HIPAA PRIVACY & SECURITY STATEMENT (FOR BUSINESS ASSOCIATE)
Effective Date: [October 2004]
Applies To: Superlative Systems Integrations, Inc. (“we,” “us,” or “our”)
1) Who We Are and Our Role Under HIPAA
Superlative Systems Integrations, Inc. provides information technology services to healthcare clients, including Unified Communications, managed IT, cloud hosting, EHR integrations, cybersecurity, help desk, data backup and recovery, interface development, and network monitoring.
When we receive access to Protected Health Information (“PHI”) from or on behalf of our healthcare clients (the “Covered Entities”), we act as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, including the Privacy Rule and Security Rule, as amended by the HITECH Act.
Note: This Statement is not a covered entity “Notice of Privacy Practices.” Patients should contact their healthcare provider for the provider’s HIPAA Notice of Privacy Practices.
2) PHI We May Receive or Process
The PHI we may handle in the course of providing services to our clients can include, as applicable:
- Identifiers (e.g., name, address, email, phone, date of birth)
- Medical record numbers, account numbers, treatment/diagnosis information
- Claims, billing, and payment information
- Device IDs, IP addresses, and system logs only if such data is linked to an individual’s health information
- Other PHI as strictly necessary to perform contracted services
We do not collect PHI directly from patients via this website unless the site includes secure forms or portals expressly designed for that purpose and labeled accordingly.
3) How We Use and Disclose PHI (Business Associate Permitted Uses)
We use and disclose PHI solely:
- To perform our services as described in our Business Associate Agreements (BAAs) with our healthcare clients
- For proper management and administration, or to fulfill our legal responsibilities (e.g., required by law), provided we apply appropriate safeguards and limit disclosures to the minimum necessary
We do not sell PHI, use PHI for marketing, or use PHI for any purpose not permitted by HIPAA or our BAAs.
4) Safeguards To Protect PHI (Security Overview)
We maintain administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of electronic PHI (“ePHI”), which may include:
- Administrative: workforce training, role-based access, least-privilege authorization, vendor and subprocessor due diligence, security risk analysis, policies and procedures, and BAAs with applicable subcontractors
- Technical: encryption in transit and at rest (where applicable), multi-factor authentication for privileged access, network segmentation, endpoint protection, vulnerability management and patching, logging and monitoring, secure configurations and backups
- Physical: restricted facility access, secure server/closet rooms, device/media controls and secure disposal
We review and update controls periodically in response to risk assessments, regulatory changes, and industry best practices.
5) Subcontractors and Cloud Providers
We may engage subcontractors or cloud service providers to support our services. Where such parties may access PHI, we:
- Evaluate their security controls as part of vendor risk management; and
- Execute downstream BAAs requiring HIPAA-compliant safeguards and breach reporting.
6) Data Retention and Disposal
We retain PHI only for as long as necessary to deliver services, meet contractual commitments, and comply with applicable law. Upon contract termination or at the client’s instruction, we return or securely destroy PHI in accordance with our BAA and data disposition procedures, unless retention is required by law.
7) Breach Notification
If we discover a breach of unsecured PHI under HIPAA, we will notify the affected Covered Entity without unreasonable delay and in accordance with our BAA and applicable law. We cooperate with our clients on any required notifications to individuals, regulators, or the media.
8) Individual Rights
As a Business Associate, we generally do not respond directly to patient requests regarding access, amendments, or restrictions on PHI. Individuals should submit such requests to their healthcare provider (the Covered Entity). Where a Covered Entity instructs us to assist with individual rights requests, we will provide support as permitted by HIPAA and our BAA.
9) Website Privacy (Non-PHI)
Our public website may collect non-PHI information (e.g., cookies, analytics, log data) for functionality, security, or to improve the user experience. We do not intentionally link website analytics to PHI. For details, please see our Website Privacy Policy and Cookie Notice. If your interaction with us through the site involves PHI (e.g., a secure support portal), those interactions are governed by HIPAA and this Statement.
10) Minimum Necessary
We apply the HIPAA minimum necessary standard to limit PHI use and disclosure to what is reasonably necessary to accomplish the intended purpose.
11) International Data Transfers
[If applicable] PHI is hosted and processed in the U.S.A. (North American region). We do not transfer PHI internationally unless expressly authorized by the Covered Entity and permitted by applicable law and our BAA.
12) Children’s Information
Our services are provided to healthcare organizations and business users. We do not knowingly collect PHI directly from children via this website.
13) Changes to This Statement
We may update this Statement from time to time. The “Effective Date” above reflects the latest revision. Material changes will be posted on this page.
14) How to Contact Us
HIPAA & Security Contact:
Contact – Superlative Systems Integrations, Inc.
You may also contact us to request a copy of our Business Associate Agreement template or to report a security concern.