HIPAA Compliance

Our Commitment to Protecting Patient Information

Total Relief MD is committed to maintaining the highest standards of privacy and security for Protected Health Information (PHI). As a Business Associate under HIPAA, we understand the critical importance of safeguarding patient data in all aspects of our remote physician supervision services.

Our HIPAA Compliance Framework

Total Relief MD maintains a comprehensive HIPAA compliance program that addresses all aspects of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. Our framework includes:

Administrative Safeguards

  • Designated Privacy and Security Officers
  • Comprehensive workforce training
  • Access management policies
  • Incident response procedures
  • Regular compliance audits

Physical Safeguards

  • Secure data center facilities
  • Facility access controls
  • Workstation security policies
  • Device and media controls
  • Environmental protections

Technical Safeguards

  • End-to-end encryption (AES-256)
  • Multi-factor authentication
  • Automatic session timeouts
  • Audit logging and monitoring
  • Intrusion detection systems

Business Associate Agreement (BAA)

Total Relief MD enters into a Business Associate Agreement (BAA) with each client facility. Our BAA:

  • Establishes the permitted uses and disclosures of PHI
  • Requires appropriate safeguards to prevent unauthorized use or disclosure
  • Mandates reporting of any security incidents or breaches
  • Ensures compliance with the HIPAA Security Rule
  • Provides for termination if a material breach occurs

We will provide a BAA as part of your service agreement. If you have questions about our BAA, please contact us at compliance@totalreliefmd.com.

Data Encryption and Security

Our platform employs multiple layers of security to protect PHI:

Data in Transit

  • TLS 1.3 encryption for all web communications
  • End-to-end encrypted video/audio streams
  • Secure WebSocket connections for real-time communication

Data at Rest

  • AES-256 encryption for stored data
  • Encrypted database backups
  • Secure key management practices

Access Controls

  • Role-based access control (RBAC)
  • Unique user identification
  • Automatic logoff after inactivity
  • Multi-factor authentication for all users

Audit Controls and Monitoring

Total Relief MD maintains comprehensive audit logs that record:

  • All user authentication events (login/logout)
  • Access to patient information
  • All supervision sessions (timestamp, duration, participants)
  • System configuration changes
  • Security events and anomalies

Audit logs are retained for a minimum of six (6) years and are available for compliance review upon request.

Workforce Training

All Total Relief MD personnel receive comprehensive HIPAA training, including:

  • Initial HIPAA privacy and security training upon hire
  • Annual refresher training and updates
  • Role-specific training for individuals with access to PHI
  • Training documentation and attestation records

Our supervising physicians and staff are trained on proper handling of PHI during remote supervision sessions.

Breach Notification

In the unlikely event of a breach of unsecured PHI, Total Relief MD will:

  1. Investigate: Promptly investigate the incident to determine scope and impact
  2. Mitigate: Take immediate steps to mitigate harm and prevent further breach
  3. Notify: Notify affected covered entities within 24 hours of discovery
  4. Document: Maintain detailed records of the incident and response
  5. Cooperate: Assist covered entities with their breach notification obligations

We maintain cyber liability insurance and have established relationships with forensic experts for incident response.

Risk Assessments

Total Relief MD conducts regular risk assessments to identify and address potential vulnerabilities:

  • Annual comprehensive security risk assessments
  • Quarterly vulnerability scans
  • Penetration testing by third-party security firms
  • Continuous monitoring for security threats
  • Remediation tracking and verification

Subcontractors and Third Parties

We carefully vet all subcontractors and third-party service providers who may have access to PHI. All such parties are required to:

  • Execute Business Associate Agreements
  • Demonstrate HIPAA compliance
  • Undergo security assessments
  • Comply with our security policies

Our cloud infrastructure providers (Google Cloud Platform, Firebase) maintain SOC 2 Type II certifications and HIPAA compliance.

Data Retention and Disposal

Total Relief MD maintains PHI only for as long as necessary to fulfill our service obligations and comply with legal requirements:

  • Supervision session records: Retained per state medical record requirements (minimum 6 years)
  • Audit logs: Retained for 6 years
  • Business records: Retained per applicable legal requirements

When PHI is no longer needed, it is disposed of using secure methods that render the data unreadable and unrecoverable.

Your Responsibilities

As a covered entity using Total Relief MD services, you maintain responsibility for:

  • Implementing your own HIPAA compliance program
  • Training your workforce on HIPAA requirements
  • Ensuring appropriate authorizations for disclosures to Total Relief MD
  • Maintaining security of your own systems and access credentials
  • Reporting any suspected security incidents to us promptly

Contact Our Compliance Team

For questions about our HIPAA compliance program, to request a BAA, or to report a security concern:

Total Relief MD Compliance Office

HIPAA Privacy Officer: privacy@totalreliefmd.com

HIPAA Security Officer: security@totalreliefmd.com

General Compliance: compliance@totalreliefmd.com

Security Incident Reporting: If you suspect a security incident or breach involving Total Relief MD services, please contact security@totalreliefmd.com immediately.

© 2026 Total Relief MD. All rights reserved. HIPAA Compliant Medical Services.