Staffing For Doctors

Privacy Policy

Introduction

Staffing For Doctors is committed to full compliance with the Health Insurance Portability and Accountability Act (HIPAA) as it applies to our role as a virtual healthcare staffing company. Our virtual assistants (VAs) access clients’ electronic health record (EHR) systems to perform scheduling, billing, documentation, and related services. All protected health information (PHI) handled by our workforce is stored and maintained on client-managed cloud systems; Staffing For Doctors does not host or permanently transmit PHI on its own systems. However, as a Business Associate, we implement all required administrative, physical, and technical safeguards to protect the privacy and security of any PHI our workforce accesses, and we adhere to the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule in all operations. Daniel Nabavi serves as the designated HIPAA Privacy Officer and Security Officer for Staffing For Doctors and is responsible for overseeing the implementation of these policies.

The following policy documents detail our HIPAA-compliant practices:

1. HIPAA Privacy Policy

  • Defines appropriate use/disclosure of PHI
  • Outlines minimum necessary access, safeguards, and staff responsibilities
  • Establishes workforce training and incident reporting expectations

2. HIPAA Security Policy

  • Covers administrative, physical, and technical safeguards
  • Includes risk assessment practices, device security, access control, and encryption
  • Describes secure remote work, contingency planning, and monitoring procedures

3. Breach Notification Policy

  • Provides procedures for identifying, investigating, and notifying clients of PHI breaches
  • Describes timing, coordination with clients, and content of notifications
  • Covers documentation and remediation steps for compliance and prevention

4. Workforce HIPAA Training Policy

  • Requires initial and annual training for all staff with PHI access
  • Details delivery formats, assessments, and documentation of participation
  • Outlines training content including Privacy, Security, Breach, and device policies

5. Device and Remote Work Security Policy

  • Specifies security controls for BYOD (e.g., encryption, firewall, AV)
  • Requires secure home Wi-Fi, VPN usage, privacy screens, and physical safeguards
  • Establishes responsibilities around Hubstaff monitoring, reporting, and compliance

6. Sanction Policy

  • Outlines progressive discipline for HIPAA policy violations
  • Includes real-world examples of violations and expected actions
  • Reaffirms fairness, documentation, and non-retaliation principles

7. Business Associate Management Policy

  • Describes BAA execution and maintenance with clients and subcontractors
  • Covers Hubstaff as a monitored subcontractor under BAA
  • Reiterates our responsibilities as a Business Associate under HIPAA

8. Risk Assessment and Management Policy

  • Documents annual and incident-triggered risk assessments
  • Uses a matrix to identify, evaluate, and mitigate threats
  • Aligns with HIPAA Security Rule and NIST best practices for healthcare

Compliance Framework: These policies are updated annually or upon major regulatory or operational changes. All documentation is retained for a minimum of six years. Policies are aligned with standards published by:

  • U.S. Department of Health & Human Services (HHS.gov)
  • NIST SP 800-30, NIST Cybersecurity Framework
  • Relevant legal advisory firms (e.g., Buchalter.com, EssentialAccess.org)

Client Assurance: By publishing these policies on our website, Staffing For Doctors confirms our proactive commitment to HIPAA compliance. We welcome client audits, provide signed BAAs, and maintain training and breach logs available upon request.

Contact: For HIPAA compliance inquiries or documentation requests, please contact Daniel Nabavi, Privacy & Security Officer, at danny@staffingfordoctors.com.