Enterprise-Grade HIPAA Compliance
Vera RCM maintains the highest standards of data security and regulatory compliance. Your patient data is protected by industry-leading encryption, independently audited infrastructure with strict access controls, and rigorous security practices.
Last updated: January 1, 2026
Our Commitment to HIPAA
At Vera RCM, protecting patient privacy and the security of sensitive healthcare data is not just a compliance requirement—it is fundamental to our mission. We understand the critical importance of maintaining the confidentiality, integrity, and availability of protected health information (PHI). Every system, process, and policy we implement is designed with security and privacy at its core.
Our HIPAA compliance program encompasses administrative, physical, and technical safeguards designed to meet and build upon regulatory requirements. We conduct regular audits, maintain detailed documentation, and continuously improve our security posture to protect your patients and your practice.
Administrative Safeguards
We maintain administrative controls that establish the framework for security and privacy compliance across the organization. Our security management process includes:
- Security Management — Systematic identification, analysis, and mitigation of security risks to PHI
- Designated Security Officer — Executive-level oversight of all security and compliance initiatives
- Information Access Management — Role-based access controls ensuring employees only access data needed for their job duties
- Security Awareness Training — Mandatory annual training for all staff members on HIPAA privacy and security obligations
- Sanction Policy — Documented procedures for addressing violations of security policies
Physical Safeguards
We implement rigorous physical controls to protect our computing infrastructure and the servers that store and process patient data. Our physical security measures include:
- Facility Access Controls — 24/7 biometric access, visitor logs, and surveillance systems at all data centers
- Workstation Security — Encrypted laptops, automatic screen locks, and endpoint protection for all company devices
- Environmental Controls — Climate control, fire suppression, and emergency power systems to maintain infrastructure integrity
- Secure Disposal — Certified destruction procedures for all media containing PHI
Technical Safeguards
We deploy advanced technical security measures to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI). Our technical safeguards include:
- Data Encryption — All data in transit uses TLS 1.2+ and all data at rest uses AES-256 encryption
- Access Controls — Multi-factor authentication, role-based access control (RBAC), and password policies enforced across all systems
- Activity Monitoring — Full access tracking for all PHI interactions with immutable records retained for compliance review
- Intrusion Detection — Advanced monitoring systems detect and alert on suspicious activity in real time
- Regular Updates — All systems receive timely security patches and vulnerability remediation
Business Associate Agreements
We understand that healthcare providers have a legal obligation to ensure that their business associates maintain appropriate safeguards for PHI. Vera RCM maintains executed Business Associate Agreements (BAAs) with all clients. Our BAA clearly defines our responsibilities and obligations under HIPAA, including:
- Permitted uses and disclosures of PHI
- Requirements for safeguarding PHI
- Obligations regarding breach notification and mitigation
- Limitations on subcontractor use and management
- Termination provisions and return or destruction of PHI
Breach Notification
In the unlikely event of a breach of unsecured PHI, Vera RCM is committed to responding quickly and transparently. Our breach response procedures include:
- Immediate Detection — Security monitoring systems continuously scan for anomalous activity
- Rapid Response — A dedicated incident response team engages to contain and investigate any potential breach
- Risk Assessment — Thorough analysis to determine whether notification is required under HIPAA rules
- Timely Notification — Notification to affected individuals, regulatory agencies, and media within 60 days, as required by law
Employee Training
Our team members understand that they are the first line of defense in protecting patient data. All Vera RCM employees receive thorough training on HIPAA compliance, including:
- HIPAA privacy and security rules and their application
- Vera RCM security policies and procedures
- Phishing awareness and social engineering defense
- Proper handling, storage, and disposal of PHI
- Breach reporting procedures
Training is provided annually and upon hire, with supplemental training offered throughout the year for new threats and updates to policies.
Data Encryption
Encryption is a cornerstone of our technical security strategy. We implement industry-standard encryption protocols to protect data both in transit and at rest:
- In Transit: All data transmitted between clients and our systems uses TLS 1.2 or higher, ensuring full encryption and protection from interception
- At Rest: All PHI stored in our systems uses AES-256 encryption, the federal standard for protecting classified information
- Key Management: Encryption keys are generated, stored, and managed securely with restricted access and regular rotation
Access Controls
We maintain strict access controls to ensure that only authorized personnel can access PHI. Our access control strategy includes:
- Multi-Factor Authentication — All users must authenticate with something they know (password) and something they have (authenticator app or security key)
- Role-Based Access Control — Users are granted access only to the minimum data necessary to perform their job functions
- Regular Access Reviews — Quarterly reviews of user access permissions to identify and remediate inappropriate access
- Immediate Deprovisioning — Access is immediately revoked upon employee termination or role change
Audit Logging
Detailed event logging enables us to monitor all access to PHI and investigate any suspicious activity. Our logging capabilities include:
- Complete Coverage — All access to PHI is logged, including reads, modifications, deletions, and exports
- Immutable Records — Logs are protected from tampering and deletion, ensuring audit trail integrity
- Long-Term Retention — All records are retained for a minimum of six years per HIPAA requirements
- Real-Time Monitoring — Automated systems monitor logs in real time to detect suspicious patterns and anomalies
Hosting & Infrastructure
Our infrastructure is built on a foundation of security, reliability, and compliance. Vera RCM uses enterprise-grade hosting services to ensure the highest level of data protection:
- Equinix Data Centers — We host our infrastructure on Equinix IBX platforms, which provide world-class security, redundancy, and compliance certifications
- High Availability — Our systems are designed for 99.9% uptime with automatic failover and disaster recovery capabilities
- SOC 2 Type II Compliance — Independent verification of physical and environmental security controls across all hosting facilities
- Geographic Redundancy — Data is replicated across multiple secure data center locations to ensure availability and disaster recovery
- Backup and Recovery — Daily backups with regular testing ensure rapid recovery from any potential data loss incident
- Exclusive Database Isolation — Each client receives their own dedicated Vera RCM database instance, ensuring complete data separation with no commingling between practices
Contact Our Compliance Team
If you have questions about our HIPAA compliance practices or need to report a security concern, please reach out to our dedicated compliance team. We take all inquiries seriously and are committed to addressing your concerns promptly.
Location
2500 West Higgins Road
Suite 1230
Hoffman Estates, IL 60169