Effective Date: May 11, 2026 • Applies To: All clients, team members, and subcontractors of Cantum Technologies
Cantum Technologies, LLC is a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, including the HIPAA Privacy Rule (45 CFR Part 164, Subpart E), the HIPAA Security Rule (45 CFR Part 164, Subpart C), and the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act. As a medical billing and revenue cycle management company, Cantum Technologies receives, processes, maintains, and transmits Protected Health Information (PHI) on behalf of its covered entity clients. This policy describes our HIPAA compliance obligations, our internal safeguards, and the rights and responsibilities of our clients and their patients.
1. Our Role as a Business Associate
Under HIPAA, Cantum Technologies functions as a Business Associate — a company that creates, receives, maintains, or transmits PHI on behalf of a covered entity (such as a physician practice, clinic, or hospital) in order to perform functions or services for that covered entity. As a Business Associate, we are directly subject to the HIPAA Security Rule and the Breach Notification Rule, and we are contractually bound by our Business Associate Agreements (BAAs) to comply with the Privacy Rule requirements applicable to our activities.
Business Associate Agreement (BAA)
Cantum Technologies executes a written Business Associate Agreement with every covered entity client before accessing any PHI.
The BAA defines:
The permitted and required uses and disclosures of PHI by Cantum Technologies.
Our obligation to implement appropriate safeguards to protect PHI.
Our obligation to report breaches, security incidents, and impermissible uses or disclosures.
Our obligation to return or destroy PHI upon termination of the service relationship.
The rights of covered entities to audit our compliance and terminate the agreement for material breach.
No PHI is accessed, processed, or transmitted by Cantum Technologies prior to execution of a signed BAA. If you are a prospective client, your BAA will be provided as part of the onboarding agreement package.
2. Protected Health Information (PHI)
Protected Health Information means any individually identifiable health information that is created, received, maintained, or transmitted by Cantum Technologies in connection with the provision of billing and RCM services. PHI includes, but is not limited to:
Patient names, addresses, dates of birth, Social Security numbers, and other demographic identifiers.
Diagnosis codes (ICD-10), procedure codes (CPT/HCPCS), and clinical notes submitted for billing purposes.
Insurance information, payer IDs, member IDs, and group numbers.
Dates of service, dates of admission, and dates of discharge.
Account numbers, claim numbers, and financial information related to healthcare services.
Any other information that could reasonably be used to identify an individual in connection with their healthcare.
Cantum Technologies processes PHI solely for the purpose of performing contracted billing and RCM services on behalf of our covered entity clients. We do not use PHI for any marketing, research, or commercial purpose outside of our contracted services.
3. Our HIPAA Safeguards
3.1 Administrative Safeguards
Cantum Technologies implements the following administrative safeguards as required by the HIPAA Security Rule:
Designated HIPAA Privacy Officer and Security Officer responsible for developing, implementing, and enforcing our HIPAA compliance program.
Written HIPAA policies and procedures covering privacy, security, breach notification, and workforce conduct.
Workforce training: all employees, contractors, and subcontractors who access PHI receive HIPAA training at hire and annually thereafter.
Access management: workforce access to PHI is limited to the minimum necessary to perform job functions.
Sanction policy: workforce members who violate HIPAA policies are subject to disciplinary action up to and including termination.
Security incident response procedures: documented processes for identifying, reporting, and responding to security incidents.
Contingency planning: data backup, disaster recovery, and emergency operations procedures to ensure PHI availability.
Business associate management: we review and manage all subcontractors who may access PHI and require them to execute BAAs with us.
3.2 Physical Safeguards
Workstation security policies governing the use of devices that access PHI, including screen locking, clean desk requirements, and prohibitions on working with PHI in public locations.
Device and media controls covering the secure disposal, reuse, and tracking of electronic media containing PHI.
Physical access controls for any facilities where PHI is accessed or stored.
3.3 Technical Safeguards
Access controls: unique user identifiers, automatic logoff, and encryption of PHI at rest and in transit.
Audit controls: hardware, software, and procedural mechanisms to record and examine access to systems containing PHI.
Integrity controls: measures to ensure PHI is not improperly altered or destroyed.
Transmission security: PHI transmitted electronically is encrypted using industry-standard protocols (TLS 1.2 or higher).
Multi-factor authentication for systems containing PHI.
Regular vulnerability assessments and security risk analyses, as required by the HIPAA Security Rule.
4. Minimum Necessary
Cantum Technologies applies the HIPAA minimum necessary standard in all uses and disclosures of PHI. This means we only access, use, or disclose the minimum amount of PHI necessary to accomplish the intended billing or RCM function. We do not request or use more patient information than is required to process, submit, or appeal a claim. Our workforce is trained on the minimum necessary standard and has access to PHI scoped to their specific job function. A claims processor has access to the PHI needed to submit and track claims; they do not have access to patient records beyond that scope.
