HIPAA-compliant from day one

HIPAA,
taken seriously.

We operate as a Business Associate of every client we serve. Encrypted infrastructure. Role-based access. BAA before a single byte of PHI moves.

This page explains how we handle Protected Health Information (PHI), what a Business Associate Agreement actually does, and the safeguards we run by default.

Required by us

Signed BAA

Before any PHI exchange. Always.

Encryption

TLS 1.2+ & AES-256

In transit and at rest. No exceptions.

Access control

Role-based, audited

Minimum-necessary by default.

Data residency

United States

No offshore processing of PHI.

The relationship

What a Business Associate actually does.

HIPAA distinguishes between Covered Entities (you, the healthcare provider) and Business Associates (us, your billing partner). When you hand us claims to work, we become a Business Associate of your practice, directly bound by HIPAA's Security Rule, the applicable provisions of the Privacy Rule, the Breach Notification Rule, and the specific terms of the BAA we sign together.

BAA on file

A written contract that defines permitted uses, safeguards, breach handling, and what happens at termination.

Minimum necessary

We touch only the PHI required to do the work. Not your whole patient roster, not your clinical notes if we don't need them.

Audited access

Every PHI access is logged. We can produce an access log on request, scoped to your records.

Breach protocol

Notification to you without unreasonable delay, and never later than 60 calendar days after we discover the breach. Documented incident response plan.

Onboarding

How we get to "PHI in motion."

Three steps from "let's talk" to "claims moving." No PHI changes hands until step 2 is signed.

  1. Scope

    Discovery call.

    No PHI yet. We talk about your practice, payer mix, current pain points, and what an engagement would look like.

  2. BAA

    BAA signed.

    We send our standard BAA (or sign yours). Once executed, we set up read-only access to your billing system for the initial audit, plus any secure transfer channels the work needs. Write access, scoped to billing functions only, is granted when operations start.

  3. Operate

    PHI in motion.

    Audit begins. Then weekly ops. Every PHI access logged. Monthly summary of access patterns available on request.

Safeguards

The security stack we run by default.

Administrative, physical, and technical safeguards as required by the HIPAA Security Rule. Plus what we'd want anyway.

Encryption everywhere

TLS 1.2+ in transit. AES-256 at rest. Encrypted laptops and disks for any personnel with PHI access.

MFA enforced

Multi-factor authentication required on every system that touches PHI. Ours and the ones we access on your behalf.

Role-based access

Permissions scoped to job function. Access is granted on a minimum-necessary basis and reviewed when roles change.

Audit logging

Every PHI access (who, when, which record) is logged and retained per BAA terms. Available to you on request.

US-only processing

No offshore subcontractors. PHI stays on infrastructure hosted in the continental United States.

Workforce training

Founder completes HIPAA training annually. Any future subcontractor executes a subcontractor BAA with us and completes the same training before any PHI access. The sanctions policy in our Written Information Security Program (WISP) applies to everyone with PHI access.

For patients & families

If you're a patient or family member of one of our clients.

Cleared RCM does billing on behalf of your provider. Your provider is the HIPAA Covered Entity for your records. For requests about access, amendment, or an accounting of disclosures, please contact the provider directly.

We will support your provider in responding to any valid request, and we will never communicate about your records directly with anyone other than the provider unless they instruct us to do so in writing.

Incident response

If something goes wrong.

We hope it never happens. Here's the plan if it does.

Within 24 hours

Detect & contain.

Internal escalation, access lockdown, evidence preservation. We stop the bleeding before we talk.

Without unreasonable delay

Notify you.

Founder-direct call. Written incident report with what we know so far. And what we don't.

No later than 60 days after discovery

Final report.

Scope, cause, mitigation, and corrective action, together with the information the HIPAA Breach Notification Rule requires a Business Associate to give the Covered Entity, including the identification of each affected individual to the extent we can determine it.

FAQ

Common HIPAA questions.

Do you sign our BAA or do we sign yours?

Either works. We have a standard BAA we'll send you, and we're equally happy to sign yours if you have a preferred template. The substance matters, not whose paper it's on.

What PHI do you actually access?

For billing work: client demographics, insurance information, dates of service, CPT codes, modifiers, authorization details, claim status, denial reasons. We do not need clinical narrative or progress notes for routine billing. If your workflow gives us access to them, we treat them with the same safeguards but we don't use them for our work.

Where is the data stored?

Primarily inside your own systems. We work in your practice-management platform under read/write access scoped to billing functions. Any extracts (e.g. for analytics or appeals packets) sit on encrypted, US-based cloud storage with role-based access. Specifics are itemized in the BAA.

Do you use subcontractors?

Founder-direct service means a small operating team. Any subcontractor who would touch PHI must execute a subcontractor BAA with us first. None are offshore.

What happens to my data if we stop working together?

Per BAA terms, any PHI we've extracted is returned, destroyed, or transferred to you (or a successor BA) on a defined timeline at termination. Your raw data is yours, with clean export anytime. The dashboards we built remain our IP; your license to use them ends with the engagement, but final-period snapshots can be exported as PDF or static files on request.

Want to see the BAA?

We'll send our standard agreement before any kickoff call. Read it, mark it up, send it back.

hello@clearedrcm.com