HIPAA, structured for a hybrid entity.
ApiVoc operates as a hybrid Covered Entity. Payor Systems handles persistent PHI under full Covered Entity obligations. AmbiScript, SmartyRx, and Noventa operate as Business Associates with transient in-memory PHI only.
Hybrid CE/BA, by function.
Each ApiVoc business operates under the HIPAA role appropriate to what it actually does. The structure isn't accidental. It follows the function of each subsidiary.
Entity | HIPAA role | PHI handling | Description
Payor Systems | Covered Entity | Persistent PHI | Medical claims processing for health plans. Operates under the full HIPAA Privacy and Security Rules.
AmbiScript | Business Associate | Transient, in-memory only | Ambient clinical documentation. Operates under BAAs with provider customers. PHI never persists.
SmartyRx | Business Associate | Transient, in-memory only | Real-time pharmacy benefits API. Operates under BAAs with integrators. PHI never persists.
Noventa | Business Associate (at launch) | Transient, in-memory only | Patient risk analytics built on drug data. Will operate as a Business Associate at launch.
Eight areas, all documented.
The HIPAA program covers eight functional areas. Each has documented policies, designated owners, evidence captured continuously through Drata, and external audit when applicable.
Privacy Rule compliance
Notice of Privacy Practices, minimum necessary standard, individual rights (access, amendment, accounting of disclosures), authorization workflows for uses and disclosures outside treatment, payment, and health care operations (non-TPO).
Security Rule safeguards
Administrative, physical, and technical safeguards documented per §164.308–§164.312. Risk analysis updated annually, controls mapped to evidence.
Workforce training
HIPAA training for all workforce members at hire and annually. Role-specific training for personnel with PHI access. Sanctions policy for violations.
Access controls
Role-based access via Microsoft Entra ID. Least-privilege provisioning. Quarterly access reviews. Termination of access on workforce changes.
Encryption
AES-256-GCM at rest. TLS 1.2+ in transit. Azure Key Vault for key management. Documented in encryption policy.
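The at-rest control above names an algorithm and a key manager but not how the two fit together. The following is an added example written for this page, not ApiVoc's code: envelope encryption in Go, where each record gets its own AES-256-GCM data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK), and the record's identity is bound into both GCM tags as associated data so a ciphertext cannot be silently moved to another record. The KEK is held in process here so the example runs offline; in a Key Vault deployment the wrap and unwrap calls would go to the vault instead. The record content and the `claim:12345` identifier are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is one encrypted record: the record sealed under a per-record DEK,
// plus that DEK wrapped under the KEK. Assumption for this example: the KEK is
// a local byte slice standing in for a KMS-held key (e.g. Azure Key Vault);
// in production the wrap/unwrap step is a call to the vault, not local code.
type Envelope struct {
	WrappedDEK []byte // wrapNonce || GCM_KEK(DEK), with AAD bound into the tag
	Nonce      []byte // 96-bit nonce used for the record
	Ciphertext []byte // GCM_DEK(plaintext) with the 16-byte tag appended
	AAD        []byte // record identity, authenticated by both GCM tags
}

func gcm(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

// zero is a best-effort wipe of key material we no longer need.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// Seal encrypts plaintext for the record identified by aad under a fresh DEK.
// A new DEK per record means no per-key nonce budget has to be tracked.
func Seal(kek, aad, plaintext []byte) (*Envelope, error) {
	kekAEAD, err := gcm(kek)
	if err != nil {
		return nil, err
	}
	dek, err := randBytes(32)
	if err != nil {
		return nil, err
	}
	defer zero(dek) // the plaintext DEK is dropped once the wrapped copy exists
	dekAEAD, err := gcm(dek)
	if err != nil {
		return nil, err
	}
	nonce, err := randBytes(dekAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	wrapNonce, err := randBytes(kekAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedDEK: kekAEAD.Seal(wrapNonce, wrapNonce, dek, aad),
		Nonce:      nonce,
		Ciphertext: dekAEAD.Seal(nil, nonce, plaintext, aad),
		AAD:        aad,
	}, nil
}

// Open unwraps the DEK and decrypts. Any change to the ciphertext, nonce,
// wrapped key or AAD (e.g. re-labelling the record) fails one of the two tags.
func Open(kek []byte, env *Envelope) ([]byte, error) {
	kekAEAD, err := gcm(kek)
	if err != nil {
		return nil, err
	}
	ns := kekAEAD.NonceSize()
	if len(env.WrappedDEK) < ns {
		return nil, errors.New("wrapped DEK too short")
	}
	dek, err := kekAEAD.Open(nil, env.WrappedDEK[:ns], env.WrappedDEK[ns:], env.AAD)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	defer zero(dek)
	dekAEAD, err := gcm(dek)
	if err != nil {
		return nil, err
	}
	pt, err := dekAEAD.Open(nil, env.Nonce, env.Ciphertext, env.AAD)
	if err != nil {
		return nil, fmt.Errorf("open record: %w", err)
	}
	return pt, nil
}

func main() {
	kek, err := randBytes(32) // stand-in for the vault-held KEK (assumption)
	if err != nil {
		panic(err)
	}
	env, err := Seal(kek, []byte("claim:12345"), []byte("constructed sample claim record"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(kek, env)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	env.Ciphertext[0] ^= 0x01 // a single flipped byte: the record tag no longer verifies
	_, err = Open(kek, env)
	fmt.Println("tampered ciphertext:", err)
}
```

The two details worth checking in any real implementation are the ones the policy line does not spell out: the 96-bit GCM nonce must never repeat under the same key (a per-record DEK removes that bookkeeping), and the associated data must carry the record's identity so a valid ciphertext cannot be replayed into another patient's row.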
Audit logging
Authentication, access, and PHI disclosure logging. Logs retained per HIPAA-aligned retention policy. Reviewed for anomalies.
Vendor management
BAAs executed with all vendors handling PHI on our behalf. Vendor risk assessments before onboarding. Annual reviews.
Business continuity
Documented business continuity and disaster recovery plans. RTO/RPO defined per system criticality. Tested annually.
Detection to notification.
Our breach response process aligns with the HIPAA Breach Notification Rule. Documented, rehearsed, and integrated with our incident response program.
Detection & containment
Incident identified through monitoring, workforce report, or external notice. Immediate containment to limit further exposure.
Investigation & risk assessment
Determination of whether PHI was acquired, accessed, used, or disclosed. Four-factor risk assessment per §164.402: the nature and extent of the PHI involved (including identifiers and the likelihood of re-identification), the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
Notification
BA → CE notification without unreasonable delay and no later than 60 calendar days after discovery (§164.410). CE → individual notification on the same outer limit, per the Breach Notification Rule (§164.404). The clock runs from discovery, the day the breach is known or by reasonable diligence would have been known, not from the close of the investigation.
Remediation & lessons
Root cause analysis, corrective action, policy or control updates, retrospective review with leadership.
HIPAA program inquiries.
For BAA requests, security questionnaires, or any HIPAA-specific inquiry, route directly to our Privacy & Compliance Officer.