Health Quest Billing LLC HIPAA Compliance

Last Updated: January 14, 2026

Health Quest Billing LLC (“HQB,” “we,” “our,” or “us”) is committed to protecting the privacy and security of Protected Health Information (“PHI”) in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and all applicable federal privacy and security regulations.

This HIPAA Compliance Statement explains how HQB safeguards PHI when providing revenue cycle management, medical billing, credentialing, payer enrollment, denial management, and related administrative services to healthcare providers.

1. Status as a HIPAA Business Associate

HQB performs services that require access to PHI on behalf of covered entities (healthcare providers).
As a Business Associate, HQB enters into a legally binding Business Associate Agreement (“BAA”) with every client requiring PHI access.
The BAA outlines:

• Permitted uses and disclosures of PHI
• Safeguards to prevent unauthorized access
• Breach notification requirements
• Restrictions on subcontractors and third parties
• Data return or destruction at termination

HQB does not use PHI for marketing, data mining, or any activity unrelated to contracted operations. HQB maintains a signed and current BAA with each client before accessing or processing PHI.

2. Administrative Safeguards

HQB maintains internal policies, controls, and workforce procedures that limit PHI access and protect data confidentiality:

• HIPAA workforce training for all staff with PHI access
• Confidentiality agreements for employees and subcontractors
• Role-based access control and least-privilege authorization
• Audit logs and session monitoring
• Unique user IDs and multi-factor authentication
• Sanctions for policy violations
• Incident response and breach reporting protocols
• Business continuity and disaster recovery planning

Only authorized personnel with documented job roles may access PHI.

3. Technical Safeguards

HQB employs secure technical infrastructure to prevent unauthorized access, tampering, or disclosure of PHI:

• Encryption of data in transit and at rest
• Secure U.S.-based hosting and data residency
• Multi-factor authentication for system access
• Encrypted SFTP/MFT for file transfers
• Intrusion detection and access monitoring
• Secure, logged access to client systems and EHRs
• Firewalls, antivirus, and endpoint protection
• No PHI stored on personal devices or local hard drives
• No PHI transmitted through unsecured email

Offshore personnel (if utilized) access systems only through secure Virtual Desktop Infrastructure (VDI) with:

• No download or export permissions
• No screenshot, clipboard, or file save permissions
• Time-stamped audit logs
• Encrypted connections

HQB conducts periodic reviews and performs penetration testing of its technical systems.

4. Physical Safeguards

To prevent unauthorized physical access to data:

• Secure office and data environments
• Controlled badges or access credentials
• Access limited to authorized staff only
• Device security and workstation protection
• No printed copies of PHI kept onsite unless required and secured

5. Subcontractors and Third Parties

HQB may engage subcontractors solely for operational support.
If a subcontractor requires access to PHI:

• They must sign a HIPAA-compliant Business Associate Agreement
• They must comply with HQB’s confidentiality, security, and access standards
• Access is monitored and revoked upon completion of duties

HQB does not sell, rent, exchange, or distribute PHI to any third party for marketing purposes.

6. Breach Notification

HQB follows HIPAA and HITECH breach notification requirements.
If unsecured PHI is accessed, acquired, used, or disclosed in a manner not permitted by the BAA or law:

• HQB will conduct a risk assessment
• Notify affected clients without unreasonable delay
• Support investigation, containment, and remediation
• Provide legally required documentation and reporting

7. Use of PHI

HQB uses PHI only for authorized billing and administrative operations, including:

• Claims submission and management
• Eligibility and benefits verification
• AR follow-up and payer correspondence
• Credentialing and payer enrollment
• Patient invoicing (if applicable)
• Reporting and analytics for client operations

PHI is not used for training unrelated to client operations, product development, sales, or marketing.

8. Return or Destruction of PHI

Upon termination of services, HQB will return or securely destroy PHI in accordance with:

• The Business Associate Agreement
• HIPAA data retention and disposal standards
• Client instructions were legally permissible

Secure destruction includes wiping encrypted servers and removing backups after contractual retention periods expire. Destruction is logged and, upon request, certification of destruction can be provided.

9. Commitment to Continuous Compliance

HQB monitors regulatory updates and adjusts policies and procedures as needed to remain compliant with:

• HIPAA Privacy & Security Rules
• HITECH breach notification standards
• Current healthcare cybersecurity best practices
• Payer and clearinghouse security requirements

Internal compliance reviews are performed to maintain ongoing adherence.

Contact Information

For HIPAA-related requests, security questions, or breach reporting:

Health Quest Billing LLC – Compliance & Security
Address: 611 S Dupont Hwy Ste 102, Dover, Delaware 19901.
Email: legal@healthquestbilling.com
Phone: (415) 508-6537
Website: www.healthquestbilling.com