DefendMyRep
Take the 90-sec Audit Book Strategy Call
Legal · Updated 2026-05-24

HIPAA Compliance

DefendMyRep operates HIPAA-aligned engagement protocols for healthcare practices, hospital systems, behavioral health providers, and medical-device manufacturers. We are not a Covered Entity, but we operate as a Business Associate when engaged by Covered Entities, and we sign Business Associate Agreements (BAAs) as part of every healthcare engagement.

1. Business Associate Agreement

We sign a BAA before any work begins for a Covered Entity. The BAA includes the standard HIPAA-required terms: permitted uses and disclosures, safeguard obligations, breach notification, and termination provisions. Our standard BAA template is available on request to executive contacts via intel@defendmyrep.com.

2. Protected Health Information (PHI)

We do not seek, request, or store PHI in the course of reputation defense work. Engagement materials, review responses, and SERP analysis routinely involve information about a practice's reputation — not patient records. If a client inadvertently shares PHI in an engagement artifact (e.g., a screenshot containing a patient name), we redact and securely destroy the original.

3. Administrative safeguards

  • Annual HIPAA awareness training for all personnel with potential PHI exposure
  • Documented sanction policy for HIPAA violations
  • Designated HIPAA Security Officer (engagement director)
  • Written incident response plan with 60-day breach notification window
  • Annual risk analysis

4. Physical safeguards

  • Remote-first team with documented workstation security policies
  • No PHI stored on local devices; encrypted-at-rest storage only
  • Document destruction policy with audit trail

5. Technical safeguards

  • AES-256 encryption at rest, TLS 1.3 in transit
  • Role-based access control with audit logging
  • Multi-factor authentication on all admin accounts
  • Quarterly access reviews
  • Centralized identity provider with SAML 2.0 / OIDC

6. Breach notification

In the event of a breach of unsecured PHI, we will notify the affected Covered Entity within 60 days of discovery, with sufficient detail to permit the Covered Entity to fulfill its own notification obligations under 45 CFR § 164.410.

7. Subcontractors

Any subcontractor with potential PHI exposure (e.g., a media-monitoring vendor) signs a downstream BAA before engagement.

8. Audit & inspection

Covered Entities engaging DefendMyRep may audit our HIPAA compliance posture upon 30 days' written notice. We make commercially reasonable accommodations for HHS-OCR investigations of Covered Entity clients.

9. Contact

HIPAA Security Officer: intel@defendmyrep.com (subject: "HIPAA Inquiry")