Privacy & Security

Our approach to privacy and security? PHI is sacred.

Collective Medical takes HIPAA, HITECH, and all other relevant state and federal laws regarding patient health records very seriously. Technical, administrative and physical security are fundamental in delivering each of our products.

We recognize the trust healthcare institutions place in us when they send us patient data, and we consider responsible stewardship of that data to be our single most important function, which is why we maintain a HITRUST CSF certification.

The HITRUST CSF is a healthcare-oriented security framework that has become the industry benchmark against which organizations required to safeguard PHI are measured with regard to information protection. The framework harmonizes the requirements of existing standards and regulations including HIPAA, HITECH, PCI, and COBIT: http://www.hitrustalliance.net/about/. The certification covers control areas including:

  • Information Security Policies

  • Laptop Security

  • Mobile Media Security

  • PHI Transmission Protection

  • Wireless Security

  • Malware Protection

  • Configuration Management

  • Vulnerability Management

  • Secure Disposal

  • External Breach Protection

With a rigorous and thorough recertification process every two years, the HITRUST CSF Certified status assures Collective Medical Technologies’ clients that Collective Medical Technologies is meeting the health care industry’s highest standards in protecting health care information and managing risk.
We’ve briefly answered some of the most common Privacy & Security related questions that we hear daily in the FAQ below. For any additional or more detailed information, feel free to contact us.

Tell us about your security practices...

We are happy to respond in detail to specific security assessments or discussions with security and privacy officers from your organization. We pride ourselves on helping our clients feel completely confident in Collective Medical® before they begin sending Protected Health Information, and will ensure that we do whatever we can to earn that confidence with your organization. To name only a few of our security practices:

  • Comprehensive Intrusion Prevention and Detection

  • Highly restrictive physical and logical access to our systems

  • Strong encryption, password and user account controls

  • Strict change management and software code review and approval, and QA testing policies

  • Carefully designed, implemented and reviewed network security topologies and monitoring systems

  • Minimum necessary access

  • Adherence to the highest industry standards and best practices when governing company policies and procedures

Copies of the HITRUST CSF certification are available for review and may be provided upon request.

What physical safeguards are in place to protect data?

Our servers, networks, and databases are co-located in certified Data Centers with fully redundant systems and 24/7/365 security monitoring. Our Data Centers are certified in, or have been audited against the following:

  • SOC I, SOC II Type II and SOC III reporting

  • ISO/IEC 27000 Series

  • NIST 800-53

  • ITIL 3.0

  • HIPAA Privacy and Security & HITECH Rules

  • Gramm-Leach-Bliley Act (GLBA) Interagency Guidelines

Are you protected against recent security vulnerabilities?

We most certainly are. CMT is proudly protected against Shellshock, Stagefright, Logjam, Heartbleed, BEAST, POODLE, CVE-2014-0224, and many other known threats.

If you have additional questions about specific threats, encryption protocols, or other security standards, please see our HITRUST CSF certification or get in touch with us.

How have you determined HIPAA compliance?

As noted above, Collective Medical takes HIPAA, HITECH, and all other applicable state and federal laws regarding patient health records very seriously. Many healthcare institutions have reviewed our solutions, and all have agreed that our products’ fundamental concepts are HIPAA compliant.

The quick explanation is that once a provider or health plan establishes a treatment, payment or operations relationship with a patient—and that relationship can be verified through data including patient identifying information and visit information delivered to our databases—HIPAA allows our solutions to disclose a patient’s health information to the providers or organizations with whom the patient has a relationship for the purposes of treatment, payment, and healthcare operations.

What legal safeguards will be in place between our organization and CMT to protect patient data?

In addition to a software subscription and license agreement, CMT signs a Business Associate Agreement with all clients to provide standards that ensure your data is well protected before any patient data is exchanged.

How is data used and accessed by your products?

We provide clients with secure methods for sharing patient data per whatever method works best for them. Data can be delivered to our solutions by direct integration with a facility’s EHR, or via flat file upload to either our secure web application, or to our secured SFTP server. When data is received, it is analyzed and curated for display, and is generally accessed in two ways:

  • Notifications: Our products send notifications in real-time upon patient registration or discharge, per specified criteria set by the facility receiving the notification. Notifications may also be delivered to recipients per a delayed schedule set by the customer to meet their specific needs. These Notifications may be adapted to your organization’s workflows to deliver valuable information to the right person at the right time. Think of our Notifications as real-time, automated risk identification.

  • Via the EDIE® or PreManage® Web Applications: An organization’s users—these may be case managers, physicians, nurses, etc.—may access data beyond what is presented in the Notification discussed above within the EDIE® or PreManage® web applications. These web apps are hosted by CMT, contain extended clinical data for your patient population submitted by all points of care visited by a patient, and are where your users may contribute to a collaborative patient record. Included in these web apps are detailed historical visit information, a Care Guidelines publisher, patient interaction notes, and follow-up history.

For additional information on the purposes and uses of data by our solutions, please see our EDIE® or PreManage® product pages.

What additional information about your privacy and security practices can you give us?

Upon request, CMT will gladly send additional documentation to answer other questions you may have. We will also be more than happy to set up a call to answer any privacy and security questions you would like to discuss. Contact us today for additional information.