About This Notice
MNDefense provides cybersecurity and compliance consulting services to covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
This Notice describes how MNDefense handles Protected Health Information (PHI) in its role as a Business Associate to our healthcare clients, and what rights those clients have under HIPAA.
MNDefense operates as a Business Associate, not a Covered Entity. We do not directly treat patients or create medical records. We handle PHI only as necessary to provide contracted security services on behalf of our healthcare clients.
What Is Protected Health Information (PHI)?
PHI is any information that relates to an individual's past, present, or future physical or mental health condition, the provision of healthcare to that individual, or payment for healthcare, and that can identify the individual. This includes:
- Names, addresses, birth dates, and Social Security numbers
- Medical record numbers, health plan beneficiary numbers
- Account numbers, certificate or license numbers
- Device identifiers, URLs, IP addresses when associated with health information
- Biometric identifiers, full-face photographs
- Any other unique identifying number, characteristic, or code
How MNDefense May Use or Disclose PHI
As a Business Associate, MNDefense may use or disclose PHI only as permitted by our Business Associate Agreement (BAA) and applicable HIPAA regulations. Permitted uses include:
Service Delivery
- Performing security assessments of systems that process PHI
- Monitoring network traffic and logs for threat detection (MDR services)
- Conducting penetration testing and vulnerability assessments
- Providing incident response services following a security event
Legal and Compliance Obligations
- As required by law, including reporting obligations to HHS Office for Civil Rights
- To respond to a legal process with appropriate legal protections
- To prevent or lessen a serious and imminent threat to health or safety
We will not use or disclose PHI for any other purpose without your written authorization.
Our Safeguards for PHI
MNDefense implements administrative, physical, and technical safeguards as required by the HIPAA Security Rule:
Administrative Safeguards
- Designated Security Officer responsible for HIPAA compliance
- Workforce training on PHI handling and breach prevention
- Access management policies limiting PHI access to authorized personnel
- Regular risk assessments of our own systems
Physical Safeguards
- Restricted physical access to systems that process PHI
- Secure workstation policies and device management procedures
- Media disposal and reuse procedures for PHI-containing devices
Technical Safeguards
- Encryption of PHI in transit (TLS 1.2+) and at rest (AES-256)
- Unique user identification and access audit logging
- Automatic logoff and emergency access procedures
- Integrity controls to detect unauthorized PHI alteration
Business Associate Agreements
Before accessing any PHI on behalf of a client, MNDefense will execute a Business Associate Agreement (BAA). The BAA governs:
- Permitted uses and disclosures of PHI
- Our obligation to report breaches and security incidents
- Subcontractor requirements (we flow down BAA obligations to any subcontractors)
- PHI return or destruction upon contract termination
- Access rights for HHS to audit our compliance
If your organization requires a BAA and one has not yet been executed, please contact us before sharing any PHI.
Breach Notification
In accordance with the HITECH Act and HIPAA Breach Notification Rule, MNDefense will:
- Notify your organization within 60 days of discovering a breach of unsecured PHI
- Provide notice to the HHS Secretary as required when the breach affects 500 or more individuals
- Document all breaches and maintain records for a minimum of 6 years
- Cooperate fully in your breach investigation and notification process
To report a suspected security incident or potential PHI breach involving MNDefense systems, contact us immediately at mnajeeb@mn-defense.com. We have a 24-hour incident response capability.
Your Rights Under HIPAA
If MNDefense is holding PHI on your organization's behalf, you have the right to:
- Access: Request a copy of PHI maintained by MNDefense on your behalf
- Amendment: Request correction of inaccurate PHI
- Accounting: Receive an accounting of disclosures we have made
- Restriction: Request restrictions on certain uses or disclosures
- Termination: Require return or destruction of PHI upon contract termination
To exercise these rights, submit a written request to the contact information below. We will respond within 30 days.
Complaints
If you believe your HIPAA rights have been violated or that MNDefense has not complied with its obligations under this notice, you may file a complaint with:
- MNDefense: Contact our Security Officer directly at mnajeeb@mn-defense.com
- HHS Office for Civil Rights: www.hhs.gov/ocr/complaints or call 1-800-368-1019
MNDefense will not retaliate against any individual or organization for filing a good-faith complaint.
Changes to This Notice
We reserve the right to update this HIPAA Notice at any time. Material changes will be communicated to active clients in writing and posted on this page with an updated effective date. The most current version is always available at mn-defense.com/hipaa-notice.html.
Contact Our Security Officer
MNDefense – Security & Compliance Officer
Email: mnajeeb@mn-defense.com
Website: www.mn-defense.com
For security incidents, include "INCIDENT" in the subject line for priority response.