HIPAA Compliance at AEGIS ISD
When AEGIS ISD, LLC creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered-entity customer, we operate as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, including the Privacy, Security, and Breach Notification Rules (collectively, "HIPAA"). This page describes our PHI handling practices for healthcare customers.
Last updated: April 24, 2026
Our role under HIPAA
Under 45 CFR §160.103, AEGIS ISD is a Business Associate when it creates, receives, maintains, or transmits PHI on behalf of Covered Entity customers such as health plans, state Medicaid agencies, and their agents. The platform supports fraud detection, SIU case management, medical review, analytics, and recovery tracking. AEGIS ISD is not itself a Covered Entity.
Business Associate Agreement
AEGIS ISD's policy is to enter into a Business Associate Agreement ("BAA") with each customer before receiving, creating, maintaining, or transmitting Protected Health Information on that customer's behalf. Our standard BAA incorporates the required terms under 45 CFR §§164.504(e) and 164.314(a). A copy of our standard BAA is available for review prior to contracting by emailing legal@aegisisd.com.
Our policy likewise requires an executed downstream BAA with any subcontractor that will create, receive, maintain, or transmit PHI on our behalf, prior to the subcontractor's processing of PHI. Our current subprocessor inventory is published at aegisisd.com/subprocessors.
Safeguards for PHI
Our Security Rule safeguards (45 CFR §§164.308, 164.310, 164.312) include administrative, physical, and technical controls:
- Administrative. Documented policies and procedures, workforce HIPAA training within a reasonable period after hire and periodically thereafter consistent with our training program, role-based access following the principle of least privilege, periodic access reviews, a sanction policy for workforce violations, and a documented risk analysis reviewed on a regular cadence.
- Physical. Hosting within physical facilities of our cloud provider that maintain their own SOC 2 and HIPAA attestations. No on-premises servers contain PHI. Workforce devices are protected by full-disk encryption and centralized endpoint management.
- Technical. Unique user identification, automatic logoff, audit controls capturing access to PHI, integrity controls preventing unauthorized alteration, and encryption of electronic PHI in transit (TLS 1.2 or higher) and at rest (AES-256).
Minimum necessary
AEGIS ISD accesses, uses, and discloses PHI consistent with the minimum-necessary standard under 45 CFR §164.502(b). Role-based permissions limit workforce access to the PHI needed to perform assigned functions. Customers retain administrative control over who within their own organization has access to PHI in their tenant.
Breach notification
If AEGIS ISD becomes aware of a breach of Unsecured PHI as defined under 45 CFR §164.402, we will notify the affected Covered Entity without unreasonable delay and in any case not later than the outer limit of sixty (60) calendar days from discovery required by 45 CFR §164.410. Where an executed BAA commits AEGIS ISD to a shorter notification timeframe, the BAA controls and AEGIS ISD will meet that shorter timeframe. Notification will include the information required under 45 CFR §164.410(c), including identification (to the extent possible) of affected individuals, a description of what occurred, the types of PHI involved, and the steps we are taking to investigate, mitigate, and prevent recurrence.
Workforce training and sanctions
AEGIS ISD workforce members with potential access to PHI receive HIPAA privacy and security training within a reasonable period after hire and periodically thereafter, consistent with 45 CFR §164.530(b) (Privacy Rule training) and 45 CFR §164.308(a)(5) (Security Rule security awareness and training), as applicable to a Business Associate, and with our documented training program. Training completion is tracked and the associated records are retained consistent with 45 CFR §164.316(b)(2). A documented sanction policy, consistent with 45 CFR §164.308(a)(1)(ii)(C), establishes the consequences for workforce members who fail to comply with our HIPAA policies and procedures.
Contingency planning
Consistent with 45 CFR §164.308(a)(7), AEGIS ISD maintains a written contingency plan that includes data backup, disaster recovery, and emergency-mode operation procedures. Backups are tested on a regular cadence, and the disaster recovery plan is exercised periodically.
Audit logs and retention
The platform captures audit logs of PHI access and significant workflow events. Logs are retained in accordance with the HIPAA Security Rule and customer contractual requirements, and are available to customers for their own review of access to their tenant's data.
Notice of Privacy Practices
As a Business Associate, AEGIS ISD does not issue a Notice of Privacy Practices directly to individuals. Covered Entity customers are responsible for providing their Notice of Privacy Practices and for obtaining any individual authorizations required under the Privacy Rule. AEGIS ISD supports customer-directed rights requests (such as access, amendment, and accounting of disclosures) in accordance with the BAA.
Individual rights and complaints
Individuals who believe their privacy rights have been violated should first contact the Covered Entity from which they receive healthcare or health coverage. Individuals may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). Information about filing is available at hhs.gov/hipaa/filing-a-complaint.
De-identified and limited data sets
When authorized by a customer through the BAA or a separate data-use agreement, AEGIS ISD may create de-identified information in accordance with 45 CFR §164.514(b) or limited data sets in accordance with §164.514(e). Such information is used only for permitted purposes and is not combined with data from other customers without authorization.
HIPAA contact
Questions about HIPAA or PHI handling?
For BAA requests, HIPAA compliance questions, or to report a privacy concern involving AEGIS ISD, email our privacy team. For suspected security incidents, email our security team.
HIPAA and privacy
- Privacy: privacy@aegisisd.com
- BAA requests: legal@aegisisd.com
- Security incidents: security@aegisisd.com
- AEGIS ISD, LLC
- 7753 Green Mountain Way, Winter Garden, FL 34787