OcuPine Practice Services is built around a non-negotiable principle: we work inside your existing EHR and PMS — we never replicate, export, or store PHI on our infrastructure. Here’s exactly how we operate, documented for your compliance records.
Our operational model is designed so that PHI never needs to leave your systems. Compliance isn’t a feature we added — it’s how the service is architected.
OcuPine Practice Services does not store, replicate, or back up patient health information. We log in to your EHR/PMS (Crystal PM, RevolutionEHR, EyeMD EMR, etc.) via secure remote access and work entirely within your existing systems.
Every authorization, billing task, and scheduling action happens inside your practice’s own software environment. Your audit logs, your access controls, your compliance posture — we operate under your rules.
Your OcuPine Practice Services client dashboard shows operational metrics exclusively: prior auth approval rates, billing turnaround times, denial rates, scheduling utilization. No patient names, dates of birth, or diagnosis codes.
Each team member is granted only the access required for their specific work — scheduling staff access scheduling modules, billing staff access billing modules. Access is reviewed and revoked at offboarding.
Need our compliance documentation for your own audit or accreditation? We provide BAA templates, access logs for your systems, and team certification records upon request — no waiting period.
We conduct quarterly internal reviews of access logs, session records, and role assignments to verify ongoing compliance with the minimum necessary standard. Results are available to clients on request.
A fully executed Business Associate Agreement is a prerequisite for onboarding — not an afterthought. Here’s our process from first contact to signed agreement.
During your initial call, we document which systems you use (EHR, PMS, clearinghouse) and which services you need. This determines the scope of PHI access required for your BAA.
We send a HIPAA-compliant BAA drafted to reflect your specific service scope. It covers permitted uses, safeguarding obligations, breach notification timelines, and termination procedures. Your attorney is welcome to review it.
We do not accept access credentials or begin any operational work until the BAA is signed by both parties. This is enforced without exception.
We proactively schedule BAA reviews annually and whenever your service scope changes materially (e.g., adding a new EHR, adding team members with different access needs).
Our team receives structured HIPAA training with an eye care focus — covering the specific workflows and systems used in optometry and ophthalmology practices.
Every team member completes annual HIPAA Privacy and Security Rule training with a passing exam score before their credentials are renewed. No certification = no active access.
Training includes practice scenarios specific to ophthalmic billing (prior auth workflows, EHR navigation, insurance portal access) — not generic healthcare examples.
Team members receive quarterly phishing simulations and security awareness updates covering social engineering, credential hygiene, and safe remote access practices for healthcare environments.
Annual tabletop exercises simulate breach scenarios — including compromised remote access credentials — so our team knows exactly what to do and who to notify within the required timeline.
Before a new team member accesses any client system, they complete a structured HIPAA onboarding module and sign a workforce member confidentiality agreement.
Completion records for every team member working on your account are available upon request — useful for your own HIPAA compliance documentation and audits.
Every remote access session follows a structured security protocol. We follow your security policies and supplement them with our own controls.
All remote access sessions are conducted over encrypted VPN tunnels. Team members connect to client systems only through designated, monitored access pathways — no direct public internet access to your EHR.
MFA is required for every system login — our own internal tools and every client system we access. Hardware tokens or authenticator apps. SMS-only MFA is not accepted for HIPAA-covered systems.
Access permissions are scoped to job function. A scheduling coordinator cannot access billing modules. Access is provisioned on request, documented, and removed immediately upon role change or offboarding.
Client credentials are stored in an encrypted vault with access limited to named individuals. Credentials are rotated when team assignments change. We never share credentials via email or unencrypted channels.
Remote access sessions are logged with timestamps and session metadata. Unusual access patterns (off-hours logins, high-volume data queries) trigger automatic review by our compliance lead within 24 hours.
When a team member leaves, all client system access is revoked within 2 hours of their last day. Access to shared credential vaults is rotated within 24 hours. No trailing access. We confirm completion in writing.
Federal HIPAA sets the floor. Several states where OcuPine Practice Services serves practices have enacted additional privacy and health data laws that we comply with.
HIPAA requires covered entities and their business associates to notify affected individuals of a breach within 60 days. We treat that as a ceiling, not a target.
We’ve built the compliance infrastructure so you don’t have to worry about it. Request a BAA and we’ll have it to you within 24 hours.