Our Commitment
elev8 serves behavioral health treatment centers, detox facilities, and mental health programs across the United States. We understand that our clients operate in one of the most heavily regulated sectors of healthcare, and we take our responsibility to protect sensitive data seriously.
While elev8 is primarily a marketing services and technology company, our systems are designed with healthcare compliance in mind. We do not intentionally collect, transmit, or store Protected Health Information (PHI) through our marketing platforms. Our attribution and analytics systems are architected to track marketing performance without exposing patient-identifiable data.
Business Associate Agreement (BAA)
For clients whose workflows require elev8 to handle data that may constitute PHI, we offer a Business Associate Agreement. Our BAA outlines the specific safeguards, permitted uses, and breach notification procedures in accordance with the HIPAA Privacy Rule and Security Rule.
If your organization requires a BAA, please contact our compliance team at [email protected]. We will review your specific use case and execute an agreement that meets your compliance requirements.
PHI Safeguards
Our approach to PHI is straightforward: minimize collection, maximize protection.
- Marketing campaigns are designed to capture lead data (name, phone, email) without collecting clinical or diagnostic information
- Call tracking systems record calls for quality assurance but do not transcribe or store clinical content unless explicitly authorized under a BAA
- Attribution models use anonymized, aggregated data to measure campaign performance
- Landing pages and forms are configured to collect marketing-relevant information only
- CRM integrations are scoped to avoid syncing clinical records into marketing systems
Data Handling Practices
All data flowing through elev8 systems follows strict handling procedures:
Collection
Data is collected only for specified, legitimate business purposes. We apply data minimization principles at every collection point.
Storage
Data is stored in encrypted databases with role-based access controls. Production data is never used in development or testing environments.
Transmission
All data in transit is encrypted using TLS 1.2 or higher. API communications use authenticated, encrypted channels.
Disposal
Data is securely deleted according to our retention schedule. Client data is purged within 90 days of contract termination unless otherwise required by law.
Technical Safeguards
Encryption
AES-256 encryption at rest, TLS 1.2+ in transit. All database connections require TLS (plaintext connections are refused). Backup data is encrypted.
Access Controls
Role-based access with the principle of least privilege. Multi-factor authentication required for all staff accessing client data. Session timeouts enforced.
Audit Logging
All access to client data is logged with timestamp, user identity, and action performed. Audit logs are retained for 12 months and reviewed regularly.
Network Security
Production infrastructure is isolated behind firewalls with intrusion detection. Regular vulnerability scanning and penetration testing.
Backup & Recovery
Automated daily backups with geographic redundancy. Recovery procedures tested quarterly. RPO of 24 hours, RTO of 4 hours.
Employee Training
All elev8 employees complete HIPAA awareness training during onboarding and annually thereafter. Training covers the Privacy Rule, Security Rule, breach identification, proper data handling procedures, and the specific requirements of working with behavioral health organizations. Employees who handle client data sign confidentiality agreements and are subject to background checks.
Incident Response
In the event of a suspected data breach or security incident, elev8 follows a structured incident response plan:
- Detection & Containment: Immediate isolation of affected systems. Incident response team activated within 1 hour of detection.
- Assessment: Determine the scope, nature, and potential impact of the incident. Identify whether PHI or sensitive data was involved.
- Notification: Affected clients are notified within 24 hours of breach confirmation. Required regulatory notifications are then made in accordance with HIPAA's Breach Notification Rule: business associate notice to the covered entity (45 CFR §164.410), notice to affected individuals (§164.404) without unreasonable delay and in no case later than 60 calendar days after discovery, and notice to HHS (§164.408) on the schedule that rule sets by breach size, plus any applicable state breach notification laws. Note that the HIPAA clock runs from discovery (the day the breach is known, or by exercising reasonable diligence would have been known), not from confirmation.
- Remediation: Root cause analysis performed. Security controls updated to prevent recurrence. Post-incident report shared with affected clients.
Compliance & Certifications
- HIPAA Compliant — BAA available for qualifying clients
- SOC 2 Type II (in progress) — audit underway; attestation report not yet issued
- Encrypted — AES-256 at rest, TLS 1.2+ in transit
This page is provided for general informational purposes and does not constitute legal advice. Questions about this document or how elev8 handles your information?
