HIPAA Compliance Policy

This HIPAA Compliance Policy describes how Complete Intake, Inc. safeguards Protected Health Information and supports HIPAA-compliant healthcare operations.

Introduction

Effective Date: January 17, 2026

Complete Intake, Inc., a Delaware corporation ("Complete Intake" or the "Company"), is committed to ensuring the confidentiality, integrity, and availability of all Protected Health Information ("PHI") that we create, receive, maintain, or transmit on behalf of our healthcare agency clients.

This HIPAA Compliance Policy describes our compliance program under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the HITECH Act, and their implementing regulations.

As a provider of AI-powered home health referral management services, Complete Intake acts as a Business Associate to Covered Entities under HIPAA. This policy establishes the administrative, technical, and physical safeguards governing our handling of PHI.

Scope

This policy applies to:

  • All PHI processed through the Complete Intake platform
  • All workforce members, including employees, contractors, and agents, with access to PHI
  • All systems, networks, and applications that store, process, or transmit PHI
  • All subcontractors and vendors that handle PHI on our behalf

Definitions

Terms used in this policy have the meanings set forth in 45 C.F.R. § 160.103, including:

  • Protected Health Information (PHI)
  • Business Associate
  • Covered Entity
  • Security Incident

Business Associate Relationships

Business Associate Agreement (BAA)

Complete Intake enters into a Business Associate Agreement ("BAA") with each healthcare client prior to receiving or processing PHI. The BAA governs permitted uses and disclosures of PHI, required safeguards, breach notification responsibilities, and compliance obligations.

Subcontractors

All subcontractors that create, receive, maintain, or transmit PHI on behalf of Complete Intake must execute written agreements imposing HIPAA-equivalent obligations. Complete Intake obtains satisfactory assurances that subcontractors will appropriately safeguard PHI.

PHI Management in Complete Intake

Types of PHI Processed

The platform may process PHI including:

  • Patient demographic information
  • Diagnoses and conditions
  • Treatment and care planning information
  • Insurance and payment information
  • Clinical notes relevant to referrals

Permitted Uses and Disclosures

PHI is used or disclosed only as permitted by the applicable BAA and law, including:

  • Referral intake, validation, and routing
  • Insurance verification and coverage determination
  • AI-assisted document analysis and summarization
  • Administrative and operational functions specified in the BAA

Minimum Necessary Standard

Complete Intake applies the minimum necessary standard through system design, access controls, and workflow restrictions.

Administrative Safeguards

Privacy and Security Officers

Complete Intake designates a Privacy Officer and Security Officer responsible for HIPAA compliance oversight.

Workforce Training

All workforce members with PHI access receive training upon hire and at least annually, covering:

  • HIPAA requirements
  • Internal policies and procedures
  • Incident identification and reporting
  • Secure use of AI-enabled systems

Access Management

  • Role-based access controls
  • Periodic access reviews
  • Immediate revocation upon role change or termination

Risk Analysis and Management

  • Regular HIPAA Security Rule risk analyses
  • Implementation of reasonable and appropriate mitigation measures

Contingency Planning

Including:

  • Data backups
  • Disaster recovery
  • Emergency operations
  • Periodic testing and revision

Technical Safeguards

Access Controls

  • Unique user IDs
  • Emergency access procedures
  • Automatic logoff
  • Encryption at rest and in transit
  • Multi-factor authentication for administrative access

Audit Controls

  • Logging of PHI access
  • Monitoring of system events
  • Administrative activity tracking

Integrity Controls

  • Data validation mechanisms
  • Secure transmission protocols
  • Controls to prevent improper alteration or destruction

Transmission Security

  • TLS 1.3 or higher
  • Secure APIs
  • Encrypted file transfer
  • VPNs where appropriate

AI-Specific Safeguards

Given the AI-enabled nature of the platform, Complete Intake implements additional controls, including:

  • Logical segregation of PHI in AI processing
  • Restrictions on AI training using PHI
  • Monitoring for unintended PHI disclosure
  • Secure handling of embeddings and vector databases
  • Output validation and contextual access controls

Physical Safeguards

Facility Access Controls

Physical access to systems and facilities is restricted to authorized personnel.

Workstation Security

Including:

  • Screen locking
  • Secure configurations
  • Physical security measures

Device and Media Controls

  • Secure disposal
  • Media re-use procedures
  • Asset tracking
  • Encrypted backups

Breach Notification

Incident Identification

Procedures are maintained to identify, mitigate, and document security incidents.

Notification

In the event of a breach of unsecured PHI, Complete Intake will:

  • Notify affected clients without unreasonable delay and no later than 24 hours after discovery
  • Provide information necessary for HIPAA notification compliance
  • Cooperate with investigations and remediation

Documentation

All breach investigations and responses are documented in accordance with HIPAA.

Document Retention and Disposal

PHI Retention

PHI is retained in accordance with applicable law and client agreements. Default retention for referral data is seven (7) years, unless otherwise required.

Secure Disposal

PHI is securely destroyed in accordance with NIST media sanitization guidelines when no longer required.

Policy Enforcement

Sanctions

Violations may result in disciplinary action, up to termination.

Documentation

HIPAA compliance documentation is retained for at least six (6) years.

Non-Retaliation

Retaliation against individuals reporting compliance concerns is strictly prohibited.

Feature-Specific Safeguards

Document Processing & AI Analysis

  • Encrypted uploads and storage
  • Isolated OCR environments
  • Controlled access to AI outputs

Referral Management

  • Encrypted databases
  • Minimum necessary access
  • Audit logging

Insurance Verification

  • Secure RPA environments
  • Encrypted credentials
  • Monitoring and logging

AI Welcome Calls

  • Minimum necessary PHI usage
  • Secure storage of recordings, if applicable
  • Authentication prior to PHI disclosure
  • De-identified AI training data

Compliance Evaluation

Complete Intake conducts ongoing evaluations, including:

  • Annual formal risk assessments
  • Quarterly security reviews
  • Penetration testing
  • Third-party audits

Contact Information

For questions or concerns regarding this HIPAA Compliance Policy, please contact:

Privacy Officer
Complete Intake, Inc.
(a Delaware corporation)
2727 LBJ Freeway, Suite 324
Dallas, Texas 75234

Email: [email protected]
Phone: (469) 257-3153

Policy Updates & Document Control

Policy Owner: Chief Privacy Officer
Version: 1.2
Effective Date: January 17, 2026
Last Review: January 10, 2026
Next Review: January 17, 2027

Disclaimer: In very rare cases, Complete Intake and all its modules can make mistakes. It is the responsibility of the user and organization to verify the accuracy of all information.

Copyright Complete Intake Inc. All Rights Reserved.