Privacy & Security
Our approach to privacy and security? PHI is sacred.
Collective Medical takes HIPAA, HITECH, and all other relevant state and federal laws regarding patient health records very seriously. Technical, administrative and physical security are fundamental in delivering each of our products.
We recognize the trust healthcare institutions place in us when they send us patient data, and we consider responsible stewardship of that data to be our single most important function, which is why we maintain a HITRUST CSF certification.
The HITRUST CSF is a healthcare-oriented security framework that has become the industry benchmark against which organizations required to safeguard PHI are measured with regard to information protection. The framework harmonizes the requirements of existing standards and regulations, including HIPAA, HITECH, PCI, and COBIT: http://www.hitrustalliance.net/about/.
Information Security Policies
Mobile Media Security
PHI Transmission Protection
External Breach Protection
With a rigorous and thorough recertification process every two years, HITRUST CSF Certified status assures Collective Medical Technologies’ clients that Collective Medical Technologies is meeting the health care industry’s highest standards in protecting health care information and managing risk.
We’ve briefly answered some of the most common Privacy & Security-related questions that we hear daily in the FAQ below. For any additional or more detailed information, feel free to contact us.
We are happy to respond in detail to specific security assessments or discussions with security and privacy officers from your organization. We pride ourselves on helping our clients feel completely confident in Collective Medical® before they begin sending Protected Health Information, and will ensure that we do whatever we can to earn that confidence with your organization. To name only a few of our security practices:
Comprehensive Intrusion Prevention and Detection
Highly restrictive physical and logical access to our systems
Strong encryption, password and user account controls
Strict change management, software code review and approval, and QA testing policies
Carefully designed, implemented and reviewed network security topologies and monitoring systems
Minimum necessary access
Adherence to the highest industry standards and best practices when governing company policies and procedures
Copies of the HITRUST CSF certification are available for review and may be provided upon request.
Our servers, networks, and databases are co-located in certified Data Centers with fully redundant systems and 24/7/365 security monitoring. Our Data Centers are certified in, or have been audited against the following:
SOC 1, SOC 2 Type II, and SOC 3 reporting
ISO/IEC 27000 Series
HIPAA Privacy and Security & HITECH Rules
Gramm-Leach-Bliley Act (GLBA) Interagency Guidelines
We most certainly are. Collective is proudly protected against Shellshock, Stagefright, Logjam, Heartbleed, BEAST, POODLE, CVE-2014-0224, and many other known threats.
If you have additional questions about specific threats, encryption protocols, or other security standards, please see our HITRUST CSF certification or get in touch with us.
As noted above, Collective takes HIPAA, HITECH, and all other applicable state and federal laws regarding patient health records very seriously. Many healthcare institutions have reviewed our solutions, and all have agreed that our products’ fundamental concepts are HIPAA compliant.
The quick explanation is that once a provider or health plan establishes a treatment, payment or operations relationship with a patient—and that relationship can be verified through data including patient identifying information and visit information delivered to our databases—HIPAA allows our solutions to disclose a patient’s health information to the providers or organizations with whom the patient has a relationship for the purposes of treatment, payment, and healthcare operations.
In addition to a software subscription and license agreement, Collective signs a Business Associate Agreement with all clients to provide standards that ensure your data is well protected before any patient data is exchanged.
We provide clients with secure methods for sharing patient data, using whichever method works best for them. Data can be delivered to our solutions by direct integration with a facility’s EHR, or via flat-file upload to either our secure web application or our secure SFTP server. When data is received, it is analyzed and curated for display, and is generally accessed in two ways:
For additional information on the purposes and uses of data by our solutions, please see our Collective platform product pages.
Upon request, Collective will gladly send additional documentation to answer other questions you may have. We will also be more than happy to set up a call to answer any privacy and security questions you would like to discuss. Contact us today for additional information.