HIPAA Compliance

Effective Date: October 25, 2025

Last Updated: October 25, 2025

1. Overview

TAYYAB VENTURES LLC, doing business as CareCall OS, understands the importance of protecting sensitive health information. This HIPAA Compliance document explains how we support our customers in meeting their obligations under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations.

Legal Entity: TAYYAB VENTURES LLC
DBA: CareCall OS
Jurisdiction: Wyoming, USA
Address: 30 North Gould Street, Sheridan, Wyoming 82801, USA

Important: We support HIPAA compliance and act as a Business Associate for customers who are Covered Entities or Business Associates under HIPAA. However, there is no official "HIPAA certification." Any vendor claiming to be "HIPAA certified" is misrepresenting the law.

Not Legal Advice: This document provides information about our HIPAA-related practices. It is not legal advice. Consult with a qualified healthcare attorney or compliance expert to understand your specific HIPAA obligations.

2. Our Commitment to HIPAA Compliance

CareCall OS is committed to supporting HIPAA compliance for our customers in the healthcare industry. We take reasonable and appropriate measures to:

  • Protect the confidentiality, integrity, and availability of Protected Health Information (PHI)
  • Implement administrative, physical, and technical safeguards as required by HIPAA
  • Maintain a Business Associate Agreement (BAA) with customers who handle PHI
  • Ensure our sub-processors are also HIPAA-compliant and covered by appropriate BAAs
  • Provide incident response and breach notification procedures
  • Train our employees on HIPAA requirements and data security best practices

  • Data Protection: Encryption, access controls, and secure storage
  • Secure Infrastructure: HIPAA-compliant hosting and network security
  • BAA Available: Business Associate Agreements provided on request

3. HIPAA Safeguards

We implement the following safeguards to protect PHI in accordance with the HIPAA Security Rule:

3.1 Administrative Safeguards

  • Security Management Process: Risk analysis, risk management, and security incident procedures
  • Workforce Training: Regular HIPAA and security awareness training for employees
  • Access Management: Role-based access controls and authorization procedures
  • Security Policies: Written policies and procedures governing PHI handling
  • Contingency Planning: Data backup, disaster recovery, and emergency access procedures

3.2 Physical Safeguards

  • Facility Access Controls: Secure data centers with restricted physical access
  • Workstation Security: Policies and procedures to secure workstations accessing PHI
  • Device & Media Controls: Secure disposal and re-use procedures for devices containing PHI

3.3 Technical Safeguards

  • Access Controls: Unique user identification, emergency access procedures, automatic logoff
  • Audit Controls: Logging and monitoring of access to systems containing PHI
  • Integrity Controls: Mechanisms to ensure PHI is not improperly altered or destroyed
  • Encryption: PHI is encrypted in transit (TLS/SSL) and at rest (AES-256)
  • Authentication: Multi-factor authentication and strong password requirements

4. Business Associate Agreement (BAA)

If you are a Covered Entity or Business Associate under HIPAA and your use of our Services involves the creation, receipt, maintenance, or transmission of PHI, you are required to have a Business Associate Agreement (BAA) in place with us.

4.1 When is a BAA Required?

A BAA is required if:

  • You are a HIPAA Covered Entity (e.g., healthcare provider, health plan, healthcare clearinghouse)
  • You are a Business Associate acting on behalf of a Covered Entity
  • Our Services will be used to create, receive, maintain, or transmit PHI

4.2 How to Request a BAA

To request a Business Associate Agreement, please contact us:

HIPAA/BAA Email: hello@carecallos.com

Subject Line: "BAA Request for [Your Organization Name]"

Include: Your organization's name, contact information, and a brief description of how you plan to use our Services

We will provide our standard BAA for review and execution. Once executed, the BAA governs our handling of PHI on your behalf.

5. Sub-processors and Third-Party Service Providers

We engage certain third-party service providers (sub-processors) to help us provide the Services. When these sub-processors may have access to PHI, we ensure they are HIPAA-compliant and enter into appropriate Business Associate Agreements with them.

