HIPAA Compliance Policy

Last Updated: May 1, 2026

Professional Healthcare Labs, Inc. (“PHL”) is a Covered Entity under HIPAA. We are committed to protecting your Protected Health Information (“PHI”) and complying with the Privacy Rule, the Security Rule and the Breach Notification Rule. This Policy supplements our Privacy Policy and applies whenever PHL collects, stores or transmits PHI on your behalf.

1. What is Protected Health Information?

PHI is individually identifiable health information transmitted or maintained in any form. For PHL, this includes:

Your name, date of birth, address, phone and email.
Tests ordered, sample collection records and chain-of-custody data.
Lab results and the clinician notes attached to them.
Payment information linked to a healthcare service.

2. Permitted use and disclosure

We use and disclose PHI only as permitted by HIPAA — specifically:

Treatment — sharing reports with a clinician you authorise.
Payment — processing your payment, submitting claims to your insurer or HSA/FSA administrator at your request.
Healthcare operations — quality assurance, accreditation audits and case-mix reviews on de-identified data.
As required by law — public-health reporting, court orders and other lawful legal processes.
With your written authorisation — any other use or disclosure not described above.

3. Your rights under HIPAA

Right to access — request a copy of your PHI; PHL will provide it within 30 days.
Right to amend — request a correction if you believe PHL holds inaccurate PHI.
Right to an accounting of disclosures — a list of disclosures made by PHL in the prior six years, excluding those for treatment, payment and operations.
Right to request restrictions — ask PHL to restrict certain uses or disclosures. We will consider every request but may decline where law or treatment requires otherwise.
Right to confidential communications — ask us to contact you at a specific phone number or address.
Right to a paper copy of this Notice — request one at any time.
Right to file a complaint — with PHL’s Privacy Officer or with the Secretary of the US Department of Health & Human Services Office for Civil Rights. PHL will not retaliate against any patient who files a complaint.

4. Administrative, physical and technical safeguards

Administrative: documented information-security policies, designated Privacy and Security Officers, annual HIPAA training for all workforce members, role-based access and quarterly access reviews.
Physical: badge-controlled lab access, locked sample-storage refrigerators, 24/7 video monitoring of laboratory areas and limited visitor protocols.
Technical: AES-256 encryption at rest, TLS 1.3 in transit, multi-factor authentication for all employee accounts, immutable audit logs and intrusion detection on all systems handling PHI.

5. Breach notification

If a breach of unsecured PHI occurs, PHL will notify affected individuals without unreasonable delay and no later than 60 days after discovery, as required by the HIPAA Breach Notification Rule. For breaches affecting more than 500 residents of a state we will also notify the HHS Secretary and prominent media outlets in the area.

6. Business Associate Agreements (BAAs)

Every third-party service provider with access to PHI — payment processor, SMS provider, cloud host, email vendor, analytics — operates under a signed Business Associate Agreement requiring them to apply the same safeguards described in this Policy. PHL maintains an up-to-date list of subprocessors available on request.

7. Minimum necessary standard

PHL workforce members access only the minimum PHI necessary to perform their role. Access is logged and audited; unauthorised access triggers automatic alerts.

8. Data retention

Clinical records and chain-of-custody data are retained for seven (7) years as required by CLIA and Illinois state law. After this period PHI is securely destroyed using NIST-compliant media-sanitisation methods.

9. Contacting our Privacy Officer

Patrick Reilly, JD
Privacy Officer, Professional Healthcare Labs, Inc.
2220 Hicks Rd, Rolling Meadows, IL 60008, USA
Email: privacy@phl.health
Phone: +1 (800) 555-0199

10. Effective date

This Notice is effective from the “Last updated” date shown at the top of this page and applies to all PHI created or received by PHL on or after that date.

1. What is Protected Health Information?

PHI is individually identifiable health information transmitted or maintained in any form. For PHL, this includes:

Your name, date of birth, address, phone and email.

Tests ordered, sample collection records and chain-of-custody data.

Lab results and the clinician notes attached to them.

Payment information linked to a healthcare service.

2. Permitted use and disclosure

We use and disclose PHI only as permitted by HIPAA — specifically:

Treatment — sharing reports with a clinician you authorise.

Payment — processing your payment, submitting claims to your insurer or HSA/FSA administrator at your request.

Healthcare operations — quality assurance, accreditation audits and case-mix reviews on de-identified data.

As required by law — public-health reporting, court orders and other lawful legal processes.

With your written authorisation — any other use or disclosure not described above.

3. Your rights under HIPAA

Right to access — request a copy of your PHI; PHL will provide it within 30 days.

Right to amend — request a correction if you believe PHL holds inaccurate PHI.

Right to an accounting of disclosures — a list of disclosures made by PHL in the prior six years, excluding those for treatment, payment and operations.

Right to request restrictions — ask PHL to restrict certain uses or disclosures. We will consider every request but may decline where law or treatment requires otherwise.

Right to confidential communications — ask us to contact you at a specific phone number or address.

Right to a paper copy of this Notice — request one at any time.

Right to file a complaint — with PHL’s Privacy Officer or with the Secretary of the US Department of Health & Human Services Office for Civil Rights. PHL will not retaliate against any patient who files a complaint.

4. Administrative, physical and technical safeguards

Administrative: documented information-security policies, designated Privacy and Security Officers, annual HIPAA training for all workforce members, role-based access and quarterly access reviews.

Physical: badge-controlled lab access, locked sample-storage refrigerators, 24/7 video monitoring of laboratory areas and limited visitor protocols.

Technical: AES-256 encryption at rest, TLS 1.3 in transit, multi-factor authentication for all employee accounts, immutable audit logs and intrusion detection on all systems handling PHI.

5. Breach notification

6. Business Associate Agreements (BAAs)