Healthcare Provider? Request Your BAA Today.
All Covered Entities using IntakeAccess.ai must execute a Business Associate Agreement before accessing PHI. Request yours in minutes.
Request a BAA — compliance@intakeaccess.ai
Our HIPAA Compliance Commitment
IntakeAccess.ai is built from the ground up as a HIPAA-compliant AI healthcare platform. We handle Protected Health Information (PHI) on behalf of Covered Entities — including hospitals, clinics, SNFs, private practices, and FQHCs — and operate as a Business Associate under HIPAA (45 C.F.R. §§ 160–164).
Our compliance program encompasses the full scope of HIPAA's requirements: the Privacy Rule, the Security Rule, the Breach Notification Rule, and the administrative, technical, and physical safeguard standards of the HITECH Act. We do not treat HIPAA compliance as a checkbox — it is embedded in every layer of our platform architecture, operational processes, and workforce culture.
- PHI encrypted at rest (AES-256) and in transit (TLS 1.3)
- Business Associate Agreements (BAAs) with all subcontractors handling PHI
- Mandatory multi-factor authentication for all Provider accounts
- Role-based access controls enforcing the principle of least privilege
- Complete audit logging of all PHI access events
- Automatic 15-minute session timeouts platform-wide
- 24/7 security monitoring and incident response
- Annual third-party risk assessments and penetration testing
- Documented Breach Notification Policy with 60-day notification guarantee
- HIPAA-compliant cloud infrastructure (Google Cloud/Firebase, AWS)
HIPAA Security Rule Safeguards
The HIPAA Security Rule (45 C.F.R. §§ 164.302–164.318) requires covered entities and business associates to implement three categories of safeguards. We implement all required and addressable specifications:
| Safeguard Category | Measures |
|---|---|
| Technical Safeguards | AES-256 at rest, TLS 1.3 in transit, MFA, RBAC, session timeouts, audit controls, PHI access logging, 2FA patient portal |
| Administrative Safeguards | Designated Security Officer, workforce training, risk analysis, risk management, BAA program, sanction policies, contingency planning |
| Physical Safeguards | HIPAA-eligible data centers (Google Cloud, AWS), facility access controls, workstation security policies, device and media controls |
Technical Safeguards — Detail
- Access Control (§ 164.312(a)(1)): Unique user identification, automatic logoff (15 min), encryption and decryption of PHI at rest and in transit
- Audit Controls (§ 164.312(b)): Hardware, software, and procedural mechanisms to record and examine activity in information systems containing PHI. All access events are logged with user identity, timestamp, data accessed, and IP address. Logs are retained for 6 years.
- Integrity Controls (§ 164.312(c)(1)): Electronic mechanisms to confirm PHI has not been improperly altered or destroyed
- Transmission Security (§ 164.312(e)(1)): TLS 1.3 encryption for all PHI transmitted electronically. Email containing PHI transmitted via encrypted channels through BAA-covered providers only.
- Authentication (§ 164.312(d)): MFA required for all Provider/Facility accounts; 2FA required for all patient portal sessions
Administrative Safeguards — Detail
- Security Management Process (§ 164.308(a)(1)): Annual risk analysis identifying threats and vulnerabilities; risk management plan with documented mitigation measures
- Security Personnel (§ 164.308(a)(2)): Designated HIPAA Security Officer responsible for policy development, incident response, and compliance oversight
- Workforce Training (§ 164.308(a)(5)): All workforce members with PHI access receive HIPAA training upon hire and annually thereafter
- Contingency Planning (§ 164.308(a)(7)): Data backup, disaster recovery, and emergency mode operation plans. Recovery Point Objective (RPO) and Recovery Time Objective (RTO) documented and tested.
- Business Associate Contracts (§ 164.308(b)): BAAs executed with all subcontractors and vendors prior to PHI access
Business Associate Agreements (BAAs)
Under HIPAA, when a Business Associate handles PHI on behalf of a Covered Entity, a signed BAA is mandatory. IntakeAccess.ai maintains BAAs in two directions:
BAAs We Execute with Covered Entities (Our Customers)
Any healthcare provider, hospital, clinic, SNF, or other Covered Entity using IntakeAccess.ai must execute a BAA with us. We offer a standard BAA that meets all HIPAA requirements. Enterprise customers may negotiate terms through the Order Form process.
To request a BAA: Email compliance@intakeaccess.ai with subject line "BAA Request." We will provide the agreement within 3 business days. A signed BAA must be on file before any PHI flows through the Platform.
