📘 Array of Brighter Beginnings, Inc.
Online Privacy, Security & HIPAA Compliance Disclaimer (North Carolina)
Array of Brighter Beginnings, Inc. (“AOBB”) is committed to protecting client privacy and safeguarding Protected Health Information (PHI) in accordance with the HIPAA Privacy, Security, and Breach Notification Rules, and applicable North Carolina requirements. AOBB’s programmatic and technical safeguards are designed to maintain the confidentiality, integrity, and availability of PHI in all electronic systems and communications. [hhs.gov]
1) Use of Microsoft 365 (Internal PHI) with HIPAA BAA
AOBB stores and manages PHI internally using HIPAA‑eligible Microsoft cloud services (e.g., SharePoint Online, OneDrive for Business, Teams—in HIPAA configuration—and internal Exchange Online email). Microsoft provides a HIPAA Business Associate Agreement (BAA) through its Products & Services Data Protection Addendum; this BAA establishes contractual obligations for privacy, security, auditing, and breach notification when in‑scope services are used. [paubox.com], [learn.microsoft.com]
AOBB restricts PHI to BAA‑covered Microsoft services only, consistent with the shared‑responsibility model and encryption expectations under the HIPAA Security Rule. [hipaajournal.com]
2) Use of Hushmail (External PHI Email)
AOBB uses Hushmail for Healthcare for all external PHI emails to clients, payers, partners, and contractors. Hushmail enables encrypted delivery and recipient authentication to mitigate transmission risks in accordance with HIPAA’s Technical Safeguards and email best practices. External PHI is not sent via standard Microsoft email; internal PHI email remains within AOBB’s Microsoft tenant. [hipaaguide.net]
3) North Carolina DHHS Privacy & Security Alignment
AOBB aligns its internal privacy and security program with the NCDHHS Privacy & Security Office expectations and departmental manuals (including the DHHS Privacy Manual and Security Manual), which emphasize HIPAA‑based administrative, technical, and physical safeguards and incident reporting pathways. [ncdhhs.gov], [policies.ncdhhs.gov], [policies.ncdhhs.gov]
The State’s privacy standards are also guided by the N.C. Department of Information Technology, which references NIST frameworks and statewide privacy policies; AOBB’s practices are calibrated to those state references where applicable. [it.nc.gov]
4) NCTracks Participation & Electronic Transactions
As a North Carolina Medicaid provider, AOBB follows NCTracks participation requirements, including secure access to systems, multi‑factor authentication, and compliance with HIPAA transaction standards (ASC X12 5010) for electronic submissions, status inquiries, and eligibility transactions. [nctracks.nc.gov], [per.nctracks.com], [nctracks.nc.gov], [ncmmis.ncdhhs.gov], [per.nctracks.com], [cms.gov]
Providers are directly liable for safeguarding PHI/PII associated with NCTracks access under the updated NCDHHS Provider Administrative Participation Agreement, including requirements to guard against social engineering and to meet breach obligations. [nctracks.nc.gov]
5) Joint Commission (TJC) Information Management Expectations
For programs accredited by The Joint Commission, AOBB’s policies and procedures are aligned to Information Management standards—IM.02.01.01 (protect privacy of health information) and IM.02.01.03 (maintain security and integrity)—including secure storage and access controls for PHI when staff are not present. [jointcommission.org], [kapextmedi...amaihd.net]
6) Telehealth, Clinical Operations & NC Standards of Care
When telehealth is used, AOBB follows North Carolina guidance for provider licensure/standard of care and state telehealth resources (including definitions and modalities recognized by NC Medicaid policy updates and professional boards). PHI discussed in telehealth encounters is protected through approved, HIPAA‑enabled platforms and AOBB’s internal controls. [ncmedboard.org], [ncdhhs.gov], [cchpca.org], [wellcarenc.com]
7) Patient Rights & Access to Information
AOBB supports patient access to health information consistent with HIPAA and Joint Commission expectations. Patients may request copies of records and information about AOBB’s privacy practices at any time. [hhs.gov], [ipfcc.org]
8) Data Security Limits & User Responsibilities
While AOBB employs recognized security practices (encryption in transit/at rest, access controls, MFA, logging), no internet technology is risk‑free. Clients and partners should protect their own devices, use private networks, keep credentials confidential, and promptly report suspected incidents. These practices reflect OCR’s emphasis on recognized security practices and risk management under the Security Rule. [hhs.gov]
9) Incident & Breach Reporting
AOBB investigates all suspected privacy or security incidents. If a breach of unsecured PHI is confirmed, AOBB will provide notifications consistent with the HIPAA Breach Notification Rule and state directives, and will cooperate with NCDHHS as required. [hhs.gov], [policies.ncdhhs.gov]
10) Emergencies
Do not use email (Microsoft or Hushmail), web forms, or telehealth platforms for emergencies. If you are experiencing an emergency, call 911 or proceed to the nearest emergency facility. (General safety notice)
Contact
For questions about this disclaimer or AOBB’s privacy and security program, please contact:
HIPAA Privacy Officer • IT Compliance Director • AOBB — Gastonia, NC
Optional: Website Placement & Short Footer Version
Placement: Post this disclaimer on your Privacy page, and link it from the HIPAA Notice of Privacy Practices, the telehealth page, and all forms that collect PHI. (Aligns with TJC IM expectations to protect PHI and state program guidance to inform users.) [jointcommission.org], [it.nc.gov]
Footer (short form):
“AOBB protects PHI in accordance with HIPAA and North Carolina standards. Internal PHI is stored in HIPAA‑eligible Microsoft services under Microsoft’s BAA; all external PHI email is sent only via Hushmail with encryption and recipient authentication. Do not use electronic channels for emergencies; call 911.”