5. Breach Notification
In the event of a breach of unsecured PHI, Cantum Technologies will comply with the HIPAA Breach Notification Rule (45 CFR §§ 164.400–164.414) as follows:
5.1 Notice to Covered Entity
We will notify the affected covered entity (our client) of a breach of PHI without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. The notification will include, to the extent possible:
A description of the breach, including the date of the breach and the date of discovery.
A description of the types of PHI involved.
The number of individuals whose PHI was affected.
Steps we have taken to investigate the breach and mitigate its effects.
Steps we are taking to prevent future breaches.
5.2 Notice to Individuals (via covered entity)
Notification to affected individuals is the responsibility of the covered entity (our client). We will provide all information necessary to enable the covered entity to fulfill its notification obligations under HIPAA.
5.3 Breach Risk Assessment
Not every impermissible use or disclosure of PHI constitutes a reportable breach. We perform a documented four-factor risk assessment for every potential breach to determine whether there is a low probability that the PHI has been compromised. If our assessment concludes that the probability of compromise is not low, we treat the incident as a reportable breach and proceed with notification obligations.
6. Patient Rights Under HIPAA
The patients of our covered entity clients retain all rights afforded to them under the HIPAA Privacy Rule. Cantum Technologies supports our covered entity clients in fulfilling the following patient rights:
Right of access: patients have the right to inspect and obtain a copy of their PHI held in a designated record set.
Right to amendment: patients have the right to request amendment of their PHI if they believe it is inaccurate or incomplete.
Right to an accounting of disclosures: patients have the right to receive an accounting of disclosures of their PHI made by covered entities and business associates.
Right to request restrictions: patients may request restrictions on uses or disclosures of their PHI.
Right to confidential communications: patients may request that communications about their PHI be made through alternative means or to alternative locations.
Requests from patients related to the PHI we process should be directed to the covered entity (the healthcare provider), not to Cantum Technologies directly. We will support our covered entity clients in responding to patient rights requests as required by our BAA.
7. Subcontractors and Downstream Business Associates
Cantum Technologies may engage subcontractors or downstream service providers who access PHI in the course of providing services to us. Before any subcontractor accesses PHI, we require them to execute a Business Associate Agreement with us that imposes the same HIPAA obligations we are subject to. We assess the HIPAA compliance posture of all subcontractors prior to engagement and monitor their compliance on an ongoing basis. If a subcontractor fails to comply with our BAA, we will take corrective action and notify affected covered entities as appropriate.
8. Retention and Destruction of PHI
Cantum Technologies retains PHI for the period necessary to fulfill our contracted billing and RCM services and as required by applicable law. Medical billing records are generally retained for a minimum of 7 years from the date of service or the date of last activity, consistent with CMS and state regulatory requirements. Upon termination of a client relationship, Cantum Technologies will, at the election of the covered entity client:
Return all PHI to the covered entity in a mutually agreed upon format within 30 days of termination, or
Destroy all PHI in our possession using secure destruction methods, and provide written certification of destruction.
PHI that cannot feasibly be returned or destroyed will be held under the protections of our BAA and used only as permitted by our BAA and HIPAA.
9. HIPAA Complaints and Reporting
Cantum Technologies prohibits retaliation against any individual who files a complaint related to our HIPAA compliance. If you believe that Cantum Technologies has violated your rights under HIPAA or has engaged in an impermissible use or disclosure of PHI, you have the right to file a complaint:
With Cantum Technologies directly:
HIPAA Privacy Officer:
Cantum Technologies, LLC
Email: hipaa@cantumtech.com
Phone: +1 (832) 981-4888
Mailing Address: Houston, Texas, USA
Response Time: We will acknowledge all HIPAA complaints within 5 business days and complete our investigation within 30 days.
With the U.S. Department of Health and Human Services (HHS):
You also have the right to file a complaint with the HHS Office for Civil Rights (OCR), which enforces HIPAA, at:
Website: hhs.gov/ocr/privacy/hipaa/complaints
Phone: 1-800-368-1019 (toll-free) • 1-800-537-7697 (TDD)
Filing a complaint with HHS does not require you to first complain to Cantum Technologies. We strongly support your right to report concerns to federal authorities.
10. Training and Accountability
All Cantum Technologies team members who access PHI complete HIPAA training before being granted access and annually thereafter. Training covers:
What constitutes PHI and ePHI.
Permitted and required uses and disclosures of PHI.
The minimum necessary standard.
Patient rights under HIPAA.
Physical, administrative, and technical safeguards.
How to recognize and report a potential HIPAA breach or security incident.
Consequences of non-compliance.
Violations of this HIPAA Compliance Policy or our internal HIPAA procedures will result in disciplinary action, up to and including termination of employment or contract, and may be referred to law enforcement where applicable.