HIPAA Compliance

Last updated: May 11, 2026

1. Our Commitment

Pono Medical Billing Solutions ("Pono") is committed to protecting the confidentiality, integrity, and availability of Protected Health Information (PHI) we receive, create, maintain, or transmit on behalf of our clients. As a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the HITECH Act and the Omnibus Rule, Pono complies with the HIPAA Privacy, Security, and Breach Notification Rules.

2. Business Associate Agreements

Before any PHI is exchanged, Pono executes a Business Associate Agreement (BAA) with each covered entity client. The BAA defines permitted uses and disclosures of PHI, the safeguards we implement, breach notification responsibilities, and the obligations of each party. Pono also requires BAAs from any subcontractor that may access PHI on our behalf.

3. Permitted Uses and Disclosures

Pono uses and discloses PHI only as necessary to perform the services outlined in the applicable BAA and service agreement, including claims submission, follow-up, payment posting, denial management, patient statements, and reporting. We do not sell PHI and do not use PHI for marketing without authorization.

4. Administrative Safeguards

  • Designated HIPAA Privacy and Security Officers responsible for our compliance program.
  • Workforce training on HIPAA, security awareness, and acceptable use upon hire and annually thereafter.
  • Documented policies and procedures covering access management, sanctions, incident response, and workforce clearance.
  • Periodic risk analyses and risk management activities aligned with NIST guidance.
  • Background checks and confidentiality agreements for all team members with PHI access.

5. Technical Safeguards

  • Encryption of PHI in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
  • Unique user accounts, strong password requirements, and multi-factor authentication for systems that access PHI.
  • Role-based access controls enforcing the minimum necessary standard.
  • Audit logging and monitoring of access to systems containing PHI.
  • Endpoint protection, automatic session timeouts, and patch management on all workstations.

6. Physical Safeguards

  • Facility access controls limiting physical entry to authorized personnel.
  • Workstation security policies governing the use and placement of devices that access PHI.
  • Secure media handling, disposal, and re-use procedures for any device or media containing PHI.

7. Breach Notification

In the event of a breach of unsecured PHI, Pono will notify the affected covered entity without unreasonable delay and in no case later than the timeframes required by 45 CFR § 164.410. Our incident response plan includes containment, investigation, mitigation, documentation, and post-incident review.

8. Patient Rights

Requests by individuals to access, amend, or receive an accounting of disclosures of their PHI should be directed to the covered entity that holds the designated record set. Pono will support covered entities in fulfilling those requests as required by HIPAA and the applicable BAA.

9. Subcontractors and Vendors

Pono evaluates the security and compliance posture of any vendor or subcontractor that may access PHI, executes BAAs where required, and reviews vendor controls on a recurring basis.

10. Reporting a Concern

To report a suspected privacy or security incident, request a copy of our BAA, or ask a HIPAA-related question, contact our Privacy Officer:
Email: info@medicalbillingsolutions.ai
Phone: 385-533-6411

See also our Privacy Policy and Terms & Conditions.