HIPAA COMPLIANCE STATEMENT

Red Stapler Project
Commitment to Protecting Health Information Privacy and Security

Last Updated: January 1, 2026

OUR COMMITMENT TO HIPAA COMPLIANCE

Red Stapler Project is committed to maintaining the highest standards of privacy and security for Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations.

As a professional consulting service that regularly handles medical records, treatment documentation, and other health information on behalf of plaintiff personal injury attorneys, we recognize our legal and ethical obligations under HIPAA and take these responsibilities seriously.

This page explains:

  • Our role under HIPAA
  • How we protect health information
  • Your rights regarding health information
  • Our compliance measures and safeguards
  • How to contact us with HIPAA-related concerns

1. OUR ROLE AS A HIPAA BUSINESS ASSOCIATE

1.1 What is a Business Associate?

Under HIPAA, a Business Associate is a person or entity that performs certain functions or activities involving the use or disclosure of Protected Health Information on behalf of a HIPAA Covered Entity (such as a healthcare provider or health plan).

1.2 Red Stapler Project’s Status

When providing consulting services to plaintiff attorneys who share medical records and health information with us:

Red Stapler Project operates either:

  • As a Business Associate to the attorneys who engage our services (who may be Covered Entities if they are HIPAA hybrid entities)
  • Or as a conduit for health information that attorneys have received from their clients

Our Business Associate Functions include:

  • Reviewing and analyzing medical records for case evaluation
  • Assessing treatment documentation and medical bills
  • Evaluating health information for insurance claim purposes
  • Providing strategic guidance based on health information
  • Preparing reports that reference or summarize health information

1.3 Business Associate Agreements

Before we receive any Protected Health Information, we execute a Business Associate Agreement (BAA) with each client that includes:

  • Permitted uses and disclosures of PHI
  • Safeguards to prevent misuse of PHI
  • Reporting of security incidents and breaches
  • Return or destruction of PHI at engagement termination
  • Subcontractor requirements
  • Client’s right to audit our compliance
  • Termination provisions for breach

A BAA is a legal requirement under HIPAA and protects both parties by clearly defining obligations and responsibilities.

2. WHAT IS PROTECTED HEALTH INFORMATION (PHI)?

2.1 Definition

Protected Health Information (PHI) is individually identifiable health information that:

  • Is created or received by a healthcare provider, health plan, or healthcare clearinghouse
  • Relates to the past, present, or future physical or mental health of an individual
  • Identifies the individual or could be used to identify the individual
  • Is transmitted or maintained in any form or medium (electronic, paper, or oral)

2.2 Examples of PHI We May Receive

In the course of providing consulting services, we may receive PHI including:

Medical Records:

  • Hospital and emergency room records
  • Physician notes and treatment records
  • Therapy and rehabilitation documentation
  • Diagnostic test results (X-rays, MRIs, CT scans, lab work)
  • Surgical reports and operative notes
  • Discharge summaries
  • Mental health treatment records

Personal Identifiers:

  • Names, addresses, and contact information
  • Dates (birth dates, treatment dates, admission/discharge dates)
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers
  • Device identifiers and serial numbers
  • Biometric identifiers (fingerprints, voice prints)
  • Full-face photographs
  • Any other unique identifying numbers or characteristics

Health Information:

  • Diagnoses and medical conditions
  • Treatment plans and medications
  • Test results and findings
  • Prognosis and recovery information
  • Mental health status
  • Substance abuse treatment information
  • HIV/AIDS status
  • Genetic information

Billing and Insurance Information:

  • Medical bills and itemized statements
  • Insurance claims and explanations of benefits
  • Payment information
  • Health insurance policy information

2.3 Information That Is NOT PHI

The following is not considered PHI:

  • De-identified information (all 18 identifiers removed)
  • Employment records maintained in personnel files
  • Education records covered by FERPA
  • Information about deceased individuals (more than 50 years after death)

3. HOW WE USE AND DISCLOSE PHI

3.1 Permitted Uses – Providing Services to You

We use and disclose PHI only as necessary to perform the consulting services you have engaged us to provide:

Case Audit Services:

  • Reviewing medical records to evaluate case strength
  • Analyzing treatment patterns and documentation
  • Identifying documentation gaps or weaknesses
  • Predicting insurance carrier evaluations
  • Assessing medical necessity of treatment
  • Preparing comprehensive case audit reports

Strategic Consultation:

  • Discussing health information during consultation calls
  • Providing guidance on medical record presentation
  • Analyzing carrier responses to medical documentation
  • Advising on additional medical documentation needed

