Responsible Information Management
We take the security of our data and each client’s information seriously. Having access to the right information is instrumental to serving our clients. At the same time, we have an obligation to safeguard our patients’ and business partners’ information.
Our goal is to ensure the right data is available to the right people at the right time, while preserving the confidentiality and integrity of that data. We safeguard confidential information and make only proper use of it, so that company, employee, and patient privacy rights are protected; so that we comply with applicable privacy and data protection laws; and so that personal data is protected, secured, and used lawfully. We take responsibility for the information and technology we handle.
To ensure compliance with regulatory, contractual, and internal requirements, we have implemented an information security management program built on three core elements:
- Establish an information security program with a framework of standards for assessing risk and implementing appropriate controls. We maintain compliance with industry standards and best practices and conduct ongoing assessments to continually improve our security infrastructure. We consider these standards when choosing our controls: the AICPA System and Organization Controls (SOC) program and the SOC 2 Trust Services Criteria, HIPAA, HITECH, ISO/IEC 27001 and 27002, and the CIS Critical Security Controls. Our security policies and procedures are designed to support compliance with a variety of data protection standards, laws, and regulations, and they are reviewed by third-party auditors.
- Establish appropriate training on our information security standards and security awareness opportunities for all staff. Compliance with our security policies and processes is mandatory for all employees and contractors. They must be well informed of their responsibilities as information owners, managers, users, and service providers. At onboarding, and at least annually thereafter, all employees and contractors are required to review and acknowledge their understanding of the information security policies contained in our Employee Handbook and to complete our security awareness training. We conduct quarterly phishing campaigns to keep our workforce alert to phishing and other social-engineering threats.
- Establish procedures for operating the information security program, including monitoring and maintaining information systems and measuring the health of the program. We protect our data and technology so that information is kept safe from theft, loss, misuse, or unauthorized disclosure. We have implemented reasonable precautions to protect against unauthorized access to our systems and to prevent data from being disclosed to unauthorized parties. Employees are provided with standard operating procedures that address proper data handling, including how to share, collaborate on, send, receive, store, and dispose of data. Our data retention policy and procedures are designed to comply with federal and state laws and with our client master services agreements (MSAs).
We respect privacy by collecting, using, retaining, and disclosing personal data fairly, transparently, and securely. Personal information should be collected only for legitimate business purposes; shared only with those who are permitted access; protected in accordance with our security policies; and retained only for as long as necessary. Third parties with access to personal information are contractually obligated to protect it in accordance with applicable data security standards.
We hold a SOC 2 Type 2 attestation report that includes a HIPAA attestation.
About our Corporate Governance
Holding ourselves accountable is part of our cultural beliefs. We commit to employing fair business practices, including accurate and truthful advertising, and to maintaining the highest standards of ethical conduct and social and environmental responsibility. We expect our employees and suppliers to be accountable for their actions.