HIPAA Compliance Statement

Eaze Billing is a Business Associate as defined under HIPAA. We provide medical billing, revenue cycle management, staffing, digital marketing, technology, and consulting services to Covered Entities, which include healthcare providers, health plans, and healthcare clearinghouses operating in Florida and across the United States.

Because we handle Protected Health Information (PHI) on behalf of our clients, we are required by federal law to safeguard that information. We take this responsibility seriously. Our HIPAA compliance program is active, documented, and reviewed on a regular basis.

Eaze Billing signs a Business Associate Agreement (BAA) with every Covered Entity client before any service begins. This agreement is required by 45 CFR Part 164, Subpart E (the HIPAA Privacy Rule) and 45 CFR Part 164, Subpart C (the HIPAA Security Rule).

Our standard BAA includes the following commitments:

• We will only use and disclose PHI as permitted under the BAA and required by law.
• We will implement appropriate safeguards to prevent unauthorized use or disclosure of PHI.
• We will report to the Covered Entity any use or disclosure of PHI not provided for in the BAA.
• We will ensure that any of our subcontractors who handle PHI agree to the same restrictions.
• We will make PHI available to individuals who request access to their own records, as required by HIPAA.
• We will make our internal records and practices available to the Secretary of Health and Human Services for compliance reviews.
• We will destroy or return all PHI upon termination of the agreement.

If you are a current or prospective client and need a copy of our standard BAA, please contact us at info@workwitheaze.com.

Under the HIPAA Security Rule (45 CFR Section 164.308), Eaze Billing maintains the following administrative safeguards:

• We conduct regular risk analyses to identify potential threats to ePHI.
• We implement security measures to reduce identified risks to a reasonable and appropriate level.
• We maintain written policies and procedures covering all aspects of HIPAA compliance.
• We apply sanctions to workforce members who violate our security policies.

• All Eaze Billing team members complete HIPAA training before they handle any client data.
• Training is repeated annually and updated whenever there are changes to HIPAA regulations.
• Access to PHI is granted only to team members who need it to perform their specific job duties.
• We review access privileges regularly and revoke access immediately when an employee leaves the company.

• We maintain a data backup plan so that ePHI can be recovered in the event of an emergency.
• We have a disaster recovery plan covering system failures, cyberattacks, and natural disasters.
• We test our contingency plans on a regular schedule.

Under 45 CFR Section 164.310, Eaze Billing implements the following physical safeguards:

• Access to workstations and devices used to handle ePHI is restricted to authorized personnel only.
• All workstations that access ePHI use automatic screen locks and require secure login credentials.
• Physical media containing ePHI is stored securely and disposed of properly when no longer needed.
• We maintain device and media controls covering receipt, removal, and disposal of hardware containing ePHI.

Under 45 CFR Section 164.312, Eaze Billing implements the following technical safeguards:

• We use unique user identification for every team member who accesses systems containing ePHI.
• We implement automatic logoff on all systems after a period of inactivity.
• We use encryption and decryption for ePHI where required.

• We maintain hardware, software, and procedural mechanisms that record and examine activity on systems containing ePHI.
• Audit logs are reviewed regularly for unauthorized access attempts or suspicious activity.

• All ePHI transmitted over electronic networks is encrypted using industry-standard protocols (TLS 1.2 or higher).
• We do not transmit ePHI via unencrypted email.
• Secure file transfer protocols are used for all client data exchanges.

In addition to HIPAA, Eaze Billing complies with the Florida Information Protection Act (FIPA), codified at Florida Statutes Section 501.171. FIPA applies to any business operating in Florida or handling personal information of Florida residents. Key FIPA obligations we follow include:

• We implement reasonable measures to protect and secure personal information in electronic form.
• In the event of a breach of security, we notify affected Florida residents within 30 days of determining that a breach has occurred, or as soon as reasonably possible.
• We notify the Florida Department of Legal Affairs if a breach affects more than 500 Florida residents.
• We dispose of customer records containing personal information by taking reasonable measures to protect against unauthorized access to or use of the information.

Florida also enforces the Florida Electronic Health Records Exchange Act and related regulations that may apply to clients who are covered entities operating in the state. Eaze Billing supports our Florida clients in meeting their obligations under these rules.

In the event of a breach of unsecured PHI, Eaze Billing follows the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) and Florida law:

• We will notify the affected Covered Entity without unreasonable delay and no later than 60 days after discovering a breach.
• Our notification will include the nature of the PHI involved, who accessed or used it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated.
• For breaches affecting Florida residents, we will also follow the notification requirements of FIPA, including notifying the Florida Department of Legal Affairs when required.
• We maintain a breach log and report breaches to the Department of Health and Human Services as required.

When Eaze Billing engages subcontractors or third-party vendors who may have access to PHI, we require them to enter into written agreements that impose the same HIPAA obligations that apply to us. We vet all subcontractors before engagement and maintain a list of active subcontractors who handle ePHI on our behalf.