Security & Compliance
HIPAA. GDPR. NDA. Checkr. Continia. These are not marketing checkboxes — they are operational requirements that every THC engagement is built around. Here is exactly what our compliance framework looks like.
HIPAA Compliance
- ✓ Signed BAA with every healthcare client
- ✓ HIPAA training completed before placement
- ✓ PHI access limited to authorized, compliant systems
- ✓ Audit trail available on request
- ✓ Incident reporting protocol per HIPAA Breach Notification Rule
All healthcare-facing VAs complete HIPAA training before any client placement. Training covers the Privacy Rule, Security Rule, Breach Notification Rule, and the specific administrative, physical, and technical safeguards required for handling Protected Health Information (PHI).
Every healthcare engagement includes a signed Business Associate Agreement (BAA) between The Human Capital and the covered entity. Our VAs never access, transmit, or store PHI without explicit client authorization and within systems that meet HIPAA technical safeguards.
Healthcare VAs work within your HIPAA-compliant practice management systems (e.g., Kareo, Athenahealth, EHR platforms). They do not transfer patient data to third-party systems without authorization. Access logs are maintained and available to the covered entity on request.
GDPR & UK GDPR Compliance
- ✓ Article 28-compliant Data Processing Agreement
- ✓ UK GDPR and ICO guidance alignment
- ✓ Data minimization and purpose limitation protocols
- ✓ Encrypted communication for personal data
- ✓ DSAR support coordination with client controller
For UK and European clients, all THC engagements include a Data Processing Agreement (DPA) that meets Article 28 GDPR requirements. Our VAs operate as data processors on behalf of the client (the data controller), with processing activities strictly limited to the documented scope of work.
UK GDPR compliance follows ICO guidance for data processors. THC VAs do not process UK personal data outside of the systems and purposes defined in the DPA. Data subject access requests are managed in coordination with the client controller.
All communications involving personal data use encrypted channels. VAs are trained on data minimization principles, purpose limitation, and the rights of data subjects under GDPR Articles 15–22.
NDA & Confidentiality
- ✓ NDA signed before any engagement begins
- ✓ Covers business information, client data, trade secrets
- ✓ Internal confidentiality protocols enforced
- ✓ Secure credential management required
- ✓ No client data shared with third parties
Every THC engagement begins with a signed Non-Disclosure Agreement before your first call. The NDA covers confidential business information, trade secrets, client data, financial information, and any other proprietary information shared during the engagement.
NDA enforcement is backed by the client's right to seek injunctive relief and liquidated damages in the event of a breach. THC maintains copies of all executed NDAs and can provide them on request.
Beyond the NDA, our ops manual includes internal confidentiality protocols for all VAs: no screenshots of client data, no third-party sharing of client information, and mandatory secure credential management using password managers (not personal email or plaintext storage).
Checkr Background Verification
- ✓ Criminal record search across relevant jurisdictions
- ✓ SSN trace for US-based VAs
- ✓ Sex offender registry check
- ✓ Global watchlist screening
- ✓ Annual re-verification for active VAs
Every VA placed by The Human Capital is verified through Checkr — the same background check platform used by Uber, Instacart, DoorDash, and Stripe. Checkr runs comprehensive checks including criminal record searches across relevant jurisdictions, SSN trace (for US-based VAs), sex offender registry, and global watchlist screening.
Background verification is conducted during the vetting process — before any VA is added to our qualified pool. No VA is placed with a client without a cleared Checkr report. This is non-negotiable regardless of how strong the candidate appears in other vetting stages.
Background check results are maintained on file by THC. Clients who require a copy of their VA's background check clearance for compliance purposes can request it. Re-verification is conducted annually for VAs who remain in active engagements.
Encrypted Communication
- ✓ Continia encrypted document handling
- ✓ Business-grade password manager required
- ✓ No sensitive data via unencrypted channels
- ✓ Documented client system access
- ✓ Immediate access revocation at engagement end
All communication involving sensitive client data uses encrypted channels. THC uses Continia for encrypted document handling and secure file transfer. Standard communication channels (Slack, email, Zoom) are used for day-to-day coordination — sensitive data is never transmitted through unencrypted channels.
VAs are required to use business-grade password managers for all client credentials. Credential sharing with non-team members is prohibited. All client system access is documented and can be revoked immediately at engagement end.
Device security requirements include current operating systems, enabled firewalls, encrypted storage, and locked workstations when not in use. VAs working with healthcare or legal clients have additional endpoint security requirements.
Compliance FAQs
Does The Human Capital sign a BAA for healthcare clients?
Yes. Every healthcare engagement includes a signed Business Associate Agreement (BAA) between The Human Capital and the covered entity. Our healthcare VAs complete HIPAA training before any placement.
What GDPR documentation do you provide for UK/EU clients?
We provide an Article 28-compliant Data Processing Agreement (DPA) for all UK and EU engagements. THC operates as a data processor on behalf of the client controller, with processing strictly limited to the scope of work.
Can I see my VA's background check results?
Yes. Clients who require a copy of their VA's Checkr clearance report for compliance purposes can request it. Results are maintained on file by THC and re-verification is conducted annually.
What happens to my data when the engagement ends?
All client system access is revoked immediately at engagement end. Client data stored in THC systems is deleted per the data retention schedule in our DPA/NDA. Credentials are removed from VA password managers within 24 hours of engagement termination.
Need Compliance Documentation?
Request our BAA template, DPA template, or VA background check results. We maintain full compliance documentation for every engagement and make it available to clients on request.