Our approach to privacy and security?
PHI is sacred.

Collective Medical takes HIPAA, HITECH, and all other relevant state and federal laws regarding patient health records very seriously. Technical, administrative, and physical security are fundamental in delivering each of our products.

We recognize the trust healthcare institutions place in us when patient data is sent and consider the responsible stewardship over that data to be our single most important function, which is why we maintain a HITRUST CSF certification.

The HITRUST CSF is a healthcare-oriented security framework now considered the industry benchmark against which organizations required to safeguard PHI are measured for information protection. This framework harmonizes the requirements of existing standards and regulations including HIPAA, HITECH, PCI, and COBIT, and covers control areas including:

  • Malware Protection
  • Configuration Management
  • Vulnerability Management
  • Secure Disposal
  • External Breach Protection
  • Information Security Policies
  • Laptop Security
  • Mobile Media Security
  • PHI Transmission Protection
  • Wireless Security

With a rigorous and thorough recertification process every two years, the HITRUST CSF Certified status assures Collective Medical’s clients that Collective is meeting the healthcare industry’s highest standards in protecting healthcare information and managing risk.

We’ve briefly answered some of the most common privacy- and security-related questions we hear in the FAQ below. For any additional or more detailed information, feel free to contact us.

Tell us about your security practices...

We are happy to respond in detail to specific security assessments or have discussions with security and privacy officers from your organization. We pride ourselves on helping our clients feel completely confident in Collective before they begin sending Protected Health Information and will ensure we do whatever we can to earn that confidence. To name a few of our security practices:

  • Comprehensive intrusion prevention and detection
  • Highly restrictive physical and logical access to our systems
  • Strong encryption, password, and user account controls
  • Strict change management, software code review/approval, and rigorous QA testing policies
  • Carefully designed, implemented, and reviewed network security topologies and monitoring systems
  • Minimum necessary access
  • Adherence to the highest industry standards and best practices when governing company policies and procedures

Copies of the HITRUST CSF certification are available for review and may be provided upon request.

What physical safeguards are in place to protect data?

Our servers, networks, and databases are co-located in certified Data Centers with fully redundant systems and 24/7/365 security monitoring. Our Data Centers are certified in, or have been audited against, the following:

  • SOC I, SOC II Type II, and SOC III reporting
  • ISO/IEC 27000 Series
  • NIST 800-53
  • ITIL 3.0
  • HIPAA Privacy and Security & HITECH Rules
  • Gramm-Leach-Bliley Act (GLBA) Interagency Guidelines

Are you protected against recent security vulnerabilities?

We most certainly are. Collective is proudly protected against Shellshock, Stagefright, Logjam, Heartbleed, BEAST, POODLE, CVE-2014-0224, and many other known threats.

If you have additional questions about specific threats, encryption protocols, or other security standards, please see our HITRUST CSF certification or get in touch with us.

How have you determined HIPAA compliance?

As noted above, Collective takes HIPAA, HITECH, and all other applicable state and federal laws regarding patient health records very seriously. Many healthcare institutions have reviewed our solutions and all have agreed that our products’ fundamental concepts are HIPAA compliant.

The quick explanation is that once a provider or health plan establishes a treatment, payment, or operations relationship with a patient—and once that relationship has been verified through data including patient identifying information and visit information delivered to our databases—HIPAA allows our solutions to disclose a patient’s health information to the providers or organizations with whom the patient has a relationship for the purposes of treatment, payment, and healthcare operations.

What legal safeguards will be in place between our organization and Collective to protect patient data?

In addition to a software subscription and license agreement, Collective signs a Business Associate Agreement with all clients to provide standards that ensure your data is well protected before any patient data is exchanged.

How is data used and accessed by your products?

We provide clients with secure methods for sharing patient data using whatever methods work best for them. Data can be delivered to our solutions by direct integration with a facility’s EHR or via flat file upload to either our secure web application or our secure SFTP server. When data is received, it is analyzed and curated for display and is generally accessed in two ways:

  • Collective Notifications: Our products send notifications in real time upon patient registration or discharge, per specified criteria set by the facility receiving the notification. Notifications may also be delivered to recipients per a delayed schedule set by the customer to meet their specific needs. These Notifications may be adapted to your organization’s workflows to deliver valuable information to the right person at the right time. Think of Collective Notifications as real-time, automated risk identification.
  • Via the Collective Platform: An organization’s users—case managers, physicians, nurses, etc.—may access data beyond what is presented in the notification discussed above by accessing the patient’s aggregate file on the Collective Platform. These patient overviews contain extended clinical data for your patient population submitted by all points of care visited by a patient and are where your users may contribute to collaborative patient records. These aggregate patient records include detailed historical encounter information, plans for future care, information about the patient’s care team, past security or safety concerns, attachments (e.g., POLST/Advance Directives, pain contracts, x-rays, etc.), and more.

For additional information on the purposes and uses of data by our solutions, please see our Collective platform product pages.

What additional information about your privacy and security practices can you give us?

Upon request, Collective will gladly send additional documentation to answer other questions you may have. We will also be more than happy to set up a call to answer any privacy and security questions you would like to discuss. Contact us today for additional information.

How do I report a concern about Collective Medical?

We at Collective firmly believe that acting with integrity has been key to our success. Nothing is more important to us than maintaining the trust of our customers, partners, and employees. If anyone has reason to believe Collective is not acting in an ethical manner, it’s imperative they have a way to raise those concerns—preferably in a way that allows us to follow up, but anonymously if desired.

The easiest way to contact us regarding these matters is to email our corporate compliance team at corporatecompliance@collectivemedical.com. This address submits your email to our Director of Information Security, Chief Information Security Officer, Chief Operations Officer, and Head of People / Human Resources for investigation.

If you’d prefer to submit your concerns anonymously, the following form will submit to the same group: