Trust, Security & Privacy at Practice Management
At Practice Management, trust is foundational. We design our products and operations to protect sensitive information—especially Protected Health Information (PHI)—and to support organizations operating in regulated healthcare environments.
Our security and privacy program is risk‑based, continuously improved, and aligned to the principles of the HIPAA Security Rule and Privacy Rule.
Our Security & Privacy Approach
Practice Management maintains a formal security and privacy program designed to safeguard the confidentiality, integrity, and availability of customer data.
Our program is guided by industry‑recognized principles, including:
- Least‑privilege and role‑based access
- Defense‑in‑depth security controls
- Continuous risk assessment and improvement
- Strong operational and technical safeguards
HIPAA‑Aligned Security Program
Practice Management supports healthcare customers by operating in alignment with HIPAA expectations for both covered entities and business associates.
Governance & Risk Management
- A designated security leader oversees the security and privacy program.
- Periodic risk assessments identify threats and vulnerabilities to systems that handle electronic protected health information (ePHI).
- Security controls are reviewed and enhanced as risks and technologies evolve.
Administrative Safeguards
- Workforce access is granted based on job responsibilities and business need.
- Security awareness training is provided to employees and reinforced regularly.
- Security incidents are documented, investigated, and addressed through established response procedures.
Technical Safeguards
- Role‑based access controls protect systems that store or process sensitive data.
- Strong authentication mechanisms help prevent unauthorized access.
- Data is protected through encryption in transit and at rest.
- Logging and monitoring support threat detection and investigation.
Physical Safeguards
- Physical protections appropriate to our operating environment are used to safeguard systems and devices.
- Secure device handling and disposal practices reduce the risk of data exposure.
Privacy & Data Use
Practice Management is committed to responsible data handling and privacy by design.
- Access to PHI is limited to the minimum necessary to perform approved business functions, except where HIPAA permits broader access (such as treatment scenarios).
- PHI is used and disclosed only as permitted by contract and applicable law.
- Customer data is not sold or used for unauthorized purposes.
Healthcare Partnerships & Business Associate Support
Where applicable, Practice Management supports HIPAA‑regulated customers by entering into Business Associate Agreements (BAAs).
Our contracts define:
- Permitted uses and disclosures of PHI
- Required administrative, technical, and physical safeguards
- Incident and breach notification responsibilities
- Subcontractor security and confidentiality obligations
Incident & Breach Preparedness
Despite strong controls, no system is immune from risk. Practice Management maintains procedures to identify, assess, and respond to potential security incidents involving sensitive data.
If an incident affecting unsecured PHI is confirmed, we work promptly with customers to support HIPAA Breach Notification Rule obligations and mitigation efforts.
Continuous Improvement
Healthcare security is constantly evolving. Practice Management continuously monitors changes in technology, threats, and regulatory guidance to strengthen our controls and maintain trust with our customers.
Contact & Transparency
We believe transparency builds trust.
For security documentation, due‑diligence requests, or privacy inquiries, please contact: