
HIPAA posture. What we actually do.

GetMax operates as a Business Associate for healthcare practices in the United States. This page describes how we satisfy our Privacy Rule and Security Rule obligations, how the BAA workflow works in practice, and what we ask of you. It is a description, not a substitute for the signed BAA.

Last updated: 2026-05-17 · Contact: sriram@getmaxrcm.com · Entity: GetMax Healthcare Solutions Pvt Ltd

Read this first

This is a summary, not a contract. It is a plain-English description of how we run the platform and handle your data. The authoritative documents — Master Services Agreement, BAA, Data Processing Addendum, security questionnaire responses — are available under NDA. Email sriram@getmaxrcm.com for the long form.

1. Scope of HIPAA at GetMax

We are not a covered entity. We are a business associate to covered entities and, in some cases, a subcontractor business associate to other business associates (e.g. RCM firms). PHI we receive belongs to your patients; we touch it only to deliver the services you have contracted us for.

Products that handle PHI: Verify (eligibility), Orion (claims, denials, coding), Echo (payer + patient voice), Flux (email and fax intake), and Lisa (meeting capture, when configured for clinical sessions). Other products do not handle PHI by default.

2. The BAA workflow

  1. Default template. We use the open Bonterms BAA template (CC-BY-4.0). It is widely accepted by US healthcare counsel and is shorter than most bespoke BAAs, which gets us live faster.
  2. Self-serve signing. Routine BAAs are sent through a self-hosted DocuSeal instance running inside our AWS account. No third-party SaaS sees PHI or the signed BAA.
  3. Custom redlines. If your counsel needs custom language, send the redline to sriram@getmaxrcm.com. We turn most redlines within 2 business days.
  4. No PHI before signature. The product enforces a feature gate: PHI-bearing endpoints are disabled until a BAA is on file for the tenant.
  5. Subcontractor BAAs. Every subprocessor that touches PHI has a BAA with us. The current list is on the Privacy page.

3. Technical safeguards

HIPAA §164.312 — implemented as follows.

Access control (§164.312(a))

  • Unique user identification — every account is assigned a unique user ID.
  • Emergency access procedure — break-glass accounts gated behind dual-control approval and full audit logging.
  • Automatic logoff after a configurable inactivity period.
  • Encryption and decryption — AES-256 at rest plus field-level AES-256-GCM for sensitive PHI fields with per-tenant KMS keys.

Audit controls (§164.312(b))

  • Every PHI access, modification, export, and deletion is logged with actor, tenant, target object, and timestamp.
  • Logs are immutable from the application surface and retained 6+ years.
  • Customer admins can request a tenant-scoped audit log export at any time.
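The two mechanisms above that are easiest to get wrong in practice are the BAA feature gate from section 2 (PHI endpoints closed until a BAA is on file for the tenant) and the audit trail (actor, tenant, target, timestamp on every PHI access). The following is an added illustration, not GetMax code: a deny-by-default guard that refuses and records PHI calls for tenants without a signed BAA, plus an in-process audit log whose entries are hash-chained so that tampering from the application surface is detectable. `Tenant`, `AuditLog`, `guard_phi` and `check_eligibility` are assumed names, and the chaining scheme is an assumption, not a description of the real platform.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Tenant:
    tenant_id: str
    baa_signed_at: "str | None" = None  # ISO date of the signed BAA; None means none on file

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only log; each entry commits to the hash of the one before (assumed chaining scheme)."""
    def __init__(self):
        self.entries = []

    def append(self, actor, tenant_id, action, target):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                 "tenant": tenant_id, "action": action, "target": target, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """False if any entry was altered, removed or reordered after being written."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True

AUDIT = AuditLog()

def guard_phi(actor, tenant, action, target):
    """Deny-by-default gate: no BAA on file means no PHI, and both outcomes are audited."""
    if tenant.baa_signed_at is None:
        AUDIT.append(actor, tenant.tenant_id, action + ":denied-no-baa", target)
        raise PermissionError(f"no BAA on file for tenant {tenant.tenant_id}")
    AUDIT.append(actor, tenant.tenant_id, action, target)

def check_eligibility(actor, tenant, member_id):
    """Constructed stand-in for a Verify lookup; returns only the minimum-necessary fields."""
    guard_phi(actor, tenant, "eligibility.read", member_id)
    return {"tenant": tenant.tenant_id, "member_id": member_id, "status": "eligible"}
```

Denied calls are recorded as well as allowed ones, so an integration that goes live before its BAA is signed shows up in the audit trail rather than failing silently.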

Integrity (§164.312(c))

  • Object versioning in S3 for any document uploaded with PHI. Originals preserved.
  • Database write paths require authenticated, audited transactions.
  • Checksum verification on file uploads and EHR sync writebacks.

Person or entity authentication (§164.312(d))

  • MFA enforced for all GetMax staff and for customer admin roles.
  • SSO (SAML / OIDC) available on the enterprise tier.

Transmission security (§164.312(e))

  • TLS 1.2+ on every external endpoint. HSTS in place.
  • X12 transmissions (270/271, 276/277, 837, 835) ride encrypted partner channels with our clearinghouses.
  • Voice traffic (Echo) on TLS-SIP via Twilio with BAA in place.

4. Administrative safeguards

HIPAA §164.308 — implemented as follows.

  • Security management process. Annual risk analysis using a NIST 800-30 methodology. Risk register reviewed quarterly. Documented sanction policy for policy violations.
  • Assigned security responsibility. The CEO (Sriram Raghavan) is the accountable Privacy Officer and Security Officer. Day-to-day operations roll up to engineering leads with documented delegation.
  • Workforce security. Background checks at hire (where lawful), role-based access provisioning, prompt termination of access on role change or separation.
  • Information access management. Least-privilege by default. Access reviews quarterly. Time-bounded just-in-time elevation for break-glass actions.
  • Security awareness and training. HIPAA Privacy and Security training is mandatory at hire and annually thereafter. Phishing simulations run quarterly.
  • Security incident procedures. Documented incident-response runbook. See the Security page for the lifecycle.
  • Contingency plan. Encrypted daily backups, 35-day retention, quarterly restore tests, documented disaster-recovery runbook covering data centre, dependency, and cloud-region failures.
  • Business associate contracts. Every subprocessor that touches PHI has a BAA with us. List on the Privacy page.
  • Evaluation. Annual review of administrative, technical, and physical safeguards. External pentest scheduled.

5. Physical safeguards

HIPAA §164.310 — implemented as follows.

  • No customer PHI in physical offices. All production data lives in AWS US regions. Offices do not store production PHI on local disks.
  • Data centre security. Inherited from AWS — biometric access, 24/7 manned security, fire suppression, redundant power. Documented in AWS's SOC 2 Type II and ISO 27001 reports, available through AWS Artifact.
  • Workstation security. Staff endpoints use full-disk encryption, screen locks, EDR, and MDM. Lost-device procedure rotates credentials and revokes tokens immediately.
  • Media disposal. Cloud-native — we do not run our own disks. AWS NIST-compliant media disposal is inherited via the AWS BAA.

6. Minimum necessary

Every feature is designed around HIPAA's minimum-necessary standard. Examples:

  • Verify reads payer ID, member ID, DOB, and CPT — not the full chart.
  • Orion coding reads the encounter note for the encounter being coded, not the patient's historical chart.
  • Echo works from a redacted call brief; the agent does not have the full PHI record in working memory.
  • Flux classifies based on metadata + a summary; full message content is surfaced only to authorised users in the practice.

7. Patient rights, supported through the covered entity

HIPAA grants patients rights of access, amendment, restriction, accounting of disclosures, and notice. The covered entity (the practice) owns the patient relationship and the records. We assist on request — typically within 10 business days of a verified covered-entity request.

8. Breach notification

If we discover a Breach of Unsecured PHI (as defined at §164.402), we will notify affected covered entities without unreasonable delay and in no case later than 60 days from discovery. We provide what we know, what we are doing, and a single point of contact. See Incident Response on the Security page for the lifecycle.

9. State-specific overlays

Several US states (Texas, California, New York, Washington) have privacy laws that extend or layer on HIPAA — for example Texas HB 300 and CMIA in California. We follow the stricter of HIPAA and the applicable state rule where they conflict. Tell us your state of operation on the order form and we'll flag anything material in your BAA or DPA.

10. What we don't do

  • We don't sell PHI. Ever.
  • We don't use PHI for marketing.
  • We don't train third-party AI models on PHI.
  • We don't allow staff to access PHI without role-based authorisation and audit logging.

11. Asking for evidence

For HIPAA security questionnaires, OCR audit prep, or your own internal risk review, email sriram@getmaxrcm.com. We share policies, the BAA template, our risk register summary, audit log samples, and architecture diagrams under NDA.

12. Contact

Privacy Officer and Security Officer: sriram@getmaxrcm.com.

© 2026 GetMax Healthcare Solutions Pvt Ltd · HIPAA-grade infra on AWS · SOC 2 Type II in progress