We Are HIPAA Compliant
At Crystal Voxx LTD, protecting your health information is a top priority. As a HIPAA-compliant medical billing and coding company, we strictly adhere to the Health Insurance Portability and Accountability Act (HIPAA) to safeguard all patient and client data. As a HIPAA Business Associate, we are committed to ensuring the privacy, integrity, and security of all protected health information (PHI) entrusted to us.
Our compliance practices go beyond basic requirements, incorporating robust physical, administrative, and technical safeguards. We also provide ongoing training to our staff to keep them up to date with the latest HIPAA regulations.
How Crystal Voxx LTD Ensures HIPAA Compliance
To maintain a secure and compliant environment, our services are structured with the following key protocols:
By choosing Crystal Voxx LTD, you are partnering with a team that values your trust and protects your data with the utmost care and compliance. We are committed to upholding the highest standards of data security and regulatory adherence.
1. Facility Access Controls
We implement strict physical access controls to protect systems and data from unauthorized access:
Access to our facility is regulated using biometric systems and RFID access cards.
Security personnel are present 24/7 to monitor and restrict unauthorized entry.
Sensitive areas like server rooms are accessible only to pre-authorized personnel.
Visitors are allowed only under supervision and must sign in and out.
2. Workstation Use and Controls
We follow strict protocols governing the use of workstations to prevent unauthorized data exposure:
Workstations automatically lock after periods of inactivity.
Usage policies restrict access to approved applications and systems only.
Employees are trained not to leave PHI visible or accessible when unattended.
Work areas are arranged to ensure screens are not visible to unauthorized individuals.
3. Device and Media Control
We maintain complete control over the use and movement of electronic devices and storage media:
Only authorized personnel can use external storage devices such as USB drives.
All media containing PHI are encrypted and tracked.
Media disposal procedures include secure wiping or physical destruction of drives.
Portable devices (laptops, tablets) are secured with encryption and tracking software.
4. Data Encryption
Data security is central to our operations:
All sensitive data is encrypted in transit and at rest using industry-standard algorithms and protocols such as AES-256.
Email communications containing PHI are encrypted using secure mail gateways.
Encrypted VPN connections are used for remote access by authorized staff.
5. User Authentication
We employ multi-layered authentication to verify user identities:
Unique user IDs and complex passwords are assigned to each employee.
Two-factor authentication (2FA) is required for accessing critical systems.
Login credentials are monitored, and access is revoked immediately upon employee termination or role change.
6. Audit Controls
Comprehensive audit trails are maintained for all systems handling PHI:
Logs capture access times, user identities, and actions performed.
Logs are regularly reviewed by our compliance and IT teams.
Anomalies or unauthorized access attempts are flagged and investigated immediately.
We retain audit data for a specified period in compliance with HIPAA guidelines.
7. Training Programs
We conduct regular training to ensure all team members understand and follow HIPAA rules:
Mandatory HIPAA training is provided during onboarding and annually refreshed.
Specialized sessions are held on topics such as data security, phishing awareness, and emergency procedures.
Training completion is documented and monitored as part of our compliance tracking system.
8. Breach Notification Policy
In the event of a data breach, we have a clear, compliant response plan:
Breaches are immediately reported to our HIPAA Compliance Officer.
A thorough investigation is conducted to determine the scope and cause.
Affected parties are notified in accordance with HIPAA Breach Notification Rule timelines.
Corrective measures are taken to prevent recurrence, and the incident is documented.