Compliance-first · BAA included

HIPAA-Compliant Virtual Medical Assistants

A HIPAA-compliant virtual medical assistant is a trained remote healthcare professional who only handles protected health information (PHI) under a signed Business Associate Agreement (BAA), after completing HIPAA training, and through encrypted, access-controlled, audit-logged systems. Staffing For Doctors signs a BAA before any PHI is touched, trains and annually re-tests every assistant on HIPAA, and enforces SOC 2-aligned device, access, and logging controls - all at a flat $14 per hour, live in 48 hours.

What actually makes a virtual medical assistant HIPAA-compliant

HIPAA compliance is not a checkbox or a certificate a person earns once. It is a set of administrative, physical, and technical safeguards that govern how a workforce member accesses, transmits, and stores protected health information. A virtual medical assistant is HIPAA-compliant only when those safeguards are in force every time they touch a patient record - not just on the day they were hired.

In practice that means four things must all be true: there is a signed Business Associate Agreement between your practice and the staffing company before any PHI is accessed; the assistant has completed documented HIPAA training and is re-tested on a schedule; PHI moves only over encrypted, access-controlled systems; and every access is captured in an audit log you can review. Miss any one of those and the arrangement is not compliant, regardless of what a job title says.

The four-pillar compliance stack

Every Staffing For Doctors placement sits on these four pillars before they ever open your EHR. Each one is documented, enforced, and auditable.

HIPAA training + annual re-testing

Every assistant completes documented HIPAA Privacy and Security Rule training before placement and is re-tested at least annually. Training covers minimum-necessary access, PHI handling, breach reporting, and the specific workflows of your specialty. Completion records are retained and available on request.

Business Associate Agreement (BAA)

We sign a BAA with your practice before any assistant accesses PHI. The BAA defines permitted uses, safeguard obligations, breach-notification timelines, and the return or destruction of PHI at termination - making our HIPAA obligations contractually enforceable, not just promised.

SOC 2 Type II-aligned controls

Our access, change-management, and monitoring controls are built to the SOC 2 Type II framework (audit in progress). Role-based access enforces minimum-necessary, credentials are provisioned and revoked through a tracked process, and security policies are reviewed on a fixed cadence.

Encrypted, audited devices + audit logs

Assistants work from company-managed, encrypted devices over 256-bit SSL connections, with screen-lock, disk encryption, and endpoint controls enforced. Every EHR and portal session is captured in an audit log, so you can review exactly who accessed which record and when.

What a BAA is and when we sign it

A Business Associate Agreement is the contract HIPAA requires whenever a covered entity (your practice) shares protected health information with a vendor (the business associate) that performs work on its behalf. It is the legal instrument that extends your HIPAA obligations to us and makes them enforceable. Without a signed BAA in place, sharing PHI with any outside party is itself a HIPAA violation.

Staffing For Doctors signs the BAA before your assistant is granted any access to PHI - never after. We provide our standard BAA, and we are happy to execute yours instead if your compliance team prefers it.

  • Signed before any PHI is accessed - access is provisioned only after execution.
  • Defines permitted uses, safeguards, and breach-notification timelines in writing.
  • Covers return or secure destruction of PHI when an engagement ends.

How we enforce HIPAA day to day

  1. Provision access on minimum-necessary

     Each assistant receives only the EHR and portal permissions their role requires. We do not request blanket admin access, and unused permissions are removed.

  2. Encrypt every connection and device

     Work happens over 256-bit SSL on company-managed, encrypted endpoints with screen-lock and disk encryption enforced - no PHI is stored on personal machines.

  3. Log and review every access

     EHR and portal activity is captured in audit-grade logs. You can review who touched which record and when, and we cooperate fully with your own audit requirements.

  4. Revoke and report immediately

     Credentials are revoked the same day an assignment ends, and any suspected incident is escalated to your practice within the breach-notification window defined in the BAA.

Pricing

$14/hr
  • Full-time, 40 hours per week (≈$2,425 per month)
  • BAA, HIPAA training, and encrypted devices included - no compliance surcharge
  • Same-week replacement if it isn't the right fit

Ready for a HIPAA-compliant virtual medical assistant?

BAA signed before any PHI. Live in 48 hours. Flat $14 per hour.