HIPAA Notice of Privacy Practices

Last updated: January 1, 2025 · eKlotho Inc.

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Our Role Under HIPAA

eKlotho Inc. operates as a HIPAA Business Associate. We process Protected Health Information (PHI) on behalf of Covered Entities — including Independent Practice Associations (IPAs), Accountable Care Organizations (ACOs), and Health Plans — under the terms of executed Business Associate Agreements (BAAs). We do not independently qualify as a Covered Entity under HIPAA.

The PHI we handle includes member demographics, claims data, clinical records, credentialing information, and authorization records, processed solely to provide contracted administrative services to our Covered Entity clients.

Permitted Uses and Disclosures

As a Business Associate, we use and disclose PHI only as permitted by our BAAs and HIPAA regulations, including:

  • Treatment: Facilitating care coordination, utilization management, and clinical authorization workflows for providers.
  • Payment: Processing claims, adjudication support, and billing operations on behalf of contracted payers and providers.
  • Healthcare Operations: Quality reporting, HEDIS/STARS measure tracking, delegation oversight, credentialing, and compliance activities.
  • Required by Law: Disclosures to public health authorities, law enforcement, or government oversight bodies as required by applicable law.
  • Business Associate Activities: Activities necessary to perform services under our agreements, including subcontractors bound by equivalent privacy protections.

Safeguards We Maintain

We implement HIPAA-required administrative, physical, and technical safeguards to protect PHI:

Administrative

  • HIPAA training for all personnel
  • Workforce access policies
  • Incident response procedures
  • BAA management program

Physical

  • AWS GovCloud-aligned infrastructure
  • Restricted data center access
  • Workstation use policies
  • Media disposal protocols

Technical

  • TLS 1.3 encryption in transit
  • AES-256 encryption at rest
  • Role-based access control
  • Automated audit logging

Individual Rights

HIPAA grants individuals rights with respect to their PHI. Because eKlotho acts as a Business Associate, most rights are exercised through the Covered Entity (your health plan or provider organization). These rights include:

  • Right to access and receive a copy of your health records
  • Right to request corrections to inaccurate or incomplete information
  • Right to receive an accounting of disclosures of your PHI
  • Right to request restrictions on certain uses and disclosures
  • Right to receive communications by alternative means or locations
  • Right to receive a paper copy of the applicable Notice of Privacy Practices

To exercise these rights, contact the relevant Covered Entity directly. If you believe your privacy rights have been violated, you may file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr/privacy.

Breach Notification

In the event of a breach of unsecured PHI, eKlotho will notify affected Covered Entities promptly and in accordance with the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414) and our BAA obligations. Covered Entities are responsible for notifying affected individuals and, where required, the Secretary of HHS.

Retention

PHI is retained for the periods required by applicable law and our BAAs, generally no less than six (6) years from the date of creation or the date it was last in effect, whichever is later. Upon termination of a BAA, PHI is returned or destroyed as required by the agreement.

Changes to This Notice

eKlotho reserves the right to modify this Notice. Changes will be posted on this page with an updated effective date. Material changes will be communicated to Covered Entities per BAA terms.

Contact — Privacy Officer

eKlotho Inc. — HIPAA Privacy Officer

hipaa@eklotho.com
