Last Updated: March 17, 2025
BAA Signed Before Any Data Access: No Exceptions
1. Our Commitment to HIPAA Compliance
REL1EF Medical Management ("REL1EF") operates as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH). We are committed to protecting the privacy and security of Protected Health Information (PHI) entrusted to us by our healthcare provider clients (Covered Entities).
HIPAA compliance is not an add-on at REL1EF; it is fundamental to every process, system, and team member involved in delivering our services. We handle PHI only in connection with providing authorized billing, revenue cycle management, and related healthcare administrative services.
2. Protected Health Information (PHI)
What PHI We May Access
In the course of providing billing and RCM services, REL1EF may access the following types of PHI:
- Patient names and demographic information
- Dates of birth and Social Security numbers (when required for billing)
- Insurance plan information and member IDs
- Diagnosis codes (ICD-10)
- Procedure codes (CPT, HCPCS)
- Encounter documentation and clinical notes (as needed for coding and appeals)
- Explanation of Benefits (EOB) and Electronic Remittance Advice (ERA)
- Billing records, claim status, and payment history
Authorized Purposes
PHI is accessed exclusively for the following authorized purposes:
- Insurance eligibility verification and prior authorization
- Medical coding and claim preparation
- Electronic claim submission to payers
- Payment posting and reconciliation
- Denial management and appeals
- Accounts receivable follow-up and recovery
- Out-of-network claim negotiation and IDR filings
- Reporting and analytics for the Covered Entity
3. Business Associate Agreement (BAA)
REL1EF requires a signed Business Associate Agreement with every client before any PHI is accessed. No exceptions.
The BAA establishes:
- Permitted uses and disclosures: PHI may only be used for the services specified in the BAA and the underlying Service Agreement.
- Safeguard obligations: REL1EF must implement administrative, physical, and technical safeguards to protect PHI.
- Breach notification: REL1EF must report any breach of unsecured PHI to the Covered Entity within the timeframes specified in the BAA and HIPAA regulations.
- Subcontractor requirements: Any subcontractors with access to PHI must sign their own BAA with REL1EF.
- Return or destruction: Upon termination, PHI must be returned or securely destroyed as specified in the BAA.
A BAA is available upon request and is signed before any engagement begins. Contact bfritz@rel1ef.com to request a copy.
4. Administrative Safeguards
- HIPAA Privacy Officer: REL1EF has a designated Privacy Officer responsible for developing, implementing, and maintaining HIPAA policies and procedures.
- Workforce Training: All workforce members with access to PHI receive HIPAA training upon hiring and annually thereafter. Training covers privacy rules, security requirements, breach identification, and reporting obligations.
- Minimum Necessary Standard: Access to PHI is limited to the minimum amount necessary to perform authorized job functions. Role-based access controls enforce this standard.
- Sanctions Policy: Workforce members who violate HIPAA policies are subject to disciplinary action, up to and including termination.
- Risk Assessments: REL1EF conducts regular risk assessments to identify vulnerabilities and implement appropriate safeguards. Assessments are documented and reviewed at least annually.
- Policies and Procedures: Comprehensive written policies govern PHI handling, access controls, incident response, and workforce conduct. Policies are reviewed and updated annually.
5. Physical Safeguards
- Facility Access Controls: Physical access to areas where PHI is processed or stored is restricted to authorized personnel only.
- Workstation Security: Workstations used to access PHI are secured with automatic screen locks, positioned to prevent unauthorized viewing, and equipped with privacy screens where appropriate.
- Device and Media Controls: Portable devices containing PHI are encrypted. Disposal of PHI-containing media follows NIST 800-88 guidelines for secure sanitization.
- Visitor Controls: Visitors to REL1EF facilities are escorted and do not have unsupervised access to areas where PHI is processed.
6. Technical Safeguards
- Encryption in Transit: All data transmitted between REL1EF systems and client EHRs, clearinghouses, and payers is encrypted using TLS 1.2 or higher.
- Encryption at Rest: PHI stored on REL1EF systems is encrypted using AES-256 encryption.
- Multi-Factor Authentication (MFA): All systems containing PHI require multi-factor authentication for access.
- Access Controls: Unique user IDs, role-based permissions, and principle of least privilege govern all system access.
- Audit Logs: All access to PHI is logged with user identification, timestamp, and action performed. Audit logs are reviewed regularly and retained per HIPAA requirements.
- Automatic Session Timeouts: Systems automatically lock after a period of inactivity to prevent unauthorized access.
- Anti-Malware and Patching: Systems are protected with up-to-date anti-malware software and regular security patching.
- Vulnerability Assessments: Regular vulnerability scans and penetration testing are conducted to identify and remediate security weaknesses.
- Backup and Recovery: PHI is backed up regularly with encrypted backups stored in geographically separate locations. Disaster recovery procedures are tested annually.
7. Breach Notification
In the event of a breach of unsecured Protected Health Information, REL1EF will:
- Notify the affected Covered Entity without unreasonable delay, and no later than sixty (60) days after discovery of the breach (or sooner if required by the BAA).
- Provide the Covered Entity with all information necessary to fulfill its own breach notification obligations under HIPAA, including identification of affected individuals, a description of the types of PHI involved, and the steps taken to investigate and mitigate the breach.
- Cooperate fully with the Covered Entity's breach notification and remediation efforts.
- Document the incident, investigation findings, and corrective actions taken.
- Implement measures to prevent recurrence of similar incidents.
8. Patient Rights
Under HIPAA, patients have rights regarding their PHI, including the right to access, amend, and receive an accounting of disclosures. As a Business Associate, REL1EF supports Covered Entities in fulfilling these patient rights requests.
Patients should direct requests regarding their PHI to their healthcare provider (the Covered Entity), who will coordinate with REL1EF as needed. REL1EF does not respond directly to patient requests unless specifically authorized by the Covered Entity in the BAA.
9. Subcontractors
REL1EF requires all subcontractors who may access, create, receive, maintain, or transmit PHI on our behalf to sign a Business Associate Agreement. Subcontractors are held to the same HIPAA standards that apply to REL1EF, including all administrative, physical, and technical safeguards described in this notice.
REL1EF maintains a current inventory of all subcontractors with access to PHI and monitors their compliance with applicable requirements.
10. State Law Considerations
Where state laws provide greater privacy protections than HIPAA, REL1EF complies with the more protective standard. This includes, but is not limited to, state laws governing:
- Mental health and substance abuse records
- HIV/AIDS-related information
- Genetic information
- Minor patient records
- State-specific breach notification requirements
11. Complaints and Inquiries
If you have questions about REL1EF's HIPAA practices, wish to report a suspected breach or violation, or need to request a copy of our BAA, please contact us:
REL1EF Medical Management, HIPAA Privacy Officer
P.O. Box 293810
Lewisville, TX 75029
Phone: +1 469 312 1407
Email: bfritz@rel1ef.com
You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, at hhs.gov/hipaa/filing-a-complaint.
REL1EF will not retaliate against any individual for filing a complaint or reporting a suspected violation.