SECURITY & COMPLIANCE

Health & Billing
Effective Date: 1st April, 2026

1. OVERVIEW OF SECURITY AND COMPLIANCE POSTURE

LaCharme LLC, doing business as Health & Billing (“H&B,” “Company,” “we,” “us,” or “our”), maintains a comprehensive security and compliance framework designed to protect sensitive information, including Protected Health Information (“PHI”), and to support the operational, legal, and regulatory requirements of our Clients.

Our approach integrates:

  • compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”);
  • alignment with industry-recognized security frameworks, including SOC 2 principles;
  • implementation of administrative, technical, and physical safeguards;
  • continuous risk assessment and operational oversight.

HIPAA establishes national standards for safeguarding electronic PHI through administrative, technical, and physical controls, while SOC 2 provides a structured framework for evaluating how organizations ensure the confidentiality, integrity, and availability of data.

2. HIPAA COMPLIANCE FRAMEWORK

Health & Billing operates as a Business Associate under HIPAA in connection with services provided to covered entities.

In this capacity:

  • PHI is accessed, processed, and maintained solely as necessary to perform contracted services;
  • all use and disclosure of PHI is governed by executed Business Associate Agreements (BAAs);
  • the Company adheres to applicable provisions of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

The Company does not process PHI through its public-facing Website, and all PHI-related activities occur exclusively within secured operational environments.

3. ADMINISTRATIVE SAFEGUARDS

The Company maintains administrative safeguards designed to ensure that security is governed as an ongoing, structured program.

Such safeguards include:

  • documented risk analysis and risk management processes;
  • designation of responsible personnel for security oversight;
  • workforce training and awareness programs;
  • access authorization and role-based controls;
  • incident response and breach management procedures;
  • internal auditing and compliance monitoring.

Administrative safeguards are a foundational requirement of the HIPAA Security Rule and ensure that risks to PHI are continuously identified and mitigated.

4. TECHNICAL SAFEGUARDS

The Company implements technical safeguards designed to protect the confidentiality, integrity, and availability of electronic information.

Such safeguards include:

  • controlled system access and authentication mechanisms;
  • multi-factor authentication where applicable;
  • encryption of data in transit and, where appropriate, at rest;
  • audit logging and monitoring of system activity;
  • secure data transmission protocols;
  • system integrity controls to prevent unauthorized alteration or destruction of data.

Technical safeguards are required under HIPAA to ensure that only authorized individuals may access PHI and that such data remains secure and unaltered.

5. PHYSICAL SAFEGUARDS

The Company maintains physical safeguards designed to protect systems, infrastructure, and data environments from unauthorized access.

Such safeguards include:

  • controlled access to facilities and work environments;
  • workstation and device security protocols;
  • secure storage and disposal of physical media;
  • environmental protections for systems and infrastructure.

These measures align with HIPAA’s requirement to protect the physical environments in which PHI is stored or processed.

6. DATA SECURITY PRINCIPLES

The Company’s security framework is designed to ensure:

  • Confidentiality — information is not disclosed to unauthorized individuals;
  • Integrity — information is not altered or destroyed in an unauthorized manner;
  • Availability — information is accessible when needed for authorized purposes.

These principles form the core of both HIPAA Security Rule requirements and SOC 2 security expectations.

7. SOC 2 ALIGNMENT AND TRUST SERVICES CRITERIA

The Company’s security and operational practices are designed to align with the principles of the SOC 2 Trust Services Criteria, including:

  • Security — protection against unauthorized access;
  • Availability — system accessibility and operational resilience;
  • Confidentiality — protection of sensitive data;
  • Processing Integrity — accurate and complete processing of data;
  • Privacy — appropriate handling of personal information.

SOC 2 is a widely recognized framework for demonstrating effective internal controls and data protection practices, particularly for service providers handling sensitive information.

The Company’s adoption of these principles reflects a commitment to industry best practices, though SOC 2 certification, where applicable, is subject to independent audit and may not be represented unless formally achieved.

8. ACCESS CONTROL AND LEAST PRIVILEGE

Access to systems and data is restricted based on the principle of least privilege, ensuring that individuals have access only to the information necessary to perform their designated roles.

Access is:

  • role-based;
  • periodically reviewed;
  • revoked promptly upon termination or role change.

9. DATA ENCRYPTION AND TRANSMISSION SECURITY

Where applicable, the Company utilizes encryption and secure communication protocols to protect data during transmission and storage.

Such measures are implemented in accordance with recognized standards and are designed to mitigate unauthorized access and data interception risks.

10. INCIDENT RESPONSE AND BREACH MANAGEMENT

The Company maintains formal incident response procedures designed to:

  • detect and respond to security incidents;
  • contain and mitigate potential impacts;
  • investigate root causes;
  • implement corrective actions;
  • fulfill applicable notification obligations under HIPAA and other laws.

11. THIRD-PARTY RISK MANAGEMENT

The Company may engage third-party vendors, service providers, and infrastructure partners.

Such relationships are managed through:

  • due diligence and vendor assessment processes;
  • contractual safeguards, including data protection obligations;
  • ongoing monitoring where appropriate.

The Company does not assume responsibility for the independent actions of third-party providers but exercises reasonable efforts to ensure alignment with applicable standards.

12. CONTINUOUS MONITORING AND IMPROVEMENT

Security and compliance are treated as continuous processes.

The Company undertakes ongoing efforts to:

  • assess evolving risks;
  • update policies and controls;
  • improve system resilience;
  • align with emerging regulatory and industry standards.

13. LIMITATION OF REPRESENTATIONS

While the Company implements robust security and compliance measures, no system can be guaranteed to be entirely secure.

Nothing contained in this page shall be construed as:

  • a guarantee of absolute security;
  • a representation of compliance beyond what is contractually established;
  • a substitute for formal audit reports, certifications, or contractual assurances.

14. CLIENT RESPONSIBILITIES

Clients remain responsible for:

  • their own regulatory compliance obligations;
  • proper use of services;
  • secure handling of information within their own environments.

Compliance is a shared responsibility governed by applicable agreements.

15. CONTACT INFORMATION

For questions regarding security or compliance practices, please contact:

Health & Billing
3919 Tampa Road, Oldsmar, FL 34677, USA
📧 legal@healthandbilling.com
📞 +1 (386) 245-5464