Compliance

HIPAA Compliance Statement

Effective Date: January 1, 2025  ·  Last Updated: January 1, 2025  ·  Company: Desired State IT LLC

Desired State IT LLC understands that our clients are healthcare providers operating under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This statement explains how we approach HIPAA compliance in our service delivery — what we protect, how we protect it, and what your obligations are as a covered entity entering a service relationship with us.

This marketing website does not collect or process Protected Health Information (PHI). HIPAA obligations apply exclusively to the service environments we build and manage for each client, governed by a signed Business Associate Agreement (BAA) prior to any engagement involving access to patient data.

1. Our Role as a Business Associate

Under HIPAA, Desired State IT LLC operates as a Business Associate (BA) to our healthcare provider clients. As a Business Associate, we:

  • Sign a Business Associate Agreement (BAA) with each client before any work involving PHI begins
  • Use and disclose PHI only as permitted under the signed BAA and applicable law
  • Implement appropriate administrative, physical, and technical safeguards to protect PHI
  • Report any security incidents or breaches to the covered entity as required by HIPAA
  • Ensure that any subcontractors or vendors who access PHI on our behalf also execute their own BAAs

Clients (covered entities) are responsible for their own HIPAA compliance obligations, including maintaining their own policies and procedures, training their workforce, and ensuring their own systems meet HIPAA requirements. Nothing in this statement constitutes legal advice. Clinics should consult qualified HIPAA legal counsel to assess their specific obligations.

2. PHI Boundary Architecture

Our service architecture is designed so that Protected Health Information remains within a controlled, HIPAA-eligible infrastructure boundary at all times:

  • Google Cloud Platform (GCP) — all PHI processed by the Clinic Insight Manager (CIM) and related analytics services resides within client-dedicated GCP environments. Google Cloud Platform supports HIPAA compliance and we execute a BAA with Google for covered workloads.
  • Data de-identification at the boundary — when patient data is passed to external AI or communication services, it is de-identified using hashing (HMAC-SHA256) or tokenization before leaving the GCP environment. PHI in its raw form does not cross into non-BAA-covered services.
  • Communication tools — SMS communications are delivered via Twilio, which offers a HIPAA BAA on eligible plans. Transactional email is delivered via Postmark, which includes a BAA. Marketing-only email campaigns that do not contain PHI may use tools without a BAA, such as Klaviyo, with zero-PHI content only.
  • GoHighLevel (GHL) — client sub-accounts operate under our agency-level BAA with GoHighLevel. PHI transmitted through GHL is limited to the minimum necessary information required for the automation use case (e.g., first name and appointment time — not diagnosis or treatment information).
  • AI / Claude API — the Anthropic Claude API used in the Clinic Insight Manager operates on de-identified, aggregated data only. Raw PHI is never transmitted to the Claude API. Queries and responses are structured so that no patient identity can be reconstructed from the data passed.

3. Business Associate Agreements — Subcontractor Register

Desired State IT maintains BAAs with the following subcontractors who may handle PHI as part of our service delivery:

Vendor                    Role                                            BAA Status
Google Cloud Platform     Data warehouse, compute, storage (CIM)          BAA in place
GoHighLevel (GHL)         CRM, automation, communication workflows        BAA in place
Twilio                    SMS delivery                                    BAA available on eligible plans
Postmark                  Transactional email delivery                    BAA included
Anthropic (Claude API)    AI analytics agent (de-identified data only)    Zero-PHI architecture — BAA not required

This register is subject to change as our vendor relationships evolve. Clients will be notified of material changes to subcontractors handling PHI.

4. Minimum Necessary Standard

We design all automations and data flows according to HIPAA's minimum necessary standard. Communication workflows triggered by EHR events (such as appointment reminders and cancellation recovery sequences) receive only the data required for that specific communication — typically: patient first name, appointment date and time, and a booking or scheduling URL. Treatment information, diagnosis codes, medication details, and other sensitive clinical data are never included in outbound communications through non-PHI-designated channels.

5. This Website Is Not a Covered System

The ClinicFlow marketing website (clinicflow.desiredstateit.com) is a public-facing informational resource. It is not a covered system under HIPAA. It does not:

  • Accept, store, or process any Protected Health Information
  • Connect to any EHR, clinical database, or patient record system
  • Serve as a patient portal or intake system

Do not submit any patient information, medical records, or PHI through any form on this website.

6. Client Obligations

As covered entities, our clients retain the following responsibilities:

  • Executing a signed BAA with Desired State IT before sharing any PHI or granting access to systems containing PHI
  • Maintaining their own HIPAA compliance policies, workforce training, and risk assessments
  • Ensuring their EHR vendor (e.g., Optimantra) and other clinical systems are configured in compliance with HIPAA
  • Notifying Desired State IT promptly of any known or suspected security incidents involving shared systems
  • Independently verifying that their use of ClinicFlow products meets their own legal and compliance obligations

7. Security Practices

Our client service environments implement the following security controls as part of our HIPAA technical safeguard posture:

  • Encryption in transit (TLS 1.2+) and at rest for all PHI-adjacent data stores
  • Role-based access controls (RBAC) at the GCP project level, with least-privilege service accounts
  • Audit logging via Google Cloud Audit Logs for all data access events
  • Secret management via Google Secret Manager for all credentials and API keys
  • Separate GCP projects per client to ensure data isolation
  • HMAC-SHA256 hashing of patient identifiers at data ingestion boundaries
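The boundary controls described in sections 2, 4 and 7 (keyed HMAC-SHA256 pseudonymization of patient identifiers, a per-use-case minimum-necessary field set, and re-joining external responses inside the boundary) can be illustrated with a small Python model. The code below is an added example written for this page; it is not code from Desired State IT, the Clinic Insight Manager or ClinicFlow. The use-case names, field names, the BoundaryVault class, the sample record and the demo key are all constructed for the example; in a real deployment the key would come from the secret store the statement names (Google Secret Manager) rather than a literal.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Per-use-case allow-lists of fields that may leave the PHI boundary.
# The appointment_reminder set mirrors the statement's "minimum necessary"
# example (first name, appointment date/time, booking URL); the use-case
# names and field names are constructed for this example.
MINIMUM_NECESSARY: Dict[str, Tuple[str, ...]] = {
    "appointment_reminder": ("first_name", "appointment_time", "booking_url"),
    "cancellation_recovery": ("first_name", "booking_url"),
}

# Clinical or directly identifying fields that must never be emitted,
# regardless of what an allow-list says (defence in depth against a
# misconfigured allow-list). Field names are constructed.
NEVER_EXPORT = ("patient_id", "diagnosis", "diagnosis_codes", "medications",
                "treatment_notes", "dob", "ssn", "mrn")


def pseudonymize_id(patient_id: str, key: bytes) -> str:
    """Deterministic keyed pseudonym for a patient identifier.

    HMAC-SHA256 rather than a bare SHA-256: a party that sees only the
    output cannot confirm a guessed identifier by recomputing the hash,
    because it does not hold the key. Same key + same id -> same pseudonym,
    which lets records from an external service be correlated without
    exposing the identifier itself.
    """
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()


class BoundaryVault:
    """Token map that stays inside the GCP boundary (constructed helper).

    Outbound messages carry only the pseudonym; responses that come back
    (delivery receipts, analytics results) are re-joined to the patient
    record here, so re-identification never needs the external service.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._tokens: Dict[str, str] = {}

    def issue(self, patient_id: str) -> str:
        token = pseudonymize_id(patient_id, self._key)
        self._tokens[token] = patient_id
        return token

    def resolve(self, token: str) -> str:
        return self._tokens[token]  # KeyError for tokens we never issued


def build_outbound_payload(record: dict, use_case: str, vault: BoundaryVault) -> dict:
    """Project a record down to the minimum-necessary fields for one
    communication use case and replace the identifier with a token."""
    if use_case not in MINIMUM_NECESSARY:
        raise ValueError(f"no allow-list for use case {use_case!r}; refusing to export")
    payload = {f: record[f] for f in MINIMUM_NECESSARY[use_case] if f in record}
    payload["subject_ref"] = vault.issue(record["patient_id"])
    leaked = [f for f in NEVER_EXPORT if f in payload]
    if leaked:
        raise ValueError(f"blocked fields reached the boundary: {leaked}")
    return payload


def constructed_demo() -> dict:
    # Constructed sample record and key; a deployment would fetch the key
    # from Google Secret Manager instead of embedding it.
    key = b"constructed-demo-key-not-for-production"
    record = {
        "patient_id": "P-1001",
        "first_name": "Ana",
        "appointment_time": "2025-02-03T09:30",
        "booking_url": "https://clinic.example/book/abc123",
        "diagnosis": "J06.9",  # clinical field: must not leave the boundary
    }
    vault = BoundaryVault(key)
    outbound = build_outbound_payload(record, "appointment_reminder", vault)
    # Simulate a delivery receipt coming back and re-joining it inside the boundary.
    rejoined_id = vault.resolve(outbound["subject_ref"])
    return {"outbound": outbound, "rejoined_id": rejoined_id}


if __name__ == "__main__":
    print(constructed_demo())
```

Two design points worth noting. The export path fails closed: an unknown use case has no allow-list and is refused rather than defaulting to "send everything", and the NEVER_EXPORT check runs after projection so that a mistakenly broadened allow-list still cannot push a clinical field out. The vault is the tokenization half of the statement's "hashing or tokenization": the pseudonym is all an external service ever sees, and the mapping back to the record lives only in the BAA-covered environment.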

8. Breach Notification

In the event of a security incident involving PHI, Desired State IT will notify the affected covered entity without unreasonable delay and no later than 60 days after discovery of the breach, as required by the HIPAA Breach Notification Rule. Notification will include the information required under 45 CFR §164.410.

9. Contact

For questions about our HIPAA compliance posture, BAA requests, or security practices, contact us:

Desired State IT LLC
Email: hello@desiredstateit.com
Website: desiredstateit.com
Las Vegas, Nevada, USA

Legal Disclaimer: This statement describes our general compliance posture and technical architecture. It does not constitute legal advice. Covered entities should consult qualified HIPAA legal counsel to assess their specific compliance obligations before entering into any service relationship involving PHI.