HIPAA Business Associate Privacy Policy

Bridge Insurance & Financial Services, Inc. (“Bridge”) is committed to protecting the privacy and confidentiality of Protected Health Information (PHI). We share this responsibility with our Covered Entity partners and comply with the requirements outlined in our Business Associate Agreements (BAAs).

This policy explains how Bridge collects, uses, discloses, and safeguards PHI in accordance with HIPAA and the terms of our BAAs.


Definitions

Business Associate Agreement (BAA):
A written contract between Bridge and a Covered Entity that outlines our responsibilities for handling PHI in compliance with HIPAA.

Covered Entity:
A health plan, health care provider, or health care clearinghouse that is subject to the HIPAA Privacy Rule.

Protected Health Information (PHI):
Individually identifiable health information—whether electronic, paper, or oral—created, received, used, or disclosed in connection with health care services or payment for such services.


Use and Disclosure of PHI

Bridge may use or disclose PHI as allowed by our BAAs and applicable law, including:

  • For management, administration, data aggregation, and other functions permitted under the BAA.
  • To perform services for or on behalf of Covered Entities, provided such use or disclosure is allowed under HIPAA.
  • To subcontractors or agents, only after obtaining written assurances that they will safeguard PHI as required by the BAA.
  • To report violations of law to appropriate federal or state authorities.

Safeguards

Bridge implements administrative, physical, and technical safeguards to protect PHI’s confidentiality, integrity, and availability. These measures include:

  • Staff training on HIPAA privacy and security practices
  • Supervision and clearance procedures to ensure workforce compliance
  • Encryption when transmitting PHI electronically
  • Secure storage, backup, and disposal practices
  • Authentication and access controls
  • Security incident response procedures and staff training
  • Contingency and emergency access plans to ensure availability of PHI

Mitigation of Harm

If PHI is used or disclosed in violation of a BAA, Bridge will mitigate any harmful effects to the extent practicable. We will:

  • Promptly report unauthorized uses, disclosures, or security incidents to the affected Covered Entity
  • Document disclosures as needed to support an accounting of disclosures of PHI, in accordance with HIPAA

Access to PHI and Compliance

As required by our BAAs, Bridge will make available to Covered Entities the information needed for individuals to exercise their HIPAA rights, including access, amendment, and accounting of disclosures.

We will also provide our internal policies, procedures, books, and records related to PHI to Covered Entities or to the U.S. Department of Health and Human Services (HHS), as necessary, to demonstrate compliance with HIPAA and our BAAs.