Legal & Compliance

HIPAA Compliance Policy

3F Solutions | Last Updated: May 28, 2026 | Effective: January 1, 2022

3F Solutions acts as a HIPAA Business Associate. We sign a Business Associate Agreement (BAA) with every client before any work involving Protected Health Information begins — no exceptions.

Section 1
Our Role Under HIPAA

3F Solutions is a Business Associate (BA) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act, codified at 45 C.F.R. Parts 160 and 164.

As a Business Associate, we provide administrative, billing, and coordination services to covered entities — U.S.-based healthcare practices — in which we may create, receive, maintain, or transmit Protected Health Information (PHI) on their behalf.

We are not a Covered Entity. Our obligations arise from our contractual relationships with our clients and from applicable law. We take those obligations seriously and have built our operations around HIPAA compliance from the ground up.

Section 2
Types of PHI We May Access

Depending on the services your practice has engaged us for, our Healthcare Virtual Assistants (HVAs) may access the following types of Protected Health Information:

  • Patient names, dates of birth, and contact information
  • Insurance policy numbers and payer details
  • Diagnosis and procedure codes (ICD-10, CPT)
  • Explanation of Benefits (EOB) and remittance data
  • Prior authorization requests and responses
  • Appointment and scheduling information
  • Chart notes and clinical documentation (for organization and prep — not clinical interpretation)
  • Lab results and imaging referral data (for coordination purposes only)

Our HVAs access only the minimum necessary PHI required to complete the specific tasks assigned by your practice. We do not access, use, or retain PHI beyond what is operationally required.

Section 3
Safeguards We Maintain

3F Solutions maintains administrative, physical, and technical safeguards in accordance with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C):

Administrative Safeguards:

  • Designated HIPAA Security Officer responsible for policy oversight
  • HIPAA training completed by all HVAs before client placement
  • Access limited to specific client systems on a need-to-know basis
  • Workforce sanctions policy for HIPAA violations
  • Annual HIPAA policy review and update

Physical Safeguards:

  • HVAs work in controlled, private environments — no shared workspaces with non-authorized personnel
  • Screen privacy measures required during any PHI access
  • No printing of PHI on personal devices

Technical Safeguards:

  • Secure, encrypted communication channels for all client work
  • Unique login credentials per HVA — no shared passwords
  • VPN required for access to client EHR systems where applicable
  • Automatic session lock on inactive workstations
  • PHI is not stored locally on HVA devices

Section 4
HVA Training Requirements

Every Healthcare Virtual Assistant placed by 3F Solutions completes mandatory HIPAA training before beginning any client work. This training covers:

  • What constitutes Protected Health Information (PHI) and Electronic PHI (ePHI)
  • Minimum necessary standard — accessing only what is needed for the task
  • Secure communication and data handling procedures
  • Prohibited uses and disclosures of PHI
  • How to recognize and respond to potential breaches
  • Patient rights under HIPAA (access, amendment, accounting of disclosures)
  • Consequences of HIPAA violations — civil and criminal penalties

Training is refreshed annually and whenever significant changes to HIPAA regulations or our internal policies occur. Training completion records are maintained and available upon request.

Section 5
Business Associate Agreements (BAAs)

3F Solutions executes a Business Associate Agreement with every client whose practice involves PHI before any work begins. This is non-negotiable and applies even during the free 20-hour trial period.

Our standard BAA covers:

  • Permitted uses and disclosures of PHI on your behalf
  • Prohibition on use or disclosure of PHI other than as permitted
  • Appropriate safeguards to prevent unauthorized use or disclosure
  • Reporting of security incidents and breaches to your practice
  • Return or destruction of PHI upon termination of services
  • Compliance with applicable requirements of the HIPAA Security Rule

If you require a custom BAA or need to incorporate our BAA into your existing compliance framework, please contact us at info@3fsolutionsph.com before your trial begins.

Section 6
Breach Notification Procedures

In the event of a discovered or suspected breach of unsecured PHI, 3F Solutions will:

  • Notify the affected Covered Entity (your practice) without unreasonable delay and in no case later than 60 calendar days after discovery of the breach
  • Provide the following information to the extent known: the nature of the PHI involved, the unauthorized person who accessed it, whether it was actually acquired or viewed, and the extent to which the risk of harm has been mitigated
  • Cooperate fully with your breach risk assessment and notification obligations under 45 C.F.R. § 164.410
  • Document all security incidents, including those that do not constitute reportable breaches

To report a suspected security incident immediately, contact: info@3fsolutionsph.com

Section 7
Subcontractors and Third Parties

3F Solutions does not engage subcontractors who access PHI on behalf of our clients without first ensuring equivalent HIPAA protections are in place.

Any third-party tools or platforms used by our HVAs in the course of your work (such as EHR systems, communication platforms, or project management tools provided by your practice) are accessed under your practice's existing compliance and data governance agreements. We do not independently introduce third-party tools that access PHI without your knowledge and consent.

Section 8
Patient Rights

As a Business Associate, 3F Solutions supports your obligations to patients under HIPAA's Privacy Rule. We do not directly handle patient requests regarding their rights (such as requests for access, amendment, or accounting of disclosures). All such requests must be directed to your practice as the Covered Entity.

However, we will fully cooperate with your practice in fulfilling these obligations, including providing information about any PHI we accessed, used, or disclosed on your behalf upon request.

Section 9
Policy Updates

3F Solutions reviews this HIPAA Compliance Policy at least annually and whenever significant regulatory changes occur. The "Last Updated" date at the top of this page reflects the most recent review.

Clients with active BAAs will be notified of any material changes to our compliance practices that affect our obligations under your agreement.

Section 10
Contact Us

For HIPAA compliance questions, BAA requests, or to report a security incident:

3F Solutions — Compliance & Privacy

We respond to all compliance inquiries within 1 business day.

Email: info@3fsolutionsph.com
Phone: 628-203-0259
Website: www.3fsolutionsph.com