Training and Education:

  • Using de-identified or hypothetical examples in training
  • Teaching proper handling of medical records
  • Explaining insurance evaluation of health information
  • Note: We never use identifiable PHI in training without explicit written authorization

3.2 Minimum Necessary Standard

We adhere to HIPAA’s “minimum necessary” standard:

  • We request only the minimum amount of PHI necessary to accomplish our consulting purpose
  • We use and disclose only the minimum necessary to achieve the intended purpose
  • We limit access to PHI within our organization to those who need it to perform their job functions
  • We have policies and procedures to ensure compliance with this standard

Example: If we only need to evaluate treatment gaps, we request treatment records and dates, not entire medical histories unless necessary for context.

3.3 Disclosures We Do NOT Make

We do NOT disclose PHI:

  • To insurance carriers or defense counsel (we work exclusively for plaintiff attorneys)
  • To other clients or third parties for marketing purposes
  • For our own commercial purposes unrelated to providing services to you
  • To opposing parties in litigation
  • For research purposes without authorization
  • To family members or friends of patients
  • On social media or public forums
  • In response to casual inquiries

3.4 Required Disclosures

We are required by law to disclose PHI:

To You (The Client):

  • When you request access to PHI we hold on your behalf
  • To provide accounting of disclosures (if requested)
  • To notify you of breaches

To Government Authorities:

  • When required by law (court orders, subpoenas with proper authority)
  • To the Secretary of Health and Human Services for HIPAA compliance investigations
  • As required by other applicable laws and regulations

We will notify you of legal demands for PHI when legally permitted to do so.

3.5 Permitted Disclosures to Subcontractors

If we engage subcontractors or vendors who may have access to PHI:

  • We obtain your approval before engagement
  • We execute a Business Associate Agreement with the subcontractor
  • We ensure the subcontractor maintains equivalent HIPAA safeguards
  • We monitor and oversee the subcontractor’s use of PHI
  • We require the subcontractor to report any breaches or incidents

Current subcontractors with potential PHI access:

  • Secure cloud storage providers (encrypted storage)
  • Email service providers (encrypted communication)
  • IT security and backup services

All subcontractors are HIPAA-compliant and contractually bound to protect PHI.

4. SECURITY SAFEGUARDS FOR PHI

4.1 The Three Types of HIPAA Safeguards

HIPAA requires three categories of safeguards to protect PHI:

  1. Administrative Safeguards – Policies, procedures, and training
  2. Physical Safeguards – Physical access controls and protections
  3. Technical Safeguards – Technology security measures

We maintain comprehensive safeguards in all three categories.

4.2 Administrative Safeguards

Security Management Process:

  • Risk analysis conducted annually
  • Risk management plan implemented
  • Security incident procedures established
  • Regular security evaluations performed

Workforce Security:

  • Renée Soileau and any staff undergo HIPAA training annually
  • Background checks conducted for anyone with PHI access
  • Clear job responsibilities and access levels defined
  • Termination procedures ensure PHI access revocation

Information Access Management:

  • Access to PHI limited to authorized personnel only
  • Role-based access controls implemented
  • Access rights reviewed periodically
  • Minimum necessary access enforced

Security Awareness and Training:

  • Annual HIPAA training for all personnel with PHI access
  • Training on security reminders, protection from malicious software
  • Training on log-in monitoring and password management
  • Incident response training

Security Incident Procedures:

  • Procedures to identify, respond to, report, and mitigate security incidents
  • Incident documentation and tracking
  • Regular review and updates to procedures

Contingency Planning:

  • Data backup plan with encrypted backups
  • Disaster recovery plan
  • Emergency mode operation plan
  • Testing and revision procedures

Business Associate Contracts:

  • BAA required with all vendors/subcontractors with PHI access
  • Contract provisions ensure HIPAA compliance
  • Regular review of business associate compliance

4.3 Physical Safeguards

Facility Access Controls:

  • Office space secured with locked doors
  • Access limited to authorized personnel
  • Visitor log maintained
  • After-hours security measures

Workstation Use and Security:

  • Clear desk policy – PHI not left unattended
  • Computer screens positioned away from public view
  • Automatic screen locks after inactivity
  • Secure workstation locations

Device and Media Controls:

  • All devices with PHI are encrypted
  • Portable media (USB drives, external hard drives) encrypted
  • Secure disposal of media containing PHI (shredding, wiping)
  • Physical media tracked and logged
  • Devices not left in vehicles or unsecured locations

