The discipline behind every Apellica matter.
Apellica handles Protected Health Information under operational controls modeled on HIPAA, HITECH, and SOC 2 Trust Service Criteria. The program below describes how client data is protected end to end.
Encryption in transit
All form submissions, evidence uploads, and client communications travel over TLS 1.2 or higher with modern cipher suites. Apellica never accepts Protected Health Information over plain HTTP or unencrypted email channels.
Encryption at rest
Matter files, medical records, and supporting documentation are stored under AES-256 server-side encryption with HIPAA-aligned cloud vendors operating under signed Business Associate Agreements. Backups inherit the same encryption standard.
Access controls
Access to Protected Health Information is gated by role, authenticated through unique credentials with multi-factor authentication, and logged. Reviewer access is scoped to assigned matters. Administrative access is limited to named operators.
Audit logging
Every read, write, and delete against a client matter generates an immutable audit log entry recording the actor, timestamp, and action. Audit logs are retained for the lifetime of the engagement and are available to clients on written request.
Vendor management
Cloud, email, payment, and analytics vendors are reviewed for HIPAA suitability before engagement. Business Associate Agreements are executed with every vendor that may touch Protected Health Information. Marketing and analytics vendors do not receive PHI.
Incident response
Apellica maintains a written incident response plan with defined escalation paths, notification timelines, and remediation protocols. In the event of a suspected privacy or security incident, affected clients are notified in accordance with applicable HIPAA Breach Notification Rule timelines.
Privacy by design
Apellica collects only the information needed to support an appeal. PHI is not used for marketing, sold, or shared with third parties for any purpose unrelated to the engagement. Marketing emails do not contain PHI.
Continuous review
The security and privacy program is reviewed at least annually by the Chief Compliance Officer and the General Counsel, with independent review of operational controls in connection with performance audit cycles.
For questions about this program or to request the current Notice of Privacy Practices, contact the Privacy Officer at privacy@apellica.com.