Zedtreeo

HIPAA Practices

Last updated: May 2026

Zedtreeo provides healthcare staffing in roles that may handle Protected Health Information (PHI): medical billers and coders, prior-authorization specialists, virtual medical assistants, healthcare RCM staff, and HIPAA compliance support. This page describes the operational controls we put in place for those engagements, the boundary between Zedtreeo’s responsibilities and the client’s, and the language we deliberately do not use in our marketing.

1. What “HIPAA Compliance” Means — And Why We Don’t Claim It

HIPAA is a U.S. federal regulation that applies to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates. There is no central HIPAA certification body: the Department of Health and Human Services (HHS) does not issue HIPAA certificates, and no third-party body can grant a binding “HIPAA compliant” status that exempts a participant from enforcement.

For that reason, you will not see Zedtreeo describe itself as “HIPAA certified” or, without important qualification, “HIPAA compliant.” HIPAA compliance is a continuously maintained operational program tied to the specific PHI flows of a specific covered entity. We position our role as a HIPAA-aligned business associate that supports that program; the covered entity owns ultimate compliance responsibility under 45 CFR §§ 164.306, 164.308, 164.310, and 164.312.

2. Business Associate Agreement (BAA) Framework

Before any Zedtreeo professional accesses PHI, we execute a Business Associate Agreement with the client (or with the client’s designated covered entity). The BAA covers:

  • Permitted uses and disclosures of PHI tied to the engagement scope.
  • Required safeguards (administrative, physical, technical) consistent with 45 CFR § 164.314(a).
  • Breach notification timelines aligned to 45 CFR § 164.410 (notification to the covered entity within 60 days, with details required by § 164.404).
  • Subcontractor-flow-down obligations: any subcontractor that creates, receives, maintains, or transmits PHI on Zedtreeo’s behalf executes an equivalent BAA before access.
  • Termination rights and PHI return/destruction obligations.

Clients who cannot or will not sign a BAA cannot route PHI to Zedtreeo professionals. We turn down those engagements rather than proceed informally.

3. Workforce Controls (Administrative Safeguards)

Every Zedtreeo professional placed in a HIPAA-scoped engagement:

  • Completes documented HIPAA Privacy and Security Rule training before PHI access begins, with a knowledge assessment and a record retained for at least six years.
  • Signs a confidentiality and acceptable-use agreement covering PHI handling, minimum-necessary principles, and prohibited disclosure scenarios.
  • Receives role-based access provisioned to the minimum scope needed for the role.
  • Completes annual HIPAA refresher training, with retraining triggered after any incident or material control change.
  • Has a documented sanction policy applied for confirmed violations, up to and including immediate termination of the placement.

4. Technical Safeguards

For roles that touch PHI, the standard technical baseline includes:

  • Workstation hardening with full-disk encryption (AES-256 or equivalent) and screen-lock policy enforcement.
  • Multi-factor authentication for all access to client systems and any system that stores or transmits PHI.
  • VPN-only access to client EHR/PM environments; no direct internet exposure of credentials.
  • Data egress controls: USB mass-storage devices and uncontrolled cloud-storage uploads are disabled on workstations used for PHI.
  • Audit logging on PHI access with timestamps, user identity, and action; logs retained for at least six years.
  • Endpoint anti-malware and patch management enforced via centrally managed device policy.

These are baseline controls. Specific engagements may require additional technical measures driven by the client’s Security Rule risk assessment under 45 CFR § 164.308(a)(1)(ii)(A).

5. Physical Safeguards

  • Workstations used for PHI are located in monitored facilities with role-based physical access controls.
  • Removable media handling is restricted; on-prem disposal follows secure-wipe procedures.
  • Remote workforce engagements use additional verification (geofencing checks, scheduled-access windows) before granting PHI access.

6. Incident Response & Breach Notification

We maintain a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. If Zedtreeo discovers an incident that may constitute a breach of unsecured PHI:

  • Containment actions begin immediately and are logged.
  • Notification to the affected covered entity is made without unreasonable delay and in any case within the timeframe required by the executed BAA (commonly 60 calendar days from discovery, often shorter by contract).
  • The notification provides identifying detail consistent with 45 CFR § 164.404(c): a description of what happened, types of PHI involved, steps individuals should take, what we are doing to investigate and mitigate, and contact procedures.
  • The covered entity retains responsibility for notifying affected individuals, the HHS Secretary, and (where applicable) media in accordance with 45 CFR §§ 164.404, 164.406, and 164.408.

7. Subcontractor & Vendor Diligence

Where Zedtreeo engages subcontractors that may receive PHI (for example, infrastructure providers), we maintain executed BAAs and assess their security postures before onboarding. Material vendor changes that affect PHI handling are reviewed before they go live.

8. Boundary of Responsibility

Zedtreeo’s responsibility: implement the business-associate-side controls described above; train and supervise placed professionals; honor BAA obligations; notify on suspected incidents; cooperate with the covered entity’s audits.

The covered entity’s responsibility: maintain the overall HIPAA compliance program (Privacy Rule, Security Rule, Breach Notification Rule); conduct and document the Security Rule risk analysis; configure access permissions inside client-controlled systems; oversee minimum-necessary use of PHI; report breaches to HHS, affected individuals, and (where required) media; and remediate findings from OCR investigations.

We deliberately do not market Zedtreeo as a substitute for the covered entity’s compliance program. We are part of the control environment, not the whole of it.

9. Documentation & Audit Cooperation

On request, in connection with an active engagement, we provide:

  • The executed BAA and any amendments.
  • Workforce training records for placed professionals (with PHI redacted as appropriate).
  • A summary of administrative, physical, and technical safeguards in place for the specific engagement.
  • Audit-log excerpts where reasonably scoped to the client’s investigation.
  • Cooperation with HHS Office for Civil Rights (OCR) investigations of incidents within the engagement scope.

We do not publish detailed control documentation publicly because that documentation is itself security-sensitive. Active or prospective clients with a signed mutual NDA can review the full control set with our compliance contact.

10. What This Page Is Not

This page is a description of operational practice, not a HIPAA certification. It is not a representation that any particular engagement will satisfy every requirement of the Privacy, Security, or Breach Notification Rules — that is a function of the specific engagement design, the covered entity’s program, and the controls implemented for the actual PHI flow. We update this page as our practices evolve.

11. Contact

Compliance questions, BAA requests, and incident reports relating to active engagements:

Zedtreeo
Cheyenne, WY, USA
Email: contact@zedtreeo.com
Phone: +1-725-977-3776

For background on the engagement model, see the hire remote medical staff page or the healthcare & telemedicine industry overview.