Our HIPAA commitment
RemoteFrontDesk operates as a HIPAA business associate to the medical practices we serve. Every Front Desk Pro on our team is trained on HIPAA requirements before placement, every client engagement is governed by a signed Business Associate Agreement (BAA), and every access to Protected Health Information (PHI) is logged and auditable.
We treat HIPAA not as paperwork but as a system of controls that protect both your patients and your practice. This page summarizes what we do, how to request our BAA, and how to reach our compliance team.
Business Associate Agreements
Before any RemoteFrontDesk staffer touches your patients' information, we execute a Business Associate Agreement with your practice. Our BAA covers:
- Permitted uses and disclosures — what your Front Desk Pro is authorized to do with PHI, scoped to the workflows you delegate.
- Safeguard requirements — the administrative, physical, and technical safeguards we maintain on your behalf.
- Breach notification obligations — our timelines and procedures for notifying you in the unlikely event of an incident.
- Subcontractor flow-down — when we use vetted subcontractors, the same BAA obligations flow through.
- Termination and PHI return — what happens to PHI when you cancel your subscription.
You can request our standard BAA template by emailing compliance@remotefrontdesk.com. Most practices sign our standard template; if your legal team has specific requirements, we negotiate in good faith.
Safeguards we maintain
Administrative safeguards
- Written HIPAA policies and procedures, reviewed annually
- Designated Privacy Officer and Security Officer
- Documented workforce training and sanctions for violations
- Background checks on every staffer before placement
- Role-based access provisioning, with least-privilege defaults
Physical safeguards
- Workstation security policies for remote staff (locked screens, private workspace requirements)
- Encrypted devices required for any work involving PHI
- No PHI is stored locally on staff devices — all work happens in your secured systems
Technical safeguards
- Access logging on every PHI interaction
- Encryption in transit (TLS 1.2+) for all data exchanges
- Multi-factor authentication required for any client-system access
- Automatic session timeouts and forced re-authentication
- Quarterly review of access logs and access privileges
Staff training and certification
Every Front Desk Pro completes a mandatory training program before they are cleared to work with any client:
- 40 hours of medical office training, covering common EHRs, payer portals, and the workflows small practices rely on.
- HIPAA Privacy Rule training, with scenario-based exercises and a certification exam.
- HIPAA Security Rule training, focused on the technical safeguards staff are required to follow.
- Practice-specific orientation on your protocols, your communication norms, and your patient population.
HIPAA certification is renewed annually. Refresher modules are required quarterly. Underperforming staff are re-trained or replaced — your contract never absorbs the cost.
Incident response
If a security incident or potential breach is identified — whether by our team, your team, or an automated system — our incident response process kicks in within one hour:
- Containment. The affected staffer's access is suspended; affected systems are isolated.
- Assessment. Our Security Officer determines the scope of any PHI exposure and whether breach notification thresholds were met.
- Notification. If your practice is affected, we notify your designated contact within 24 hours of confirmation, with full incident details.
- Reporting. If a notifiable breach occurred, we support your practice in meeting HIPAA breach notification obligations under 45 CFR §164.404–410.
- Remediation and review. We identify the root cause, implement controls to prevent recurrence, and share a post-incident report.
How to request our BAA
If your practice is evaluating RemoteFrontDesk and needs to review our BAA before committing, you can:
- Email compliance@remotefrontdesk.com with "BAA Request" in the subject line, or
- Book a 20-minute intro call and we'll send the BAA to your designated contact within one business day.
The BAA is executed before any of our staff touches your systems, not after. No exceptions.
Contact
To ask a compliance question, request our BAA, or report a concern:
Email: compliance@remotefrontdesk.com
Mail: Privacy Officer, RemoteFrontDesk, 3801 N Capital of Texas Hwy, Ste E240-3836, Austin, TX 78746
For security-specific concerns, see our Security page.