Lorem ipsum dolor sit amet, consectetuer adipiscing elit, sed diam nonummy nibh euismod tincidunt ut laoreet dolore magna aliquam erat volutpat.
[contact-form-7 404 "Not Found"]

Security, Privacy, and Compliance

Healthcare is at a crossroads. New technologies and innovations continue to disrupt the industry in ways that bring fantastic new opportunities as well as challenges and risks. Among the most heavily regulated industries in the country, healthcare professionals must navigate a complex terrain of legal requirements, privacy concerns, and cybersecurity threats. ePatientFinder is helping drive these new opportunities for healthcare practitioners and patients alike, while making the protection and security of sensitive health information an overriding priority.


Two key laws apply extensively to healthcare compliance in the United States: HIPAA and Stark Law.

The Health Insurance Portability and Accountability Act (HIPAA) was passed to improve the effectiveness and efficiency of the healthcare system. HIPAA included rules governing the administration of healthcare operations and promoting the use of electronic records, as well provisions for protecting the privacy and security of personal health information (PHI). HIPAA lays out specific situations in which covered health care providers may use and disclose protected PHI, including the use of PHI for identifying alternative treatment options.

Stark Law is actually a set of laws that prohibit physicians from self-referring, particularly when involving Medicare or Medicaid patients being referred to a provider of designated health services with which the physician has a financial relationship.


In recent years, the healthcare industry has seen a substantial increase in cyberattacks by criminals and other hackers seeking to steal information, extort money, or disrupt operations. From ransomware to hacktivists, these threats have created a growing concern among policy makers, physicians, and consumers about security risks within healthcare.

HIPAA promulgates rules on the security and privacy of patients and PHI. Along with other laws, international standards, and industry frameworks, HIPAA is designed to significantly improve healthcare data security and reduce the number of security incidents as well as the proliferation of stolen healthcare data.



ePatientFinder puts compliance and security at the top of the company’s priorities. From dedicated security personnel to specialized secure technologies to a strong culture of data protection, ePatientFinder takes a proactive and innovative approach to protecting the patients and clients who trust us, and the PHI and sensitive data they entrust to us.



ePatientFinder operates as a health care operations organization under HIPAA, involved in the identification of alternative treatment options. The HIPAA Privacy Rule permits a covered health care provider to disclose PHI to health care operations entities like ePatientFinder for the purposes of finding new treatments for their patients. In this arrangement, ePatientFinder acts as a business associate of the physician or practice, under a standard business associate agreement (BAA).

The Privacy Rule permits a covered entity to contract with another entity to serve as its business associate to carry out functions on its behalf involving the use of PHI. Under HIPAA Safe Harbor provisions, no consent or authorization is needed for the provider to disclose patient PHI in a research capacity to identify alternative treatments for patients. Of course, providers may always obtain individual consent to use or disclose PHI at their own discretion.



Protecting sensitive data and PHI is ePatientFinder’s top priority. Our security efforts begin with dedicated staff, starting with our Chief Privacy and Security Officer, a 25-year cybersecurity veteran, who is responsible for keeping information safe. Our platform is developed in and hosted by Aptible, a cloud-based provider of highly secure, HIPAA compliant technologies designed to meet the rigorous security and privacy challenges of working with PHI. All PHI, whether in transit or at rest, is encrypted and access is limited to only those with specific needs to know or access certain data. ePatientFinder has a strong culture of security and regularly trains and tests employees to ensure our “human firewall” is robust.



ePatientFinder has undergone numerous audits and assessments of our business model, our quality management system, and our security and privacy. Internally we test ourselves against industry frameworks for security such as HITRUST and ISO 27001. Externally, we have passed audits by pharmaceutical companies, clinical research organizations, and major EHR vendors. Most recently, ePatientFinder completed a SOC 2 audit, an independent verification of our security controls.


ePatientFinder does not buy or sell patient data under any circumstances.

Stark Law applies to physician referrals and any direct or indirect financial arrangements between a physician or practice and a designated health services (DHS) entity for those services. While ePatientFinder is not an entity that would be directly covered by Stark Law, it’s financial arrangements with DHS entities and with physicians may invoke Stark Law. This will only happen, however, if ePatientFinder has clients who provide designated health services under Stark Law, for which physicians would refer their patients.

Where Stark Law applies, any compensation arrangement must fit into a Stark Exception, even in cases where the purpose of the arrangement is not intended to induce or reward referrals. ePatientFinder may therefore compensate physicians for performing consultations if all of the following conditions are established:

  • Compensation received by the referring physician is fair market value (FMV) for services and items provided and not determined in any manner that takes into account the volume or value of referrals. Additionally, compensation may not be tied to any patient successfully enrolling in a study. (Compensation is for pre-screening)
  • Compensation agreement is set out in writing and signed by the parties, specifying the services covered by the arrangement. (Clinic Participation Agreement, Business Associates Agreement)
  • The service is not reimbursable by a patient’s health insurance or third party payer.
  • Compensation is tied to identifiable work by the referring physician and the work is documented by the physician and submitted to ePatientFinder and the Principle Investigator through ePatientFinder’s application. (Physicians will utilize the checklist provided in the application.

Email sales@epatientfinder.com with any questions.