HIPAA Compliance

At OneWell, the privacy and security of your personal and health information are fundamental to our mission and operations. We are fully committed to complying with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and all applicable federal and state privacy and security laws governing protected health information.

OneWell maintains administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of Protected Health Information (PHI) that we create, receive, maintain, or transmit in the course of providing services. HIPAA compliance is embedded into our organizational policies, workforce training, technology systems, and operational practices.

What Is HIPAA?

HIPAA is a U.S. federal law that establishes national standards to protect individuals’ medical records and other personal health information. It regulates how covered entities and their business associates may use, disclose, store, and safeguard PHI, and it grants individuals specific rights regarding their health information.

HIPAA compliance is enforced through several key regulatory frameworks, including the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

OneWell’s HIPAA Compliance Framework

OneWell has implemented a comprehensive compliance program designed to meet or exceed applicable HIPAA requirements. This program is reviewed and updated periodically to reflect regulatory changes, industry best practices, and evolving security risks.

Our HIPAA compliance framework is designed to:

• Protect patient privacy and confidentiality
• Prevent unauthorized access, use, or disclosure of PHI
• Support safe, effective, and compliant healthcare operations
• Promote accountability and compliance across our workforce
• Ensure appropriate response to potential security incidents

Safeguards for Protecting Health Information

OneWell employs a layered approach to safeguarding PHI, incorporating administrative, technical, and physical protections.

Administrative Safeguards

Administrative safeguards establish the foundation of our compliance efforts and include:

• HIPAA training and ongoing privacy and security awareness for workforce members
• Role-based access controls limiting PHI access to authorized personnel only
• Written privacy and security policies and procedures
• Risk assessments and periodic compliance reviews
• Incident response and breach management protocols

Technical Safeguards

Technical safeguards are designed to protect electronic PHI and include:

• Secure systems utilizing encryption and other industry-standard protections
• Authentication mechanisms to verify authorized users
• Access controls to prevent unauthorized system use
• Monitoring, logging, and auditing tools to detect and respond to suspicious activity

Physical Safeguards

Physical safeguards help protect facilities, systems, and equipment and include:

• Controlled access to facilities and workspaces
• Secure storage and disposal of devices and records
• Protections for workstations and hardware that may access or store PHI

Use and Disclosure of Protected Health Information

OneWell uses and discloses PHI only as permitted or required by HIPAA and other applicable laws. PHI is accessed and shared solely for legitimate business and healthcare purposes and in accordance with established policies.

Permitted uses and disclosures may include:

• Treatment, care coordination, and related healthcare services
• Payment, billing, and reimbursement activities
• Healthcare operations, including quality improvement and compliance activities
• Legal, regulatory, or public health requirements

OneWell does not sell PHI and does not use PHI for marketing or other non-permitted purposes without appropriate authorization when required by law.

Business Associates and Third-Party Service Providers

OneWell may engage third-party vendors or service providers that require access to PHI in order to perform services on our behalf. In such cases, OneWell requires these entities to comply with HIPAA standards.

This includes:

• Executing Business Associate Agreements (BAAs) as required by HIPAA
• Requiring appropriate administrative, technical, and physical safeguards
• Limiting PHI access to the minimum necessary to perform contracted services

Individual Rights Under HIPAA

HIPAA grants individuals important rights regarding their protected health information. Subject to applicable legal requirements and limitations, individuals have the right to:

• Access and obtain a copy of their health information
• Request amendments to inaccurate or incomplete information
• Request restrictions on certain uses or disclosures of PHI
• Request confidential communications where applicable
• Receive an accounting of certain disclosures of PHI
• File a complaint regarding privacy practices without fear of retaliation

OneWell respects and supports these rights and has processes in place to address such requests in accordance with applicable laws.

Breach Notification

In the event of a breach involving unsecured protected health information, OneWell will investigate the incident promptly and, when required, notify affected individuals, regulatory authorities, and other parties in accordance with HIPAA’s Breach Notification Rule and applicable state laws.

Questions, Requests, or Concerns

If you have questions about this HIPAA Compliance statement, your privacy rights, or OneWell’s information protection practices, please contact us: