HIPAA Compliance

Every VA Certified.
Every BAA Signed. No Exceptions.

Patient privacy is not optional. At HealthSystemVAs (Global Medical Virtual Assistants, LLC), HIPAA compliance is built into every VA placement from Day 1 — not added as an afterthought.

Our HIPAA Framework

What "HIPAA Compliant VA Placement" Actually Means at HealthSystemVAs

Many companies claim their VAs are "HIPAA aware." We hold ourselves to a higher standard — documented, enforceable compliance at every layer.

Business Associate Agreement (BAA)

A fully executed BAA is signed before your VA begins any work. We are a Business Associate under HIPAA whenever our VAs handle, process, or transmit Protected Health Information on your behalf. This obligation is not optional — and we treat it that way.

If your clinic has a specific BAA template, we can review and work from your version. Our legal team reviews all BAAs before execution.

HIPAA Certification — Before Placement

Every VA completes our in-house HIPAA compliance training and certification program. (HHS does not recognize or endorse any HIPAA certification; the credential is our own documented attestation that the VA has been trained and assessed.) The program covers:

  • Privacy Rule requirements (45 CFR Part 164, Subpart E)
  • Security Rule safeguards: Administrative, Physical and Technical (45 CFR Part 164, Subpart C)
  • Breach Notification Rule obligations (45 CFR Part 164, Subpart D)
  • Minimum Necessary standard for PHI use and disclosure (45 CFR 164.502(b))
  • Role-specific PHI handling for administrative staff

VAs must pass a written assessment before any client placement. Refresher training is conducted annually.

Technical Safeguards

  • VAs access PHI only through your clinic's secured systems
  • No PHI transferred or stored outside clinic-approved platforms
  • Encrypted email and messaging for all clinical communications
  • VPN-secured internet connections
  • Dedicated work devices (no personal devices for clinical work)
  • Automatic screen lock and session timeout protocols
  • Multi-factor authentication where supported by clinic systems

Administrative & Physical Safeguards

  • Signed NDA and HIPAA workforce agreement for every VA
  • Background screening conducted before any placement
  • Minimum Necessary access principle enforced
  • Private, secure workspace requirements
  • No public Wi-Fi for clinical work
  • Clear desk / clear screen policy for all PHI
  • Immediate termination protocol for any compliance breach

Breach Response

What Happens If There's a Security Incident Involving My VA?

1. Immediate Access Suspension
At the first sign of a potential breach or compliance failure, we work with your clinic to suspend the VA's access to all clinic systems immediately while an investigation is conducted. Because the VA's accounts live in your systems, your administrators perform the actual lockout; we initiate it and confirm it has taken effect.

2. 24-Hour Client Notification
We notify your clinic within 24 hours of discovering any potential breach or security incident, providing all known details and our investigation timeline. (45 CFR 164.410 gives a Business Associate up to 60 calendar days from discovery to notify the Covered Entity; our 24-hour commitment is deliberately far shorter, since your own notification window may already be running from the moment we discover the incident.)

3. Full Investigation & Documentation
A formal root cause analysis is conducted. All documentation is provided to your clinic to support your breach risk assessment and any notifications you may owe under HIPAA to affected individuals, to HHS and, where applicable, to the media.

4. Free Replacement
The VA is replaced at no additional cost. Our free replacement guarantee applies to compliance failures, not just performance issues.

Note: This breach response describes our internal procedures. Your clinic's independent HIPAA compliance obligations (including any required HHS reporting) remain your responsibility as the Covered Entity. We cooperate fully with all breach response activities.

HIPAA FAQ

Common Questions About HIPAA & Our VAs

Do you sign a Business Associate Agreement?

Yes. A Business Associate Agreement is signed as standard before any VA begins work. We are classified as a Business Associate under HIPAA when handling PHI on your behalf, and we meet all associated obligations.

Can we use our own BAA template?

Yes. If your organization has a standard BAA template, our team will review it and work from your version wherever possible. We want the agreement to meet your compliance team's requirements.

Where are your VAs located, and does HIPAA permit staff outside the U.S. to handle PHI?

VAs may be located outside the U.S. HIPAA does not prohibit this: the Privacy and Security Rules bind the Covered Entity and the Business Associate regardless of where individual workforce members sit, so the BA relationship must be documented in a BAA and the same safeguards applied offshore as onshore, which is how our model works. Be aware that some payer contracts (Medicare Advantage offshore subcontractor attestations, for example) and some state Medicaid programs impose their own restrictions or attestation requirements on offshore access to PHI, so we recommend consulting your compliance attorney for your specific situation.

How do VAs access our EMR?

VAs are given their own role-based user credentials in your EMR with minimum necessary access, which keeps your EMR audit trail attributable to a named person rather than a shared login. They connect via encrypted VPN, use dedicated secure devices, and follow your clinic's existing EMR security policies. The access is the same type you would grant any authorized administrative staff member.

What happens to system access when a VA leaves?

When a VA relationship ends for any reason, we coordinate with your clinic to revoke all system access no later than 24 hours after notice. We provide confirmation once access has been terminated.

Get Started

Confident in Our HIPAA Standards?
See the Full Revenue Picture.

Book your free 30-minute Clinic Revenue Audit to discuss your specific compliance needs and get a custom VA placement plan.

Book Your Free Clinic Revenue Audit