HIPAA Compliance Policy

Coaching Loft - Fluent XP DWC-LLC (“Company”, “we”, “our”, or “us”), operating the Coaching Loft platform (“Service”), is committed to protecting the privacy and security of Protected Health Information (“PHI”) in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations.

This HIPAA Compliance Policy describes the administrative, technical, and physical safeguards we have implemented to protect electronic Protected Health Information (“ePHI”) processed through our Service. 

1. Scope of This Policy

This policy applies to all systems, applications, infrastructure, and processes used by Coaching Loft that may store, process, or transmit ePHI on behalf of our customers.

Our Service is designed to support customers who may be subject to HIPAA compliance obligations. We implement security controls aligned with HIPAA Security Rule requirements.


2. Administrative Safeguards

We maintain administrative measures designed to manage and protect the confidentiality, integrity, and availability of ePHI, including: 

2.1 Security Management Process

  • Continuous security monitoring of cloud infrastructure.
  • Threat detection mechanisms enabled across systems.
  • Defined service-level objectives for identifying and resolving security issues.
  • Centralized security logging for audit and incident response purposes.

2.2 Information Access Management

  • Role-based access controls following the principle of least privilege.
  • Access to systems and data is limited to authorized personnel only.
  • Separation of duties where applicable.

2.3 Security Awareness and Training

  • Security monitoring and alerting systems are in place to detect potential risks.
  • Ongoing review of security posture and system configurations.

2.4 Contingency Planning

  • Backups are maintained for stateful cloud resources.
  • Backup systems are designed to support data recovery and business continuity in the event of system failure or incident.


3. Technical Safeguards

We employ technical controls to protect ePHI and regulate access to systems:

3.1 Access Controls

  • Access is restricted using the principle of least privilege.
  • Multi-factor authentication (MFA) is required for access to cloud resources.
  • User and system authentication mechanisms are enforced.

3.2 Audit Controls

  • Security logging is enabled for cloud infrastructure and application environments.
  • Audit logs are used to monitor access and detect potential security incidents.

3.3 Integrity Controls

  • Data is encrypted at rest.
  • Modern cryptographic libraries are used and kept up to date.
  • Access controls are applied to prevent unauthorized modification or destruction of data.

3.4 Transmission Security

  • Data in transit is encrypted using secure protocols.
  • HTTPS is enforced across all cloud instances.
  • The latest supported TLS versions are required.
  • Secure cookie handling mechanisms are in place to prevent misuse.


4. Data Encryption

We implement encryption controls to protect ePHI:

  • Encryption at rest is enabled for stored data.
  • Encryption in transit is enforced using HTTPS and TLS.
  • Up-to-date cryptographic libraries are used for all encryption processes.


5. Infrastructure and Cloud Security

Our Service is hosted on secured cloud infrastructure with the following controls in place:

  • Restricted public access to sensitive cloud resources.
  • Firewalls and network security rules block unauthorized access to administrative and data services (including SSH, RDP, FTP, and database services).
  • Cloud services enforce HTTPS-only communication.
  • Automatic operating system and runtime updates are enabled where applicable.
  • Backups are enabled for critical services.
  • Access to key management services is tightly restricted.


6. Monitoring and Incident Detection

We maintain continuous monitoring of our systems to identify potential security threats:

  • Security logging and alerting are enabled.
  • Threat detection systems monitor abnormal activity.
  • Access and configuration changes are tracked for auditability.

In the event of a security incident affecting ePHI, we follow established incident response procedures to investigate, mitigate, and remediate the issue.


7. Business Associate Responsibilities

Customers who use the Service to store or process ePHI are responsible for ensuring their own HIPAA compliance obligations, including executing a Business Associate Agreement (BAA) where required.

Coaching Loft - Fluent XP DWC-LLC will make a Business Associate Agreement available upon request.


8. Limitations

While we implement security measures aligned with HIPAA Security Rule requirements, HIPAA compliance is a shared responsibility between the Company and its customers. Proper configuration, access management, and lawful use of the Service remain the responsibility of each customer.

No system can be guaranteed to be 100% secure. We continually review and improve our security controls to reduce risk.


9. Updates to This Policy

We may update this HIPAA Compliance Policy from time to time to reflect changes in our security practices, technology, or legal requirements. Updates will be posted on this page with a revised “Last Updated” date.


10. Contact Information

For questions regarding this HIPAA Compliance Policy or to request a Business Associate Agreement (BAA), please contact:

Coaching Loft - Fluent XP DWC-LLC
Email: [email protected]