HIPAA Notice & Compliance Statement
How AxioRCM safeguards protected health information as a HIPAA Business Associate to the healthcare providers we serve.
1. Our role: Business Associate
The Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act govern how protected health information (PHI) is used and protected. AxioRCM LLC provides billing, coding, credentialing, and related services to healthcare providers. In doing so, AxioRCM acts as a Business Associate, not a Covered Entity, and processes PHI only on behalf of, and at the direction of, its provider clients.
2. Business Associate Agreements
Before AxioRCM accesses or processes any PHI, we execute a Business Associate Agreement (BAA) with the healthcare provider. The BAA defines the permitted uses and disclosures of PHI, our safeguarding obligations, breach notification duties, and the return or destruction of PHI at the end of the engagement.
3. How we safeguard PHI
AxioRCM maintains administrative, physical, and technical safeguards consistent with the HIPAA Security Rule:
- Administrative: written policies, risk assessments, designated privacy and security officers, and incident response procedures.
- Physical: controlled facility access and secure handling and disposal of any media containing PHI.
- Technical: encryption of PHI in transit and at rest, role-based access controls, unique user credentials, multi-factor authentication, and audit logging of access to PHI.
4. Permitted uses and disclosures
AxioRCM uses and discloses PHI only as permitted by the applicable BAA and by law, primarily to perform billing, coding, claim submission, denial management, and credentialing on the provider's behalf. AxioRCM does not sell PHI and does not use PHI for marketing.
5. Workforce training and access
All AxioRCM workforce members complete HIPAA privacy and security training at hire and on a recurring basis. Access to PHI is granted on a least-privilege, need-to-know basis and is reviewed periodically. Workforce members are subject to sanctions for violations of our privacy and security policies.
6. Subcontractors
Where AxioRCM engages a subcontractor that may access PHI, that subcontractor is required to enter into a written agreement imposing safeguards at least as protective as those in our own Business Associate Agreements.
7. Breach notification
If AxioRCM discovers a breach of unsecured PHI, we will notify the affected Covered Entity without unreasonable delay and within the timeframes required by the HIPAA Breach Notification Rule and the applicable BAA, and will cooperate with the provider's notification and mitigation obligations.
8. Patient rights
Patients have rights regarding their health information, including the rights to access, amend, and receive an accounting of disclosures of their records. These rights are exercised through the healthcare provider that holds the records. AxioRCM supports providers in responding to such requests as required by the BAA.
9. Reporting a concern
To report a privacy or security concern, or to reach the AxioRCM Privacy Officer, contact AxioRCM LLC, 30 N Gould St, Ste R, Sheridan, WY 82801, by email at [email protected], or by phone at +1 (307) 430-1809. AxioRCM does not retaliate against anyone for reporting a concern in good faith.