HIPAA Compliance
Last updated: January 1, 2025
What Is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law that establishes national standards for the protection of sensitive patient health information (PHI). Any organisation that handles PHI on behalf of a covered entity is considered a Business Associate and must comply with HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule.
Breeze.io as a Business Associate
When Breeze.io places professionals with healthcare clients who handle PHI, we act as a Business Associate under HIPAA. We are prepared to execute a Business Associate Agreement (BAA) with any covered entity client prior to an engagement beginning. Our BAA outlines each party's responsibilities with respect to PHI, including permitted uses and disclosures, safeguards required, and breach notification obligations.
Professional Vetting for Healthcare Roles
All professionals placed in healthcare-related roles go through an enhanced vetting process: • HIPAA awareness training verification • Background checks with healthcare-specific screening • NDA execution covering PHI handling • Skills assessment for prior authorisation, medical billing, EHR systems, and patient scheduling Professionals are not presented to healthcare clients until all vetting steps are completed and verified.
Data Handling Standards
Breeze.io and its placed professionals adhere to strict standards when handling PHI: • PHI is accessed only on a need-to-know basis • Professionals use client-provided, HIPAA-compliant systems only • PHI is never stored, transmitted, or shared outside of approved client systems • Any suspected breach of PHI is reported to the client within 24 hours of discovery
Security Safeguards
We require that all healthcare placements operate within environments that maintain: • Administrative safeguards: role-based access controls, workforce training, and incident response procedures • Physical safeguards: secure workstation use and device controls • Technical safeguards: encryption, audit controls, and automatic logoff
Breach Notification
In the event of a suspected or confirmed breach involving a Breeze-placed professional, we will: • Notify the affected client within 24 hours of discovery • Provide a written incident report within 5 business days • Cooperate fully with the client's breach response and any regulatory investigation • Take immediate corrective action with the relevant professional
Requesting a BAA
If you are a covered entity and require a signed Business Associate Agreement, contact us at legal@breeze.io. We will provide and execute a BAA prior to any engagement beginning.