Secure Document Handling:

  • Physical documents locked in filing cabinets
  • Documents transported in locked bags/cases
  • Secure shredding for disposal
  • Limited document printing (prefer electronic)

4.4 Technical Safeguards

Access Controls:

  • Unique user IDs for all system users
  • Strong password requirements (minimum 12 characters, complexity)
  • Multi-factor authentication where available
  • Automatic logoff after 15 minutes of inactivity
  • Emergency access procedures for critical situations

Audit Controls:

  • Logging of all PHI access and activities
  • Regular review of audit logs
  • Monitoring for unusual access patterns
  • Audit trails maintained for 6 years

Integrity Controls:

  • Mechanisms to verify PHI has not been altered or destroyed inappropriately
  • Digital signatures and checksums where appropriate
  • Version control for documents
  • Change logging and tracking

Transmission Security:

  • All PHI transmitted electronically is encrypted using 256-bit AES encryption or stronger
  • Secure email (encrypted) required for any PHI transmission
  • Secure file transfer protocols (SFTP, HTTPS)
  • No PHI transmitted via standard unencrypted email
  • No PHI transmitted via text message or public messaging apps
  • VPN used for remote access

Encryption at Rest:

  • All devices storing PHI encrypted (laptops, phones, tablets, external drives)
  • Cloud storage encrypted (at rest and in transit)
  • File-level encryption for sensitive documents
  • Encryption keys securely managed

Network Security:

  • Firewall protection
  • Intrusion detection and prevention systems
  • Regular security updates and patches
  • Antivirus and anti-malware software
  • Secure Wi-Fi networks (WPA3 encryption)
  • Network segmentation where appropriate

5. BREACH NOTIFICATION PROCEDURES

5.1 What is a Breach?

Under HIPAA, a breach is an impermissible use or disclosure of PHI that compromises the security or privacy of the PHI.

A breach occurs when:

  • PHI is acquired, accessed, used, or disclosed in a way not permitted
  • The incident compromises the security or privacy of the PHI
  • There is more than a low probability that the PHI has been compromised

Examples of breaches:

  • Unauthorized person accesses PHI
  • PHI sent to wrong recipient
  • Lost or stolen unencrypted device containing PHI
  • Hacking or malware incident exposing PHI
  • Improper disposal of PHI (not shredded)
  • PHI publicly disclosed (posted online, left in public place)

5.2 Exceptions – Not Considered Breaches

The following incidents are NOT considered breaches:

  • Unintentional acquisition, access, or use by workforce member acting in good faith within scope of authority
  • Inadvertent disclosure from authorized person to another authorized person at same entity
  • Disclosure where unauthorized person could not reasonably have retained the information

5.3 Our Breach Response Procedures

If we discover a breach or potential breach involving PHI:

Immediate Actions (Within 24 Hours):

  1. Identify and contain the breach
  2. Notify you (the client) immediately
  3. Begin investigation to determine scope
  4. Implement mitigation measures

Investigation Phase (Within 48 Hours):

  1. Determine what PHI was involved
  2. Identify individuals whose PHI was affected
  3. Assess the nature and extent of the breach
  4. Determine whether encryption or other protections rendered PHI unusable/indecipherable
  5. Evaluate the unauthorized person who accessed PHI (if known)
  6. Assess whether PHI was actually acquired or viewed
  7. Determine risk of harm to individuals

Risk Assessment: We conduct a thorough risk assessment considering:

  • Type and amount of PHI involved
  • Who impermissibly used or disclosed the PHI
  • Whether PHI was actually acquired or viewed
  • Extent to which risk has been mitigated

Notification Phase (Within 60 Days):

To You (Client/Covered Entity):

  • Detailed written notification within 5 business days of discovery
  • Information about the breach, PHI involved, and individuals affected
  • Steps we’ve taken to investigate, mitigate, and prevent future breaches
  • Contact information for questions

To Affected Individuals (Your Responsibility as Covered Entity):

  • You are responsible for notifying affected individuals
  • We will provide you with information needed for notification
  • Notification must occur within 60 days of discovery
  • Must include description of breach, types of PHI involved, steps to protect from harm, and contact information

To HHS (Department of Health and Human Services):

  • If breach affects 500+ individuals: Notify HHS within 60 days
  • If breach affects <500 individuals: Log and report annually
  • You (as Covered Entity) are responsible for HHS notification
  • We will cooperate and provide necessary information

To Media (If Applicable):

