Clinical Standards

Clinical Standards: Compliance, Security, and Content Review

Positive Check LLC's clinical, security, and compliance framework: the commitments behind every patient call and the safeguards around every Protected Health Information (PHI) interaction.

In short

  • HIPAA-compliant business associate. Every provider partner signs a Business Associate Agreement before PHI exchange. We implement the full Security Rule safeguard set for ePHI.
  • Clinical decisions stay with clinicians. Positive Check makes no clinical decisions. Every flagged concern routes to a qualified provider-designated clinician in real time.
  • In-house content, primary-source citations. Every page cites CMS or HHS primary sources; no commissioned guest posts, no unverified third-party content.
  • Documented for CMS billing. Call summaries map directly to the documentation elements CMS auditors expect for CCM, RPM, and TCM.
  • Last Reviewed dates on every page. CMS rules update annually (at minimum); we refresh on that cadence and whenever HHS or CMS issues notable guidance.

HIPAA compliance framework

The Health Insurance Portability and Accountability Act (HIPAA) distinguishes between covered entities (providers, payers, and clearinghouses that handle Protected Health Information) and business associates, the vendors and service providers that access PHI on a covered entity's behalf. Positive Check operates as a business associate. That designation is not a label; it carries legally enforceable obligations under the HIPAA Privacy Rule and Security Rule, and the Privacy Rule requires the relationship to be documented in a signed Business Associate Agreement (BAA) before PHI is disclosed to us.

Before any PHI passes through our platform (call logs, patient responses, escalation records), we execute a BAA with the provider partner. The agreement specifies the permitted uses and disclosures of PHI, our breach notification timeline (without unreasonable delay and no later than 60 days after discovery, consistent with the HIPAA Breach Notification Rule), subcontractor provisions (any subprocessor we use is bound to equivalent obligations in its own BAA with us), and PHI return or destruction procedures at contract termination. This is not optional practice for us; it is the legal prerequisite for operating in the healthcare SaaS space.

The HITECH Act of 2009 strengthened HIPAA by extending direct liability to business associates and increasing civil monetary penalties for non-compliance. We design our systems and processes with HITECH in view, not merely the original HIPAA floor. The governing reference for our compliance posture is the HHS HIPAA for Professionals resource, which we review on each significant update cycle.

Security Rule safeguards

The HIPAA Security Rule governs electronic Protected Health Information (ePHI) specifically. It requires covered entities and business associates to implement three categories of safeguards: administrative, physical, and technical. Our implementation covers all three, as the Security Rule requires; the HHS HIPAA Security Rule page is our governing reference for it.

Administrative safeguards form the policy backbone. These include workforce access management (role-based access to ePHI, with least-privilege principles applied at the application layer), workforce training on privacy and security obligations, contingency planning covering data backup procedures and disaster recovery, and BAA subcontractor requirements ensuring every third-party processor of ePHI operates under equivalent security obligations. Policies are reviewed and updated on the same cadence as our content review rhythm: quarterly at baseline, accelerated when HHS issues significant guidance.

Physical safeguards address the physical environment where ePHI is accessed or processed. Since Positive Check operates as a cloud-native platform, physical safeguards primarily apply to workstation security policies for team members accessing provider data: screen lock requirements, clean-desk practices for remote workers, and device inventory management. Data infrastructure runs on cloud providers with their own physical access controls and compliance certifications; those controls are captured in our vendor management process and BAA chain.

Technical safeguards include access control mechanisms (unique user identifiers, automatic logoff, role-based permissions), audit logs that record access to and activity on ePHI, transmission security via TLS for all data in transit, and encryption at rest for stored ePHI. Audit logs are retained and available for provider review on request.

Call content design and review

Every call script on the Positive Check platform is designed in-house by the Positive Check team. We do not commission external writers, engage third-party clinical advisors who contribute content without editorial accountability, or publish guest posts that carry outside authorship. This is a deliberate choice: in healthcare content, the authority comes from the organization and its institutional relationships with primary sources (CMS regulations, HHS guidance, peer-reviewed evidence), not from attributed individuals whose credentials cannot be consistently verified or maintained. We build credibility through citations, organizational signals, and case-based demonstration, not through borrowed authorial authority.

Call content is configured per provider to match the clinical program the patient is enrolled in. An RPM engagement call captures different data points than a CCM care coordination touchpoint or a TCM post-discharge follow-up call. Providers review and approve the exact call script before any patient enrollment begins. If a provider needs script customization (different symptom thresholds, program-specific language, condition-specific response branches), that customization is documented and approved before deployment.

Updates to call content follow the same review process as initial deployment: provider review, documented approval, and version-controlled rollout. When CMS updates a program's requirements (for example, a change to what counts as interactive communication for RPM), we assess whether call content needs adjustment and flag affected provider configurations for review. Content is not updated silently; providers are notified of material changes that affect their program configuration.

Escalation protocols

Positive Check surfaces clinical concerns; clinicians act on them. This boundary is not a limitation of the platform; it is a design principle. Our role as a business associate is to collect, process, and communicate patient response data in a structured, timely, and documented way. The clinical judgment about what to do with that information belongs exclusively to the provider and their designated clinical staff.

Escalation rules are configured per provider partner before enrollment begins. Not every flagged concern triggers the same response level. A provider might configure high-priority escalation (immediate dashboard alert plus SMS notification to a designated on-call clinician) for responses indicating acute distress or safety concerns. Lower-urgency flags (a missed medication report, a gradual trend in blood pressure readings, a patient-reported fall risk) might route to a nightly summary reviewed by the care coordinator at the start of business the following day. The thresholds, notification channels, and designated recipients are all provider-defined.

Every escalation generates a documentation record: timestamp, triggering patient response content, escalation level applied, and notification delivery confirmation. These records are available in the provider dashboard and constitute part of the audit trail CMS auditors may review when assessing whether the interactive communication requirement for RPM was met or whether CCM care coordination activity was documented appropriately. See the CMS Care Program Billing Guide for program-specific documentation elements.
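The two paragraphs above describe a rule set that a provider configures and a documentation record that every match produces. The following is an added illustration of that shape, not Positive Check platform code: the rule structure, the response field names, the keyword list, the notification-sender interface and the content digest are all assumptions made for the example.

```python
"""Provider-configurable escalation routing with a documentation record per match.

Added example, not Positive Check platform code. The rule shape, the response
field names, the keyword list and the sender interface are assumptions made
for illustration only.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

HIGH, LOW = "high", "low"  # high: real-time alert; low: nightly summary queue

# Assumed safety keyword list; a real deployment takes this from provider config.
SAFETY_KEYWORDS = ("chest pain", "cannot breathe", "hurt myself")


@dataclass(frozen=True)
class Rule:
    name: str
    level: str
    matches: Callable[[dict], bool]  # predicate over one structured patient response
    channels: Tuple[str, ...]        # real-time channels used when level == HIGH


def provider_rules(systolic_limit: int = 160) -> List[Rule]:
    """One provider's configuration. Thresholds, channels and levels are provider-defined."""
    return [
        Rule("safety_keyword", HIGH,
             lambda r: any(k in r.get("free_text", "").lower() for k in SAFETY_KEYWORDS),
             ("dashboard", "sms")),
        Rule("acute_bp", HIGH,
             lambda r: r.get("systolic", 0) >= systolic_limit,
             ("dashboard", "sms")),
        Rule("missed_medication", LOW,
             lambda r: r.get("took_medication") is False, ()),
        Rule("fall_risk", LOW,
             lambda r: r.get("fall_risk_reported") is True, ()),
    ]


def demo_sender(channel: str, reference: str) -> str:
    """Stand-in for a notification gateway; returns a delivery confirmation id."""
    return f"{channel}-{hashlib.sha256(reference.encode()).hexdigest()[:8]}"


def _digest(record: dict) -> str:
    body = {k: v for k, v in record.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def evaluate(response: dict, rules: List[Rule],
             send: Callable[[str, str], str] = demo_sender,
             now: Optional[datetime] = None) -> List[dict]:
    """Apply every matching rule. Each match yields one record holding the
    timestamp, the triggering content, the level applied and delivery confirmation."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    records = []
    for rule in rules:
        if not rule.matches(response):
            continue
        # Outbound notifications carry only a reference to the record, never the
        # response text: SMS is not an encrypted channel, so PHI stays in the
        # dashboard and the audit log.
        reference = f"{response['call_id']}:{rule.name}"
        if rule.level == HIGH:
            delivery: Dict[str, str] = {ch: send(ch, reference) for ch in rule.channels}
        else:
            delivery = {"nightly_summary": "queued"}
        record = {
            "timestamp": stamp,
            "call_id": response["call_id"],
            "rule": rule.name,
            "level": rule.level,
            "triggering_content": {k: v for k, v in response.items() if k != "call_id"},
            "delivery": delivery,
        }
        record["digest"] = _digest(record)  # lets a reviewer detect a later edit
        records.append(record)
    return records


def verify(record: dict) -> bool:
    """True if the record's content still matches its stored digest."""
    return record.get("digest") == _digest(record)


# Constructed sample response (not real patient data) and a fixed clock.
SAMPLE_RESPONSE = {
    "call_id": "call-0001",
    "free_text": "I have had chest pain since this morning",
    "systolic": 142,
    "took_medication": False,
    "fall_risk_reported": False,
}
FIXED_NOW = datetime(2026, 1, 5, 9, 30, tzinfo=timezone.utc)


def run_sample() -> List[dict]:
    return evaluate(SAMPLE_RESPONSE, provider_rules(), now=FIXED_NOW)


if __name__ == "__main__":
    for rec in run_sample():
        print(rec["level"], rec["rule"], rec["delivery"], verify(rec))
```

Two design points worth noting. The real-time channels receive a reference, not the patient's words, because SMS offers no transport confidentiality; the content stays behind the dashboard's access controls. The digest on each record is a lightweight integrity check so a reviewer can tell whether an escalation record was altered after it was written; it is not a substitute for write-once log storage.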

Documentation standards (CMS-aligned)

Every call Positive Check conducts generates a structured summary designed to map directly to the documentation elements CMS auditors expect when reviewing care management claims. The principle is straightforward: if the documentation is not there, the service was not rendered, and our call records are built to ensure that is never the auditor's conclusion.

Per-call data includes the call date and time, call duration, a summary of patient response content (covering the questions asked and responses received), any concerns flagged and the escalation action taken, and a system or staff identifier for the activity. For programs with monthly time thresholds (CCM's 20-minute non-complex minimum, or the monthly interactive communication time tracked for RPM), the platform aggregates per-call durations into monthly summaries that correspond directly to the time-threshold arithmetic the billing team needs. This prevents the common audit failure mode where time was spent but cannot be reconstructed from fragmented records.
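The monthly aggregation described above is simple, but the way it is done decides whether an auditor can reconstruct the total and whether the total is honest. The block below is an added example, not Positive Check platform code: the record fields and the threshold table are assumptions for illustration (the 20-minute CCM figure is the non-complex minimum named on this page). It sums exact per-call seconds per patient and month, keeps the contributing call ids, and shows the rounding mistake that makes a short month look compliant.

```python
"""Monthly time-threshold reconstruction from per-call records.

Added example, not Positive Check platform code. Record fields and the
threshold table are assumptions for illustration.
"""
from __future__ import annotations

import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Assumed configuration: monthly minimums in seconds, keyed by program.
THRESHOLD_SECONDS = {"CCM": 20 * 60}


@dataclass(frozen=True)
class CallRecord:
    call_id: str
    patient_id: str
    program: str
    started_at: str        # ISO 8601 with offset, e.g. "2026-03-04T15:02:00+00:00"
    duration_seconds: int  # whole seconds as logged; never pre-rounded to minutes


Key = Tuple[str, str, str]  # (patient_id, program, "YYYY-MM")


def monthly_summary(calls: List[CallRecord]) -> Dict[Key, dict]:
    """Sum exact per-call seconds per patient, program and calendar month, and
    keep the contributing call ids so the total can be reconstructed on audit."""
    buckets: Dict[Key, List[CallRecord]] = defaultdict(list)
    for c in calls:
        month = datetime.fromisoformat(c.started_at).strftime("%Y-%m")
        buckets[(c.patient_id, c.program, month)].append(c)
    summary: Dict[Key, dict] = {}
    for key, items in sorted(buckets.items()):
        total = sum(i.duration_seconds for i in items)
        threshold = THRESHOLD_SECONDS.get(key[1])
        summary[key] = {
            "total_seconds": total,
            "threshold_seconds": threshold,
            "threshold_met": threshold is not None and total >= threshold,
            "calls": [i.call_id for i in items],  # the reconstruction an auditor needs
        }
    return summary


def rounded_per_call_minutes(calls: List[CallRecord]) -> int:
    """The failure mode to avoid: rounding each call up to whole minutes before
    summing overstates the month and can show a threshold as met when it is not."""
    return sum(math.ceil(c.duration_seconds / 60) for c in calls)


# Constructed sample data (not real patient records).
SAMPLE_CALLS = [
    CallRecord("c1", "p1", "CCM", "2026-03-04T15:02:00+00:00", 410),
    CallRecord("c2", "p1", "CCM", "2026-03-12T15:05:00+00:00", 400),
    CallRecord("c3", "p1", "CCM", "2026-03-25T15:01:00+00:00", 380),
    CallRecord("c4", "p1", "CCM", "2026-04-02T15:00:00+00:00", 1300),
]

if __name__ == "__main__":
    for key, row in monthly_summary(SAMPLE_CALLS).items():
        print(key, row)
    march = [c for c in SAMPLE_CALLS if c.started_at.startswith("2026-03")]
    print("naive per-call rounding for March (minutes):", rounded_per_call_minutes(march))
```

For the March sample the exact total is 1190 seconds, ten seconds short of the 20-minute minimum, while rounding each call up first yields 21 minutes. Storing seconds and rounding only the monthly total is what keeps the summary defensible.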

Where technically supported, call data integrates with the provider's care plan infrastructure, allowing the patient's care plan to reflect updated information from monitoring calls without manual re-entry. Providers retain full access to call records and can export structured data for their own EHR documentation or audit preparation. The documentation framework covers all four CMS care programs (RPM, CCM, TCM, and PCM), with program-specific data elements layered on the shared base structure.

Content freshness and review cadence

Every substantive provider-facing page on the Positive Check site carries a Last Reviewed date. This is not decorative. CMS updates care management program rules annually, typically through the Medicare Physician Fee Schedule final rule published each November and effective the following January. HHS updates HIPAA guidance on a less predictable schedule but has issued significant omnibus updates that changed business associate obligations materially. Content that does not track these changes misleads providers about their billing and compliance posture.

Our baseline review cadence is quarterly: four scheduled reviews per year in which substantive pages are checked against current CMS and HHS primary sources. When either agency publishes notable guidance (a final PFS rule, a significant MLN booklet update, an HHS omnibus change, a CMS FAQ that materially clarifies program requirements), we conduct an accelerated review of affected content outside the quarterly rhythm. The goal is that no provider reading a Positive Check page is acting on outdated program requirements.

Patients, providers, and researchers who identify content that appears outdated or inaccurate are encouraged to flag it through our contact page. We treat substantive corrections as a priority review item, not a quarterly queue item. If a specific CPT code rate is wrong or a program eligibility criterion has changed, that gets corrected before the next scheduled review.

What we do not do

Boundary-setting is as important as capability claims. The following commitments define the limits of Positive Check's role in a provider's clinical program:

  • We do not make clinical decisions or provide medical advice directly to patients. Every clinical judgment (what a patient's flagged response means, what action to take, whether to adjust a care plan) belongs to the provider and their designated clinical staff.
  • We do not name competitor platforms in our comparison or marketing content. We describe our capabilities and let providers evaluate fit based on their own program requirements.
  • We do not publish commissioned guest posts or paid external reviewer pieces. All content is created in-house and reviewed against primary sources.
  • We do not sell or share PHI beyond what the BAA and treatment, payment, and operations workflow expressly permit. PHI shared with subprocessors is governed by equivalent BAA obligations.
  • We do not bill CMS directly. We support providers who bill by generating the documentation and engagement records their billing teams need. The billing relationship with CMS remains entirely with the provider.

Common questions

Does Positive Check sign a Business Associate Agreement with every provider partner?

Yes. Before any Protected Health Information (PHI) is exchanged, we execute a signed Business Associate Agreement (BAA) with the provider. The BAA covers our Security Rule obligations, breach notification SLAs, subcontractor provisions, and PHI return/destruction at termination.

What happens when a call flags a clinical concern?

The platform is configured with escalation rules agreed with each provider partner. When a patient response triggers an escalation (e.g., a concerning symptom report, missed-medication pattern, or specific safety keyword), the call is flagged in the provider’s dashboard in real time and, when configured, a notification is sent to the designated clinical contact. Positive Check does not make clinical decisions — every flagged concern is routed to a qualified clinician for action.

Who designs the call content (questions and response handling)?

Call content is designed in-house by the Positive Check team and configured per provider to match the clinical program the patient is enrolled in (RPM, CCM, TCM, or PCM). We do not use external guest writers, commissioned reviewers, or third-party content. Providers review and approve the exact call script before enrollment begins.

How does Positive Check keep content current with CMS and HIPAA guidance?

Every provider-facing page on the Positive Check site carries a Last Reviewed date and cites primary CMS or HHS sources (Medicare Physician Fee Schedule, CMS MLN booklets, HHS HIPAA for Professionals). When CMS publishes updates to care management rules (typically in the annual PFS rule) or HHS updates HIPAA guidance, we review and refresh affected content. The internal rhythm is quarterly at minimum, with accelerated review when rule changes land.

Can AI-powered calls satisfy CMS clinical-engagement requirements?

Yes, when the call captures required clinical content, supports real-time two-way patient response, and escalates concerns to a qualified human. CMS defines the interactive communication requirement by content and structure, not by who conducts the call. See our interactive-communication-requirement glossary entry and the full deep-dive at /solutions/remote-patient-monitoring/interactive-communication-requirement.

Key takeaways

  • BAA-first: no PHI moves before the contract is signed.
  • Clinicians decide, platforms surface. We do not practice medicine.
  • Primary-source citations everywhere. No unverified third-party content.
  • Last Reviewed dates enforce freshness; quarterly baseline, accelerated on rule changes.

Further reading

Reviewed against current CMS and HHS guidance. Last updated 2026-04-22.

  • HHS HIPAA for Professionals
  • Medicare Physician Fee Schedule