HIPAA Compliance

Protecting Patient Data Across Every Step of the Behavioral Health Revenue Cycle

CodeMax Medical Billing is fully committed to HIPAA compliance. As a trusted revenue cycle management partner for substance abuse treatment centers, mental health facilities, and eating disorder treatment programs, we understand that safeguarding Protected Health Information is not just a legal obligation — it is foundational to the trust between providers, patients, and every partner in the care continuum.

Healthcare data breaches continue to rise year over year, and behavioral health records carry an especially high sensitivity due to the nature of the diagnoses and treatments involved. At CodeMax, we have built our entire platform — from our proprietary billing software and Client Portal to our HIPAA-compliant mobile application — with security, privacy, and compliance at the core. With over 20 years of experience in behavioral health billing, our team of clinicians and billing experts applies the same rigor to data protection that we bring to maximizing your reimbursements.

Our Role as a HIPAA Business Associate

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act, CodeMax Medical Billing operates as a Business Associate to the covered entities we serve. This means that every time a behavioral health provider entrusts us with patient billing data — from verification of benefits and claims submissions to utilization reviews and payment posting — we are legally and contractually bound to protect that information under the same standards that apply to the provider.

We execute formal Business Associate Agreements (BAAs) with every client before any Protected Health Information (PHI) is exchanged. These agreements define the permitted uses and disclosures of PHI, our obligations to safeguard it, the procedures for reporting any security incidents or breaches, and the terms under which PHI must be returned or destroyed upon termination of services. Our BAAs are reviewed and updated regularly to reflect changes in federal regulations, enforcement guidance from the U.S. Department of Health and Human Services (HHS), and evolving industry best practices.

Administrative Safeguards

Administrative safeguards form the foundation of our HIPAA compliance program. These are the policies, procedures, and organizational measures we maintain to manage the selection, development, implementation, and maintenance of security measures that protect PHI.

Designated Privacy and Security Officers

CodeMax maintains designated HIPAA Privacy and Security Officers responsible for overseeing all aspects of our compliance program. These officers are accountable for developing and enforcing privacy and security policies, conducting risk assessments, managing incident response, coordinating workforce training, and serving as the primary point of contact for all HIPAA-related matters.

Workforce Training and Awareness

Every member of the CodeMax team — from our billing specialists and utilization review clinicians to our software developers and administrative staff — undergoes comprehensive HIPAA training upon hire and receives ongoing education at regular intervals throughout their employment. Training covers the HIPAA Privacy Rule and permissible uses and disclosures of PHI; the HIPAA Security Rule and its requirements for electronic PHI (ePHI); recognizing and reporting potential security incidents and breaches; proper handling of PHI in every format, including electronic, paper, and verbal; social engineering awareness and phishing prevention; and secure use of the CodeMax platform, Client Portal, and mobile application.

Risk Assessments

We conduct regular, comprehensive risk assessments to identify potential vulnerabilities and threats to the confidentiality, integrity, and availability of PHI across our entire operation. These assessments evaluate our software infrastructure, data storage and transmission practices, physical office security, workforce access controls, and third-party vendor relationships. Findings from each assessment drive targeted remediation plans that are implemented, documented, and tracked to completion.

Policies and Procedures

CodeMax maintains a detailed library of written HIPAA policies and procedures that govern every aspect of how PHI is collected, accessed, used, disclosed, stored, transmitted, and disposed of across our organization. These policies are reviewed at least annually and updated in response to changes in regulations, business operations, or identified risks. All policies are accessible to workforce members and are enforced through documented disciplinary procedures.

Physical Safeguards

Our physical safeguards are designed to protect the physical facilities, equipment, and media that house or interact with PHI.

Facility Security

Our office locations in Van Nuys, California, Palmdale, California, and Fort Lauderdale, Florida are equipped with controlled access systems to prevent unauthorized entry. Access to areas where PHI is processed or stored is restricted to authorized personnel only. Visitor access is logged and monitored, and all workstations are positioned to prevent unauthorized viewing of screens displaying sensitive information.

Workstation and Device Security

All workstations and devices used by CodeMax personnel are secured with automatic screen locks, encrypted hard drives, and strong password requirements. Portable devices that may access PHI are equipped with remote wipe capabilities in the event of loss or theft. Physical media containing PHI are stored in locked, access-controlled environments and are disposed of securely using methods that render the data unrecoverable.

Technical Safeguards

Our technical safeguards represent the technology, policies, and procedures we use to protect ePHI and control access to it across our proprietary software platform, Client Portal, and mobile application.

Access Controls

CodeMax enforces strict role-based access controls (RBAC) across all systems. Every user is assigned a unique identifier and granted access only to the specific data and functions required for their role. Access privileges are reviewed regularly and adjusted or revoked immediately when job responsibilities change or employment ends. Multi-factor authentication (MFA) is required for access to systems containing PHI.

Encryption

All PHI transmitted between our systems, the Client Portal, the CodeMax mobile app, and external partners is encrypted using industry-standard protocols. Data in transit is protected by TLS (Transport Layer Security) encryption, and data at rest is secured using AES-256 encryption or equivalent standards. This applies to all channels through which PHI flows — including claims submissions, verification of benefits requests, utilization review communications, and payment data.

Audit Controls and Monitoring

Our systems maintain detailed audit logs that record all access to, creation of, modification of, and transmission of ePHI. These logs capture user identity, timestamps, actions performed, and the specific data involved. Audit logs are reviewed regularly to detect unauthorized access attempts, unusual activity patterns, or potential security incidents. Automated monitoring tools provide real-time alerts for suspicious behavior across our infrastructure.
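The kind of review the paragraph above describes can be automated. The following is an added example written for this page, not code from the CodeMax platform: it runs four detection rules (access outside a user's assigned client scope, access outside business hours, a burst of failed logins, and an unusually large number of distinct patient records viewed in a short window) over constructed sample log lines. The log format, the user-to-client scope table, the business-hours window and the thresholds are all assumptions made for the example.

```python
"""Added example: automated review of ePHI access-log lines.

The log format, user-to-client scope table, business hours and thresholds
below are assumptions made for this example; they are not the CodeMax
platform's actual schema or settings.
"""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Constructed sample records (not real log output). Assumed pipe-delimited format:
#   timestamp|user|role|action|client_id|patient_id|result
SAMPLE_LINES = [
    "2024-03-04T09:02:11Z|bsmith|biller|VIEW|clinic-A|P1001|OK",
    "2024-03-04T09:03:40Z|bsmith|biller|VIEW|clinic-A|P1002|OK",
    "2024-03-04T09:05:02Z|bsmith|biller|VIEW|clinic-B|P2001|OK",      # not in bsmith's scope
    "2024-03-04T02:14:09Z|jdoe|ur_clinician|VIEW|clinic-A|P1003|OK",  # 02:14 UTC, after hours
] + [
    # six failed logins in twenty seconds
    f"2024-03-04T10:00:{i * 4:02d}Z|mlee|biller|LOGIN|-|-|FAIL" for i in range(6)
] + [
    # 25 distinct patient records viewed in under five minutes
    f"2024-03-04T11:{30 + i // 6:02d}:{(i % 6) * 10:02d}Z|tng|biller|VIEW|clinic-A|P{3000 + i}|OK"
    for i in range(25)
]

# Assumed RBAC assignment: which client accounts each user may view.
USER_SCOPE = {"bsmith": {"clinic-A"}, "jdoe": {"clinic-A"}, "mlee": {"clinic-A"}, "tng": {"clinic-A"}}
BUSINESS_HOURS = (time(6, 0), time(22, 0))          # assumed, UTC
FAILED_LOGIN_LIMIT, FAILED_LOGIN_WINDOW = 5, timedelta(minutes=5)
BULK_VIEW_LIMIT, BULK_VIEW_WINDOW = 20, timedelta(minutes=10)


def parse(line):
    """Split one log line into a record with a parsed timestamp."""
    ts, user, role, action, client, patient, result = line.split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user, "role": role,
            "action": action, "client": client, "patient": patient, "result": result}


def review(lines):
    """Return (rule, user, detail) findings for the four anomaly rules below."""
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    findings = []
    failed_logins = defaultdict(deque)   # user -> timestamps of recent failed logins
    recent_views = defaultdict(deque)    # user -> (timestamp, patient) of recent views
    fired = set()                        # (rule, user) already reported, so bursts alert once

    for e in events:
        u = e["user"]
        if e["action"] == "VIEW" and e["result"] == "OK":
            # Rule 1: access to a client account outside the user's assigned scope.
            if e["client"] not in USER_SCOPE.get(u, set()):
                findings.append(("out_of_scope", u, f"{e['client']}/{e['patient']}"))
            # Rule 2: record access outside business hours.
            if not BUSINESS_HOURS[0] <= e["ts"].time() < BUSINESS_HOURS[1]:
                findings.append(("after_hours", u, e["ts"].isoformat()))
            # Rule 3: unusually many distinct patients viewed in a short window.
            q = recent_views[u]
            q.append((e["ts"], e["patient"]))
            while e["ts"] - q[0][0] > BULK_VIEW_WINDOW:
                q.popleft()
            distinct = {p for _, p in q}
            if len(distinct) >= BULK_VIEW_LIMIT and ("bulk_view", u) not in fired:
                fired.add(("bulk_view", u))
                findings.append(("bulk_view", u, f"{len(distinct)} patients in {BULK_VIEW_WINDOW}"))
        elif e["action"] == "LOGIN" and e["result"] == "FAIL":
            # Rule 4: burst of failed logins (credential guessing or a lost device).
            q = failed_logins[u]
            q.append(e["ts"])
            while e["ts"] - q[0] > FAILED_LOGIN_WINDOW:
                q.popleft()
            if len(q) >= FAILED_LOGIN_LIMIT and ("failed_login_burst", u) not in fired:
                fired.add(("failed_login_burst", u))
                findings.append(("failed_login_burst", u, f"{len(q)} failures in {FAILED_LOGIN_WINDOW}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(SAMPLE_LINES):
        print(f"{rule:<20} {user:<8} {detail}")
```

On the constructed input this reports one finding per rule: the after-hours view by jdoe, the out-of-scope view by bsmith, the failed-login burst by mlee, and the bulk access by tng. The sliding windows are kept per user so a legitimate high-volume biller does not mask another user's burst, and each burst rule fires once per user rather than on every subsequent event.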

Integrity Controls

We employ mechanisms to ensure that ePHI is not improperly altered or destroyed. This includes data validation checks during claims processing, automated backups with integrity verification, version control for all records, and checksums to detect unauthorized modifications to stored data. Our billing and claims management workflows are designed to maintain the accuracy of patient financial records from initial verification of benefits through final payment posting.
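One caveat a practitioner would raise on the checksum mechanism above: an unkeyed checksum detects accidental corruption, but anyone with write access to the record store can alter a record and recompute its checksum, so detecting deliberate modification needs a keyed tag whose key lives outside that store. The following is an added example written for this page, not CodeMax code; the sample claim record, the key and the helper names are constructed assumptions, and in production the key would be held in a KMS or HSM.

```python
"""Added example: keyed integrity tags for stored billing records.

The record, the key and the helper names are constructed for this example;
they are not CodeMax code. In practice the key would be held in a KMS or HSM,
never in the same database as the records it protects.
"""
import hashlib
import hmac
import json

# Constructed sample claim record (no real patient data).
RECORD = {"claim_id": "CLM-000123", "patient_id": "P1001", "client_id": "clinic-A",
          "cpt": "90837", "billed_amount": "150.00", "status": "submitted"}
INTEGRITY_KEY = b"example-only-key-stored-outside-the-database"   # assumption for the example


def canonical(record):
    """Serialize deterministically so key order and whitespace cannot change the digest."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def plain_checksum(record):
    """Unkeyed hash: catches accidental corruption, but anyone who can write the row can recompute it."""
    return hashlib.sha256(canonical(record)).hexdigest()


def seal(record, key):
    """Keyed tag (HMAC-SHA256): cannot be recomputed without the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record, tag, key):
    """Constant-time comparison avoids leaking how many tag bytes matched."""
    return hmac.compare_digest(seal(record, key), tag)


def demo():
    """Walk through the cases worth checking; returns the outcomes as booleans."""
    tag = seal(RECORD, INTEGRITY_KEY)

    # Same content with the keys in a different order: the tag must not change.
    reordered = dict(reversed(list(RECORD.items())))

    # An attacker with write access alters the billed amount and, because the
    # checksum algorithm is public, overwrites the stored checksum as well.
    tampered = dict(RECORD, billed_amount="1500.00")
    stored_checksum = plain_checksum(tampered)   # attacker-written value
    stored_tag = tag                             # attacker cannot compute a new tag without the key

    return {
        "original_verifies": verify(RECORD, tag, INTEGRITY_KEY),
        "reordered_verifies": verify(reordered, tag, INTEGRITY_KEY),
        "tampered_verifies": verify(tampered, tag, INTEGRITY_KEY),
        "plain_checksum_fooled": plain_checksum(tampered) == stored_checksum,
        "hmac_catches_tamper": not verify(tampered, stored_tag, INTEGRITY_KEY),
        "wrong_key_rejected": not verify(RECORD, tag, b"some-other-key"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The same pattern applies to backup verification: tag each backup manifest with a key the backup system cannot read, and a restore that fails verification is treated as a potential integrity incident rather than silently accepted.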

Transmission Security

All electronic communications containing PHI — including data exchanged with insurance carriers, healthcare clearinghouses such as Change Healthcare, and our clients' systems — are transmitted over encrypted, secure channels. We do not transmit PHI via unencrypted email or unsecured file transfer methods. Our Client Portal and mobile application use secure HTTPS connections for all data exchanges.

CodeMax Client Portal and Mobile App Security

Our Client Portal at customer-portal.codemaxmb.com and the CodeMax mobile application (available on the Apple App Store and Google Play Store) are purpose-built to give behavioral health providers real-time access to their billing data, utilization review information, and verification of benefits status — all within a HIPAA-compliant environment.

Security features built into our Client Portal and mobile app include secure authentication with unique user credentials for every authorized user, encrypted data transmission for all information exchanged between the app and our servers, role-based access ensuring users only see data relevant to their authorized scope, automatic session timeouts to prevent unauthorized access from unattended devices, and regular security updates and patches (applied server-side for the Client Portal and delivered through the respective app stores for the mobile application).

We recommend that all users access the Client Portal and mobile app through secure, private networks and keep their devices updated with the latest operating system and security patches. Users are responsible for maintaining the confidentiality of their login credentials and reporting any suspected unauthorized access immediately.

Breach Notification Procedures

Despite the strongest safeguards, no system is immune to every possible threat. CodeMax maintains a comprehensive breach notification program in full compliance with the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414).

In the event of a confirmed or suspected breach of unsecured PHI, our designated Security Officer and incident response team immediately contain and investigate the incident. We then perform the risk assessment the Breach Notification Rule calls for (45 CFR § 164.402), weighing the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated, to determine whether a reportable breach has occurred. We notify the affected covered entity client without unreasonable delay and in no case later than 60 calendar days after discovery, as required by 45 CFR § 164.410, or sooner where our BAA sets a shorter deadline. We cooperate fully with the covered entity in fulfilling its obligations to notify affected individuals, the HHS Secretary, and (where applicable) prominent media outlets. All incidents are documented with remediation actions, root cause analysis, and preventive measures to reduce the likelihood of recurrence.

Subcontractor and Vendor Management

CodeMax exercises diligence in evaluating and managing any subcontractors or third-party vendors that may access, process, or store PHI on our behalf. In accordance with HIPAA requirements, we enter into Business Associate Agreements or appropriate data protection agreements with all downstream vendors who handle PHI. Vendors are evaluated based on their security practices, compliance posture, and track record before being engaged. Ongoing oversight includes periodic reviews of vendor compliance and security controls.

Key third-party relationships that involve the handling of healthcare data include healthcare clearinghouse integrations used for claims processing and benefit verification, and cloud infrastructure providers that host our software platform and databases; both receive or store PHI and are governed by Business Associate Agreements or equivalent data protection agreements as described above. The app distribution platforms (Apple App Store and Google Play Store) deliver the mobile application itself and do not receive PHI, which is exchanged directly between the app and our servers over encrypted connections; those relationships are governed by the platforms' developer agreements, which cover the application package and its distribution.

Behavioral Health–Specific Compliance Considerations

Behavioral health records — including those related to substance abuse treatment, mental health care, and eating disorder recovery — are subject to additional layers of federal and state privacy protections beyond standard HIPAA requirements. CodeMax is acutely aware of these heightened sensitivities and builds them into our compliance framework.

42 CFR Part 2 Awareness

Substance use disorder (SUD) treatment records receive special federal protection under 42 CFR Part 2, which imposes stricter consent and disclosure requirements than HIPAA alone. CodeMax understands these regulations and works closely with our substance abuse treatment center clients to ensure that billing and claims processes respect the additional confidentiality requirements applicable to SUD records. We follow client-directed guidance on consent management and disclosure limitations to ensure that no PHI related to substance use disorder treatment is disclosed without proper authorization.

State-Specific Regulations

In addition to federal requirements, CodeMax complies with all applicable state privacy and data protection laws in the jurisdictions where our clients operate. Where state law provides greater privacy protections than HIPAA — as is the case in states like California under the California Confidentiality of Medical Information Act (CMIA) — we apply the more protective standard. Our compliance team monitors regulatory developments at both the federal and state level to ensure our practices remain current.

Continuous Improvement and Compliance Commitment

HIPAA compliance is not a one-time achievement — it is an ongoing commitment that requires continuous investment, vigilance, and adaptation. At CodeMax, our compliance program is designed for continuous improvement through annual comprehensive risk assessments and security audits, regular policy and procedure reviews and updates, ongoing workforce training and awareness programs, proactive monitoring of regulatory changes and enforcement trends, investment in updated security technologies and infrastructure, and lessons-learned integration from any incidents, near-misses, or industry developments.

Our leadership team is directly involved in overseeing our compliance program and is committed to allocating the resources necessary to maintain the highest standards of data protection for our clients and their patients.

Your Responsibilities as a Covered Entity

While CodeMax takes every measure to protect PHI within our systems and operations, HIPAA compliance is a shared responsibility. As a covered entity, your organization plays a critical role in maintaining the security of patient data. We encourage all of our clients to ensure that only authorized personnel access the CodeMax Client Portal and mobile app, use strong and unique passwords for all platform accounts, access our platform through secure and private networks, promptly report any suspected unauthorized access or security concerns to our team, maintain current and complete Business Associate Agreements with CodeMax, and provide accurate and up-to-date patient and insurance information to support compliant billing processes.

Together, we can ensure that every patient's information is protected throughout the entire revenue cycle — from the initial verification of benefits to final reimbursement.

Contact Our Compliance Team

If you have any questions about our HIPAA compliance practices, need to report a security concern, or would like to request a copy of our Business Associate Agreement, please contact us:

CodeMax Medical Billing
7100 Hayvenhurst Ave, Suite 204
Van Nuys, CA 91406
Phone: 866-CODEMAX
Email: info@codemaxmb.com
Website: codemaxmb.com/contact-us

For additional information about how we collect, use, and protect your data, please review our Privacy Policy, Terms and Conditions, and Disclaimer.