Your Patient Data Is Safe.
Here's Exactly How.
RCMAXIS operates under the strictest HIPAA-compliant frameworks in the industry. Every workflow, every coder, every data touchpoint is governed by policy, not just intention.
Our Compliance Framework
Four Pillars of RCM Compliance
Medical billing involves more PHI touchpoints than almost any other healthcare function. We've built every process around protecting that data and limiting your practice's liability exposure.
HIPAA Compliance
Every member of the RCMAXIS team completes annual HIPAA training and attestation. Our workflows are built to the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, not just the baseline.
- Business Associate Agreement (BAA) executed with every client before data access
- Minimum Necessary Standard enforced: coders access only what they need for billing
- Workforce HIPAA training: onboarding + annual recertification
- Breach notification protocol: 60-hour internal escalation, 60-day HHS reporting window
- No use or disclosure of PHI beyond treatment, payment, and healthcare operations
- Designated HIPAA Privacy Officer and Security Officer
SOC 2 Type II Pathway
RCMAXIS is currently implementing the controls and audit trail required for SOC 2 Type II certification across the Trust Service Criteria of Security, Availability, and Confidentiality.
- SOC 2 Type I controls implemented and documented
- Annual third-party security risk assessment
- Continuous monitoring via SIEM (Security Information & Event Management)
- Penetration testing conducted annually by independent vendor
- Change management policies aligned with SOC 2 CC6 and CC8 criteria
- Vendor risk management program for all third-party integrations
Coder Certifications
We do not employ uncertified coders. Every RCMAXIS coding specialist holds a recognized credential from AAPC or AHIMA and is required to maintain CE credits for recertification.
- CPC (Certified Professional Coder): AAPC credential for physician billing
- CCS-P (Certified Coding Specialist - Physician-Based): AHIMA credential
- Specialty-specific credentials: COSC (orthopedic), CIRCC (interventional radiology), CGSC (GI)
- 36 CE credits per 2-year recertification cycle, all documented
- Internal coding audits conducted quarterly per coder
- CPT code update training completed by Nov 15 each year for January 1 readiness
Technical Security Controls
PHI is never stored in unencrypted form. Access is role-based, logged, and auditable. Our infrastructure follows NIST 800-66 guidelines for healthcare data security.
- AES-256 encryption at rest; TLS 1.3 in transit
- Role-based access control (RBAC); no shared login credentials
- Multi-factor authentication required for all PHI-system access
- Full audit logs: every access, export, and modification is timestamped and logged
- Automatic session timeout: 15 minutes of inactivity on clinical workstations
- No PHI stored on personal devices; managed device policy enforced
Technical Controls
How We Protect Your Data Every Day
Not just policies on paper: active technical controls running 24/7 across every system that touches your practice's PHI.
End-to-End Encryption
All PHI is encrypted with AES-256 at rest. Data in transit is protected by TLS 1.3. Encryption keys are managed separately from data stores.
24/7 Access Monitoring
Every login, file access, and data export is logged and reviewed. Anomalous access patterns trigger automated alerts and human review within 1 hour.
Multi-Factor Authentication
MFA is mandatory for all staff with PHI access. No exceptions, including administrators and C-suite. FIDO2-compliant authentication methods preferred.
Zero Trust Network
Network access follows Zero Trust principles: no implicit trust based on network location. Every request is authenticated, authorized, and encrypted.
Backup & Disaster Recovery
Automated daily encrypted backups with 30-day retention. Recovery Time Objective (RTO): 4 hours. Recovery Point Objective (RPO): 24 hours. Tested quarterly.
Vulnerability Management
Weekly automated vulnerability scans on all internet-facing systems. Critical patches applied within 48 hours. Annual third-party penetration testing.
Business Associate Agreement
Your BAA: Signed Before We Touch Anything
Under HIPAA, any vendor that handles your patients' protected health information must execute a Business Associate Agreement. We provide a HIPAA-compliant BAA as standard, executed before any data access is granted, without exception.
What Our BAA Covers
Our standard BAA addresses all required HIPAA provisions including: permitted uses and disclosures of PHI, safeguard obligations, subcontractor management, breach notification procedures, and agreement termination with return/destruction of PHI. Legal review by your counsel is welcome and encouraged.
- Identifies RCMAXIS as Business Associate and your practice as Covered Entity
- Defines all permitted uses: billing, payment processing, and operations only
- Requires RCMAXIS to report any breach or security incident within 60 hours
- Mandates destruction or return of all PHI upon contract termination
- Flows down to all subcontractors; no uncovered data handoffs
Our People
Compliance Is Built Into Every Role
Certifications, training hours, and audit scores: the numbers behind our compliance posture.
Incident Response
If Something Goes Wrong, Here's Exactly What Happens
We follow a documented, tested incident response protocol. You will never find out about a breach from a news article. Our commitment is transparency and speed.
Detection & Containment
Security alert fires. Affected system is isolated within 60 minutes of detection. On-call security officer is notified immediately. Access logs preserved and locked for forensic review.
Scope Assessment
Forensic review determines what PHI, if any, was accessed or exfiltrated. Volume, nature, and affected patients documented. Legal counsel and privacy officer engaged.
Client Notification
You are notified of any confirmed or suspected breach within 24 hours of discovery, well ahead of HIPAA's 60-day requirement. Full incident report provided with known facts and open questions clearly identified.
Remediation & Root Cause
Root cause analysis completed. System rebuilt or patched. Controls strengthened. Written remediation plan delivered to you and your counsel.
HHS Notification (if required)
If the breach involved 500+ individuals in a single state or 500+ total, HHS is notified within 60 days as required. Individual patient notices sent via first-class mail. Your practice is supported throughout this process.
Questions about compliance? Let's talk.
We'll walk you through our security posture, answer any questions from your legal or compliance team, and execute your BAA, typically within 24 hours of agreement.