  • If breach affects 500+ individuals in same state/jurisdiction
  • Notification to prominent media outlets required
  • You (as Covered Entity) responsible for notification
  • We will support as needed

5.4 Post-Breach Actions

After a breach, we:

  • Conduct thorough investigation to determine root cause
  • Implement corrective actions to prevent recurrence
  • Review and update security policies and procedures
  • Provide additional training to workforce
  • Document all breach-related activities
  • Cooperate fully with any regulatory investigations

We maintain breach documentation for 6 years including:

  • Date of breach discovery
  • Description of breach
  • PHI involved and individuals affected
  • Investigation findings
  • Mitigation and corrective actions taken

6. YOUR RIGHTS REGARDING PHI

6.1 Right to Access PHI

You have the right to:

  • Request access to PHI we maintain on your behalf
  • Inspect and review PHI in our possession
  • Obtain copies of PHI we hold

How to exercise this right:

  • Submit written request to our contact page
  • Specify what PHI you want to access
  • We will respond within 30 days
  • We may charge reasonable copy fees

We cannot deny your right to access PHI except in limited circumstances defined by HIPAA.

6.2 Right to Amendment

You have the right to:

  • Request that we amend PHI we maintain on your behalf
  • Correct inaccurate or incomplete PHI

How to exercise this right:

  • Submit written request identifying the PHI to be amended
  • Provide reason for the amendment
  • We will respond within 60 days
  • If we deny the request, we will explain why and inform you of your right to submit a statement of disagreement

Note: We may deny amendment if:

  • We did not create the PHI (it came from another source)
  • PHI is not part of information we maintain
  • PHI is accurate and complete as is

6.3 Right to Accounting of Disclosures

You have the right to:

  • Receive an accounting of disclosures of PHI we have made
  • Know to whom we have disclosed your PHI

Accounting includes:

  • Date of disclosure
  • Name and address of recipient
  • Description of PHI disclosed
  • Purpose of disclosure

How to exercise this right:

  • Submit written request to our contact form
  • Specify the time period (up to 6 years prior)
  • We will respond within 60 days
  • First accounting in 12-month period is free
  • Subsequent requests may incur reasonable fees

Accounting does NOT include:

  • Disclosures to you
  • Disclosures for treatment, payment, or healthcare operations
  • Disclosures pursuant to your authorization
  • Disclosures for national security or intelligence purposes
  • Disclosures to correctional institutions or law enforcement

6.4 Right to Request Restrictions

You have the right to:

  • Request restrictions on how we use or disclose PHI
  • Request limits on who we disclose PHI to

How to exercise this right:

  • Submit written request specifying the restriction
  • We will consider your request but are not required to agree
  • If we agree, we will comply with the restriction unless needed for emergency treatment
  • We will notify you if we cannot agree to the restriction

6.5 Right to Request Confidential Communications

You have the right to:

  • Request that we communicate with you about PHI by alternative means or at alternative locations

How to exercise this right:

  • Submit written request specifying how or where you wish to be contacted
  • We will accommodate reasonable requests
  • We may ask for information about how payment will be handled

6.6 Right to Notification of Breach

You have the right to:

  • Be notified if a breach of your PHI occurs
  • Receive notification within 60 days of discovery

Notification will include:

  • Description of what happened
  • Types of PHI involved
  • Steps you can take to protect yourself
  • What we are doing to investigate and prevent future breaches
  • Contact information for questions

6.7 Right to Obtain Paper Copy of This Notice

You have the right to:

  • Receive a paper copy of this HIPAA Compliance Statement at any time

How to exercise this right:

  • Request via email: Contact Form
  • Request via phone: (858) 752-1772
  • Download from our website: redstaplerproject.com/hipaa-compliance

7. DATA RETENTION AND DESTRUCTION

7.1 Retention Period

We retain PHI only for the minimum time necessary:

During Active Engagement:

  • PHI retained securely throughout consulting engagement
  • Used only for purposes of providing services

Post-Engagement Retention:

  • PHI retained for 90 days after engagement conclusion
  • Retention allows for follow-up questions and quality assurance
  • PHI remains subject to all HIPAA safeguards during retention period

Extended Retention:

  • Available upon your written request
  • Must be justified by legitimate business need
  • Subject to separate retention agreement
  • Additional security measures may apply

7.2 Secure Destruction

At end of retention period, we permanently destroy PHI:

Electronic PHI:

