Last updated: March 3, 2026
Evident RCM is committed to maintaining the highest standards of privacy and security for Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and all applicable federal and state regulations.
As a revenue cycle management company, Evident RCM operates as a Business Associate under HIPAA. We execute a Business Associate Agreement (BAA) with every client prior to accessing any Protected Health Information. Our BAA outlines the permitted uses and disclosures of PHI, our obligations to safeguard that information, breach notification procedures, and the terms under which PHI is returned or destroyed upon termination of services.
We maintain comprehensive administrative safeguards including a designated Privacy Officer and Security Officer responsible for HIPAA compliance, documented policies and procedures for handling PHI, workforce training on HIPAA requirements conducted at onboarding and annually thereafter, regular risk assessments to identify and mitigate potential vulnerabilities, and an incident response plan with defined breach notification procedures.
Our technical safeguards include encryption of PHI in transit (TLS 1.2+) and at rest (AES-256), unique user identification and role-based access controls, automatic session timeouts and multi-factor authentication, audit logging of all access to systems containing PHI, and secure data backup and disaster recovery procedures.
We implement physical safeguards including controlled access to facilities and workstations where PHI is processed, secure disposal of physical media containing PHI, and device and media controls for all hardware and electronic media.
In the event of a breach of unsecured PHI, Evident RCM will notify affected clients without unreasonable delay and no later than 60 days following discovery of the breach, in accordance with HIPAA Breach Notification Rule requirements. Our notification will include the nature of the breach, the types of information involved, steps taken to mitigate harm, and recommendations for affected individuals.
We adhere to the HIPAA Minimum Necessary Standard, ensuring that our workforce members access only the minimum amount of PHI necessary to perform their specific job functions. Access controls are configured to enforce this principle across all systems.
Any subcontractors who may access PHI on our behalf are required to execute Business Associate Agreements and demonstrate compliance with HIPAA Security Rule requirements before being granted access to any protected information.
We support our clients in fulfilling patient rights under HIPAA, including the right to access their health information, request amendments to their records, receive an accounting of disclosures, and request restrictions on certain uses or disclosures of their information.
We conduct annual HIPAA risk assessments, regularly review and update our policies and procedures, monitor regulatory changes and update our compliance program accordingly, and maintain documentation of all compliance activities as required by HIPAA.
If you have questions about our HIPAA compliance program or wish to report a concern, please contact our Privacy Officer at hipaa@evidentrcm.com.