HIPAA COMPLIANCE

Our Commitment to HIPAA Compliance

This page describes our organizational compliance program. For your individual rights and how your information may be used, see the HIPAA Notice of Privacy Practices at /privacy/hipaa-notice.

Aperion Health is committed to full compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and all applicable federal and state privacy and security regulations.

As a healthcare navigation and spend optimization company, we routinely handle Protected Health Information (PHI). Safeguarding that information is foundational to how we operate, build technology, and serve our members.

Our HIPAA Compliance Program

Aperion Health maintains a comprehensive, documented compliance program aligned with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

The program is overseen by designated Privacy and Security Officers and is reviewed and updated regularly to reflect changes in regulation, technology, and our services.

Administrative Safeguards

Administrative safeguards are the policies, procedures, and oversight that govern how our workforce protects PHI.

Physical Safeguards

Physical safeguards protect the systems, equipment, and facilities that store or process PHI from unauthorized physical access, tampering, and theft.

Technical Safeguards

Technical safeguards are the technology controls that protect PHI and govern access to it within our systems.

Minimum Necessary Standard

We apply the HIPAA "minimum necessary" standard: workforce members and systems are granted access only to the PHI required to perform a specific function.

Reporting provided to employers and plan sponsors is aggregated or de-identified so that individual PHI is not disclosed without authorization or a permitted legal basis.

Business Associates & Vendors

We never sell PHI. Vendors handling PHI are contractually bound to HIPAA-equivalent safeguards.

When a vendor or partner creates, receives, maintains, or transmits PHI on our behalf, we require a Business Associate Agreement (BAA) before any PHI is shared.

Workforce Training & Accountability

Every workforce member with access to PHI completes privacy and security training and acknowledges our policies.

Violations of HIPAA policies are subject to a documented sanction process, up to and including termination and, where applicable, referral to authorities.

Risk Analysis & Ongoing Monitoring

We conduct periodic risk analyses to identify potential vulnerabilities to the confidentiality, integrity, and availability of PHI, and we implement risk management measures to address identified risks.

Security monitoring, assessments, and program reviews are performed on an ongoing basis as part of continuous improvement.

Incident Response & Breach Notification

Aperion Health maintains an incident response process to detect, contain, investigate, and remediate security incidents involving PHI.

In the event of a breach of unsecured PHI, we follow the HIPAA Breach Notification Rule, including notifying affected individuals, the U.S. Department of Health and Human Services (HHS), and, where required, the media within the timeframes set by law.

Your Rights as a Member

HIPAA gives you specific rights regarding your health information. These rights, and how to exercise them, are described in detail in our HIPAA Notice of Privacy Practices.

Reporting a Concern or Complaint

No retaliation: You will not be penalized or retaliated against for raising a concern or filing a complaint.

If you believe your health information has been handled improperly, or you have a question about our compliance program, contact the Aperion Health Privacy Officer. You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR).

Contact Our Privacy Officer

Questions about our HIPAA compliance program can be directed to the Aperion Health Privacy Officer.