Security & Compliance

Behavioral-health data requires disciplined protection.

Axis handles revenue-cycle information under written client agreements and Business Associate Agreements when services require access to protected health information — with controls defined around the systems used, the work performed, and the minimum information required.

In short

Controls
around the
data.

PHI · ACCESS · TRANSFER
Defined by agreement, applied per engagement

First

BAA before any PHI is exchanged

Access

Minimum-necessary, role-based access

Boundary

PHI never through the public site

Controls

How Axis protects client and patient data.

Controls are established during contracting and onboarding and applied to the systems, work, and minimum information each engagement requires.

01

Business Associate Agreements

A written BAA defines permitted PHI use, security duties, incident and subcontractor obligations, and return-or-destruction terms before data is exchanged.

02

Named user accounts

Individual named accounts identify every person who accesses systems used for client work.

03

Multifactor authentication

Multifactor authentication is required on accounts with access to systems that handle PHI.

04

Role-based access

Permissions are limited to the information and actions each user is authorized to perform.

05

Approved secure transfer

PHI moves only through approved secure transfer methods — never the public website or review form.

06

Encryption verification

Encryption is verified for each system used to store or transmit PHI.

07

Access & activity records

Systems retain access and activity records appropriate to the work performed, where supported.

08

Vendor & subcontractor review

Vendors that handle PHI are reviewed for their role and placed under required contractual safeguards before use.

09

Incident & breach response

A documented process governs identification, response, and required notification for security incidents.

10

Workforce training

Workforce members are trained on PHI handling and the minimum-necessary standard.

11

Risk analysis & remediation

Security risk analysis is performed periodically, with identified issues tracked to remediation.

12

Data retention & destruction

Retention periods and secure destruction of PHI are defined by agreement.

Important. This page summarizes Axis practices and is not a certification, legal opinion, or substitute for the executed service agreement and Business Associate Agreement. Specific systems, controls, and responsibilities are confirmed during contracting and onboarding.

Ready to talk security before onboarding?

Get in touch.

We'll share the security and compliance detail your team needs to move forward — under the appropriate agreement.

Last updated: July 5, 2026