  • Permanent deletion from all systems and devices
  • Overwriting of data to DOD 5220.22-M standard (or equivalent)
  • Deletion from all backup systems
  • Verification of complete destruction
  • Certificate of destruction available upon request

Physical PHI:

  • Cross-cut shredding of paper documents (minimum 5/32″ x 1-1/2″ particles)
  • Shredding performed by certified shredding service or in-house with documented chain of custody
  • Physical destruction of media (CDs, DVDs, hard drives)
  • Certificate of destruction maintained

7.3 Early Destruction

You may request immediate destruction of PHI at any time:

  • Submit written request via email
  • We will destroy PHI within 10 business days
  • Provide written confirmation of destruction
  • Certificate of destruction available upon request

7.4 Legal Hold Exception

We may retain PHI beyond normal retention period if:

  • Legal proceedings are pending or reasonably anticipated
  • Government investigation is ongoing
  • Required by law or regulation
  • You request extended retention in writing

PHI on legal hold:

  • Remains subject to all HIPAA safeguards
  • Access restricted to essential personnel only
  • Retained only for duration of legal requirement
  • Destroyed promptly when hold is lifted

8. TRAINING AND WORKFORCE COMPLIANCE

8.1 HIPAA Training Program

All personnel with access to PHI receive comprehensive HIPAA training:

Initial Training:

  • Provided before any access to PHI is granted
  • Covers HIPAA Privacy Rule, Security Rule, and Breach Notification Rule
  • Reviews organizational policies and procedures
  • Explains roles and responsibilities
  • Tests comprehension

Annual Refresher Training:

  • Updated training provided yearly
  • Reviews policy changes and updates
  • Addresses new threats and security concerns
  • Reinforces best practices
  • Tests continued comprehension

Topic-Specific Training:

  • Encryption and secure transmission
  • Password security and access controls
  • Physical security measures
  • Breach identification and response
  • Minimum necessary standard
  • Patient rights and requests
  • Incident reporting

Training Documentation:

  • Training completion records maintained
  • Certificates of completion issued
  • Records retained for 6 years
  • Available for audit or review

8.2 Workforce Security Policies

Clear Policies and Procedures:

  • Written policies covering all HIPAA requirements
  • Procedures for routine operations and exceptional circumstances
  • Regular review and updates (at least annually)
  • Accessible to all workforce members

Sanctions for Non-Compliance:

  • Progressive discipline policy for HIPAA violations
  • Violations addressed promptly and consistently
  • Range from counseling to termination depending on severity
  • Documentation of sanctions maintained

Reporting Obligations:

  • Workforce members required to report suspected violations
  • Confidential reporting mechanism available
  • No retaliation for good faith reporting
  • Prompt investigation of all reports

9. HIPAA COMPLIANCE MONITORING

9.1 Internal Monitoring and Auditing

We conduct regular compliance monitoring:

Quarterly Security Reviews:

  • Access log reviews
  • Security incident reviews
  • Policy compliance assessments
  • Physical security checks

Annual Risk Assessments:

  • Comprehensive evaluation of potential risks to PHI
  • Analysis of current safeguards
  • Identification of vulnerabilities
  • Recommendations for risk mitigation

Periodic Audits:

  • Random audits of PHI access and use
  • Review of workforce compliance
  • Testing of security controls
  • Assessment of business associate compliance

Continuous Improvement:

  • Regular updates to policies and procedures
  • Implementation of enhanced security measures
  • Adoption of new technologies and best practices
  • Ongoing workforce education

9.2 External Reviews and Audits

We cooperate fully with:

HHS Office for Civil Rights (OCR):

  • Compliance reviews and investigations
  • Complaint investigations
  • Breach investigations
  • Corrective action plans

Your Audits:

  • As permitted under our Business Associate Agreement
  • You may request documentation of our compliance
  • You may conduct on-site reviews (with reasonable notice)
  • We will provide access to relevant records and personnel

Third-Party Security Assessments:

  • Periodic penetration testing
  • Vulnerability assessments
  • Security audits by qualified professionals

10. CHANGES TO THIS HIPAA COMPLIANCE STATEMENT

10.1 Updates and Revisions

We may update this statement to reflect:

  • Changes in HIPAA regulations
  • Changes in our business practices
  • New technologies or security measures
  • Recommendations from audits or assessments

When we make changes:

  • We update the “Last Updated” date
  • We post the revised statement on our website
  • We notify active clients via email of material changes
  • Previous versions available upon request

10.2 Effective Date of Changes

Changes are effective:

