
HIPAA Policy & Security Safeguards

Ordinate Health maintains privacy, security, and access-control practices designed to protect protected health information and support HIPAA-aligned operations for the healthcare organizations we serve.

1. Purpose and Scope

Ordinate Health is committed to protecting the confidentiality, integrity, and availability of protected health information, or PHI, that we may create, receive, maintain, or transmit while supporting healthcare organizations. Our HIPAA policy is intended to guide how we manage PHI across people, processes, systems, and third-party relationships.

This policy applies to workforce members, contractors, approved subcontractors, business processes, software systems, infrastructure, and client service workflows that interact with sensitive healthcare data.

2. Information Covered

For purposes of this policy, sensitive information may include PHI, patient account information, payer data, operational records, user credentials, audit logs, and other regulated or confidential information entrusted to Ordinate Health by clients.

  • Patient demographic and insurance information
  • Clinical and billing-related documentation needed for claims operations
  • Eligibility, authorization, denial, and payment records
  • System credentials, access logs, and workflow metadata tied to healthcare operations

3. Administrative Safeguards

Workforce Access

Access to PHI is role-based and limited to personnel with a documented business need.

Training

Workforce members receive privacy, security, and incident-escalation training appropriate to their responsibilities.

Policy Management

Privacy and security procedures are reviewed periodically and adjusted when risks, systems, or legal requirements change.

Vendor Oversight

Subcontractors and service providers are evaluated before gaining access to regulated data or supporting regulated workflows.

4. Technical Safeguards

Ordinate Health uses layered technical controls designed to reduce unauthorized access, limit data exposure, and support traceability across systems that may handle PHI.

  • Authentication and access control mechanisms designed around least-privilege principles
  • Encryption in transit and, where applicable, encryption at rest for regulated or sensitive data stores
  • System logging, audit trails, and monitoring for administrative and operational review
  • Controlled permissions for applications, file locations, and production environments
  • Change management and security review practices for critical systems and workflows

5. Physical Safeguards

Where physical environments, devices, or workstations are involved, Ordinate Health expects reasonable controls to protect equipment and information from unauthorized use, viewing, removal, or loss. This includes secure device handling, controlled work environments, and appropriate disposal or reassignment procedures for hardware and storage media.

6. Minimum Necessary Standard

Ordinate Health seeks to limit the use and disclosure of PHI to the minimum amount reasonably necessary to perform the requested service, support an operational function, or satisfy a legal or contractual obligation. Workforce members are expected to access only the information required for the specific task at hand.

7. Incident Response and Reporting

Ordinate Health maintains procedures for identifying, escalating, investigating, documenting, and responding to suspected privacy or security incidents. When an incident may affect client data or regulated information, internal review and client notification processes are initiated in accordance with contractual commitments and applicable legal requirements.

  • Prompt internal escalation of suspected misuse, loss, disclosure, or system compromise
  • Containment, investigation, remediation, and documentation of the event
  • Client communication where required by contract, law, or risk profile
  • Post-incident corrective actions to reduce the likelihood of recurrence

8. Business Associate Management

When Ordinate Health performs services that qualify us as a business associate, we support appropriate contractual controls, including business associate agreements where required. We also assess material subcontractor relationships to determine whether additional privacy, security, or contractual controls are necessary before PHI is shared or accessed.

9. Retention, Disposal, and Auditability

Records, logs, and operational data are retained according to business, legal, contractual, and security requirements. When information, devices, or storage media are no longer needed, disposal is handled using methods appropriate to the sensitivity of the data involved. Auditability is preserved where required for compliance review, operational analysis, or incident investigation.

10. Questions and Requests

Questions about this policy, compliance documentation requests, or client-specific security reviews can be directed to our team.

Need Client-Specific Compliance Detail?

We can provide additional documentation, discuss safeguards in scope for your workflow, and support a compliance review during onboarding.
