HIPAA & data security

Compliance is a working system—not a website badge.

OriNova uses a BAA-first, minimum-necessary approach and requires approved secure systems before receiving PHI.

Before PHI is handled

  • Project scope and responsibilities are defined.
  • A service agreement and BAA are executed when required.
  • The approved transfer, storage, access, and communication methods are confirmed.
  • Only the minimum information necessary for the assigned review is requested.

Safeguards and controls

  • Access is limited to authorized personnel with a business need.
  • Electronic PHI is handled through approved systems and protected in transit and at rest as applicable.
  • Findings are quality-checked and delivered through the approved channel.
  • Suspected privacy or security incidents are escalated and documented.
  • Subcontractors handling PHI must accept applicable restrictions and safeguards.
Important

The public website is not a PHI intake system.

Do not submit EOBs, ERAs, claim files, medical records, patient identifiers, or other PHI through the website form, calculator, or ordinary email. A signed BAA is required when applicable, but secure tools and operating controls are also required.

Standards referenced

OriNova’s approach is informed by the HIPAA Privacy, Security, and Breach Notification Rules and HHS guidance for business associate contracts. Final compliance depends on the actual engagement, systems, workforce practices, vendor relationships, and documented risk-management program.

HHS Security Rule overview ↗HHS business associate contract provisions ↗
Start with clarity

Before you invest in a bigger solution, find out where the process is breaking.

A focused review can turn a vague revenue-cycle problem into a prioritized plan.

Request a Process Review