How Hayden Barnes Law Keeps Your Information Safe

T. Hayden Barnes, Esq.

When you hand over a stack of medical bills, you are handing over a lot more than dollar amounts. Those documents contain diagnoses, procedure codes, insurance identifiers, and sometimes information you have not even shared with your family. We know that. Every decision we make about how this firm handles technology starts from that fact.

This post walks through what we actually do to protect your data. Not marketing language, just the real specifics.

Encryption Everywhere

Every piece of data you send us is encrypted in transit using TLS 1.2 or higher. That is the same protocol your bank uses. When your browser shows the little padlock icon, that is TLS doing its job, making sure nobody between your device and our servers can read the data moving back and forth.

Once your data reaches our systems, it does not sit around unprotected. Everything is encrypted at rest using AES-256, which is the encryption standard the U.S. government uses for classified information. Think of it as a lock where the key is 256 bits long. There are more possible key combinations than there are atoms in the observable universe. Nobody is brute-forcing that.

What HIPAA Actually Requires

HIPAA gets thrown around a lot, usually as a vague gesture toward “we care about privacy.” Here is what it actually means for how we operate.

HIPAA has three rules that matter here:

  • The Privacy Rule governs who can see your protected health information (PHI) and under what circumstances. We only access your records when it is necessary for your case. Period.
  • The Security Rule sets technical and administrative requirements for protecting electronic PHI. This covers everything from how we configure our servers to how we train anyone who touches the system.
  • The Breach Notification Rule requires us to notify you if there is ever an unauthorized disclosure of your information. We have never had to send that notification, and the entire system is designed to keep it that way.

Every vendor we work with that could potentially access your health information signs a Business Associate Agreement (BAA). That is a legal contract that holds them to the same HIPAA standards we follow. No BAA, no access to our systems.

No Passwords to Remember

We use magic link authentication for client portal access. When you need to log in, you enter your email address. We send you a unique, time-limited link. Click it, and you are in. That is it.

This is not a convenience shortcut. It is genuinely more secure than passwords. Here is why: most security breaches happen because someone reuses a password from another site that got compromised, or because they pick something guessable. With magic links, there is no password to reuse, no password to guess, and no password sitting in a database waiting to be stolen. Each link works exactly once and expires quickly.

You might be thinking “but what if someone gets into my email?” Fair question. If an attacker has access to your email, you have a much bigger problem than your medical billing portal. They can reset passwords on virtually every service you use. But the magic link still helps here: the links expire, so an old email is useless.
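As an added illustration (not the firm's own portal code), here is how a single-use, time-limited magic link can be issued and redeemed so that a reused or stale link is rejected; the 15-minute lifetime, the SHA-256 hashing of stored tokens and the class and function names are assumptions, not details from this post.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime: "expires quickly" in the post


class MagicLinkStore:
    """In-memory record of issued links (assumed design, for illustration).

    Only a SHA-256 digest of each token is kept, so a copy of this store
    cannot be replayed as a login; the raw token exists only in the email.
    """

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, so expiry can be tested
        self._pending = {}         # token digest -> (email, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email):
        """Create an unguessable token for this email and return it for the link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (email, self._now() + TOKEN_TTL_SECONDS)
        return token  # goes into the emailed URL; never written to logs

    def redeem(self, token):
        """Return the email for a valid token and consume it; None otherwise.

        The entry is removed on first use whether or not it is still valid,
        which is what makes the link single-use: an old email holds a token
        that has either been spent or has expired, and both paths return None.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None  # unknown or already-used token
        email, expires_at = entry
        if self._now() > expires_at:
            return None  # expired before it was clicked
        return email
```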

Audit Trails

Every access to your records is logged. Every time someone views your file, uploads a document, or makes a change, there is a timestamped record of who did it and what they did. This is not optional. It is built into the system at a fundamental level.

The Georgia Rules of Professional Conduct require attorneys to safeguard client information. Audit trails are how we prove we are doing that. If you ever want to know who has accessed your records, we can tell you.

Secure Document Handling

When you upload medical bills or records through the client portal, those files go straight to Azure Blob Storage with encryption enabled. They are not sitting on someone’s laptop or in an email attachment floating around an inbox.

Access to stored documents is controlled through role-based permissions. The system only lets authorized users retrieve files associated with their case. Documents are never downloaded to personal devices, and our infrastructure is configured to prevent that.

Our Vendor Partners

We are selective about who touches our infrastructure. Every vendor that handles data related to your case has signed a HIPAA Business Associate Agreement. A few specifics:

  • Stripe handles payment processing. They are PCI DSS Level 1 certified (the highest level) and never share your payment information with us. We literally cannot see your full card number.
  • Postmark handles transactional email (like your magic login links and case notifications). They sign BAAs and encrypt email content in transit.
  • Microsoft Azure provides our cloud infrastructure, with data centers that maintain SOC 2 Type II, HIPAA, and HITRUST certifications.

If a vendor cannot meet our security requirements, we do not use them. It is that simple.

What We Do Not Do

We do not use your data for marketing. We do not sell it. We do not share it with anyone who is not directly involved in your case.

On the client portal, we do not run Google Analytics or any third-party tracking scripts. Your activity inside the portal is between you and us. On the public website, we use privacy-first analytics that do not track individual users or use cookies. We can see that someone visited the FAQ page, but we cannot see that you visited the FAQ page.

Your Rights Under HIPAA

HIPAA gives you specific rights regarding your health information:

  • Access: You have the right to see and get copies of your protected health information that we maintain.
  • Correction: If something in your records is wrong, you can request that we correct it.
  • Accounting of disclosures: You can ask us for a list of everyone we have shared your information with, and when, and why.

These are not abstract principles. If you want to exercise any of these rights, reach out and we will make it happen. No runaround.

Questions?

If you have questions about how we handle your data, ask. This is not one of those topics where we give you a vague answer and hope you move on. We built this system to be explainable, and we are happy to walk you through any part of it.

You can reach us through the contact form or by calling the office directly.