  • Immediately upon posting for future engagements
  • 30 days after notification for active engagements
  • Material changes may require updated Business Associate Agreements

11. COMPLAINTS AND CONCERNS

11.1 How to File a HIPAA Complaint With Us

If you believe we have violated HIPAA or your privacy rights:

Contact Us Directly:

  • Email: Contact Form
  • Subject Line: “HIPAA Complaint”
  • Phone: (858) 752-1772

Provide:

  • Your name and contact information
  • Description of the incident or concern
  • Date(s) of the incident
  • Any supporting documentation

Our Response:

  • We take all complaints seriously
  • We will acknowledge receipt within 5 business days
  • We will investigate promptly and thoroughly
  • We will respond within 30 days with findings and actions taken
  • No retaliation for filing complaints in good faith

11.2 How to File a Complaint With HHS

You have the right to file a complaint with the federal government:

Office for Civil Rights (OCR)
U.S. Department of Health and Human Services

Online:
https://ocrportal.hhs.gov/ocr/portal/lobby.jsf

By Mail:
Office for Civil Rights
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Room 509F, HHH Building
Washington, D.C. 20201

By Phone:
1-800-368-1019 (TDD: 1-800-537-7697)

Filing Deadline:

  • Must file within 180 days of the incident
  • May request extension for good cause

No Retaliation:

  • We will not retaliate against you for filing a complaint with HHS
  • Your rights and our services will not be affected
  • Retaliation is prohibited by HIPAA

12. ADDITIONAL RESOURCES

12.1 HIPAA Information and Guidance

U.S. Department of Health and Human Services:
Website: https://www.hhs.gov/hipaa
Comprehensive information about HIPAA rules and compliance

Office for Civil Rights (OCR):
Website: https://www.hhs.gov/ocr
Enforcement, guidance, and complaint process

HIPAA Privacy Rule:
45 CFR Part 160 and Part 164, Subparts A and E

HIPAA Security Rule:
45 CFR Part 160 and Part 164, Subparts A and C

HIPAA Breach Notification Rule:
45 CFR Part 164, Subpart D

12.2 Questions About This Statement

For questions about our HIPAA compliance:

Red Stapler Project
HIPAA Privacy Officer: Renée Soileau
Email: Contact Form
Phone: (858) 752-1772
Address: La Mesa, CA

Response Time:

  • We respond to inquiries within 2 business days
  • Complex questions may require up to 5 business days
  • We provide clear, comprehensive answers

13. ACKNOWLEDGMENT

Red Stapler Project acknowledges that:

✓ We understand our obligations as a HIPAA Business Associate
✓ We have implemented comprehensive safeguards to protect PHI
✓ We maintain ongoing compliance with all HIPAA requirements
✓ We take our responsibility to protect health information seriously
✓ We will promptly address any compliance issues that arise
✓ We will cooperate fully with oversight and enforcement activities
✓ We will continuously improve our privacy and security practices

We are committed to earning and maintaining your trust through exemplary HIPAA compliance and protection of sensitive health information.

SUMMARY OF KEY COMMITMENTS

We Promise To:

🔒 Protect All PHI with technical, physical, and administrative safeguards
🔒 Use PHI Only for providing consulting services to you
🔒 Never Disclose PHI to unauthorized parties or for improper purposes
🔒 Maintain Encryption for all PHI transmission and storage
🔒 Train Our Workforce on HIPAA compliance and security measures
🔒 Report Breaches promptly and comply with notification requirements
🔒 Respect Your Rights regarding access, amendment, and accounting
🔒 Honor BAA Terms and comply with all contractual obligations
🔒 Monitor Compliance through regular audits and risk assessments
🔒 Continuously Improve our privacy and security practices

CONTACT INFORMATION

HIPAA Privacy Officer:
Renée Soileau
Red Stapler Project

Email: Contact Form
Phone: (858) 752-1772
Address: La Mesa, California

Office Hours: Monday-Friday, 9:00 AM – 5:00 PM PST
Emergency Contact: Available via email 24/7 for breach notifications

This HIPAA Compliance Statement demonstrates Red Stapler Project’s commitment to protecting the privacy and security of Protected Health Information in accordance with federal law. We take these obligations seriously and continuously work to maintain the highest standards of compliance.

For additional information about HIPAA or to download forms and templates, visit our Resources page or contact us directly.

Disclaimer: Red Stapler Project provides consulting and educational services. We do not practice law, serve as expert witnesses, or provide legal advice. All services are designed to support attorneys in their representation of clients.