- ☁️ Oracle Cloud: HIPAA-Assessed
- 🔐 AES-256: Encryption at Rest
- 🔒 TLS / HTTPS: Encryption in Transit
- 📋 BAA Available: For PHI Engagements
- 📝 Audit Logging: All Systems Active
- ✅ Written Policies: HIPAA Compliant
Infrastructure
Cloud Provider
ROI is hosted on Oracle Cloud Infrastructure (OCI), one of the most security-rigorous enterprise cloud platforms available, with US-based data centers and an extensive compliance portfolio.
HIPAA-Assessed Environment
OCI has been independently assessed to meet HIPAA Security, Privacy, and Breach Notification Rule requirements. A Business Associate Agreement is in place between ROI and Oracle Cloud.
Data Location
All data is stored in the United States. No data is processed or stored outside of US-based data centers.
Environment Isolation
Production systems are isolated in a dedicated cloud compartment, separate from any development or testing environments, limiting the blast radius of any potential incident.
Data Protection
Encryption at Rest
All stored data — including databases and file storage — is encrypted using AES-256, the same standard used by financial institutions and federal agencies.
Encryption in Transit
All data transmitted between your browser and our platform is encrypted using TLS (HTTPS). Unencrypted connections are not accepted.
Customer-Managed Key Vault
Encryption keys are managed using a dedicated cloud vault with controlled key policies. Object storage uses customer-managed AES-256 encryption keys for an additional layer of control.
Data Versioning
Object versioning is enabled on all stored data, protecting against accidental deletion and supporting data integrity verification.
Access & Authentication
Authenticated Access Only
All platform features require a verified account login. Unauthenticated access to subscriber tools and content is not permitted.
Multi-Factor Authentication
MFA is supported and strongly recommended for all user accounts. Enabling MFA adds a critical layer of protection against unauthorized access.
Session Security
Sessions automatically expire after a period of inactivity to prevent unauthorized access on shared or unattended devices.
Least Privilege Access
Internal access to production systems follows the principle of least privilege — no one has more access than required for their specific role.
Monitoring & Incident Response
Comprehensive Audit Logging
All system activity — including API calls, user actions, and resource changes — is logged and archived for long-term security review, as required by HIPAA Technical Safeguards at 45 CFR §164.312(b).
Annual Security Reviews
Documented security reviews of infrastructure, policies, and risk posture are conducted at least annually and more frequently following significant changes.
Written Incident Response Plan
ROI maintains a written Incident Response Plan covering detection, containment, investigation, recovery, and notification procedures in compliance with HIPAA requirements.
Breach Notification Policy
A documented Breach Notification Policy is maintained in compliance with 45 CFR §§164.400–414. Affected individuals and HHS are notified within required timeframes.
HIPAA Compliance Documentation
- ✓ Privacy Officer Designation — formally designated per 45 CFR §164.530(a)
- ✓ Security Official Designation — formally designated per 45 CFR §164.308(a)(2)
- ✓ Breach Notification Policy — per 45 CFR §§164.400–414
- ✓ Workforce Training Policy — per 45 CFR §164.308(a)(5)
- ✓ Workforce Sanction Policy — per 45 CFR §164.308(a)(1)(ii)(C)
- ✓ Data Retention Policy — 7-year consulting records; 90-day post-cancellation
- ✓ Business Associate Agreement (BAA) — template available for consulting clients
- ✓ Oracle Cloud BAA — in place with hosting provider
HIPAA & Business Associate Agreements
ROI's core platform tools — the EDI Code Intelligence Lab, Revenue Integrity Audit, 90-Day Action Plan generator, and appeal templates — are designed to operate without requiring patient-identifiable information. The platform is built for operational and administrative use by billing professionals, not for storing or processing individual patient records.
For consulting services or custom engagements where Protected Health Information (PHI) may be involved, a signed Business Associate Agreement (BAA) is required before any PHI is shared with ROI. No PHI will be accepted in any context without a signed BAA on file.
Responsible Disclosure — Report a Security Issue
If you believe you have discovered a security vulnerability in the ROI platform, please report it responsibly to compliance@roithatworks.com with the subject line "Security Disclosure." We commit to acknowledging your report within 48 hours and working with you in good faith to understand and resolve the issue. We ask that you not publicly disclose the issue until we have had a reasonable opportunity to address it. We do not pursue legal action against researchers acting in good faith.
Contact
Mindy Corbett, CSPO, CPC, CPB, CPPM
Founder & HIPAA Privacy / Security Official
Revenue Optimization & Intelligence
For BAA requests, security inquiries, privacy rights requests, breach reporting, or compliance questions, email compliance@roithatworks.com. All security and compliance inquiries receive a response within 2 business days.