluated to see if they meet these exceptions. If an incident falls under an exception, formal breach notification may not be required, but we will still document and address it appropriately.
Policy Statements:
Definition of Breach: For purposes of this policy, a breach is defined as the unauthorized acquisition, access, use, or disclosure of unsecured PHI which compromises the security or privacy of that information. “Unsecured PHI” means PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals (for example, PHI not encrypted or destroyed in accordance with HHS guidance). In determining whether an incident is a reportable breach, Staffing For Doctors will conduct a risk assessment considering at least the following factors: (1) the nature and extent of the PHI involved (types of identifiers, likelihood of re-identification), (2) the unauthorized person who used the PHI or to whom the disclosure was made, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk to the PHI has been mitigated. Unless this assessment determines there is a low probability that the PHI has been compromised, we will treat the incident as a breach requiring notification. We may skip the formal risk assessment if we choose to proceed with notifications anyway out of an abundance of caution. Any incident involving PHI will be presumed a breach unless it falls under an exception or is demonstrated to have a low probability of compromise.
Reporting of Incidents: Workforce members must immediately report any suspected or known incident that might involve the loss, theft, or improper disclosure of PHI to the Privacy/Security Officer. Time is of the essence, as the breach notification clock starts once a breach is “discovered” (when any employee knows or should have known of it). Therefore, employees are trained and required to report incidents without delay, ideally as soon as discovered. Examples that need reporting include: lost or stolen devices (even if uncertain whether PHI was on them), misdirected emails/faxes containing PHI, someone’s system being hacked or infected with ransomware, any situation where PHI might have been seen or obtained by someone who shouldn’t have, etc. The report should include all known details (what happened, when, whose information, how many individuals potentially affected, etc.). The Privacy/Security Officer will document the time and date the incident was reported and begin the investigation immediately.
Containment and Investigation: Upon learning of a potential breach, the Privacy/Security Officer will take immediate steps to contain the incident. This could involve ensuring a lost device is remotely locked or wiped (if possible), changing passwords if an account may have been compromised, contacting a recipient who received information in error and securing their assurance of deletion, or temporarily halting relevant systems access until the situation is understood. Next, a formal investigation is conducted to gather all facts. The Privacy/Security Officer (with assistance from others as needed, such as IT support or the client’s privacy office) will determine: the root cause of the incident, exactly what PHI and which individuals were involved, the number of individuals affected, the identities of unauthorized persons who had access (if known), whether the PHI was actually viewed or acquired, and what mitigation has already been done or can be done. The four-factor risk assessment (mentioned above) will be documented. Legal counsel may be consulted if needed to interpret obligations. Throughout this process, the Privacy/Security Officer maintains documentation of the investigation steps and findings.
Determination of Breach: Based on the investigation, the Privacy Officer will determine whether a breach of unsecured PHI occurred, and if so, classify its severity and scope. If the incident does not constitute a breach (for example, it falls under an exception or the risk assessment concludes PHI compromise is unlikely), the Privacy Officer will document the rationale for that conclusion (including any risk assessment performed). Even if not a reportable breach, appropriate remedial actions will still be taken (such as re-training an employee, improving procedures, etc.). If it is a breach, this policy’s notification procedures are triggered.
Notification to Covered Entity (Client): In the event of a confirmed breach at or by Staffing For Doctors, we will notify the affected covered entity client(s) without unreasonable delay and no later than 60 calendar days after discovery of the breach. Our goal is to notify much sooner than 60 days whenever possible – typically we will notify the client as soon as we have sufficient information to provide a meaningful notice (which could be within days of discovery). The notification to the client will include, to the extent known at the time: a description of the breach (the how, when, where it occurred), the types of PHI involved (e.g., whether it included names, dates of birth, social security numbers, medical information, etc.), the individuals affected (or at least the number of individuals and a description of the group, and later provide a list of names if available), and mitigation actions taken (such as information retrieved, device secured, etc.). We will also include contact information for our Privacy Officer for follow-up. If some details are not yet known (e.g., we are still determining exactly which individuals are affected), we will make an initial notice with the information we do have and follow up with supplemental information as soon as it’s available. Notification to the client will be made in writing, usually via official letter or secure email to the client’s designated privacy or security contact as specified in the BAA. We will also offer full cooperation and support to the client in the breach response.
Business Associate Agreement Requirements: We recognize that our BAAs with clients may specify particular breach reporting requirements (for example, some BAAs might require notice sooner than 60 days, such as within 5 or 10 days of discovery, and might require specific information). Staffing For Doctors will adhere to the specific requirements in each client’s BAA. In the absence of more stringent contractual terms, the HIPAA default of “without unreasonable delay, and no later than 60 days” will apply. Typically, our standard BAA provides for notification to the covered entity within a specified short timeframe (e.g., 5 business days) so that the client can take prompt action. The Privacy Officer will ensure familiarity with each client’s BAA terms and will follow the most stringent applicable rule among HIPAA or the contract.
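The two preceding sections set a 60-calendar-day outer limit for client notification and a possibly shorter BAA window, with the most stringent rule governing. The following added example (not part of the policy or any BAA) turns that into a deadline calculation from the discovery date; the 5-business-day BAA term is the illustrative figure the policy itself gives, the discovery date is constructed, and weekends are skipped but holidays are not modelled.

```python
"""Compute the client-notification deadline for a breach from its discovery
date, applying the HIPAA 60-calendar-day outer limit and any shorter
BAA business-day window, and reporting which term governs.
Added example; dates are constructed and holidays are not modelled."""
from datetime import date, timedelta

HIPAA_OUTER_LIMIT_DAYS = 60   # calendar days after discovery, per the policy


def add_business_days(start, n):
    """Advance `start` by n weekdays (Saturday/Sunday skipped; assumed no holidays)."""
    current = start
    remaining = n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:          # Monday=0 .. Friday=4
            remaining -= 1
    return current


def client_notice_deadlines(discovered_iso, baa_business_days=None):
    """Return HIPAA, BAA and effective (earliest) deadlines as ISO-8601 strings.

    `baa_business_days` is the BAA's contractual window in business days, or
    None when the contract sets no term shorter than HIPAA's default."""
    discovered = date.fromisoformat(discovered_iso)
    hipaa = discovered + timedelta(days=HIPAA_OUTER_LIMIT_DAYS)
    baa = add_business_days(discovered, baa_business_days) if baa_business_days else None
    # The most stringent applicable rule wins, as the policy requires.
    effective = min(d for d in (hipaa, baa) if d is not None)
    governing = "BAA" if baa is not None and baa < hipaa else "HIPAA"
    return {"hipaa_deadline": hipaa.isoformat(),
            "baa_deadline": baa.isoformat() if baa else None,
            "effective_deadline": effective.isoformat(),
            "governing_term": governing}


def is_overdue(deadlines, today_iso):
    """True once the review date is past the effective deadline."""
    return date.fromisoformat(today_iso) > date.fromisoformat(deadlines["effective_deadline"])


if __name__ == "__main__":
    # Constructed scenario: breach discovered Tuesday 2024-03-05, BAA requires 5 business days.
    print(client_notice_deadlines("2024-03-05", baa_business_days=5))
```

The HIPAA date is the outer limit only; the policy's goal of notifying as soon as a meaningful notice can be given means the effective deadline is a ceiling for the incident tracker, not a target.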
Notification to Affected Individuals and Others: Responsibility: Under HIPAA, the covered entity is ultimately responsible for notifying affected individuals, HHS, and (if applicable) the media of a breach. However, the covered entity may delegate this responsibility to the Business Associate in some cases. Staffing For Doctors’ policy is to assist the covered entity with individual notification. We will discuss with the client who will handle notifying the impacted patients. If the client requests our assistance in drafting or distributing notification letters (or if the BAA assigns that duty to us), we will cooperate and fulfill those obligations in line with HIPAA requirements for content and timeliness. By default, our role is to provide the client with the information they need to notify individuals (such as a list of affected individuals with contact info, if we have it, and details of the incident). We will also help in preparing any required notice content (description of the incident, types of data involved, steps individuals should take like credit monitoring, what we and the client are doing to mitigate and prevent recurrence, and our contact info). We will ensure such notifications are provided to the client (or directly to individuals if delegated) without unreasonable delay and no later than 60 days from breach discovery, as required by law. If >500 individuals are affected in a particular state/region, we know the client must notify prominent media and HHS within 60 days, and we will expedite our processes to enable the client to meet those timelines. Our Privacy Officer will coordinate closely with the client’s Privacy Officer on all notification efforts.
Content of Notifications: Any breach notification that Staffing For Doctors issues (whether to a client, or to individuals on behalf of a client if so tasked) will include all information required by HIPAA. This includes: a brief description of the incident (date of breach and date of discovery, if known), a description of the types of PHI involved (e.g., full name, date of birth, diagnosis, social security number, etc. – but not the actual sensitive data itself), steps individuals should take to protect themselves (like contacting credit bureaus if financial info was leaked, or changing passwords, etc.), a description of what we (and/or the client) are doing to investigate the breach, mitigate harm, and prevent future occurrences, and contact information for us or the client (such as a toll-free number or email) for further inquiries. We will draft notifications in plain language that patients can understand, while ensuring accuracy.
Notification to HHS: As a Business Associate, we do not directly notify HHS of breaches – that is the covered entity’s responsibility. However, we will provide the client with all information they need for their report to HHS (via the HHS breach portal), including the totals of individuals affected and other circumstances. If a client asks us to handle the HHS notification on their behalf (which is uncommon and typically they would do it), we could assist, but typically the covered entity will do so. We note for our awareness that if a breach affects 500 or more individuals, the client must notify HHS within 60 days of discovery (and if fewer than 500, by end of year). Thus, we operate under internal targets to provide full incident details to the client well ahead of those deadlines.
Documentation: The Privacy/Security Officer will maintain documentation of all breaches and breach-related decisions. This includes the initial incident report, investigation notes, risk assessment analysis, determination of whether notification was required, copies of any notifications sent to clients or individuals, and communications with clients about the breach. We also document any root cause analysis and remedial actions taken (such as policy changes or additional training as a result of the breach). This documentation will be kept for at least six years as required by HIPAA. Additionally, the company acknowledges its burden of proof under the law to demonstrate that all required notifications were made or that an incident was evaluated and found not to be a breach. Our documentation will reflect how we met this burden for each incident.
Mitigation and Prevention: After a breach, beyond notifications, Staffing For Doctors will take corrective actions to mitigate harm and prevent future incidents. Mitigation might include providing credit monitoring to affected individuals if financial information was breached (in coordination with the client), or offering identity protection services. Internally, we will address the root cause – for example, if a breach occurred because a VA’s laptop was stolen, we will evaluate if encryption was in place; if not, enforce encryption and perhaps consider providing company-managed devices. If a phishing email fooled someone, we will reinforce training and possibly implement more technical email safeguards. We also assess whether any disciplinary action is warranted for workforce members involved in the breach (per our Sanction Policy). The Privacy/Security Officer will compile a post-incident report summarizing what happened and what is being done to prevent recurrence. Those preventive measures could range from revising a procedure, to technology changes, to additional audits.
Breaches Involving Subcontractors: Currently, the only subcontractor we use that could possibly handle PHI is Hubstaff (for monitoring). In the unlikely event that Hubstaff (or another future subcontractor) experiences a breach of PHI (for example, a breach of the monitoring data which may contain screenshots of PHI), that subcontractor, as our Business Associate under a BAA, is obligated to notify Staffing For Doctors of the breach. Our policy is to treat such an event as if it were our own breach: we will in turn notify the relevant client(s) just as outlined above, with the same urgency and information, once the subcontractor informs us. We will also coordinate with the subcontractor to ensure mitigation and that they fulfill any obligations they have. Our Business Associate Management Policy covers ensuring subcontractors’ compliance.
State Law Considerations: We acknowledge that certain states have breach notification laws that may have additional or more stringent requirements (for example, shorter notification timelines or different thresholds). As a Business Associate primarily serving covered entities, those entities usually handle individual notifications in line with applicable state laws. We will support our clients in meeting any state-specific obligations by providing necessary information promptly. If a client asks us to facilitate state law-required notifications (which could, say, require notice within 30 days in some states, or notice to state attorneys general), we will comply as directed.
In summary, Staffing For Doctors is prepared to respond swiftly and thoroughly to any potential data breach. By following this Breach Notification Policy, we ensure that our covered entity clients are informed in a timely manner and that affected patients can be notified and protected as required by HIPAA. Transparency, prompt action, and full cooperation with our clients and regulators are the guiding principles of our breach response. All workforce members must understand the importance of immediate incident reporting and the role they play in this process.
4. Workforce HIPAA Training Policy
Purpose: This policy establishes the requirements and procedures for training Staffing For Doctors workforce members on HIPAA and our internal privacy and security policies. The purpose is to ensure that all employees and contractors (including virtual assistants) are knowledgeable about HIPAA regulations, understand their responsibilities for protecting PHI, and are equipped to follow our company’s policies and procedures. Proper training is a cornerstone of HIPAA compliance, helping to prevent violations and safeguarding patient information.
Scope: This policy applies to all members of the workforce at Staffing For Doctors who have access to PHI or are involved in any aspect of services that deal with healthcare data. “Workforce” includes full-time and part-time employees, independent contractor VAs, management, and any volunteers or interns if applicable (though generally not expected). Essentially, anyone acting under the control of Staffing For Doctors with potential access to PHI must undergo HIPAA training as described here. The training program covers both the HIPAA Privacy Rule and Security Rule requirements, as well as the specific expectations laid out in our company’s Privacy Policy, Security Policy, Breach Notification Policy, and related procedures. This policy also covers the documentation of training and the frequency of refreshers.
Policy Statements:
Training Requirement: It is the policy of Staffing For Doctors to train all members of its workforce who have access to PHI on its privacy and security policies and procedures, and on HIPAA obligations. Training is mandatory and a condition of ongoing employment/engagement. No workforce member may begin handling PHI for a client until they have completed initial HIPAA training and demonstrated understanding of the material.
Initial Training: New Hire Orientation: All new workforce members must undergo comprehensive HIPAA training before or within the first days of assignment to any position involving PHI access. Ideally, this training is completed prior to the individual accessing any client EHR or PHI. In practice, we schedule training for new virtual assistants as part of their onboarding. The initial training program covers:
An overview of HIPAA, including the Privacy Rule, Security Rule, and Breach Notification Rule, and the civil and criminal penalties for non-compliance.
Definitions of key terms such as PHI, minimum necessary, use vs. disclosure, etc.
The duties of a Business Associate and our specific role and obligations to clients (for instance, importance of the BAA, permitted uses of PHI).
Detailed review of Staffing For Doctors’ HIPAA Privacy Policy: permitted uses/disclosures, safeguarding PHI, patient rights handling, reporting incidents, etc.
Detailed review of our HIPAA Security Policy: security safeguards, secure workstation use, password policies, device security requirements, etc.
Review of the Breach Notification Policy: what constitutes a breach, the urgency of reporting incidents.
Workforce members’ personal responsibilities: maintaining confidentiality, following procedures, consequences of violations (with reference to the Sanction Policy).
Practical guidelines for remote work (reinforcing the Device and Remote Work Security Policy): e.g., how to securely connect, avoid inadvertent disclosures at home, etc.
Scenarios and examples are used to illustrate correct vs. incorrect behaviors (e.g., “What would you do if a family member asks about a patient?” or “How to recognize a phishing email.”).
Emphasis on the culture of compliance: encouraging questions and reporting of issues without fear of retaliation.
At the end of initial training, each workforce member is required to sign an acknowledgment (or complete a quiz/certification) indicating they have received and understood the HIPAA training and will comply with all requirements. For contractors, this may be included as part of their contract or NDA as well. The Privacy Officer or designated trainer documents the completion of training for each person (date, content covered, results of any competency quiz if given).
Ongoing Training (Periodic Refresher): HIPAA training is not a one-time event. Staffing For Doctors provides regular refresher training at least annually for all workforce members with continuing access to PHI. Annual training may be somewhat abbreviated relative to initial training but will cover any updates in regulations or policies, and reinforce key points that merit reminder (like common pitfalls or recent incidents). The annual training often includes an overview of any changes in HIPAA or related laws, any new threats or security awareness topics (for example, emerging phishing tactics), and a review of company policy updates. It also serves as a forum to share lessons learned from any compliance issues in the past year (anonymized as appropriate) to prevent recurrence. We might include interactive elements or Q&A to engage staff. Like initial training, attendance is recorded and each member must acknowledge participation.
Training Upon Material Changes: In addition to scheduled annual training, we will provide ad hoc training or informational updates whenever there are material changes to HIPAA regulations or to our internal policies and procedures. For instance, if HHS issues new guidance or if there is a significant change in our business processes (e.g., adopting a new software tool or a new type of service) that affects how PHI is handled, the Privacy/Security Officer will develop an appropriate training module or briefing to address that change. All relevant workforce members would be required to complete this supplemental training in a timely manner. We document the content and date of such interim training as well.
Specialized Training: Certain roles might require additional focused training. For example, managers or the Privacy/Security Officer themselves may undertake more advanced training (like courses or certifications) to deepen their expertise. If a workforce member is assigned a task that has particular privacy implications (such as responding to patient record requests or handling subpoenas), that individual will receive targeted instructions on those duties, either from the client or from our Privacy Officer, to ensure compliance. Additionally, IT personnel or those involved in any technical aspect of our operations would receive training on security configurations, incident response procedures, and so forth.
Training Delivery Methods: We utilize various methods to deliver training:
Live Training: Often conducted via webinar or video conference (since our workforce is remote) by the Privacy Officer or a qualified compliance trainer. This allows for interaction and questions.
Training Materials: We provide written training materials such as a HIPAA training manual, slide decks, or an employee handbook that includes HIPAA policy summaries. These materials are updated and available for reference at any time.
Online Training Platform: We may use an online learning management system (LMS) or compliance training modules that track completion. Given the remote nature, this is effective for ensuring everyone can take training on schedule.
Quizzes/Assessments: To verify comprehension, we include quizzes or knowledge checks during training. A passing score may be required on an end-of-training test to demonstrate understanding. For instance, a short multiple-choice exam covering what constitutes PHI, how to handle it, etc., must be completed by trainees.
Acknowledgment: After training, each person signs an electronic or physical acknowledgment of HIPAA training completion and understanding of their obligations. This is kept on file.
Documentation of Training: The Privacy Officer or delegate maintains records of all HIPAA training sessions and attendance. This includes the date of training, list of participants, topics covered (agenda or slides), and results of any tests or evaluations. For each workforce member, we have a training log indicating when they last completed training. These records are retained for at least six years (per HIPAA’s documentation retention requirement) and can be produced during audits or client inquiries to demonstrate our compliance. Additionally, copies of the actual training content (presentations, handouts, etc.) are archived to show what was taught.
Failure to Complete Training: If any workforce member does not complete required training by the assigned deadline (e.g., a new hire not finishing the orientation before starting work, or an existing member missing the annual refresher), that individual’s access to PHI will be suspended. For example, we would inform the client that the VA cannot continue services until training is done, or reassign tasks temporarily. Completion of training is mandatory; refusal or negligence in completing training could lead to disciplinary action. Our Sanction Policy addresses non-compliance with training requirements (e.g., repeated failure to attend training sessions could result in warnings or further discipline).
Evaluation of Training Effectiveness: Staffing For Doctors periodically evaluates the training program’s effectiveness. We might do this by testing understanding (via quizzes), soliciting feedback from trainees, monitoring for fewer incidents/errors, or having management observe whether procedures are being correctly followed. If we find gaps in knowledge or recurring mistakes in practice, it may indicate that training needs improvement or more emphasis on certain topics. The Privacy Officer updates the training content accordingly. Also, after any significant privacy/security incident, we assess whether it was due to a training gap; if so, we will adjust the training to cover that scenario or topic more clearly.
Culture and Ongoing Awareness: Beyond formal training sessions, Staffing For Doctors fosters a culture of compliance by ongoing awareness activities. We distribute periodic HIPAA reminders and tips via email or internal newsletters. For example, a monthly “HIPAA Hint” might be sent (e.g., reminding about not sharing passwords or how to spot phishing). We also encourage workforce members to ask questions anytime – the Privacy and Security Officer is approachable for clarifications or guidance outside of formal training. Employees are assured that if they are ever unsure about a HIPAA requirement or a situation, seeking guidance proactively is the right course of action.
Privacy and Security Officers Training: Since Daniel Nabavi is our Privacy and Security Officer, he will pursue continuing education in HIPAA compliance and security best practices. This ensures that the trainer and overseer of our program stays current with evolving regulations and industry standards. He may attend external webinars, certification courses, or conferences (e.g., Certified HIPAA Professional courses, or HHS/OCR guidance webinars). Keeping the knowledge of the leadership up-to-date directly benefits the training passed on to workforce members.
By adhering to this Workforce HIPAA Training Policy, Staffing For Doctors ensures that all personnel are well-informed about protecting PHI and are equipped to follow all HIPAA policies. This significantly reduces the risk of violations and helps create a workforce that is vigilant and accountable for maintaining patient privacy.
5. Device and Remote Work Security Policy
Purpose: Staffing For Doctors operates with a fully remote workforce. This policy provides specific requirements and best practices for securing devices and remote work environments used to access PHI. The purpose is to supplement our general Security Policy with focused guidance tailored to remote work and “bring your own device” (BYOD) scenarios, ensuring that even outside a traditional office, PHI remains protected. We aim to address the unique risks of remote work (such as home network security, personal device use, and potential family/visitor access) by enforcing strict controls on how devices are configured and used when handling PHI.
Scope: This policy applies to all devices (computers, laptops, tablets, smartphones, etc.) and networks used by Staffing For Doctors workforce members to perform work involving PHI from remote locations (e.g., home offices). It covers both company-issued devices (if any in future) and personal devices (BYOD) that are authorized for work. It also covers the conduct of remote work itself – the environment and practices that workforce members must adhere to whenever they are accessing or discussing PHI outside of a client’s physical facility. This includes home office setup, internet/Wi-Fi usage, prevention of unauthorized viewing or listening, and handling of any physical records. Given that all our current VAs use their personal computers to connect to client cloud systems, this policy is critical to maintaining HIPAA compliance in that context.
Policy Statements:
Device Authorization (BYOD Agreement): Any personal device used by a workforce member to access client PHI must be approved by Staffing For Doctors for such use. Upon hiring (or when an existing member needs to use a new device), the device’s security must be vetted – the Security Officer or IT delegate will verify it meets our specifications (see below). Each workforce member must sign a BYOD Agreement acknowledging the rules for using their personal device for work, including consent to implement required security measures and (if ever needed) to allow inspection or remote wipe of company-related data. If a workforce member cannot meet the device requirements, they will not be permitted to use that device for PHI; alternative arrangements (like using a different device or obtaining appropriate hardware) must be made. We maintain a list of authorized devices per person. No unlisted or non-compliant device should be used for work.
Secure Configuration of Devices: All devices used to access PHI must be configured securely:
Operating System: The device should run a currently supported and patched operating system (e.g., latest versions of Windows or macOS with current security updates). The user must enable automatic updates for the OS and critical software, or regularly apply updates (at least monthly). Known vulnerabilities shall not be left unpatched.
User Account: The workforce member must have a unique user account on the device that is password or passphrase-protected. If the device is shared with family (discouraged), the work account must be separate and others must not know its password. Ideally, the device used for work is not shared at all. Day-to-day work should be done from a standard (non-administrator) account, so that a malicious download or phishing payload cannot silently change security settings; use the administrator account only to install software or apply updates. The account must use strong authentication (see next bullet).
Password/Authentication: The device login must use a strong password or equivalent authentication (such as biometric plus strong PIN). A strong password means at least 8 characters; current NIST guidance (SP 800-63B) favors longer passphrases over forced mixes of letters, numbers, and symbols, so a long passphrase is preferred. No one besides the workforce member may know or have access to this password. The password must not be reused on non-work accounts. Devices should be set to lock after a certain number of failed attempts to deter brute-force attempts.
Encryption: The device’s storage drive must be encrypted. Full-disk encryption ensures that if the device is lost or stolen, data on it (including any PHI in temporary files or screenshots) is not accessible to an unauthorized person. Workforce members are required to enable BitLocker, FileVault, or an equivalent encryption solution on their computers. The Security Officer can assist in verifying encryption status. Mobile devices must also have encryption enabled (most modern iOS and Android devices do so when a PIN/password is set).
Firewall and Anti-malware: Each device must have a host-based firewall turned on (both Windows and macOS have built-in firewalls that should be enabled). Additionally, an up-to-date anti-virus/anti-malware solution must be installed and kept running with real-time scanning. Regular scans (at least weekly) are recommended. The software should be set to update its virus definitions automatically. There are many reputable AV solutions; at minimum the built-in Windows Defender or equivalent should be active. The workforce member must not disable these protections.
Secure Browser Configuration: When accessing web-based EHRs or systems, the workforce member should use a modern browser that is kept up-to-date. They must ensure the browser is using secure connections (look for https and valid certificates). Browser settings should be such that PHI is not cached excessively: for instance, disabling or clearing forms auto-fill for sensitive data. If possible, using the browser in a privacy mode or configuring it to clear cache on exit can reduce residual data. No browser extensions that are not work-related (especially those with access to page content) should be installed, as they might pose a risk.
Application Security: Only authorized and necessary applications should be installed on the work device. Particularly, any software that could potentially record screen or keystrokes (aside from approved monitoring like Hubstaff) or that opens unnecessary network ports is forbidden. Personal software/games that might come bundled with spyware should be avoided. We advise maintaining the device primarily for professional use. The Security Officer may periodically ask for a list of potentially sensitive applications to ensure none are risky (for example, torrent clients, which are disallowed).
No Root/Jailbreak: If using a mobile device for any work functions, it must not be jailbroken or rooted, as that undermines security controls. Only vendor-supported OS versions are allowed.
Auto-Lock: The device should be set to automatically lock and require re-entry of the password after a short idle period (e.g., 10 minutes or less). This prevents someone from easily accessing the device if the user steps away momentarily. As mentioned under Security Policy, workforce members must also manually lock screens whenever leaving the workstation.
Network Security for Remote Work: Remote workers must ensure the security of their internet connection:
Home Wi-Fi: If connecting via home Wi-Fi, it must be secured with WPA2 or WPA3 encryption. Default router passwords must be changed – the admin interface of the router should be protected so outsiders cannot compromise it. The Wi-Fi network itself should have a strong passphrase. We recommend not sharing the Wi-Fi network with guests; if the router supports a guest network, that can be used for non-work devices, while the work device stays on a separate secured network. Hiding the SSID (not broadcasting it) is optional and provides no real protection: the network name is still visible in the probe frames the work device sends, so it must never substitute for WPA2/WPA3 and a strong passphrase. The router firmware should be kept updated to patch any vulnerabilities, and ideally, network segmentation or a firewall on the router is used to block unsolicited inbound traffic. Remote administration of the router from the internet should be turned off.
VPN Usage: If a client provides a VPN for connecting to their network or systems, the workforce member must use that VPN every time when accessing those resources. If the client does not provide one but the workforce member is on an untrusted network (like public Wi-Fi), the workforce member should use their own VPN service to encrypt traffic. Staffing For Doctors encourages always using a VPN if outside the home. We can provide recommendations for reputable VPN services that are known to be secure and do not log traffic content. Note: some EHRs are entirely cloud-based (accessible via https), in which case a VPN is not strictly required if using a secure connection, but using a VPN adds an extra layer, especially on public networks. Keep in mind that a commercial VPN only protects the link between the device and the VPN provider; the TLS (https) connection to the EHR is what protects PHI end to end, so a VPN is never a reason to ignore a certificate warning.
Public Networks: Avoid using public Wi-Fi (like in cafes, airports) for any work that involves PHI. If it’s absolutely necessary, as stated, a VPN is required. Similarly, do not use public computers (like library or hotel business center PCs) to access PHI, as they may have malware or keyloggers.
Email and Communications: For any company or client communications that might include PHI, only use secure email solutions. Do not send PHI through personal email accounts. If a client uses an encrypted email portal, that must be used. Our own company policy is to avoid email with PHI; instead, PHI should stay within the client’s systems. If communicating with clients about PHI, we either use the client’s systems or de-identify information as much as possible.
Remote Desktop: If a VA uses remote desktop software to connect to a workstation in a clinic or uses screen sharing with colleagues, ensure the remote desktop connection is encrypted (most are, e.g., RDP with proper configuration, or tools like TeamViewer, which has encryption). For RDP in particular, "proper configuration" means Network Level Authentication enabled and the RDP port reachable only through the client's VPN or gateway, never exposed directly to the internet, since internet-facing RDP is a common entry point for ransomware. Only use remote desktop solutions approved by the client or Security Officer.
Physical Security of the Home Workspace: Workforce members must set up their home work environment to maintain confidentiality:
Private Workspace: Work should be conducted in a private room or area where others are not passing by or overhearing. If the VA lives with others, they should communicate the importance of not disturbing or observing the screen. PHI should never be viewed in public spaces (like working at a coffee shop with patient data visible on screen is not allowed). If working from home is not feasible without frequent interruption or exposure, the person must address that (e.g., use privacy screens, headphones, or adjust working hours).
Screen Privacy: As mentioned, screen filters can be used to prevent side-angle viewing. The brightness and positioning can be adjusted to minimize visibility from a distance.
Phone Calls: If part of the job involves phone calls where PHI is discussed (e.g., confirming patient appointments or speaking with billing info), those calls should be made in a private area where they cannot be overheard by household members or others. Use a low voice or separate room. We encourage use of headset to avoid others overhearing the caller's voice on speaker.
Documents and Note-Taking: VAs should avoid writing down PHI on paper. If some notes must be jotted (e.g., a callback number or a name), that paper becomes PHI and must be protected. We advise using electronic secure notes when possible (within the client system). If paper is used, it should be treated like sensitive material – kept secure and then shredded. Hard Copy PHI: As a general rule, do not print or keep hard copy documents containing PHI at home. In rare cases if printing is required by a client, you must have a secure printing environment: immediately collect printouts from the printer (don’t let them sit), and store them in a locked file drawer or safe when not actively used. When they're no longer needed, use a cross-cut shredder to destroy them. We can provide small personal shredders if needed for this purpose.
Family/Roommate Access: As stated, friends, family, or roommates must not be allowed to use any work devices that can access PHI. The device should be password-locked and not shared. Also, do not allow them to look over your shoulder or help with work tasks. Children should not be playing on the same computer used for work, to avoid accidental exposure or changes in settings.
Device Storage: When not in use, laptops or work devices should be shut down and closed. If you leave the house, ideally take the laptop with you if it’s not in a secure home. If leaving it at home, ensure the home is locked. If going out for a short break during work, lock the device in a drawer or at least sign out.
Listening Devices: Be mindful of smart home devices (e.g., Alexa, Google Home) in the workspace, as they technically could pick up conversations. It’s advisable to mute or turn off any such voice-activated devices when discussing PHI on calls.
Use of Hubstaff Monitoring: Staffing For Doctors utilizes Hubstaff to monitor and record work activity for productivity and compliance purposes. Hubstaff runs on the workforce member’s device and can capture screenshots and activity levels at intervals. Workforce obligations with Hubstaff: VAs must keep Hubstaff running during all working hours as required. They should understand that screenshots may capture PHI on their screen; thus, these screenshots are themselves sensitive. Protection of Hubstaff Data: Hubstaff has been evaluated for HIPAA compliance and we have a BAA in place. All data captured by Hubstaff (screenshots, logs) is stored securely on Hubstaff’s cloud (which is encrypted and access-controlled). Only authorized managers/Privacy Officers can view those screenshots, and they do so solely to ensure compliance and evaluate productivity. This monitoring data will not be used or disclosed in any way contrary to HIPAA (for instance, we don’t share screenshots that contain PHI except as required for internal compliance audits or if requested by the client in the context of an investigation). By policy, after a certain retention period, screenshots are deleted. VAs should treat Hubstaff as an extension of our secure environment. They must not attempt to disable or circumvent it during work time. If they notice Hubstaff malfunctioning, they should report it.
Incident Reporting (Devices/Remote): Any security incident involving devices or remote work must be reported immediately:
If a device used for work is lost, stolen, or suspected to be compromised (e.g., you lose your laptop bag, or your computer is hacked or shows malware activity), the workforce member must notify the Security Officer right away. Quick response might enable a remote wipe or at least password changes to protect accounts. The loss of a device with saved passwords or active sessions could be a severe incident (potential breach), so rapid action is needed.
If a workforce member suspects that someone without authorization has seen or heard PHI (e.g., a family member walked by and saw a patient’s info on screen, or you were on a call and someone overheard a name), that should be reported as well. While it may fall under a minor incident or even a breach exception depending on context, it’s important for us to evaluate and mitigate (maybe reminding you to use a private room, etc.).
If any required security software (AV, firewall, updates) fails or cannot be enabled, inform us so we can assist in remediation. Do not just leave a device unprotected.
If your home network was breached (for example, you find out your Wi-Fi was hacked) or you inadvertently connected to a wrong network, report that as it could imply exposure of session data.
These reports tie into our broader incident response and breach policy. The key is to remove any embarrassment or fear in reporting – we expect prompt reporting and will treat it as a security matter, not an immediate blame issue. Failing to report, however, could lead to worse consequences.
No Unauthorized Cloud Storage or Printing: Workforce members should not use personal cloud storage or file-sharing services (Dropbox, Google Drive, iCloud, etc.) to store or transfer PHI unless explicitly authorized by the client and vetted for HIPAA compliance. Our company policy forbids uploading client data to any such service outside the client’s control. The only exception might be if a client asks a VA to use a specific secure platform – in that case, follow the client’s instructions and ensure a BAA is in place for that platform through the client. Similarly, do not print PHI at local copy shops or public printers. If printing is needed and you don’t have a home printer, coordinate with the client for alternatives or ensure the shop has a business associate relationship (which is unlikely, so best avoid it entirely).
Periodic Attestations and Audits: To enforce this policy, Staffing For Doctors may require workforce members to periodically attest that their remote environment and devices remain in compliance. This might be a checklist where the VA confirms: “I still use only my approved device, it’s updated as of this week, my AV is running, my Wi-Fi is secure, no one else uses my PC,” etc., signed and returned quarterly or annually. We reserve the right to conduct inspections or audits of compliance with reasonable notice. For instance, the Security Officer might schedule a video call with a VA and ask to see (via screen-share or camera) that encryption is enabled or that certain settings are turned on. We do this in a non-intrusive way respecting privacy, but the company must ensure policy adherence. If any gaps are found (like a missing update or an insecure configuration), the workforce member must remediate immediately, and follow-up will be done.
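The attestation checklist above, and the secure-configuration and home-network requirements earlier in this policy, can be checked mechanically rather than from memory. The script below is an added example, not part of Staffing For Doctors' tooling or Hubstaff, for a Windows 10/11 work device: it tests the controls this policy names (patch recency, BitLocker, Defender real-time protection, host firewall on every profile, auto-lock, failed-logon lockout, and WPA2/WPA3 on the active Wi-Fi connection) and writes a JSON report the VA can return with the quarterly attestation. The thresholds (30-day patch age, 10-minute lock timeout, 7-day signature age) are assumptions chosen to match the examples in this policy; run it from an elevated PowerShell, since BitLocker status cannot be read otherwise.

```powershell
# Added example: remote-device self-check for the attestation described in this policy.
# Not part of Staffing For Doctors' tooling. Requires an elevated PowerShell on Windows 10/11.
# Thresholds below are assumptions chosen to match the examples in the policy text.
$MaxPatchAgeDays = 30      # "at least monthly" updates
$MaxLockSeconds  = 600     # auto-lock after 10 minutes or less
$MaxSignatureAge = 7       # anti-malware definitions no older than a week

$results = New-Object System.Collections.Generic.List[object]
function Add-Check {
    param([string]$Name, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. OS patch recency: the newest installed hotfix must fall inside the window.
try {
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { 9999 }
    Add-Check 'OS updates applied' ($age -le $MaxPatchAgeDays) "last update $age day(s) ago ($($latest.HotFixID))"
} catch { Add-Check 'OS updates applied' $false $_.Exception.Message }

# 2. Full-disk encryption on the system drive (lost/stolen laptop protection).
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $ok = ($vol.ProtectionStatus -eq 'On') -and ($vol.VolumeStatus -eq 'FullyEncrypted')
    Add-Check 'BitLocker on system drive' $ok "protection=$($vol.ProtectionStatus), status=$($vol.VolumeStatus)"
} catch { Add-Check 'BitLocker on system drive' $false "query failed (run elevated?): $($_.Exception.Message)" }

# 3. Anti-malware: real-time protection on and signatures fresh.
try {
    $mp = Get-MpComputerStatus
    $ok = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le $MaxSignatureAge)
    Add-Check 'Defender real-time protection' $ok "realtime=$($mp.RealTimeProtectionEnabled), signature age $($mp.AntivirusSignatureAge) day(s)"
} catch { Add-Check 'Defender real-time protection' $false $_.Exception.Message }

# 4. Host firewall enabled on every profile (Domain, Private, Public).
try {
    $off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | Select-Object -ExpandProperty Name
    Add-Check 'Firewall on all profiles' ($off.Count -eq 0) $(if ($off) { "disabled: $($off -join ', ')" } else { 'all enabled' })
} catch { Add-Check 'Firewall on all profiles' $false $_.Exception.Message }

# 5. Auto-lock: either a machine-wide inactivity limit (policy key) or a
#    password-protected screen saver, within the allowed idle time.
$sys  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$inactivity = [int]($sys.InactivityTimeoutSecs)
$saverTimeout = [int]($desk.ScreenSaveTimeOut)
$saverOk = ($desk.ScreenSaveActive -eq '1') -and ($desk.ScreenSaverIsSecure -eq '1') -and ($saverTimeout -gt 0) -and ($saverTimeout -le $MaxLockSeconds)
$inactOk = ($inactivity -gt 0) -and ($inactivity -le $MaxLockSeconds)
Add-Check 'Auto-lock within limit' ($saverOk -or $inactOk) "InactivityTimeoutSecs=$inactivity, secure screensaver=$($desk.ScreenSaverIsSecure), timeout=$saverTimeout s"

# 6. Failed-logon lockout threshold ("net accounts" prints "Never" when unset).
$lockLine = (net accounts) | Where-Object { $_ -match 'Lockout threshold' } | Select-Object -First 1
$threshold = if ($lockLine -match '(\d+)') { [int]$Matches[1] } else { 0 }
Add-Check 'Account lockout threshold set' ($threshold -gt 0) (($lockLine -replace '\s+', ' ').Trim())

# 7. Wi-Fi: if a wireless interface is connected, it must use WPA2 or WPA3.
$wlan = netsh wlan show interfaces 2>$null
$auth = $wlan | ForEach-Object { if ($_ -match '^\s*Authentication\s*:\s*(.+)$') { $Matches[1].Trim() } } | Select-Object -First 1
if ($auth) {
    Add-Check 'Wi-Fi uses WPA2/WPA3' ($auth -match 'WPA[23]') "authentication=$auth"
} else {
    Add-Check 'Wi-Fi uses WPA2/WPA3' $true 'no wireless connection (wired, or Wi-Fi off)'
}

# Report: console table plus a JSON file to attach to the attestation.
$report = [pscustomobject]@{
    Host      = $env:COMPUTERNAME
    User      = "$env:USERDOMAIN\$env:USERNAME"
    Generated = (Get-Date).ToString('o')
    Compliant = -not ($results | Where-Object { -not $_.Pass })
    Checks    = $results
}
$results | Format-Table -AutoSize
$out = Join-Path $env:USERPROFILE "device-attestation-$(Get-Date -Format yyyyMMdd).json"
$report | ConvertTo-Json -Depth 4 | Set-Content -Path $out -Encoding UTF8
Write-Host "Overall compliant: $($report.Compliant). Report written to $out"
```

A failing line in the table maps directly to the remediation the policy already prescribes (enable BitLocker, turn the firewall profile back on, set a lock timeout), and the JSON file gives the Security Officer something to keep with the signed attestation instead of a verbal "my AV is running". The script reports only configuration state, never screen content or browsing history, which keeps it within the non-intrusive spirit of the audit clause.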
Sanctions for Non-Compliance: Violations of this Device and Remote Work Security Policy will invoke our Sanction Policy. Examples of violations include: letting someone else use your work device to play games (unauthorized access), failing to report a stolen laptop for days, deliberately turning off your firewall or AV, or keeping PHI downloads on your computer against policy. Depending on severity, sanctions up to termination could apply, especially if the action results in a data breach. Our enforcement is meant to underscore how seriously we take remote security.
Support and Resources: Staffing For Doctors will support workforce members in meeting these requirements. If a member is not tech-savvy in implementing a security setting, our IT support (if available) or Security Officer will guide them. If a personal device cannot meet the standards (maybe it’s too old to encrypt), we will discuss alternatives (like possibly providing a stipend for an upgrade, or a loaner device if feasible) rather than forcing someone to use an insecure setup. We provide tools as needed, like recommending reputable VPN services, providing encryption how-tos, or supplying a privacy screen filter for the monitor. The goal is to enable compliance, not burden the workforce unfairly – but security cannot be compromised, so if one method doesn’t work, another must be found.
By following this Device and Remote Work Security Policy, our virtual assistants will maintain a secure computing environment that mirrors the security of a traditional clinical office. This ensures that even though PHI is accessed from various locations, it remains well-protected against unauthorized access or breaches. Our clients can be confident that remote work is conducted with the same diligence for privacy and security as on-site work.
6. Sanction Policy
Purpose: This policy describes the sanctions (disciplinary actions) that Staffing For Doctors will apply to workforce members who fail to comply with HIPAA requirements or the company’s privacy and security policies. The purpose is to ensure that violations are addressed consistently and appropriately, to deter negligent or willful misconduct, and to reinforce our commitment to HIPAA compliance. HIPAA regulations (45 C.F.R. §164.530(e) under the Privacy Rule and §164.308(a)(1)(ii)(C) under the Security Rule) require covered entities and business associates to have and apply sanctions against workforce members who violate privacy or security policies. This policy fulfills that requirement and provides transparency about the consequences of non-compliance.
Scope: This policy applies to all members of the workforce (employees, contractors, etc.) of Staffing For Doctors, at all levels, who may violate HIPAA laws or any of our internal policies related to the protection of PHI. It covers violations of the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, as well as breaches of confidentiality, misuse of PHI, failure to follow security procedures, and any other deviation from established HIPAA compliance practices. The policy addresses both inadvertent breaches (e.g., accidental but negligent acts) and deliberate violations. It also covers both single incidents and patterns of behavior. Note that this policy is internal; it does not address civil or criminal penalties that regulators might impose for violations (though those exist independently), it strictly covers our internal disciplinary response.
Policy Statements:
Expectation of Compliance: All workforce members are expected to comply fully with HIPAA regulations and Staffing For Doctors’ HIPAA policies and procedures. Lack of awareness of a policy is not an excuse, as we provide training and resources to ensure everyone understands their obligations. By continuing employment or engagement, workforce members agree to adhere to these standards.
Sanction Requirement: Staffing For Doctors will apply appropriate sanctions against any workforce member who fails to comply with privacy or security policies or HIPAA regulations. The severity of the sanction will correspond to factors such as the nature of the violation, whether it was intentional or accidental, whether it indicates a pattern or repeat offense, the harm or potential harm caused, and the individual’s willingness to cooperate and remediate. Sanctions will be applied consistently across the organization – no individual is exempt due to position or tenure, and similar violations will result in similar disciplinary measures, taking into account the context of each case.
Range of Disciplinary Actions: The following types of sanctions may be imposed, in order of increasing severity (though not necessarily strictly sequential if the situation warrants stronger action immediately):
Verbal Counseling/Remedial Training: For minor or first-time offenses that appear accidental or due to lack of understanding, the immediate supervisor or Privacy/Security Officer may give a verbal warning or coaching. The incident and conversation will be documented for record. The workforce member will be instructed on what went wrong and how to correct it. Often, additional training will be provided to ensure they properly understand the policy. For example, if someone inadvertently left their computer unlocked and a family member glimpsed a screen, this might result in counseling and a reminder of the locking procedure.
Written Warning: If the violation is more serious or if a minor violation is repeated, a formal written reprimand will be issued. This letter will describe the violation, the expected compliance, and the consequences if further violations occur. The workforce member may be required to sign the warning acknowledging receipt. A written warning will typically be placed in the individual’s personnel file. At this stage, the company may also impose temporary restrictions (like closer monitoring of work or suspension of certain accesses until trust is re-earned).
Suspension: For significant violations or repeated offenses, Staffing For Doctors may suspend the workforce member from duties for a period. Suspension can be with or without pay depending on employment status and severity. During suspension, an investigation may occur (if not already completed). For instance, if a serious breach occurred because of the member’s actions, we might suspend them while assessing the damage. Suspension serves both as a punitive measure and to prevent further potential harm while matters are sorted.
Termination of Employment/Contract: Serious violations will result in termination of the workforce member’s employment or contract with cause. Examples of violations that would lead to termination on the first occurrence include: deliberate snooping in patient records without need, theft or sale of PHI, sharing your login credentials knowingly, using PHI for personal gain or malicious intent, or any breach that shows gross neglect (like ignoring repeated warnings). Also, failure to report a known breach or violation might itself be grounds for termination if it significantly aggravates the situation. Termination decisions are made by management in consultation with the Privacy/Security Officer and possibly legal counsel. The individual will be escorted (virtually, since remote – meaning accounts disabled immediately) out of any systems and reminded of their ongoing obligations (like continuing confidentiality even post-termination).
Other Sanctions: Depending on circumstances, other actions might be taken, such as demotion, reassignment, removal from a particular client’s work, or financial penalties if contractually applicable for contractors (for example, withholding pay for hours if work was fraudulent). Additionally, some violations might warrant reporting the individual to professional licensing boards (if they hold a license and the behavior violated professional ethics) or even to law enforcement (if laws were broken, e.g., theft or willful misuse of PHI can be a criminal offense). While these external actions are not “sanctions” per se in the HR sense, they may be pursued in parallel if appropriate.
Sanction Procedure: When a potential violation is identified (through an audit, report, complaint, or breach investigation), the Privacy Officer and appropriate management will:
Investigate the incident: gather facts, talk to involved parties, review any evidence (logs, emails, etc.).
Determine the severity: was it accidental or intentional, what rules were violated, what harm resulted or could have resulted.
Check past history: see if the individual has prior violations or warnings on record.
Consult policies and precedent: what does our sanction policy guide for this type of offense, and how have we handled similar cases before (to ensure consistency).
Decide on sanction: in a meeting with HR (if applicable) and management, decide the appropriate level of discipline. The Privacy/Security Officer provides input on the regulatory seriousness.
Communicate to the individual: a meeting or call is arranged to inform the person of the findings and the disciplinary action. It’s important to do this respectfully but clearly, so they understand the gravity. They are given a chance to provide any additional context or mitigation (which may or may not change the decision, but is documented).
Document the action: a summary of the violation and the sanction applied is written up. The individual is asked to acknowledge (for a written warning or termination, etc.). If they refuse to sign, it’s noted.
Follow-up: implement the sanction (e.g., suspension timeline, termination steps like collecting company assets or disabling accounts). Increase monitoring or training as needed if the person remains employed.
Examples of Violations and Sanctions: To clarify how we apply this policy:
Example 1: An employee accidentally emails a patient file to the wrong client (mistyped an email address). This is a breach. It was accidental, but a clear policy violation (the employee should have double-checked the recipient or used secure transfer). First offense. Likely sanction: Written warning + immediate breach procedure + re-training on proper email protocol.
Example 2: A VA is found to have left their workstation unlocked repeatedly, even after a verbal reminder, and on one occasion their family member clicked into a patient chart. This shows negligence. Sanction: Possibly written warning after first serious instance, and if repeated, suspension or termination because it shows disregard for policy after warning.
Example 3: A contractor intentionally accessed the medical records of a friend out of curiosity (no work-related need). This is intentional snooping – a serious Privacy Rule violation. Sanction: Termination on first offense due to willful misconduct, and we would report the incident to the client (the covered entity) because it’s a privacy breach. Possibly report to authorities if it seems egregious.
Example 4: An employee doesn’t complete mandatory HIPAA training even after reminders and continues to ask basic questions that indicate non-compliance. This shows non-cooperation with policies. Sanction: Progressive – initial counseling, then written warning if still non-compliant, and potential termination if they refuse training, because we cannot have untrained staff handling PHI.
Example 5: A VA uses unapproved cloud storage to keep patient lists because it’s “convenient,” thereby exposing PHI to unauthorized platforms. That’s a deliberate disregard of the policy for personal convenience. Sanction: Could be termination or at least final warning, depending on harm caused and attitude (if they genuinely didn’t realize the severity, maybe one chance with heavy reprimand; if they knowingly did it, likely termination).
Consistency and Fairness: We commit to applying sanctions fairly. Similar circumstances will yield similar discipline. However, we will individualize as appropriate: for instance, if two people made the same mistake but one promptly self-reported it and the other tried to hide it, we would treat the latter more severely because honesty and proactive reporting are encouraged. We also comply with any applicable employment laws in issuing discipline (for example, ensuring we are not discriminatory). The Privacy Officer keeps a record of sanctions to ensure trends can be analyzed and consistency maintained. If any sanction is appealed (some companies allow an internal appeal), management will review but given our small size it may just be a direct conversation.
No Retaliation for Reporting: It’s important to distinguish sanctioning violators vs. our stance on whistleblowers or incident reporters. If a workforce member in good faith reports a potential HIPAA violation or breach (whether it's about themselves or others), we will not retaliate against them for the act of reporting. In fact, reporting is required. The only time a self-report might still result in sanction is if the act itself was a violation – we will give some credit for self-reporting (which might mitigate the discipline severity), but the violation could still warrant discipline. For example, if someone accidentally breached data and reports it, we focus on mitigating and may just retrain rather than punish harshly. Retaliation against a person who reports a concern is itself a serious offense and could result in sanctions for the retaliator.
Documentation of Sanctions: All sanctions applied, including verbal warnings, will be documented in writing (even if just a memo to file for a verbal counseling). We maintain these records for at least six years as part of compliance documentation. This documentation may be reviewed during audits to demonstrate we enforce our policies. It will include the name of the workforce member, date, description of violation, sanction applied, and the date it was implemented. Privacy of these HR records will be maintained, but relevant leadership will have access.
Reporting Violations to Clients or Authorities: If a workforce member’s violation results in a breach of PHI that must be reported, we will, as required, inform the client (covered entity) per the Breach Notification Policy. We might also inform law enforcement if the situation involves theft or malicious wrongdoing. Those external reports are separate from internal sanctions but are part of the consequence. Our BAA likely requires notifying the client of any workforce sanctions that involve misuse of their PHI, and we will comply with that (for example, telling the client if we terminated a VA for violating privacy involving their data).
Continuous Improvement: The Sanction Policy also serves as feedback for our compliance program. The Privacy Officer will periodically review sanction cases to see if there are underlying causes – e.g., multiple sanctions around the same issue might indicate a need for improved training or changes in procedure. Our goal is not to punish for its own sake, but to maintain a culture of compliance. If we notice trends, we address them systemically. Ideally, sanctions become rare because training and culture prevent violations.
By enforcing this Sanction Policy, Staffing For Doctors ensures that every workforce member understands the seriousness of HIPAA compliance and that there are real consequences for failing to uphold our standards. This not only reduces risk of future breaches but also demonstrates to clients and regulators that we take our responsibilities seriously. All employees and contractors are expected to read and acknowledge this policy, and to conduct themselves accordingly.
7. Business Associate Management Policy
Purpose: Staffing For Doctors, in its role as a Business Associate (BA) to healthcare providers and other covered entities, must manage its obligations and agreements with those clients, as well as with any subcontractors or service providers that handle PHI on its behalf. This policy outlines how we manage Business Associate Agreements (BAAs) and relationships to ensure compliance with HIPAA requirements. The goal is to ensure that PHI entrusted to us by clients is protected through enforceable agreements and that any downstream entities we use are likewise bound to protect PHI. It also ensures we fulfill our own responsibilities as a Business Associate to covered entities.
Scope: This policy covers:
Agreements with Covered Entity Clients: Every contract with a healthcare provider or other covered entity client for whom we will create, receive, maintain, or transmit PHI must include a HIPAA-compliant Business Associate Agreement. This policy covers the content and handling of those agreements.
Subcontractors or Vendors (Sub-Business Associates): Any third-party service or subcontractor that Staffing For Doctors uses, who will have access to PHI in the course of providing services to us (and indirectly to our clients), must also be treated as a Business Associate under HIPAA. This policy covers how we select and bind such subcontractors (via BAAs or similar assurances) and oversee their compliance. In our current operations, the primary relevant subcontractor is Hubstaff (which monitors our workforce and may incidentally capture PHI in screenshots). If we add any other vendor that might handle PHI (e.g., an IT support provider, cloud service, etc.), this policy will apply.
No other subcontractors beyond Hubstaff are presently used for PHI, which simplifies our current scope, but this policy is written to handle future cases as well.
Business Associate Obligations: This policy also reiterates the internal steps we take to meet our contractual and regulatory obligations as a BA to our clients (e.g., reporting breaches, permitting audits, etc., as often outlined in BAAs).
Policy Statements:
Requirement of Business Associate Agreements with Clients: Staffing For Doctors will enter into a Business Associate Agreement (or equivalent contractual clauses) with each covered entity client before any PHI is received or accessed. We recognize that under HIPAA, a covered entity is required to obtain “satisfactory assurances” in the form of a contract or agreement that we, as a BA, will appropriately safeguard PHI. It is our policy not to commence services involving PHI until a duly executed BAA is in place. Typically, the client will provide their standard BAA; our Privacy/Security Officer will review it to ensure it meets all required elements. In some cases, we may provide our BAA template if the client doesn’t have one, but in all cases, the final agreement must contain all HIPAA-required provisions. These required provisions include, at minimum: a description of permitted and required uses of PHI by us; a stipulation that we will not use or disclose PHI in a manner not permitted by the agreement or law; requirements to use appropriate safeguards (and comply with the Security Rule) to protect ePHI; a requirement to report to the client any unauthorized use/disclosure including breaches; passing on of certain duties (like providing access to records or amendments) if applicable; making our records available to HHS if needed; returning or destroying PHI at contract termination if feasible; and ensuring any subcontractors agree to the same restrictions.
Content of BAAs: Our Privacy Officer maintains a template BAA that is compliant with 45 C.F.R. 164.504(e). Key points that we ensure in every BAA (whether our template or the client’s) are:
Permitted Uses and Disclosures: We can use PHI only for the purposes of fulfilling our service obligations (e.g., scheduling, billing, etc.) and for proper management and administration of Staffing For Doctors or to carry out our legal responsibilities, and then only if such use or disclosure would not violate HIPAA (for instance, using PHI for our management if necessary and either securing confidentiality assurances from any third party or as required by law).
No Further Disclosure: We will not disclose PHI except as permitted or required by the agreement or as required by law.
Safeguards: We must implement appropriate safeguards to prevent unauthorized use/disclosure, including complying with the Security Rule for ePHI. Our Security Policy and this overall manual serve to document those safeguards.
Breach/Incident Reporting: We are required to report to the covered entity any use or disclosure not provided for by the contract, including breaches of unsecured PHI and any security incidents of which we become aware. Our Breach Notification Policy aligns with this by requiring notification without unreasonable delay, and BAAs often specify even tighter timelines (commonly immediate or within 5 days).
Subcontractors: We must ensure any subcontractor that will have access to PHI agrees to the same restrictions, conditions, and requirements that apply to us. We accomplish this by having subcontractors sign BAAs with us (see below).
Access and Amendment: If applicable, we must assist the covered entity in providing individuals access to their PHI or making amendments, by either doing it or providing the info to the covered entity, within the timeframes specified by HIPAA. If our role means we hold PHI that is part of a Designated Record Set, the BAA will include that we will accommodate access or amendment requests as directed. Typically, since PHI stays on client systems, our role would be just to inform the client if we receive a request and then help as needed.
Accounting of Disclosures: We must document and provide an accounting of any disclosures of PHI we make that the covered entity would need to include in an accounting to an individual (for example, if we disclosed PHI to a third party under an exception, which is rare in our case).
HHS Access: We must make our internal practices, books, and records relating to PHI use and disclosure available to the Secretary of HHS if required for determining the client’s HIPAA compliance. This means we must maintain documentation and be prepared for audits.
Return/Destruction of PHI: Upon termination of the contract, we will return or destroy all PHI we still have, if feasible, or extend protections if destruction is infeasible. Because we don’t typically keep PHI, this usually means ensuring we have no client data in our possession once our services end (e.g., confirm any lists or documents are given back or wiped). For Hubstaff screenshots that contain PHI, we have a retention and deletion process that can be aligned with contract end.
Termination for Cause: The BAA gives the covered entity the right to terminate our contract if we are in material breach of the BAA’s terms (i.e., if we violate a material HIPAA obligation). Our policy is to avoid that by strict compliance, but we acknowledge that clause.
Execution and Maintenance of BAAs: The Privacy/Security Officer (Daniel Nabavi) is responsible for negotiating and ensuring execution of BAAs with clients. We keep a central repository of all executed BAAs. Each BAA is signed by an authorized official of Staffing For Doctors (which is often the Privacy Officer or another executive) and by the client. We do not begin work until the BAA is signed by both parties. BAAs are typically incorporated into or attached to the service contract with the client, but if not, we maintain them separately. We review these agreements periodically (especially if regulatory changes occur) to determine whether any updates or re-signing are needed. For instance, if HIPAA law changes or if our business practices change (for example, if we start storing PHI), we would need to update agreements. We also ensure renewal or extension of BAAs in sync with service contract renewals so no lapse occurs. The Privacy Officer stays informed of current HHS guidelines for BAAs to ensure our agreements remain compliant with any new interpretations (the last major update was the 2013 Omnibus Rule, but we stay alert).
Managing Subcontractors (Downstream BAs): Whenever Staffing For Doctors engages a subcontractor or service provider to perform a function or service that involves PHI (on our behalf, for our clients), we must treat that subcontractor as a Business Associate under HIPAA and obtain satisfactory assurances of compliance. Our policy is:
Pre-approval: Any department or manager considering using a third-party service that might handle PHI must consult the Privacy/Security Officer. We will assess whether the vendor will encounter PHI and if so, whether they are HIPAA capable.
Due Diligence: We perform due diligence on prospective subcontractors for HIPAA compliance. This could include checking if they advertise HIPAA compliance, asking for their policies or security measures, and ensuring they have appropriate safeguards. For example, with Hubstaff, we confirmed that they offer HIPAA-compliant plans and that data is encrypted, access is limited, etc., before proceeding.
Business Associate Agreement with Subcontractor: We will enter a BAA with any subcontractor who may receive or create PHI on our behalf, just as a covered entity would with a BA. The BAA with a subcontractor includes essentially the same obligations we have to our clients, flowing down. It binds the subcontractor to: use PHI only for the purposes we hired them for and not inappropriately, implement safeguards (including Security Rule compliance for ePHI), report breaches to us, allow us to terminate if they violate material terms, and so forth. We obtained a BAA with Hubstaff as a condition of using their service and ensuring it meets these requirements. The Privacy Officer maintains copies of subcontractor BAAs alongside client BAAs.
Minimum Necessary & Scope: We will only disclose to a subcontractor the minimum PHI necessary for them to perform their functions. In practice, for Hubstaff, we do not actively send PHI, but we knew that screenshots might inadvertently contain it, which is why we treat them as a BA. If we engage, say, an IT support company to troubleshoot a VA’s computer, we would ensure either that no PHI is visible during support or that the IT company signs a BAA because they might see data on screen. All subcontractors are instructed to follow the same privacy and security rules as we do.
Monitoring Subcontractor Compliance: We will monitor or obtain assurances that the subcontractor is complying with HIPAA. This could be through contract warranties, reviewing their compliance reports if available, or requiring periodic attestations. We generally trust reputable vendors but remain vigilant. If a subcontractor informs us of any incident on their side, we will respond as per our breach policy (and report to clients if needed). We also reserve rights in the contract to audit or request information on their practices concerning PHI.
Subcontractor Breach Management: If a subcontractor (like Hubstaff) experiences a breach or violation involving PHI they handle for us, our policy is to treat it as if we ourselves had the breach (since ultimately we’re responsible to our client). We will require the subcontractor to provide us all necessary information and to take appropriate steps. We would then notify our clients as required (fulfilling our BA obligations) and potentially terminate the subcontractor if the issue indicates gross negligence or inability to meet requirements.
No Unauthorized Subcontractors: Workforce members are not permitted to engage any outside service provider to handle PHI (for example, forwarding work to an unapproved assistant or using a transcription service on their own) without formal approval and a BAA in place. All PHI-related work must be done either by our workforce or by approved contracted entities.
No Other Subcontractors (Current State): At present, aside from Hubstaff, we do not use any other subcontractors who handle PHI. We do not off-shore any PHI tasks to another company, nor use cloud services like storage (beyond what clients provide) for PHI. Should this change (for instance, if we decide to utilize a secure cloud database to temporarily hold PHI or a communication tool for PHI outside client systems), we will update this policy and ensure BAAs are in place with those vendors. We commit to informing our clients in the BAA of any subcontractors we use that will have access to their PHI and, if required, obtain their consent or at least ensure the subcontractor is under the same obligations.
Our Responsibilities as a Business Associate: In managing our role, the Privacy/Security Officer ensures that we uphold all promises made in the BAAs with clients:
We maintain the safeguards and policies (like everything in this manual) to protect PHI.
We train our workforce and impose sanctions for violations, as evidenced by our policies.
We report breaches or incidents promptly to clients (as per Breach Notification Policy).
We mitigate any harmful effects of breaches to the extent practicable.
We provide access or information for accounting if the client asks (e.g., if they need to compile an accounting of disclosures, we check our records if we disclosed any PHI of that client outside routine purposes, which is unlikely but possible in certain cases).
We open ourselves to audits or inspections by the client or HHS if legitimately needed. For example, some clients might audit their BAs. We will cooperate and provide them with requested compliance documentation (policies, training records, etc.), under appropriate confidentiality.
Upon termination of a client contract, we return or destroy PHI. Since we usually do not have client PHI saved, this often simply means confirming that all user accounts have been deactivated and we no longer can access their systems, and requesting that any PHI artifact (like an email or document that might have been sent to us) is either returned or deleted. If deletion is infeasible (maybe because it’s in emails that must be retained for legal reasons), we extend protections to that data indefinitely.
If we carry out any covered entity obligation (like distributing a Notice of Privacy Practices or fulfilling individual rights) on behalf of the client, we do so in compliance with HIPAA as if we were the client. Typically, we don’t do those things except maybe assist in providing records, but we are aware of the requirement.
Client Notifications and Communications: We maintain open communication with our clients regarding BA management. We inform them of who our designated Privacy/Security Officer is (Daniel Nabavi) and provide contact info in the BAA. If a client inquires about our HIPAA compliance program or requests to see evidence (like our training program or a security overview), we accommodate such requests to build trust. We also proactively reach out if there’s any situation that might affect our ability to safeguard PHI (for instance, if we suspect any security issue on our side, even if not rising to a breach, we might alert the client as appropriate).
Termination of BA Relationships: If a client terminates our services, we ensure BAA termination provisions are followed (as noted, PHI return/destruction). Conversely, if we find that a client’s expectations or requests would cause us to violate HIPAA (unlikely, but hypothetically if a client pressured us to do something non-compliant), we would address it and if not resolved, it could lead to discontinuation of the partnership. Similarly, if a subcontractor cannot meet our standards or has a serious breach, we will terminate that subcontractor relationship. The aim is to only be in business arrangements where all parties take HIPAA seriously.
Documentation: The Privacy Officer keeps a log of all Business Associate Agreements (with dates of execution, renewal dates, and parties) and subcontractor agreements. We also document any due diligence for subcontractors (like notes on why we trust Hubstaff’s compliance). These documents are retained for at least six years.
By implementing this Business Associate Management Policy, Staffing For Doctors ensures a chain of trust for PHI from our clients to us and onward to any of our agents. This instills confidence that PHI will be consistently protected at every step. It also protects our company by clearly defining the responsibilities and liabilities through contracts. All staff involved in procurement or management of vendor services must be aware of these requirements so that no PHI is ever exposed through an unmanaged partnership.
8. Security Risk Assessment and Risk Management Policy
Purpose: This policy establishes our process for conducting regular HIPAA Security Risk Assessments and implementing risk management measures. The HIPAA Security Rule’s Administrative Safeguards require an ongoing risk analysis and risk management program (45 C.F.R. 164.308(a)(1)(ii)(A) & (B)). The goal is to systematically identify potential threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI that Staffing For Doctors handles, and to take appropriate steps to mitigate those risks to a reasonable and acceptable level. This policy is crucial for proactive HIPAA compliance, ensuring we are not just reacting to incidents but anticipating and preventing them where possible.
Scope: This risk assessment and management program covers all aspects of Staffing For Doctors’ operations that involve ePHI. Since we primarily access client systems and do not host our own ePHI databases, our risk scope includes: the devices and networks our workforce uses (as they interface with client data), the applications and services we employ (like Hubstaff or any communication tools that might handle PHI), our internal processes (like training, policies enforcement), and any potential human factors. It encompasses technical risks (e.g., malware, hacking), physical risks (device theft, unauthorized viewing), and administrative risks (policy gaps, human error). The risk assessment will consider both our role as a Business Associate and our subcontractors’ roles. We will also factor in any regulatory or environmental changes that could affect risk (like new types of cyber attacks targeting remote workers).
Policy Statements:
Conducting Risk Analysis: Staffing For Doctors will conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI that we create, receive, maintain, or transmit. This formal Risk Assessment will be performed at least annually, and additionally whenever there are significant changes in our environment (such as adopting new technology, experiencing a significant security incident, or expanding services). The risk analysis process includes:
Data Inventory: First, we identify and document what ePHI we handle and where it flows. As part of initial and ongoing risk assessment, we perform or update a data mapping: listing all sources of ePHI (e.g., client EHR systems accessed, any files or reports possibly stored on local devices, Hubstaff screenshot data, emails containing PHI, etc.), how that ePHI is transmitted or accessed (VPN, web, etc.), where it is stored or maintained (mostly on the client side, but also in transit on our devices’ screens and in Hubstaff’s cloud), and who has access to it. We consider all remote employees and the systems they use. This comprehensive understanding of the flow of PHI in our business is the foundation for risk analysis.
Threat Identification: We identify reasonably anticipated threats that could affect the ePHI. These threats can be:
Human threats: e.g., insider misuse, employee mistakes (like sending info to the wrong person), credential theft by phishing, or malicious outsiders targeting our accounts.
Technical threats: e.g., malware infections, vulnerabilities in software we use, hacking attempts on remote desktops or our monitoring data, etc.
Physical threats: e.g., theft of a laptop or smartphone, fire or flood in a home office destroying devices, eavesdropping in a public place.
Environmental threats: e.g., power outages or internet outages affecting availability (less about confidentiality, more availability).
Vulnerability Assessment: For each threat, we assess our vulnerabilities – i.e., areas where we may be susceptible. For example, a vulnerability could be that a workforce member’s home router wasn’t secure or that someone hasn’t updated their OS, or a policy that is hard to enforce like no family viewing. We also consider organizational vulnerabilities like lack of awareness or insufficient monitoring. We specifically look at our prior incidents (if any) to identify recurring weak points.
Risk Evaluation: We then consider likelihood and impact of each threat exploiting a vulnerability:
Likelihood (Low/Moderate/High) – e.g., likelihood of a phishing email landing and someone clicking it might be moderate; likelihood of an armed robbery of someone’s home office low, etc.
Impact (Low/Moderate/High) – if the event occurred, how bad would it be? E.g., a lost unencrypted laptop has high impact (lots of PHI potentially exposed). A short internet outage is low impact (just availability for a bit).
Using those, we often rate risk levels (like a high likelihood & high impact scenario is high risk).
We may utilize a risk assessment tool or framework for consistency, such as referencing NIST SP 800-30 or the HHS SRA Tool. We might also align with the NIST Cybersecurity Framework or SOC2 criteria as guides to ensure comprehensive coverage of controls.
Documentation: We document all the above in a Risk Analysis Report or Matrix, listing assets, threats, vulnerabilities, current controls, and risk level.
Risk Management Plan: Following the risk analysis, we develop and implement a Risk Management Plan to address identified risks. In accordance with 45 C.F.R. 164.308(a)(1)(ii)(B), we will implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. Key steps:
Prioritize Risks: We prioritize identified risks based on their risk level (combination of likelihood and impact). Generally, any high risks will be addressed immediately. Medium risks will have planned mitigation in a reasonable timeframe. Low risks will be acknowledged and perhaps accepted or scheduled for later improvement if feasible.
Mitigation Strategies: For each significant risk, we determine one or more mitigation measures. Mitigation can include:
Administrative actions (e.g., update a policy, increase training on a particular issue if lack of knowledge is a vulnerability).
Technical safeguards (e.g., deploy a new security tool, enforce MFA if not already, implement stricter device configurations).
Physical safeguards (e.g., require locking cabinets, provide privacy screens).
Sometimes, transferring risk (e.g., ensuring insurance or shifting hosting to a more secure environment if that was an issue).
We consider options and choose measures that are reasonable and appropriate given our company size, capabilities, and the sensitivity of PHI. (HIPAA allows flexibility but expects us to address things meaningfully).
Risk Mitigation Action Plan: We formalize a plan listing what will be done, by whom, and by when, to address each high/medium risk. For example, if we find that not all devices were encrypted (a vulnerability) and threat of lost device is high, action = enforce encryption on all devices by X date (responsible: Security Officer). If phishing is a threat, action = implement an email filter and do a phishing test training by Y date.
Implement Controls: The Security Officer oversees the implementation of chosen controls. This can involve coordinating with the workforce for any new steps (like everyone must start using a password manager if weak passwords were a risk, etc.), configuring any technology, or updating procedures. We ensure that mitigations themselves do not inadvertently create new problems (for example, if we implement a remote wipe tool, ensure it’s secure).
Residual Risk: After applying measures, some residual risk will remain (no environment is zero-risk). We assess whether that residual risk is acceptable. If not, we consider additional controls. If yes, we document management’s acceptance of that residual risk. For instance, there might always be a risk that a very sophisticated attacker could target a remote VA; we mitigate with good practices, and accept the extremely low likelihood that remains.
Periodic Review and Updates: Risk analysis is not a one-time task. We will review and update the risk assessment at least annually and whenever we have significant changes or incidents. An annual risk assessment might involve going through the previous risk report, updating asset inventory (maybe we have more employees now, or new clients, or new tools), and evaluating if earlier mitigations were done and effective. It will also consider new threats (e.g., if teleworking risks have evolved with new remote access technologies, etc.). The Privacy/Security Officer will schedule this, often aligning with year-end or the anniversary of the previous assessment. We also re-assess after any major incident: e.g., if a breach occurred, we’ll do a fresh risk analysis focusing on what allowed it and if other areas have similar exposures.
Additionally, compliance with this process will be part of our internal audits. We may also be asked by clients to share if we conduct risk assessments; we can affirm and show a summary if needed (without exposing any sensitive internal info).
Involving Stakeholders: The risk assessment process may involve others in the organization. For example, we might have a small risk assessment team including the Privacy/Security Officer, an operations manager, an IT consultant if needed, and representation of the VAs’ perspective. We might also use external expertise or tools for risk assessment (some companies use HIPAA consultants or automated risk assessment tools – if we find it beneficial, we will consider it). Management (CEO or equivalent) will review the risk analysis results and approve the risk management plan, ensuring the organization commits the necessary resources to implement it.
Risk Register and Management Log: We maintain a risk register (a document or spreadsheet) that tracks identified risks, their ratings, mitigation steps, responsible persons, and status. This log is updated as actions are completed. For instance, if “unencrypted device” was a risk and we mitigated by encrypting, we mark that done and risk reduced. This acts as evidence of our risk management efforts and is very useful for audits or management oversight. We can also derive metrics (like if risk scores overall are coming down over time).
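A small qualitative risk register, added here as an illustration and not part of Staffing For Doctors’ own tooling, that applies the likelihood/impact rating and prioritization described under Risk Evaluation and Risk Management Plan above, and tracks mitigation, residual risk, and documented acceptance as this Risk Register paragraph describes. The matrix thresholds (a NIST SP 800-30 style product of the two scales), the sample risks, and all owner names and dates are constructed assumptions, not values from the policy.

```python
"""Qualitative HIPAA risk register (constructed example, not the company's tool)."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional


class Level(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


def rate(likelihood: Level, impact: Level) -> Level:
    """Risk matrix (assumed thresholds): product of the 1..3 scales bucketed so that
    6-9 is HIGH, 3-4 is MODERATE and 1-2 is LOW.  A HIGH-impact event therefore needs
    at least MODERATE likelihood to be rated HIGH; HIGH likelihood x LOW impact is MODERATE."""
    score = int(likelihood) * int(impact)
    if score >= 6:
        return Level.HIGH
    if score >= 3:
        return Level.MODERATE
    return Level.LOW


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: Level          # current (residual once controls are applied)
    impact: Level
    controls: List[str] = field(default_factory=list)
    owner: Optional[str] = None
    due: Optional[str] = None
    accepted_by: Optional[str] = None
    acceptance_rationale: Optional[str] = None

    @property
    def rating(self) -> Level:
        return rate(self.likelihood, self.impact)

    @property
    def status(self) -> str:
        if self.accepted_by:
            return "accepted"
        return "mitigated" if self.controls else "open"


class RiskRegister:
    def __init__(self) -> None:
        self._risks: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> Risk:
        if risk.risk_id in self._risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self._risks[risk.risk_id] = risk
        return risk

    def get(self, risk_id: str) -> Risk:
        return self._risks[risk_id]

    def mitigate(self, risk_id: str, control: str, owner: str, due: str,
                 residual_likelihood: Level, residual_impact: Level) -> Risk:
        """Record a control plus who owns it and by when, and re-score the residual risk."""
        r = self._risks[risk_id]
        r.controls.append(control)
        r.owner, r.due = owner, due
        r.likelihood, r.impact = residual_likelihood, residual_impact
        return r

    def accept(self, risk_id: str, approver: str, rationale: str) -> Risk:
        """Residual risk may be accepted only with a named approver and a written rationale,
        and never while it is still rated HIGH (high risks are addressed, not accepted)."""
        r = self._risks[risk_id]
        if r.rating == Level.HIGH:
            raise ValueError(f"{risk_id}: HIGH residual risk must be mitigated, not accepted")
        if not approver or not rationale:
            raise ValueError(f"{risk_id}: acceptance requires an approver and a rationale")
        r.accepted_by, r.acceptance_rationale = approver, rationale
        return r

    def prioritized(self) -> List[Risk]:
        """Unaccepted risks, highest rating first: the order the action plan works through."""
        pending = (r for r in self._risks.values() if not r.accepted_by)
        return sorted(pending, reverse=True,
                      key=lambda r: (r.rating, int(r.likelihood) * int(r.impact)))

    def summary(self) -> Dict[str, int]:
        counts = {"HIGH": 0, "MODERATE": 0, "LOW": 0}
        for r in self.prioritized():
            counts[r.rating.name] += 1
        return counts


def build_sample_register() -> RiskRegister:
    """Constructed sample data; names and dates are placeholders, not real findings."""
    reg = RiskRegister()
    reg.add(Risk("R-001", "VA laptops", "device theft or loss",
                 "full-disk encryption not verified on every device", Level.MODERATE, Level.HIGH))
    reg.add(Risk("R-002", "workforce email accounts", "credential phishing",
                 "no phishing awareness exercises", Level.HIGH, Level.HIGH))
    reg.add(Risk("R-003", "home internet connection", "ISP outage",
                 "single connection, no backup", Level.MODERATE, Level.LOW))
    # Encryption does not stop a laptop being lost, but it removes the PHI exposure.
    reg.mitigate("R-001", "enforce and verify full-disk encryption on all devices",
                 owner="Security Officer (placeholder)", due="YYYY-MM-DD (placeholder)",
                 residual_likelihood=Level.MODERATE, residual_impact=Level.LOW)
    reg.accept("R-001", "Security Officer (placeholder)",
               "an encrypted device lost in transit exposes no readable PHI")
    reg.accept("R-003", "Security Officer (placeholder)",
               "availability only; short outages do not affect PHI confidentiality")
    return reg
```

Each call to `mitigate` overwrites the likelihood and impact with the residual values, so the register always shows the current risk rather than the original finding; keep the original rating in the control’s text if an audit trail of the starting point is wanted.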
Addressable/Required Specifications: Under the Security Rule, some standards are addressable (meaning we can choose alternative measures if reasonable). Our risk analysis informs those decisions. For example, encryption of data at rest is addressable; our risk analysis, however, deems it necessary (given remote devices), so we have implemented it. If there is an addressable specification we choose not to implement as stated, we will document the rationale and the alternative measure (as required by HIPAA). Currently, we implement most recommended safeguards, but should any prove impractical, we ensure an equivalent alternative or a documented acceptance of risk.
Integration with Other Policies: The risk management outputs often feed into updating our policies and training. For instance, if we find a risk in the remote work environment (such as some employees not using secure Wi-Fi), that triggers creation or updating of our Device and Remote Work Security Policy and added training emphasis. If we find a risk in how we handle breaches, we refine the Breach Notification Policy. In this way, this policy ties all the others together by continuously improving them based on assessed risks.
Use of Frameworks: As noted, while HIPAA sets the baseline, we may leverage well-known security frameworks for structuring our risk management. For example, adopting the NIST Cybersecurity Framework (CSF) can help ensure we cover the Identify, Protect, Detect, Respond, and Recover functions at our scale, and if a client requires a SOC 2 report, we can align our controls to the SOC 2 trust services criteria. While not mandated, these frameworks can strengthen our program beyond the minimum. Our policy is to consider and, where appropriate, adopt elements that fit our environment. We remain mindful that our operations are not as complex as a large hospital's, but the threats (such as phishing and device loss) are still very real.
Risk Acceptance: Some low-level risks may be accepted by management if mitigating them is not feasible or the cost grossly outweighs the benefit. Such acceptance is always documented and approved by the Privacy/Security Officer and company leadership. For instance, if a risk is identified that “a determined insider could screenshot PHI with their phone camera, circumventing monitoring,” we mitigate it through policy and training, but we might accept the residual risk because a bad actor with a camera cannot be entirely prevented without extreme measures. We would record that risk as accepted due to low likelihood and a trusted workforce. If circumstances change and the risk becomes more concerning, we revisit the decision.
Continuous Monitoring: Risk management is ongoing. We implement continuous monitoring of controls where possible. For example, we audit device compliance periodically, monitor device network logs via security software, and review Hubstaff logs for anomalies that could indicate a security issue or misuse. This continuous approach means we can catch issues early (such as an outdated antivirus) and fix them before they lead to an incident. It supplements the formal annual review with day-to-day vigilance.
Incident Response Feedback: Any actual security incidents or near-misses feed back into the risk assessment. If something happens that we did not anticipate, it is added to the risk profile. If something was narrowly avoided, we treat that as a warning and consider implementing stronger measures. In short, real-world events calibrate our risk analysis so that it is grounded in practice, not just theory.
Regulatory Compliance and Documentation: Performing the risk analysis and managing risks is not only good practice but legally required. We maintain all documentation needed to demonstrate compliance with the risk analysis requirement. Should OCR or a client audit request evidence, we can provide the latest risk assessment report and action plan. These documents are retained for at least 6 years. The existence of this Risk Assessment Policy and its records also shows auditors that we have a formal process (lack of a risk analysis is a common audit failure, and we are keenly aware of that).
By following this Risk Assessment and Management Policy, Staffing For Doctors proactively identifies and addresses security weaknesses, reducing the likelihood of breaches and maintaining a robust HIPAA compliance posture. It is a cycle of continuous improvement: assess, mitigate, monitor, and repeat. All workforce members, especially the security team, are expected to support and participate in this process, as risk management is a collective responsibility.
Conclusion: The above policies (Privacy, Security, Breach Notification, Training, Device/Remote Security, Sanctions, Business Associate Management, and Risk Management) collectively form Staffing For Doctors’ HIPAA compliance program documentation. They are approved by company leadership and are to be strictly followed by all workforce members. These documents will be reviewed and updated as necessary to reflect changes in regulations, technology, or business operations. By adhering to these formal policies and procedures, Staffing For Doctors demonstrates its commitment to protecting patient information and supporting clients in delivering healthcare in a compliant and secure manner.
Florida HIPAA Compliance Addendum
In addition to federal HIPAA standards, we comply with Florida-specific privacy and breach laws:
Florida Statute §456.057: Requires confidentiality of patient records and prohibits disclosure without consent. Our VAs are trained not to share, forward, or access records outside permitted uses.
Florida Statute §501.171: Requires notification of breaches involving more than 500 Florida residents to the Florida Attorney General within 30 days. We support clients in meeting this deadline.
Record Retention: While HIPAA mandates 6 years of documentation retention, Florida requires 5 years for patient medical records. We comply with the more stringent 6-year HIPAA standard for all compliance documentation.
Telehealth Support: If we support Florida clients with telehealth, our staff use HIPAA-secure platforms and do not store or transmit video or audio unless expressly permitted and encrypted.
2025 © StaffingForDoctors. All rights reserved.