HIPAA

Effective Date: April 4, 2026
Last Updated: April 4, 2026

This HIPAA Privacy Notice explains how digiAURA (Digital Aura Marketing) handles protected health information (PHI) in the course of providing marketing and operations services to healthcare clients. digiAURA operates as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) when engaged by Covered Entities.


1. What This Notice Covers

This notice applies to digiAURA’s role as a Business Associate to healthcare providers, clinics, medical practices, and other HIPAA Covered Entities that engage our services. It does not apply to digiAURA’s general website visitors or non-healthcare clients.

As a Business Associate, we may receive, access, create, or transmit limited amounts of PHI solely as necessary to perform agreed-upon services on behalf of our healthcare clients.


2. How We Handle Protected Health Information

digiAURA does not require access to patient PHI to deliver the majority of our services. Where PHI is incidentally shared with us, or where access to it is necessary to perform a service, we adhere to the following practices:

  • We use PHI only for the purposes outlined in the applicable Business Associate Agreement (BAA)
  • We do not sell, rent, or disclose PHI to any third party without written authorization from the Covered Entity
  • We do not use PHI for our own marketing, analytics, or business development purposes
  • We limit access to PHI to team members who require it to perform specific service functions
  • We implement reasonable administrative, technical, and physical safeguards to protect any PHI in our possession

3. Business Associate Agreement (BAA)

Healthcare clients that may share PHI with digiAURA in the course of our engagement are required to execute a Business Associate Agreement prior to sharing any protected information. The BAA governs the permitted uses and disclosures of PHI, our obligations to safeguard it, and the procedures for breach notification.

If you are a healthcare provider engaging digiAURA’s services and have not yet executed a BAA, please contact us before sharing any patient information.


4. Minimum Necessary Standard

digiAURA follows the HIPAA minimum necessary standard. We request and use only the minimum amount of PHI required to perform a specific service function. We do not request access to full patient records, treatment histories, or billing data unless explicitly required and covered under a signed BAA.


5. Subcontractors and Third Parties

If digiAURA engages subcontractors or third-party tools that may have access to PHI in the course of delivering services, we ensure those parties execute appropriate Business Associate Agreements and maintain HIPAA-compliant safeguards. We do not transmit PHI through unsecured channels.


6. Breach Notification

In the event of a discovered breach of unsecured PHI, digiAURA will notify the affected Covered Entity without unreasonable delay and in accordance with the timeframes required under HIPAA’s Breach Notification Rule. Notification will include the nature of the breach, the PHI involved, steps taken to mitigate harm, and recommended actions.


7. Client Responsibilities

Healthcare clients engaging digiAURA are solely responsible for:

  • Obtaining all necessary patient authorizations before sharing PHI with digiAURA
  • Ensuring their own HIPAA compliance practices are in order
  • Notifying digiAURA immediately if they become aware of any unauthorized disclosure involving our shared work
  • Executing a BAA before transmitting any PHI to our team or systems

digiAURA is not liable for PHI shared without a valid BAA in place or shared in excess of what was agreed upon.


8. Data Security Practices

digiAURA maintains reasonable security practices to protect any client data in our systems, including:

  • Encrypted file storage and transmission where applicable
  • Access controls limiting PHI to authorized personnel only
  • Regular review of third-party tools used in service delivery for compliance
  • Secure deletion of PHI upon completion of the engagement or upon written request

9. Retention and Disposal

PHI is retained only for as long as necessary to fulfill the agreed service scope or as required by applicable law. Upon termination of a healthcare client engagement, digiAURA will return or securely destroy any PHI in its possession in accordance with the terms of the applicable BAA.


10. Limitations of Our Role

digiAURA is a marketing and operations agency — not a healthcare provider, clearinghouse, or health plan. We do not provide medical advice, handle patient billing, or manage electronic health records. Our HIPAA obligations are limited to our role as a Business Associate and are defined by each client’s BAA.


11. Contact Us

If you have questions about this HIPAA Privacy Notice, wish to execute a Business Associate Agreement, or need to report a potential breach, please contact us directly:

digiAURA / Digital Aura Marketing
digitalauramarketing.com

We take privacy seriously and will respond to all compliance-related inquiries promptly.