About this Statement
Parker Health, Inc. d/b/a Parker (“Parker,” “we,” “us,” or “our”) provides technology services to the healthcare industry. Our customers — including hospitals, health systems, health plans, healthcare providers, and other covered entities under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) — use our APEX Platform and related services to deliver, administer, or support healthcare.
Under HIPAA, Parker is a business associate. We are not a covered entity. This Statement is a voluntary, transparency-oriented description of how Parker protects and handles PHI on behalf of our covered entity customers. It is not a HIPAA “Notice of Privacy Practices” within the meaning of 45 CFR § 164.520 — that notice is issued by your healthcare provider or health plan directly.
What this means for you as a patient
If you are a patient and you want to exercise HIPAA rights regarding your health information — for example, to request access to, amend, restrict disclosure of, or receive an accounting of disclosures of your PHI — you should direct those requests to your healthcare provider or health plan. They are the covered entity responsible for granting those rights and maintaining your designated record set.
Parker, as a business associate, is contractually and legally obligated to cooperate with covered entities so they can fulfill your rights under HIPAA. If a covered entity directs a patient rights request to us for action, we will respond in accordance with HIPAA and the applicable Business Associate Agreement.
Parker's role and responsibilities as a business associate
As a business associate, Parker enters into a written Business Associate Agreement (“BAA”) with each covered entity customer before receiving, creating, maintaining, or transmitting PHI on their behalf. Under HIPAA and these BAAs, Parker is required to:
- Use and disclose PHI only as permitted by the BAA, by HIPAA, and by applicable law
- Apply administrative, physical, and technical safeguards required by the HIPAA Security Rule (45 CFR Part 164, Subpart C) to protect PHI
- Adhere to the HIPAA “minimum necessary” standard when using, disclosing, or requesting PHI
- Report to the covered entity any use or disclosure of PHI not permitted by the BAA, including breaches of unsecured PHI, in accordance with 45 CFR §§ 164.400–414 and the terms of the BAA
- Require any of our subcontractors that may receive PHI to agree in writing to the same restrictions and safeguards
- Cooperate with covered entities so they can satisfy patient rights under HIPAA (access, amendment, accounting of disclosures, restrictions, and confidential communications)
- Make our internal practices, books, and records available to the Secretary of the U.S. Department of Health and Human Services (“HHS”) for purposes of determining compliance
- Return or destroy PHI upon termination of a BAA where feasible, or continue to protect it for as long as we retain it
How we safeguard PHI
Parker maintains an information security program designed to protect PHI and other sensitive information against unauthorized access, use, disclosure, alteration, and destruction. Our safeguards include, but are not limited to:
Administrative safeguards
- Written information security policies and procedures
- Designated Privacy Officer and Security Officer
- Mandatory annual HIPAA privacy and security training for all workforce members with access to PHI
- Role-based access controls following the “least privilege” principle
- Background checks and confidentiality agreements for personnel with access to PHI
- Ongoing risk assessments and vulnerability management
- Incident response and breach notification procedures
- Contingency planning, backup, and disaster recovery procedures
Physical safeguards
- Controlled physical access to facilities housing systems that process or store PHI
- Workstation security policies
- Secure handling, transport, and disposal of media containing PHI
Technical safeguards
- Encryption of PHI in transit and at rest using industry-standard algorithms (e.g., AES-256)
- Unique user identification, strong authentication, and automatic log-off
- Audit logging and monitoring of access to systems containing PHI
- Network segmentation, intrusion detection, and endpoint protection
- Regular penetration testing and third-party security assessments
Permitted uses and disclosures of PHI
Parker uses and discloses PHI only as permitted by our BAAs with covered entities, by HIPAA, and by applicable law. Permitted uses and disclosures generally include:
- Providing services. Using PHI as necessary to deliver the contracted technology services to the covered entity.
- Operations. Using PHI for the proper management and administration of Parker and to carry out our legal responsibilities, consistent with HIPAA.
- Data aggregation. Where specifically permitted by a BAA, performing data aggregation services relating to the healthcare operations of the covered entity.
- De-identified information. Creating and using de-identified information in accordance with 45 CFR § 164.514, consistent with the applicable BAA.
- Subcontractors. Disclosing PHI to subcontractors who provide services to Parker, provided they execute a written agreement imposing the same restrictions that apply to Parker.
- As required by law. Disclosing PHI when required to do so by federal, state, or local law.
Breach notification
If Parker discovers a breach of unsecured PHI, we will notify the affected covered entity without unreasonable delay and in accordance with the timeframes and content requirements set forth in the applicable BAA and 45 CFR §§ 164.400–414. The covered entity is responsible for notifying affected individuals, HHS, and (where applicable) the media, although Parker will provide the information and cooperation needed to support those notifications.
How to contact us
If you have questions about this Statement, Parker's privacy practices, or how PHI is handled in connection with a Parker-powered service, you may contact us:
Privacy Officer
Parker Health, Inc. d/b/a Parker
818 18th St NW, Suite 810, Washington DC 20006
Email: privacy@parkerapex.com
For security incidents: security@parkerapex.com
For compliance or legal questions: compliance@parkerapex.com · legal@parkerapex.com
Complaints
If you believe Parker has not handled PHI consistent with this Statement or with HIPAA, you may:
- File a complaint with Parker by contacting our Privacy Officer at privacy@parkerapex.com
- Contact your healthcare provider or health plan (the covered entity), who can investigate and escalate as needed
- File a complaint directly with the HHS Office for Civil Rights
Parker will not retaliate against any individual for filing a complaint.
Filing a complaint with HHS
U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Room 509F, HHH Building
Washington, D.C. 20201
Phone: 1-800-368-1019 · TDD: 1-800-537-7697
Website: www.hhs.gov/ocr/privacy/hipaa/complaints/
Changes to this Statement
Parker reserves the right to change this Statement at any time. The current version is available at parkerapex.com/legal/hipaa-notice. When we make material changes, we will update the Effective Date and Version Number at the top of this Statement and post the revised Statement on our website.
Related documents
- Corporate Data Privacy and PHI Policy
- Terms & Conditions
- Corporate Cookie Policy
- California Privacy Notice
- GDPR Compliance Statement
- Corporate Privacy Commitment (PIPEDA)
- Consumer Bill of Rights for Health AI