BAAs We Execute with Our Subcontractors
| Subcontractor | Role | BAA Status |
|---|---|---|
| Twilio | SMS, video, secure messaging | ✓ BAA Executed |
| Firebase / Google Cloud | Database, hosting, authentication | ✓ BAA Executed |
| Stripe | Payment processing | ✓ BAA Executed |
| EDI Partners | Claims, prior auth, insurance verification | ✓ BAA Executed |
| SendGrid | Email communications | ✓ BAA Executed |
| AWS | Backend infrastructure | ✓ BAA Executed |
| Make.com | Automation (demo use only) | ⏳ In Progress — No PHI until executed |
Breach Notification Policy
IntakeAccess.ai maintains a documented Breach Notification Policy in full compliance with the HIPAA Breach Notification Rule (45 C.F.R. §§ 164.400–164.414) and the HITECH Act. Our policy covers detection, risk assessment, notification, and post-incident remediation.
Breach Response Timeline
- T+0 (Discovery): Immediate containment and isolation of affected systems or data. Security incident is logged and escalated to the HIPAA Security Officer.
- T+1–7 (Risk Assessment): Four-factor risk assessment conducted — the nature and extent of the PHI involved, the unauthorized person(s) who used or received it, the likelihood that the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
- T+7–30 (Determination): Formal breach/non-breach determination. If breach confirmed, notifications are prepared.
- Within 60 days (Individual Notification): Affected individuals notified by first-class mail (or email if authorized). Notice includes: description of the breach, types of PHI involved, steps individuals should take, steps IntakeAccess.ai is taking, and contact information.
- Within 60 days (HHS/OCR): HHS notified for breaches of 500+ individuals simultaneously with individual notification. Smaller breaches logged and reported annually.
- Media Notification: Breaches affecting 500+ residents of a state reported to prominent state media within 60 days.
- Covered Entity Notification: Where IntakeAccess.ai acts as a Business Associate, the affected Covered Entity is notified without unreasonable delay and within 60 days.
Audit, Monitoring & Risk Assessment
Continuous Monitoring
- 24/7 automated security monitoring of all platform systems and PHI access events
- Anomaly detection for unusual access patterns, bulk data downloads, and unauthorized access attempts
- Real-time alerting for potential security incidents
- All audit log entries include: user ID, timestamp, IP address, action type, data accessed, and outcome
Periodic Assessments
- Annual Risk Analysis: Comprehensive assessment of threats, vulnerabilities, and impact to PHI confidentiality, integrity, and availability
- Annual Penetration Testing: Independent third-party penetration testing of all production systems
- Annual Third-Party Risk Assessments: Review of the security posture of all Business Associates and subcontractors
- Quarterly Security Reviews: Internal review of access controls, workforce compliance, and policy updates
- BAA Renewal Reviews: Annual review of all BAA terms against current HIPAA requirements
Audit Log Retention
All PHI access audit logs are retained for a minimum of 6 years from the date of creation, as required by the HIPAA Security Rule (§ 164.312(b)) and the general documentation retention standard (§ 164.530(j)).
HIPAA Privacy Rule Compliance
IntakeAccess.ai complies with the HIPAA Privacy Rule (45 C.F.R. Part 164, Subpart E) governing the use and disclosure of PHI:
- Minimum Necessary Standard: PHI is accessed and disclosed only to the minimum extent necessary for the specified purpose
- Notice of Privacy Practices: Patients receive a Notice of Privacy Practices (incorporated into our Privacy Policy) describing uses, disclosures, and patient rights
- TPO Disclosures: PHI may be used for Treatment, Payment, and Healthcare Operations without separate patient authorization
- Authorization-Required Disclosures: All other disclosures require written patient authorization
- Patient Rights Implementation: Platform supports all HIPAA patient rights — access, amendment, accounting of disclosures, restriction requests, and confidential communications
- Marketing Prohibition: PHI is never used for marketing without explicit patient authorization
- Sale of PHI: PHI is never sold under any circumstances
Contact Our Compliance Team
INTAKEACCESS.AI LLC
DBA: Intake Access Health Solutions
181 W Valley Ave STE 245-1742
Birmingham, AL 35209
For all HIPAA compliance inquiries, BAA requests, breach reports, and regulatory questions:
- Compliance Email: compliance@intakeaccess.ai
- Security Incidents: security@intakeaccess.ai
- Privacy Rights: privacy@intakeaccess.ai
- Legal: legal@intakeaccess.ai
- Phone: 205-855-4545
- Website: https://intakeaccess.ai