HIPAA Privacy & Security Policy

MD ALLY PRIVACY & SECURITY

January 1, 2026

1. PURPOSE

MD Ally is committed to protecting the privacy and security of patient information. This document provides an overview of how MD Ally safeguards protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and related regulations.

MD Ally implements administrative, technical, and operational safeguards designed to protect patient information while supporting the safe and effective delivery of healthcare services.

2. SCOPE

This policy applies to MD Ally’s handling of protected health information that is created, received, maintained, or transmitted through MD Ally systems and services. It reflects the standards and practices used across the organization to protect patient information and maintain compliance with applicable privacy and security regulations.

3. PRIVACY COMMITMENT

MD Ally recognizes the importance of protecting patient privacy. The organization maintains policies and operational practices designed to safeguard PHI from unauthorized use, disclosure, or access.

These protections support the confidentiality and integrity of patient information while allowing appropriate use of information to support healthcare operations.

MD Ally provides individuals with information about how their health information may be used and disclosed through its Notice of Privacy Practices available at:
https://www.mdally.com/privacy-terms/

This notice also explains individual rights related to their health information.

4. USE & DISCLOSURE OF PROTECTED HEALTH INFORMATION

MD Ally uses and discloses protected health information in accordance with HIPAA regulations and other applicable laws governing healthcare privacy and security.

PHI may be used or disclosed to support healthcare services and related operational activities. These activities may include:

• supporting the delivery, coordination, and management of healthcare services
• facilitating communication between healthcare providers, care coordinators, and other authorized participants involved in patient care
• healthcare operations such as quality improvement, program administration, and service evaluation
• payment-related activities when applicable
• activities permitted or required by law, including regulatory compliance or legal obligations

MD Ally may also share PHI with healthcare providers, partners, or service providers that assist in delivering healthcare services or supporting operational functions, when such sharing is permitted by HIPAA and subject to appropriate privacy protections.

When PHI is used or disclosed, MD Ally applies the HIPAA minimum necessary standard when appropriate. This means that information shared is limited to the amount reasonably necessary to accomplish the intended purpose of the use or disclosure.

5. DEFINITIONS

Protected Health Information (PHI)
Protected Health Information is individually identifiable health information that:

• identifies or could reasonably be used to identify an individual
• is created, received, maintained, or transmitted by a healthcare provider, health plan, healthcare clearinghouse, or business associate
• relates to an individual’s past, present, or future physical or mental health condition, the provision of healthcare to the individual, or payment for healthcare services

PHI may exist in several forms, including electronic records, written documentation, images, or verbal communications.

Business Associate
A Business Associate is a person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity in connection with services regulated by HIPAA.

Examples of business associate services may include:

• data processing or analytics
• quality assurance or program evaluation
• billing or payment support
• utilization review or operational services
• technology platforms that involve the handling of PHI

Business associates, and subcontractors that handle PHI on their behalf, are required to safeguard PHI in accordance with HIPAA requirements. MD Ally may enter into Business Associate Agreements with vendors or partners that access PHI to help establish appropriate privacy and security responsibilities.

6. SECURITY SAFEGUARDS

MD Ally maintains a security program designed to protect PHI through administrative, physical, and technical safeguards.

These safeguards are intended to help prevent unauthorized access, disclosure, alteration, or destruction of PHI while supporting secure operation of MD Ally services.

Security protections may include:

• role-based access controls that limit access to authorized personnel based on job responsibilities
• authentication and identity verification controls for system access
• encrypted transmission of sensitive information across networks
• secure storage of data within protected infrastructure environments
• monitoring of system activity and access logs
• infrastructure protections designed to detect or respond to potential security events

MD Ally systems operate within a HIPAA-compliant and SOC 2 audited infrastructure designed to support the secure handling of healthcare information.

Security controls are periodically evaluated as part of ongoing security and risk management activities intended to support protection of patient information handled through MD Ally systems.

7. WORKFORCE RESPONSIBILITIES

MD Ally workforce members play an important role in protecting the privacy and security of protected health information.

Employees, contractors, and other authorized personnel who may access PHI receive training related to privacy and security requirements. Training may include guidance on HIPAA standards, appropriate handling of patient information, proper use of MD Ally systems, and procedures for identifying and reporting potential privacy or security concerns.

Workforce members are expected to:

• access PHI only when necessary to perform assigned job responsibilities
• follow established policies governing the use and disclosure of patient information
• use approved systems and authentication controls when accessing MD Ally platforms
• protect the confidentiality of patient information during operational activities
• report suspected privacy incidents, security concerns, or unauthorized access through established internal reporting channels

Access to PHI is managed through role-based permissions intended to limit information access to authorized personnel who require it to perform their responsibilities.

MD Ally may periodically provide refresher training or operational guidance to reinforce workforce responsibilities related to privacy and security.

8. POLICY UPDATES

MD Ally monitors regulatory requirements and industry practices related to the protection of PHI. Privacy and security policies may be updated when necessary to maintain alignment with:

• changes in applicable laws or regulations
• guidance issued by regulatory agencies
• updates to MD Ally services, systems, or operational practices
• emerging risks related to data protection or cybersecurity

When policy updates occur, MD Ally may communicate changes internally and update related procedures as appropriate. Updates may also be reflected in MD Ally’s Notice of Privacy Practices when required by law.

Policy revisions support MD Ally’s efforts to maintain compliance with HIPAA and related privacy and security requirements while adapting to operational and technological changes.

9. POLICY MAINTENANCE & OVERSIGHT

MD Ally maintains governance processes intended to support oversight of privacy and security practices across the organization.

Responsibility for privacy and security oversight is assigned to designated leadership responsible for compliance, information security, and operational risk management. These functions support implementation of policies, monitoring of safeguards, and coordination of privacy and security activities.

Oversight activities may include:

• periodic review of privacy and security policies
• evaluation of administrative, technical, and physical safeguards
• monitoring of system access and operational activity logs
• coordination of incident response and investigation when needed
• review of vendor and business associate relationships that involve PHI

These oversight processes support MD Ally’s efforts to maintain compliance with applicable privacy and security requirements while protecting patient information handled through MD Ally systems and services.

10. ADDITIONAL INFORMATION

Questions regarding MD Ally’s privacy and security practices may be directed to MD Ally through the contact information provided in the Notice of Privacy Practices.

For additional information regarding how MD Ally handles protected health information, please refer to:
https://www.mdally.com/privacy-terms/