5.1 Current Sub-processors

Service Provider          Service Type                      Location
Stripe                    Payment Processing                USA
Twilio / LiveChat         Telephony Services                USA
[Your Hosting Provider]   Cloud Hosting & Infrastructure    USA
GoHighLevel               CRM & Marketing Automation        USA

5.2 Changes to Sub-processors

We may change or add sub-processors from time to time. When we make material changes to our sub-processors, we will update this page and notify you via email or notice on our website. If you object to a new sub-processor, you may terminate your agreement with us in accordance with our Terms of Service.

6. Breach Notification and Incident Response

6.1 Security Incident Procedures

We maintain policies and procedures to detect, respond to, and report security incidents involving PHI. In the event of a suspected or confirmed breach of unsecured PHI, we will:

  • Investigate the incident promptly and thoroughly
  • Contain and mitigate the breach to the extent possible
  • Notify affected customers without unreasonable delay, but no later than 60 days after discovery
  • Cooperate with you to fulfill your breach notification obligations under HIPAA
  • Provide information about the breach, including affected individuals, data types, and remedial actions

6.2 Customer Notification

If a breach affects your PHI, we will notify you via:

  • Email to your registered email address
  • Direct communication with your designated security contact
  • Written notice if email is unavailable

Note: As a Covered Entity or Business Associate, you are ultimately responsible for notifying affected individuals, the Department of Health and Human Services (HHS), and (if applicable) the media in accordance with HIPAA's Breach Notification Rule. We will assist you with information needed to fulfill these obligations.

7. Customer Responsibilities

While we support your HIPAA compliance efforts, you remain responsible for your own HIPAA compliance. Your responsibilities include:

7.1 General Compliance

  • Ensuring your use of the Services complies with all applicable HIPAA requirements
  • Conducting your own risk analysis and implementing appropriate safeguards
  • Training your workforce on HIPAA requirements and the proper use of our Services
  • Obtaining necessary patient authorizations and consents
  • Maintaining required documentation and audit logs

7.2 BAA Execution

  • Requesting and executing a BAA with us before transmitting PHI through our Services
  • Ensuring any sub-contractors or downstream Business Associates also have BAAs in place

7.3 Data Minimization

  • Using the minimum necessary PHI required to accomplish your intended purpose
  • Avoiding unnecessary transmission or storage of sensitive PHI
  • De-identifying or anonymizing data when possible

7.4 Access Controls

  • Maintaining strong passwords and enabling multi-factor authentication
  • Limiting access to PHI to authorized personnel only
  • Promptly revoking access for terminated or unauthorized users

7.5 Incident Reporting

  • Reporting any suspected security incidents or breaches to us immediately at hello@carecallos.com
  • Cooperating with our investigation and remediation efforts

8. Limitations and Disclaimers

IMPORTANT DISCLAIMERS

  • No Certification: There is no official "HIPAA certification" for companies. We support HIPAA compliance but do not claim to be "HIPAA certified."
  • No Guarantee: While we implement reasonable safeguards, we cannot guarantee absolute security or that breaches will never occur.
  • Customer Responsibility: You are ultimately responsible for your own HIPAA compliance. Our Services are tools to assist you, but they do not guarantee compliance.
  • Not Legal Advice: This document is informational only and does not constitute legal advice. Consult a qualified attorney or compliance expert for legal guidance.

8.1 Scope of BAA

Our BAA covers only PHI that is created, received, maintained, or transmitted through our Services as described in the BAA. It does not cover:

  • PHI transmitted outside of our Services (e.g., via email, fax, or other methods)
  • PHI stored or processed by third-party services not covered by our BAA
  • Your internal HIPAA compliance obligations beyond our role as a Business Associate

9. Contact Us

For questions, BAA requests, or to report a security incident related to HIPAA compliance, please contact us:

TAYYAB VENTURES LLC (DBA CareCall OS)

Address: 30 North Gould Street, Sheridan, Wyoming 82801, USA

HIPAA/BAA Email: hello@carecallos.com

Legal Email: hello@carecallos.com

Support Email: hello@carecallos.com

Phone: +44 7401 060526

Security Incident Reporting: If you believe there has been a security incident or breach involving PHI, please email hello@carecallos.com immediately with "URGENT - SECURITY INCIDENT" in the subject line. Do not delay reporting.