HIPAA & Business Associate Agreement
Last updated: May 2026

Healthcare practices are legally required to execute a Business Associate Agreement (BAA) with any vendor that accesses Protected Health Information (PHI) on their behalf. Pacific Revenue Partners operates as a Business Associate under HIPAA and signs a BAA with every client before any data is shared. Here's what that means in practice.

What Is a Business Associate?

Under the Health Insurance Portability and Accountability Act (HIPAA), a Business Associate is any entity that performs services for a covered healthcare provider that involve creating, receiving, maintaining, or transmitting PHI.

Because Pacific Revenue Partners accesses billing data, claim information, and remittance data to perform revenue cycle management on your behalf, we are a Business Associate. Before we review any patient-linked data, we execute a BAA with your practice — no exceptions.

How We Handle PHI

Minimum necessary access
We request only the access required to perform the agreed services — typically read-only access to AR reports and remittance data. We do not request write access to your billing system.
No marketing use of PHI
PHI is never used for marketing, benchmarking across clients, or any purpose outside the specific services agreed to in your Service Agreement and BAA.
Encrypted in transit and at rest
Any PHI we handle is encrypted both in transit and at rest. Access is restricted to authorized personnel involved in your engagement.
Breach notification
In the event of a breach affecting your PHI, we will notify you within the timeframes required by HIPAA so you can meet your reporting obligations.

Our Security Practices

We maintain administrative, physical, and technical safeguards consistent with the HIPAA Security Rule, including:

  • Role-based access controls limiting PHI access to personnel working on your account
  • Encryption of PHI in transit (TLS 1.2+) and at rest
  • Regular security awareness training for all staff
  • Written information security policies and procedures
  • Secure disposal of PHI at the end of the engagement per BAA terms
  • Subcontractor agreements ensuring any downstream vendors meet equivalent standards

What Our BAA Covers

Our standard Business Associate Agreement includes all provisions required under 45 CFR §164.504(e), including:

  • Permitted uses and disclosures of PHI
  • Prohibition on use or disclosure of PHI outside the scope of the agreement
  • Obligations to report security incidents and breaches
  • Requirements for subcontractors who may access PHI
  • Individual rights to access and amend their PHI
  • Obligations upon termination, including PHI destruction or return

Our BAA is reviewed periodically and updated to reflect changes in HIPAA regulations and HHS guidance.

Subcontractors

Where Pacific Revenue Partners uses subcontractors or third-party tools that may have access to PHI in the course of our work (such as AI tooling used to draft appeal letters), we execute equivalent Business Associate Agreements with those vendors and ensure they meet the same HIPAA security standards we maintain.

Questions About Our HIPAA Compliance

If you have questions about our HIPAA practices, want to review our BAA before our discovery call, or need to report a concern, contact us directly:

Sarabeth — Privacy & Compliance
Email: hello@sarabeth.com

Ready to execute a BAA?

We send our standard BAA during onboarding — typically in the first week of engagement. If you'd like to review it before booking a call, reach out and we'll send it over.
