Health & IT

Effective Date: 1st April, 2026

1. OVERVIEW OF SECURITY AND COMPLIANCE POSTURE

LaCharme LLC, doing business as Health & IT (“H&IT,” “Company,” “we,” “us,” or “our”), maintains a structured and continuously evolving security and compliance framework designed to safeguard sensitive information, protect system integrity, and support the regulatory and operational requirements of its Clients.

The Company’s approach integrates:

  • adherence to applicable provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”);
  • alignment with recognized cybersecurity and operational control frameworks, including SOC 2 principles;
  • implementation of administrative, technical, and physical safeguards;
  • continuous monitoring, risk assessment, and control validation.

HIPAA establishes mandatory safeguards for protecting electronic protected health information (“ePHI”), including administrative, technical, and physical controls, while SOC 2 provides a structured framework for demonstrating security, availability, confidentiality, integrity, and privacy controls.

2. HIPAA COMPLIANCE AND BUSINESS ASSOCIATE ROLE

Health & IT may operate as a Business Associate in connection with services provided to covered entities within the healthcare sector.

In this capacity:

  • PHI is accessed, processed, or maintained solely as necessary to perform contracted services;
  • all PHI-related activities are governed by executed Business Associate Agreements (“BAAs”);
  • the Company adheres to applicable provisions of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

The Company does not process PHI through its public-facing Website. All PHI-related activities occur exclusively within secured environments, systems, or infrastructures under contractual control.

3. SECURITY FRAMEWORK AND CONTROL STRUCTURE

The Company’s security posture is structured to align with recognized control-based frameworks, including the SOC 2 Trust Services Criteria.

These criteria encompass:

  • security controls designed to protect systems from unauthorized access;
  • availability controls ensuring systems are operational and accessible when required;
  • processing integrity controls ensuring accurate and reliable system operation;
  • confidentiality controls restricting access to sensitive information;
  • privacy controls governing the handling of personal data.

SOC 2 serves as a widely adopted industry benchmark for evaluating the effectiveness of operational and security controls within service organizations.

The Company’s implementation of these principles reflects alignment with industry expectations, though formal certification, where applicable, is subject to independent audit and shall not be implied unless expressly stated.

4. ADMINISTRATIVE SAFEGUARDS

The Company maintains administrative safeguards designed to govern security as a structured and continuous process.

Such safeguards include formal risk analysis and risk management procedures, assignment of security responsibilities, workforce training and awareness programs, access governance protocols, incident response procedures, and internal compliance monitoring.

These measures are designed to ensure that risks are systematically identified, evaluated, and mitigated in accordance with regulatory expectations.

5. TECHNICAL SAFEGUARDS

Technical safeguards are implemented to protect the confidentiality, integrity, and availability of information systems.

Such safeguards may include authentication controls, role-based access mechanisms, encryption of data in transit and, where appropriate, at rest, audit logging, monitoring of system activity, and secure communication protocols.

SOC 2 frameworks emphasize controls such as access management, logging, monitoring, and incident response as core mechanisms for protecting systems and data.

6. PHYSICAL SAFEGUARDS

The Company implements physical safeguards designed to protect infrastructure, systems, and environments from unauthorized access.

These safeguards may include controlled facility access, device security protocols, secure handling of hardware and media, and environmental protections designed to maintain operational continuity.

7. DATA SECURITY PRINCIPLES

The Company’s security framework is designed to uphold the foundational principles of:

  • confidentiality, ensuring that information is not disclosed to unauthorized individuals;
  • integrity, ensuring that information is not altered or destroyed in an unauthorized manner;
  • availability, ensuring that systems and data remain accessible for authorized use.

These principles are central to both HIPAA and SOC 2 security expectations and are fundamental to maintaining trust in data systems.

8. ACCESS CONTROL AND LEAST PRIVILEGE

Access to systems and data is restricted based on the principle of least privilege, ensuring that individuals have access only to the information necessary to perform their designated roles.

Access rights are subject to periodic review and are revoked upon termination or change in role.

9. ENCRYPTION AND DATA TRANSMISSION

The Company employs secure communication protocols and, where appropriate, encryption mechanisms designed to protect data during transmission and storage.

Such measures are implemented in accordance with recognized industry practices and are intended to reduce the risk of unauthorized interception or access.

10. INCIDENT RESPONSE AND BREACH MANAGEMENT

The Company maintains structured incident response procedures designed to ensure timely detection, escalation, containment, and resolution of security events.

Such procedures include:

  • (a) identification and detection of potential security incidents through monitoring and alerting systems;
  • (b) classification and prioritization of incidents based on severity and potential impact;
  • (c) escalation to appropriate internal teams and, where applicable, designated client contacts;
  • (d) containment, mitigation, and remediation actions designed to limit operational and security impact;
  • (e) investigation and root cause analysis; and
  • (f) compliance with applicable legal, regulatory, and contractual notification requirements, including those arising under HIPAA where applicable.

Notification timelines, responsibilities, and communication protocols are governed by executed agreements and applicable law.

11. THIRD-PARTY RISK MANAGEMENT

The Company may engage third-party vendors, service providers, and infrastructure partners in the delivery of services.

Such relationships are subject to reasonable due diligence, contractual safeguards, and monitoring processes designed to ensure alignment with applicable security expectations.

However, the Company does not assume responsibility for the independent actions of third-party providers.

12. CONTINUOUS MONITORING AND IMPROVEMENT

Security and compliance are treated as ongoing processes.

The Company undertakes continuous efforts to assess risks, enhance controls, update policies, and align with evolving legal, regulatory, and industry standards.

SOC 2 frameworks emphasize continuous control validation and monitoring as a means of maintaining audit readiness and operational resilience.

13. LIMITATION OF REPRESENTATIONS

While the Company implements commercially reasonable safeguards and aligns with recognized frameworks, no system can be guaranteed to be completely secure.

Nothing contained in this page shall be construed as:

  • a guarantee of absolute security;
  • a representation of compliance beyond what is contractually established;
  • a substitute for formal audit reports, certifications, or contractual assurances.

SOC 2 compliance and HIPAA adherence serve different purposes, and compliance with one does not automatically ensure compliance with the other.

13A. NO GUARANTEE OF INCIDENT PREVENTION

Notwithstanding the Company’s implementation of industry-aligned security controls and frameworks, the Company does not guarantee the prevention of all cybersecurity incidents, unauthorized access events, system compromises, or data breaches.

Security services are designed to reduce risk and enhance resilience but do not eliminate the possibility of adverse events.

14. CLIENT RESPONSIBILITIES AND SHARED SECURITY MODEL

Security is a shared responsibility.

Clients remain responsible for:

  • maintaining their own internal security controls;
  • ensuring proper system configurations;
  • managing user access and credentials;
  • complying with applicable regulatory obligations.

The Company’s responsibilities are limited to those expressly defined in executed agreements.

15. CONTACT INFORMATION

For inquiries relating to security or compliance practices:

Health & IT
3919 Tampa Road, Oldsmar, FL 34677, USA
📧 [email protected]
📞 +1 (321) 233 1516

SECURITY AND COMPLIANCE