HIPAA Compliance & Privacy Policy.

ZIA is committed to protecting the privacy, security, and integrity of Protected Health Information ("PHI") and Electronic Protected Health Information ("ePHI") in accordance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Breach Notification Rule, and applicable updates, including modifications aligned with 42 CFR Part 2 where applicable.

As a Business Associate to Covered Entities, ZIA implements administrative, physical, and technical safeguards designed to ensure the confidentiality, integrity, and availability of PHI entrusted to us.

01

Scope of PHI handling

ZIA may access, receive, maintain, transmit, or process PHI in connection with:

• Operational support services
• Administrative or virtual workforce services
• Technology-enabled coordination or workflow management
• Client-directed healthcare administrative activities

PHI is not used or disclosed except as permitted or required by our Business Associate Agreements (BAAs) and applicable law.

02

Administrative safeguards

ZIA maintains documented policies and procedures that include:

• Annual HIPAA risk assessments and documented risk mitigation plans
• Workforce HIPAA training upon onboarding and annually thereafter
• Role-based access controls and least-privilege standards
• Documented incident response and breach notification protocols
• Vendor and subcontractor due diligence and compliance review

All workforce members are required to sign confidentiality agreements and acknowledge HIPAA compliance responsibilities.

03

Technical safeguards

In alignment with current regulatory guidance and evolving cybersecurity standards, ZIA implements:

• Multi-Factor Authentication (MFA) for systems containing ePHI
• Encryption of ePHI in transit and at rest
• Secure cloud-hosted environments that meet industry security standards
• Access logging and activity monitoring
• Routine vulnerability scanning and system updates
• Secure device management protocols

Security posture is continuously evaluated to remain aligned with regulatory updates and industry best practices.

04

Physical safeguards

Where applicable, ZIA maintains:

• Secure workstation standards
• Controlled access to devices containing ePHI
• Remote workforce security protocols
• Secure disposal and media sanitization procedures

05

Breach notification

In the event of a suspected or confirmed security incident involving PHI:

• A documented investigation is conducted.
• The Covered Entity is notified without unreasonable delay and in accordance with our BAA.
• ZIA cooperates in mitigation and regulatory reporting as required under HIPAA.

06

Patient rights and privacy practices

When applicable and directed by Covered Entity partners, ZIA supports:

• Access, amendment, and accounting of disclosure rights
• Restrictions on disclosure where required
• Compliance with applicable updates involving substance use disorder records under 42 CFR Part 2

For questions regarding individual rights, patients should contact their healthcare provider directly.

07

Compliance oversight

ZIA designates a Privacy and Security Officer responsible for:

• Oversight of HIPAA compliance
• Risk assessment review
• Incident management
• Policy updates

For compliance inquiries, please contact our Fractional Compliance Officer: