HIPAA Notice

Last updated: March 2026

Anexio MSP operates as a Business Associate under HIPAA when providing managed IT services to covered entities. This notice describes how we handle Protected Health Information (PHI) in that capacity.

Our Role as a Business Associate

When Anexio provides managed IT services to healthcare organizations, dental practices, behavioral health providers, and other HIPAA-covered entities, we may access systems that contain Protected Health Information (PHI). In this capacity, we operate as a Business Associate and execute a Business Associate Agreement (BAA) with each covered entity before any work begins.

How We Protect PHI

  • Encryption: All data in transit and at rest is encrypted using industry-standard protocols
  • Access Controls: PHI access is restricted to authorized technicians on a need-to-know basis
  • Session Logging: All remote access sessions to systems containing PHI are logged and recorded
  • Secure Communications: PHI is never transmitted via standard unencrypted email
  • Endpoint Protection: All managed endpoints are protected with enterprise-grade EDR and identity threat detection
  • Backup Integrity: All backups of systems containing PHI are monitored daily and encrypted

Breach Notification

In the event of a security incident involving PHI:

  • Affected endpoints are immediately isolated
  • Our security team assesses whether PHI was accessed or exfiltrated
  • The covered entity is notified of the incident within the timeframes specified in the BAA
  • If a breach is confirmed, the covered entity is supported in meeting the HIPAA 60-day breach notification requirement
  • Complete incident documentation is preserved as an audit record

Record Retention

Records related to HIPAA client services are retained for a minimum of 7 years, in accordance with HIPAA record retention requirements. Archived records are stored securely and access-controlled.

Annual Security Reviews

We recommend and offer annual security risk assessments to all HIPAA clients. These reviews evaluate the current state of technical safeguards, identify gaps, and produce prioritized remediation plans aligned with the HIPAA Security Rule.

Website Disclaimer

This website does not collect, store, or transmit PHI. The contact form on this site is for general business inquiries only. Do not submit any Protected Health Information through this website. If you need to communicate PHI, please contact us directly to arrange a secure communication channel.

Contact

For HIPAA-related inquiries, contact us at info@anexio.co.