← Back to Home

HIPAA Notice

Notice Regarding Protected Health Information Practices

Last Updated: May 4, 2026

1. Our Commitment to HIPAA Compliance

MedAuxilium LLC ("MedAuxilium") is committed to protecting the privacy and security of Protected Health Information ("PHI") in accordance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations (collectively, "HIPAA Rules").

Through our ClaraCare OS platform, MedAuxilium may act as a Business Associate to healthcare providers, including Residential Care Facilities for the Elderly (RCFEs) and other Covered Entities. This notice describes our practices regarding the handling of PHI.

2. Our Role as a Business Associate

When MedAuxilium processes PHI on behalf of a Covered Entity (such as a healthcare provider using ClaraCare OS), we act as a Business Associate under HIPAA. In this capacity, we:

  • Enter into Business Associate Agreements (BAAs) with all Covered Entities before accessing PHI
  • Use and disclose PHI only as permitted by the BAA and HIPAA Rules
  • Implement appropriate safeguards to prevent unauthorized use or disclosure of PHI
  • Report any breaches of unsecured PHI to the Covered Entity
  • Ensure that any subcontractors who access PHI agree to the same restrictions and conditions
  • Make PHI available to individuals who request access to their own information, as directed by the Covered Entity

3. Types of PHI We May Process

In connection with ClaraCare OS, we may process the following types of PHI on behalf of Covered Entities:

  • Resident/patient demographic information (name, date of birth, address, contact information)
  • Health records and medical history
  • Care plans and treatment documentation
  • Medication administration records
  • Incident and accident reports
  • Assessment and evaluation data
  • Insurance and billing information
  • Emergency contact information

4. Administrative, Physical, and Technical Safeguards

4.1 Administrative Safeguards

  • Designated Privacy Officer and Security Officer
  • Workforce training on HIPAA requirements and security awareness
  • Documented policies and procedures for PHI handling
  • Regular risk assessments and management plans
  • Sanction policy for workforce members who violate HIPAA policies
  • Contingency planning including data backup and disaster recovery
  • Business Associate Agreement management and oversight

4.2 Physical Safeguards

  • Secure data center facilities with restricted access
  • Workstation security policies and procedures
  • Device and media controls for hardware containing PHI
  • Environmental controls (fire suppression, climate control, power backup)

4.3 Technical Safeguards

  • AES-256 encryption for PHI at rest
  • TLS 1.2+ encryption for PHI in transit
  • Unique user identification and authentication
  • Role-based access controls (minimum necessary standard)
  • Automatic session timeout and logoff
  • Audit logging and monitoring of all PHI access
  • Integrity controls to prevent unauthorized alteration of PHI
  • Multi-factor authentication for administrative access

5. Breach Notification

In the event of a breach of unsecured PHI, MedAuxilium will:

  • Notify the affected Covered Entity without unreasonable delay, and no later than 60 days after discovery of the breach
  • Provide the Covered Entity with identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed
  • Provide a description of what happened, including the date of the breach and date of discovery
  • Describe the types of unsecured PHI involved in the breach
  • Describe the steps taken to investigate the breach, mitigate harm, and prevent future breaches
  • Cooperate with the Covered Entity in meeting its notification obligations to affected individuals and the Department of Health and Human Services (HHS)

6. Individual Rights

Under HIPAA, individuals have certain rights regarding their PHI. While these rights are primarily exercised through the Covered Entity (your healthcare provider), MedAuxilium supports the following rights as directed by the Covered Entity:

  • Right to Access: Individuals may request access to their PHI maintained in our systems
  • Right to Amendment: Individuals may request corrections to their PHI
  • Right to an Accounting of Disclosures: Individuals may request a list of certain disclosures of their PHI
  • Right to Request Restrictions: Individuals may request restrictions on certain uses and disclosures
  • Right to Confidential Communications: Individuals may request alternative means of receiving communications

To exercise these rights, individuals should contact their healthcare provider (the Covered Entity) directly. The Covered Entity will coordinate with MedAuxilium as necessary.

7. Use of AI Technology and PHI

ClaraCare OS incorporates artificial intelligence (AI) capabilities to enhance care management. Regarding AI and PHI:

  • AI processing of PHI is conducted in compliance with HIPAA requirements
  • PHI used for AI-assisted features is encrypted and processed within secure environments
  • AI models are not trained on individual patient PHI without explicit authorization
  • De-identified data (per HIPAA de-identification standards) may be used for system improvement
  • All AI-generated recommendations are advisory and do not replace professional medical judgment
  • Audit trails are maintained for all AI-assisted processing of PHI

8. Data Retention and Disposal

MedAuxilium retains PHI in accordance with the terms of our Business Associate Agreements and applicable law:

  • PHI is retained for the duration specified in the BAA
  • Upon termination of the BAA, PHI is returned or destroyed as directed by the Covered Entity
  • If return or destruction is not feasible, protections are extended to the PHI for as long as it is retained
  • Destruction of PHI is performed using NIST-approved methods ensuring data cannot be recovered
  • Documentation of PHI destruction is maintained for a minimum of six (6) years

9. Complaints

If you believe that your privacy rights have been violated, you may:

  • Contact your healthcare provider (the Covered Entity) directly
  • Contact MedAuxilium's Privacy Officer at the address below
  • File a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) at hhs.gov/hipaa/filing-a-complaint

You will not be retaliated against for filing a complaint.

10. Contact Information

For questions about this HIPAA Notice or our privacy practices regarding PHI:

MedAuxilium LLC — Privacy Officer

Email: [email protected]

Website: medauxilium.net