HIPAA Compliance Statement
Desired State IT LLC understands that our clients are healthcare providers operating under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This statement explains how we approach HIPAA compliance in our service delivery — what we protect, how we protect it, and what your obligations are as a covered entity entering a service relationship with us.
1. Our Role as a Business Associate
Under HIPAA, Desired State IT LLC operates as a Business Associate (BA) to our healthcare provider clients. As a Business Associate, we:
- Sign a Business Associate Agreement (BAA) with each client before any work involving PHI begins
- Use and disclose PHI only as permitted under the signed BAA and applicable law
- Implement appropriate administrative, physical, and technical safeguards to protect PHI
- Report any security incidents or breaches to the covered entity as required by HIPAA
- Ensure that any subcontractors or vendors who access PHI on our behalf also execute their own BAAs
Clients (covered entities) are responsible for their own HIPAA compliance obligations, including maintaining their own policies and procedures, training their workforce, and ensuring their own systems meet HIPAA requirements. Nothing in this statement constitutes legal advice. Clinics should consult qualified HIPAA legal counsel to assess their specific obligations.
2. PHI Boundary Architecture
Our service architecture is designed so that Protected Health Information remains within a controlled, HIPAA-eligible infrastructure boundary at all times:
- HIPAA-eligible cloud infrastructure — all PHI processed by the Clinic Insight Manager (CIM) and related analytics services resides within client-dedicated environments hosted on a HIPAA-eligible cloud provider with a signed BAA covering the relevant workloads.
- Data de-identification at the boundary — when patient data is passed to external AI or communication services, it is de-identified using hashing (HMAC-SHA256) or tokenization before leaving the covered environment. PHI in its raw form does not cross into non-BAA-covered services.
- Communication services — SMS and transactional email are delivered through HIPAA-eligible communication providers operating under signed BAAs. Marketing-only email campaigns that do not contain PHI may use non-BAA-covered tools with zero-PHI content only.
- CRM and workflow platform — client workspaces operate under an agency-level BAA with the underlying CRM platform. PHI transmitted through the CRM platform is limited to the minimum necessary information required for the automation use case (e.g., first name and appointment time — not diagnosis or treatment information).
- AI analytics — the AI services used by the Clinic Insight Manager operate on de-identified, aggregated data only. Raw PHI is never transmitted to external AI services. Queries and responses are structured so that no patient identity can be reconstructed from the data passed.
3. Business Associate Agreements — Subcontractor Register
Desired State IT maintains BAAs with all subcontractors who may handle PHI as part of service delivery, organized by functional category:
| Category | Role | BAA Status |
|---|---|---|
| HIPAA-eligible cloud provider | Data warehouse, compute, storage (CIM) | BAA in place |
| CRM and workflow platform | CRM, automation, communication workflows | BAA in place |
| SMS gateway | SMS delivery | BAA in place |
| Transactional email provider | Transactional email delivery | BAA in place |
| AI analytics provider | AI analytics agent (de-identified data only) | Zero-PHI architecture — BAA not required |
The complete subcontractor register — including vendor identities, BAA effective dates, and service descriptions — is provided to each client as part of the BAA execution process and updated whenever vendor relationships change. Material changes to subcontractors handling PHI are communicated to active clients in advance.
4. Minimum Necessary Standard
We design all automations and data flows according to HIPAA's minimum necessary standard. Communication workflows triggered by EHR events (such as appointment reminders and cancellation recovery sequences) receive only the data required for that specific communication — typically: patient first name, appointment date and time, and a booking or scheduling URL. Treatment information, diagnosis codes, medication details, and other sensitive clinical data are never included in outbound communications through non-PHI-designated channels.
5. This Website Is Not a Covered System
The ClinicFlow marketing website (clinicflow.desiredstateit.com) is a public-facing informational resource. It is not a covered system under HIPAA. It does not:
- Accept, store, or process any Protected Health Information
- Connect to any EHR, clinical database, or patient record system
- Serve as a patient portal or intake system
The website does use standard web analytics (Google Analytics 4) and collects ordinary business contact details through its lead and strategy-call forms. This is prospective-client information, not patient data — no Protected Health Information is involved. See our Privacy Policy for how that information is handled.
Do not submit any patient information, medical records, or PHI through any form on this website.
6. Client Obligations
As covered entities, our clients retain the following responsibilities:
- Executing a signed BAA with Desired State IT before sharing any PHI or granting access to systems containing PHI
- Maintaining their own HIPAA compliance policies, workforce training, and risk assessments
- Ensuring their EHR vendor and other clinical systems are configured in compliance with HIPAA
- Notifying Desired State IT promptly of any known or suspected security incidents involving shared systems
- Independently verifying that their use of ClinicFlow products meets their own legal and compliance obligations
7. Security Practices
Our client service environments implement the following security controls as part of our HIPAA technical safeguard posture:
- Encryption in transit (TLS 1.2+) and at rest for all PHI-adjacent data stores
- Role-based access controls (RBAC) at the GCP project level, with least-privilege service accounts
- Audit logging via Google Cloud Audit Logs for all data access events
- Secret management via Google Secret Manager for all credentials and API keys
- Separate GCP projects per client to ensure data isolation
- HMAC-SHA256 hashing of patient identifiers at data ingestion boundaries
8. Breach Notification
In the event of a security incident involving PHI, Desired State IT will notify the affected covered entity without unreasonable delay and no later than 60 days after discovery of the breach, as required by the HIPAA Breach Notification Rule. Notification will include the information required under 45 CFR §164.410.
9. Contact
For questions about our HIPAA compliance posture, BAA requests, or security practices, contact us:
Desired State IT LLC
Email: hello@desiredstateit.com
Website: desiredstateit.com
Las Vegas, Nevada, USA