HIPAA Compliance

How LienLogix protects health information and maintains regulatory compliance.

HIPAA Compliant Platform

Last Updated: December 22, 2025

1. Our Commitment to HIPAA Compliance

LienLogix, operated by StaxxLogix, is committed to protecting the privacy and security of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations.

As a platform that processes medical lien documents containing PHI, we understand the critical importance of maintaining the highest standards of data protection and regulatory compliance.

2. HIPAA Overview

HIPAA establishes national standards for the protection of health information. The key rules relevant to our operations include:

  • Privacy Rule: Establishes standards for protecting individuals' medical records and personal health information.
  • Security Rule: Sets standards for protecting electronic PHI (ePHI) through administrative, physical, and technical safeguards.
  • Breach Notification Rule: Requires notification following a breach of unsecured PHI.

3. Business Associate Agreement (BAA)

LienLogix operates as a Business Associate under HIPAA. We enter into Business Associate Agreements (BAAs) with our customers who are Covered Entities or other Business Associates.

Our BAA outlines:

  • Permitted uses and disclosures of PHI
  • Safeguards we implement to protect PHI
  • Breach notification procedures
  • Subcontractor requirements
  • Return or destruction of PHI upon termination

To request a BAA, please contact us at sales@staxxlogix.com.

4. Administrative Safeguards

We implement comprehensive administrative safeguards including:

  • Security Officer: Designated security officer responsible for developing and implementing security policies.
  • Workforce Training: All employees receive HIPAA awareness training and ongoing education.
  • Access Management: Formal procedures for granting, modifying, and revoking access to PHI.
  • Security Policies: Comprehensive written policies and procedures addressing all aspects of PHI protection.
  • Risk Assessment: Regular risk assessments to identify and address potential vulnerabilities.
  • Incident Response: Documented procedures for responding to and reporting security incidents.
  • Contingency Planning: Data backup, disaster recovery, and emergency mode operation plans.

5. Physical Safeguards

Our physical safeguards protect the systems and facilities that store and process PHI:

  • Cloud Infrastructure: Data hosted on Google Cloud Platform, which maintains SOC 2 Type II, ISO 27001, and HIPAA compliance.
  • Data Center Security: GCP data centers feature 24/7 security, biometric access, and environmental controls.
  • Workstation Security: Policies governing the use and security of workstations accessing PHI.
  • Device Controls: Procedures for hardware disposal and media re-use that ensure PHI is properly destroyed.

6. Technical Safeguards

Encryption

AES-256 encryption at rest and TLS 1.3 in transit for all PHI.

Access Control

Role-based access with unique user IDs and automatic session timeouts.

Audit Logging

Comprehensive logging of all access to and modifications of PHI.

Integrity Controls

Mechanisms to ensure PHI is not improperly altered or destroyed.

Transmission Security

Secure protocols for all data transmission including SFTP for providers.

Authentication

Strong password policies and support for multi-factor authentication.

7. Data Processing and AI

Our AI document processing (powered by Google Document AI) is designed with HIPAA compliance in mind:

  • Google Document AI is covered under Google Cloud's BAA
  • Documents are processed securely within the Google Cloud environment
  • Extracted data is encrypted and stored in compliance with HIPAA requirements
  • No PHI is used for training AI models
  • Processing logs are maintained for audit purposes

8. Subcontractors and Third Parties

We maintain appropriate agreements with all subcontractors who may access PHI:

  • Google Cloud Platform: BAA in place for cloud infrastructure and Document AI services.
  • All Subcontractors: Required to agree to the same restrictions and conditions that apply to us regarding PHI.

9. Breach Notification

In the event of a breach of unsecured PHI, we will:

  • Notify affected customers without unreasonable delay (no later than 60 days after discovery)
  • Provide information about the nature of the breach and types of information involved
  • Describe steps individuals can take to protect themselves
  • Detail what we are doing to investigate and mitigate the breach
  • Provide contact information for questions

10. Your Responsibilities

As a customer using LienLogix, you also have HIPAA obligations:

  • Enter into a BAA with LienLogix before processing PHI
  • Ensure you have proper authorization to process PHI through our platform
  • Train your workforce on HIPAA requirements
  • Report any suspected security incidents to us promptly
  • Maintain appropriate access controls for your users
  • Use the security features we provide (strong passwords, role-based access)

11. Minimum Necessary Standard

We adhere to the HIPAA minimum necessary standard, limiting access to and disclosure of PHI to the minimum necessary to accomplish the intended purpose. Our role-based access control system supports this by ensuring users only access the PHI needed for their specific functions.

12. Patient Rights

We support our customers in fulfilling patient rights under HIPAA, including:

  • Right to access their PHI
  • Right to request amendments to their PHI
  • Right to an accounting of disclosures
  • Right to request restrictions on uses and disclosures

13. Contact Us

For questions about our HIPAA compliance program, to request a BAA, or to report a security concern: