HIPAA Notice & Data Use

How We Protect Your Patients' Information

Business Associate Relationship

When OMNICARE BILLING & IT SOLUTIONS LLC ("OmniCare") provides medical billing, coding, credentialing, or IT services to healthcare providers, we act as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). This means we handle Protected Health Information (PHI) on your behalf and are legally obligated to protect it.

Business Associate Agreement (BAA)

Before accessing any PHI, we execute a Business Associate Agreement with each client. Our BAA outlines:

  • Permitted uses and disclosures of PHI
  • Safeguards to protect PHI
  • Breach notification procedures
  • Subcontractor requirements
  • Patient rights regarding their information
  • Termination and data return procedures

To request a BAA, visit our BAA Request page.

How We Use PHI

We use and disclose PHI only as permitted by our BAA and HIPAA regulations:

  • Billing Services: To submit claims, post payments, and manage accounts receivable
  • Coding Services: To assign appropriate diagnosis and procedure codes
  • Credentialing: To enroll providers with insurance payors
  • IT Services: To maintain, secure, and support EHR/PMS systems
  • Required by Law: When legally mandated (e.g., court orders, regulatory audits)

Safeguards We Implement

We maintain comprehensive safeguards as required by the HIPAA Security Rule:

Technical Safeguards

  • Encryption of PHI in transit (TLS 1.2+) and at rest (AES-256)
  • Multi-factor authentication (MFA) for system access
  • Role-based access controls (RBAC)
  • Audit logging and monitoring
  • Automatic session timeouts
  • Regular security patches and updates

Administrative Safeguards

  • Annual risk assessments
  • Security policies and procedures
  • Workforce training on HIPAA compliance
  • Incident response plan
  • Business associate agreements with subcontractors
  • Sanction policy for violations

Physical Safeguards

  • Secure facility access controls
  • Workstation security and positioning
  • Device and media controls
  • Secure disposal of PHI-containing materials

For more details, see our Security & Compliance page.

Breach Notification

In the unlikely event of a breach of unsecured PHI, we will:

  • Notify you without unreasonable delay and no later than 60 days after discovery
  • Provide details of the breach, affected individuals, and mitigation steps
  • Assist with required notifications to patients and regulatory authorities
  • Implement corrective actions to prevent future breaches

Patient Rights

As a Business Associate, we support your patients' HIPAA rights, including:

  • Right to access their PHI
  • Right to request amendments
  • Right to an accounting of disclosures
  • Right to request restrictions

We will cooperate with you to fulfill patient requests as required by HIPAA.

Subcontractors

If we engage subcontractors who may access PHI (e.g., cloud hosting providers), we ensure they:

  • Sign Business Associate Agreements
  • Implement appropriate safeguards
  • Comply with HIPAA requirements
  • Are vetted for security and compliance

Data Retention and Disposal

We retain PHI only as long as necessary to provide services and comply with legal requirements. Upon termination of services, we will return or securely destroy PHI as specified in our BAA, unless retention is required by law.

Questions or Concerns

If you have questions about our HIPAA compliance or wish to report a concern:

HIPAA Compliance Officer

OMNICARE BILLING & IT SOLUTIONS LLC

8893 Silverthorn Rd, Seminole, FL 33777

Email: info@omnicarebillinganditsolutions.com

Phone: (772) 229-4370