HIPAA Compliance
Last Updated: April 18, 2026
✓ HIPAA Compliant: GMB Billing Firm is fully committed to compliance with the Health Insurance Portability and Accountability Act (HIPAA) and maintains comprehensive privacy and security programs to protect Protected Health Information (PHI).
1. Overview
As a medical billing service provider, GMB Billing Firm functions as a Business Associate under HIPAA. We handle Protected Health Information (PHI) on behalf of healthcare providers (Covered Entities) and implement strict safeguards to ensure compliance with HIPAA Privacy, Security, and Breach Notification Rules.
2. Business Associate Agreement
Before providing services involving PHI, we execute a Business Associate Agreement (BAA) with each covered entity client that:
- Defines permitted uses and disclosures of PHI
- Requires implementation of appropriate safeguards
- Obligates reporting of security incidents and breaches
- Ensures compliance with HIPAA Rules
- Provides for termination if violations occur
- Requires return or destruction of PHI upon termination
3. HIPAA Privacy Rule Compliance
3.1 Minimum Necessary Standard
We limit use and disclosure of PHI to the minimum necessary to accomplish the intended purpose:
- Role-based access controls
- Limited data sets when full PHI is not required
- Regular access reviews
- Data minimization practices
3.2 Permitted Uses and Disclosures
We use and disclose PHI only for:
- Billing and claims processing
- Payment collection activities
- Healthcare operations on your behalf
- Required legal and regulatory reporting
- Other purposes authorized by you or permitted by law
3.3 Individual Rights
We assist covered entities in fulfilling patient rights:
- Right to access PHI (within 30 days)
- Right to request amendments
- Right to accounting of disclosures
- Right to request restrictions
- Right to confidential communications
4. HIPAA Security Rule Compliance
4.1 Administrative Safeguards
| Safeguard | Implementation |
|---|---|
| Security Management Process | Risk assessments, risk management, sanctions policy, information system activity review |
| Assigned Security Responsibility | Designated Security Officer responsible for developing and implementing policies |
| Workforce Security | Authorization procedures, supervision, termination procedures, clearance procedures |
| Information Access Management | Access authorization, access establishment, access modification |
| Security Awareness & Training | Security reminders, protection from malware, log-in monitoring, password management |
| Security Incident Procedures | Response and reporting procedures |
| Contingency Plan | Data backup, disaster recovery, emergency mode operations, testing procedures |
| Business Associate Contracts | Written contracts with subcontractors handling PHI |
4.2 Physical Safeguards
- Facility Access Controls: Secure data centers, visitor logs, access badges
- Workstation Use: Policies for workstation use and security
- Workstation Security: Physical safeguards for workstations
- Device and Media Controls: Disposal procedures, media re-use, accountability, data backup
4.3 Technical Safeguards
- Access Control: Unique user identification, emergency access, automatic log-off, encryption
- Audit Controls: Hardware, software, and procedural mechanisms to record and examine activity
- Integrity: Mechanisms to ensure PHI is not improperly altered or destroyed
- Person or Entity Authentication: Procedures to verify identity
- Transmission Security: Encryption and integrity controls for PHI in transit
5. Encryption Standards
5.1 Data at Rest
- AES-256 encryption for stored PHI
- Encrypted databases
- Full disk encryption on devices
- Encrypted backups
5.2 Data in Transit
- TLS 1.3 for all data transmissions
- Encrypted email for PHI communications
- Secure file transfer protocols (SFTP)
- VPN for remote access
6. AI Coding Platform - HIPAA Considerations
Important: The AI coding platform is designed for use with DE-IDENTIFIED data only.
6.1 De-Identification Requirements
Before using the AI platform, you must remove all 18 HIPAA identifiers:
- Names
- Geographic subdivisions smaller than state
- Dates (except year)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers
- Full-face photos
- Any other unique identifying characteristic
6.2 PHI Detection
The platform includes automated PHI detection to:
- Scan input for common PHI patterns
- Block processing if PHI is detected
- Alert users to remove identifiers
- Prevent accidental PHI disclosure
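The identifier list in 6.1 and the input gate in 6.2 can be illustrated with a Safe Harbor pattern scanner. The block below is an added example written for this page, not the platform's own detection code; the record-number labels it recognises (MRN, Acct, Member ID, Policy), the sample clinical note and its 555 phone number are constructed for the demonstration. It covers only the identifiers that have a recognisable textual shape: names, geographic subdivisions, biometrics and photographs have no reliable pattern (the name in the sample note is deliberately missed), so a scanner like this is a backstop for the "block if PHI is detected" behaviour, not a substitute for de-identifying the data first.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Patterns for the Safe Harbor identifiers that have a recognisable textual shape.
# Names, geographic subdivisions, biometrics and photos cannot be caught by regex
# and must be removed by the person de-identifying the data.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # US phone numbers: optional +1, optional parentheses, separators space/dot/dash.
    "phone": re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    # Full dates (month and day present). A bare year such as "2024" is permitted.
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    # Labelled record/account identifiers, e.g. "MRN: 48213" or "Acct # 991-22".
    # The labels are assumptions for this example; the lookahead requires a digit
    # so that ordinary words after "Policy" or "Account" are not flagged.
    "record_number": re.compile(
        r"\b(?:MRN|Acct|Account|Member ID|Policy)\s*(?:#|No\.?|Number)?\s*:?\s*"
        r"(?=[A-Z0-9-]*\d)[A-Z0-9-]{4,}\b",
        re.IGNORECASE,
    ),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    start: int
    end: int


def scan_for_phi(text: str) -> list[Finding]:
    """Return every span matching a pattern-detectable identifier, ordered by position."""
    findings = [
        Finding(kind, m.group(0), m.start(), m.end())
        for kind, pattern in PHI_PATTERNS.items()
        for m in pattern.finditer(text)
    ]
    return sorted(findings, key=lambda f: (f.start, f.kind))


def gate_input(text: str) -> dict:
    """Allow/block decision in the spirit of 6.2: block on any finding and tell the
    user which identifier types still need to be removed."""
    findings = scan_for_phi(text)
    kinds = sorted({f.kind for f in findings})
    return {
        "allowed": not findings,
        "findings": findings,
        "message": "OK: no PHI patterns detected" if not findings else "Blocked: remove " + ", ".join(kinds),
    }


def redact(text: str) -> str:
    """Replace each detected span with a [KIND] token, skipping spans that overlap
    one already consumed so offsets never drift."""
    pieces, cursor = [], 0
    for f in scan_for_phi(text):
        if f.start < cursor:
            continue
        pieces.append(text[cursor:f.start])
        pieces.append(f"[{f.kind.upper()}]")
        cursor = f.end
    pieces.append(text[cursor:])
    return "".join(pieces)


# Constructed sample note; not real patient data.
SAMPLE_NOTE = (
    "Pt John Q. Public, DOB 03/14/1961, MRN: 48213, seen 2024-01-15. "
    "Call (305) 555-0142 or jane.doe@example.org; portal https://portal.example.org/p/42 "
    "from 192.0.2.10. SSN 123-45-6789. Diagnosis E11.9; coded in year 2024."
)

if __name__ == "__main__":
    result = gate_input(SAMPLE_NOTE)
    print(result["message"])
    for f in result["findings"]:
        print(f"  {f.kind:14} {f.value}")
    print(redact(SAMPLE_NOTE))
```

Running the block prints the block decision, the eight detected spans, and a redacted copy of the note; the patient's name survives redaction, which is exactly the gap a human de-identification step has to close before the text reaches the platform.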
6.3 Client-Side Processing
Where possible, processing occurs in your browser:
- Data does not leave your device during initial processing
- You maintain control over data transmission
- Reduced risk of unauthorized disclosure
7. Breach Notification
7.1 Breach Assessment
We promptly investigate suspected breaches using the four-factor risk assessment:
- Nature and extent of PHI involved
- Unauthorized person who accessed PHI
- Whether PHI was actually acquired or viewed
- Extent to which risk has been mitigated
7.2 Notification Requirements
If we discover a breach affecting your patients' PHI:
- We notify you within 60 days of discovery
- Notification includes breach details and individuals affected
- You remain responsible for patient notification
- We assist with breach analysis and notification as needed
- We report breaches affecting 500+ individuals to HHS
8. Workforce Training
All GMB Billing Firm employees receive:
- HIPAA training upon hire
- Annual HIPAA refresher training
- Role-specific security training
- Updates on policy changes
- Testing to verify understanding
9. Risk Assessment
We conduct comprehensive risk assessments:
- Annual enterprise-wide risk assessments
- Assessments when new systems or processes are implemented
- Evaluation of threats and vulnerabilities
- Assessment of current security measures
- Determination of risk levels
- Implementation of risk mitigation strategies
10. Incident Response
Our incident response procedures include:
- 24/7 security monitoring
- Immediate incident containment
- Forensic investigation
- Documentation of incidents
- Root cause analysis
- Corrective action implementation
- Follow-up monitoring
11. Subcontractor Management
We ensure HIPAA compliance by subcontractors through:
- Executing Business Associate Agreements
- Conducting due diligence reviews
- Monitoring compliance
- Requiring similar safeguards
- Ensuring breach notification obligations
12. Audit and Monitoring
We maintain audit trails for:
- PHI access (who, what, when, where)
- System modifications
- Security incidents
- Failed access attempts
- Administrative actions
Audit logs are:
- Protected from unauthorized access
- Retained for a minimum of 6 years
- Regularly reviewed for anomalies
- Available for your inspection
13. Sanctions Policy
Employees who violate HIPAA or our security policies face:
- Retraining
- Written warnings
- Suspension
- Termination
- Legal action when appropriate
14. Your HIPAA Responsibilities
As a covered entity, you must:
- Execute our Business Associate Agreement
- Provide accurate and complete information
- Notify us of Privacy Rule restrictions
- De-identify data before using the AI platform
- Report suspected breaches to us promptly
- Maintain your own HIPAA compliance program
15. Compliance Certifications
GMB Billing Firm maintains:
- SOC 2 Type II certification (in progress)
- HITRUST CSF certification (planned)
- Regular third-party security audits
- Penetration testing (annual)
- Vulnerability assessments (quarterly)
16. Documentation
We maintain documentation of:
- HIPAA policies and procedures
- Risk assessments and security measures
- Training records
- Incident investigations
- Audit logs
- Business Associate Agreements
Documentation is retained for a minimum of 6 years from creation or last effective date.
17. Contact Our Compliance Team
For HIPAA-related questions:
HIPAA Compliance Officer
GMB Billing Firm
1921 NW N River Dr, #B107
Miami, FL 33125
Phone: (305) 482-1491
Email: support@gmbcoding.com
18. Filing Complaints
If you believe we have violated HIPAA:
- Contact our Compliance Officer (above)
- File a complaint with the HHS Office for Civil Rights:
  - Online: https://ocrportal.hhs.gov/ocr/portal/lobby.jsf
  - Phone: 1-800-368-1019
  - Mail: Office for Civil Rights, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Washington, D.C. 20201
We will not retaliate against anyone who files a good-faith complaint.
Related Policies: Privacy Policy | Terms of Service | Cookie Policy