Business Associate Agreements
A written BAA defines permitted PHI use, security duties, incident and subcontractor obligations, and return-or-destruction terms before data is exchanged.
Security & Compliance
Axis handles revenue-cycle information under written client agreements and Business Associate Agreements when services require access to protected health information — with controls defined around the systems used, the work performed, and the minimum information required.
In short
Controls
around the
data.
PHI · ACCESS · TRANSFER
Defined by agreement, applied per engagement
First
BAA before any PHI is exchanged
Access
Minimum-necessary, role-based access
Boundary
PHI never through the public site
Controls
Controls are established during contracting and onboarding and applied to the systems, work, and minimum information each engagement requires.
A written BAA defines permitted PHI use, security duties, incident and subcontractor obligations, and return-or-destruction terms before data is exchanged.
Individual named accounts identify every person who accesses systems used for client work.
Multifactor authentication is required on accounts with access to systems that handle PHI.
Permissions are limited to the information and actions each user is authorized to perform.
PHI moves only through approved secure transfer methods — never the public website or review form.
Encryption is verified for each system used to store or transmit PHI.
Systems retain access and activity records appropriate to the work performed, where supported.
Vendors that handle PHI are reviewed for their role and placed under required contractual safeguards before use.
A documented process governs identification, response, and required notification for security incidents.
Workforce members are trained on PHI handling and the minimum-necessary standard.
Security risk analysis is performed periodically, with identified issues tracked to remediation.
Retention periods and secure destruction of PHI are defined by agreement.
Important. This page summarizes Axis practices and is not a certification, legal opinion, or substitute for the executed service agreement and Business Associate Agreement. Specific systems, controls, and responsibilities are confirmed during contracting and onboarding.
Ready to talk security before onboarding?
We'll share the security and compliance detail your team needs to move forward — under the appropriate agreement.
Last updated: July 5, 2026