Effective Date: July 3, 2026
Last Updated: July 3, 2026
Version: 2.0
About This Notice
MHC Information Services, LLC (MHCIS) is a security and software engineering firm. This notice explains how we approach the Health Insurance Portability and Accountability Act (HIPAA) when we build or operate systems that may handle Protected Health Information (PHI) on behalf of our clients.
There is no such thing as HIPAA certification. The U.S. Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) do not certify, accredit, or endorse any product, service, or organization as "HIPAA compliant." Any vendor that markets a federal "HIPAA certification" is misrepresenting the law. We therefore do not claim to be "HIPAA certified" or "HIPAA compliant."
What we do claim is specific and verifiable: we engineer the software and infrastructure we build to align with the HIPAA Security Rule, and we will sign a Business Associate Agreement (BAA) for engagements that involve PHI.
The Shared-Responsibility Reality
HIPAA compliance is not a property of a single vendor. It is a shared obligation across every party that touches PHI.
- The Covered Entity (a healthcare provider, health plan, or healthcare clearinghouse) or the Business Associate that engages us remains responsible for its own HIPAA program, including its own risk analysis, policies, workforce training, and required notifications to individuals and regulators.
- MHCIS, when acting as a Business Associate, is responsible for implementing reasonable and appropriate safeguards for the specific systems we build or operate, and for meeting the obligations set out in the BAA we sign.
No engagement with MHCIS relieves a client of its own HIPAA obligations. Whether HIPAA applies at all depends on the client, the use case, and the data involved. Many of our engagements do not involve PHI and are outside the scope of HIPAA.
What the HIPAA Security Rule Requires
The HIPAA Security Rule (45 CFR Part 164, Subpart C) requires regulated organizations to protect electronic PHI (ePHI) through three categories of safeguards:
- Administrative safeguards (§164.308): risk analysis and risk management, workforce security, information access management, security awareness, incident procedures, and contingency planning.
- Physical safeguards (§164.310): facility access controls and workstation and device security.
- Technical safeguards (§164.312): access controls, audit controls, integrity controls, authentication, and transmission security.
The Security Rule is deliberately technology-neutral and scalable. It sets required outcomes, not a fixed checklist of products.
How MHCIS Builds to the Security Rule
For systems we build or operate that handle ePHI, we engineer toward the Security Rule using controls we can substantiate:
Technical Safeguards
- Encryption in transit: TLS/HTTPS is enforced for data moving between clients, services, and users.
- Encryption at rest: provided by the underlying cloud platforms we build on (Microsoft Azure and Vercel), in their U.S. regions.
- Access controls and least privilege: unique user identities, role-based access, and permissions scoped to the minimum necessary for a task.
- Audit logging: application and infrastructure activity is logged so that access to systems handling ePHI can be recorded and reviewed.
- Integrity controls: authentication and validation mechanisms to guard against improper alteration or destruction of data.
Administrative and Engineering Practices
- Secure software development lifecycle (SDLC): security is considered across design, code review, and dependency review rather than bolted on afterward.
- Infrastructure as code: environments are defined in version-controlled configuration to keep changes reviewable and repeatable.
- Least-privilege operational access to the systems we manage.
- Error and exception monitoring via Sentry to help detect and investigate abnormal system behavior.
We do not over-specify controls we cannot substantiate. Where a safeguard is provided by an underlying cloud platform rather than by MHCIS directly (for example, physical data center security or encryption-at-rest key management), we say so rather than claim it as our own.
Business Associate Agreement (BAA)
For engagements that involve PHI, MHCIS will sign a Business Associate Agreement. A BAA typically:
- Defines our responsibilities as a Business Associate under HIPAA and the HITECH Act.
- Specifies the permitted uses and disclosures of PHI.
- Describes the safeguards we will apply to the systems within scope.
- Establishes breach-notification cooperation and timelines.
- Defines termination, data return, and data destruction expectations.
To request a BAA: email contact@mhcis.com with "BAA Request" in the subject line.
Breach-Notification Cooperation
If we discover a breach of unsecured PHI affecting a system we operate for a client, we will cooperate with that client so it can meet its HIPAA breach-notification obligations. Our cooperation includes:
- Notifying the affected Covered Entity or Business Associate without unreasonable delay after discovery, consistent with the terms of the applicable BAA.
- Providing the information reasonably available to us about the nature of the incident and the PHI involved.
- Supporting the client's investigation, mitigation, and documentation.
The Covered Entity or Business Associate remains responsible for the notifications that HIPAA assigns to it, including notifications to affected individuals, to HHS, and, where applicable, to the media. Specific timelines are governed by the signed BAA.
Data Retention and Disposal
- PHI is retained and disposed of according to the client's instructions, the applicable BAA, and applicable law.
- On termination of an engagement, we return or securely destroy PHI within scope as the BAA specifies.
Subprocessors
Where a client engagement involves PHI, MHCIS will maintain the appropriate agreements with any subprocessor that handles that PHI on our behalf and will provide advance notice of subprocessor changes as set out in the applicable agreement. A current list of our subprocessors is available on request; see our Data Processing Agreement for data-processing terms.
Not Legal Advice
MHCIS is not a law firm, and this notice is not legal advice. HIPAA obligations depend on your organization, your data, and your specific circumstances. You should consult your own privacy counsel or compliance advisors to determine your obligations. This notice describes our engineering posture and our willingness to sign a BAA; it does not create any warranty of compliance.
Contact
- HIPAA and BAA questions: contact@mhcis.com
- Phone: +1 (803) 881-3889
- Mail: 1325 Park Street, Suite 200, Columbia, SC 29201
Related Policies
- Privacy Policy: data protection and privacy practices
- Terms of Service: service agreements and obligations
- Security Policy: security practices and vulnerability disclosure
- Data Processing Agreement: subprocessors and data processing terms
MHC Information Services, LLC
A security and software engineering firm.