Security & Compliance

Protected Health Information Statement

How we handle your sensitive health information

TAG understands the sensitive nature of health information. We've designed our processes and systems with security and privacy as top priorities, implementing practices that align with HIPAA standards even though we are not a covered entity under the law.

Minimal Collection

We limit data collection by default. Our initial inquiry forms explicitly request that you do NOT include medical details or account numbers.

Explicit Authorization

Before accessing any Protected Health Information (PHI), we request formal written authorization that complies with HIPAA and state regulations.

Secure Storage

All PHI is stored in encrypted databases with row-level security policies. Files are uploaded through our secure member portal with access controls and audit logging.

Minimal Server-Side Storage Option

For highly sensitive matters, we offer options that minimize server-side data storage, using secure communication channels instead.

Our PHI Protection Process

1. Initial Contact (No PHI)

When you first reach out through our website or phone, we collect only basic contact information and a general description of your concern. We explicitly instruct you NOT to include medical details, diagnosis information, or account numbers at this stage.

2. Authorization Request

If your case requires access to PHI, we will send you a formal authorization form that:

  • Specifies exactly what information we need access to
  • Explains how we will use the information
  • States the duration of the authorization
  • Informs you of your right to revoke authorization at any time

3. Secure Upload

Members can upload documents securely through our portal, which features:

  • End-to-end encryption
  • Access restricted to authorized TAG staff only
  • Automatic audit logging of all file access
  • Secure file deletion upon case closure or request

4. Limited Access

Only TAG staff members directly working on your case have access to your PHI. All staff are trained in privacy practices and sign confidentiality agreements.

5. Secure Disposal

When your case is complete, we securely delete PHI unless you request otherwise or we have a legal obligation to retain it. You can request deletion of your information at any time.

Technical Safeguards

  • Encryption: All data is encrypted in transit (TLS) and at rest
  • Access Controls: Role-based access with the principle of least privilege
  • Authentication: Multi-factor authentication for portal access
  • Audit Logs: Comprehensive logging of all data access and modifications
  • Regular Security Reviews: Periodic assessments and updates of security measures

Your Rights Regarding PHI

You have the right to:

  • Access your PHI that we maintain
  • Request correction of inaccurate PHI
  • Request an accounting of PHI disclosures
  • Revoke your authorization for PHI use at any time
  • Request secure deletion of your PHI
  • File a complaint if you believe your privacy rights have been violated

HIPAA Compliance Note

TAG is not a HIPAA-covered entity under federal law (we are not a health plan, healthcare provider, or healthcare clearinghouse). However, we voluntarily implement HIPAA-aligned practices because we believe they represent best practices for handling sensitive health information.

If you require formal HIPAA compliance (for example, if your organization is a covered entity), we can execute a Business Associate Agreement (BAA). Please discuss this with us during your initial consultation.

Questions or Concerns?

If you have questions about how we handle PHI, or if you believe your privacy has been compromised, please contact us immediately:

Email: privacy@tagdomain.com
Phone: (555) 123-4567
Address: 123 Healthcare Plaza, Suite 456, City, State 12345

Ready to work with us securely?

Start with a no-PHI inquiry, and we'll guide you through our secure authorization process.