Network Privacy & Security Summary

Privacy Rule

Collective is a “business associate” of its subscribers, as defined in the Privacy Rule. Collective uses and discloses PHI only (i) as the Privacy Rule permits or requires; or (ii) as the individual who is the subject of the PHI authorizes in writing.

“TPO” Framework

A subscriber to the Collective Network may access PHI via the Collective Network, and use and disclose that PHI, only to the extent that the subscriber (i) has a demonstrated relationship with the individual who is the subject of the PHI for treatment, payment, or healthcare operations purposes or (ii) is a public health agency using the PHI for a valid public health reporting purpose. In this way, the purposes for which PHI may generally be used and disclosed via the Collective Network are a subset of those that the Privacy Rule permits without any additional consent by the patient: specifically, the purposes of treatment, payment, health care operations, and certain public health activities, as those terms are used and defined in 45 C.F.R. §§ 160 and 164.

Sensitive Information

Certain subcategories of PHI may be lawfully disclosed only where the disclosing entity has obtained specific patient authorization to do so, even if the disclosure is for an otherwise permitted purpose under the Privacy Rule. This “Sensitive Information” includes, for example, information that originates from a substance use disorder treatment program that is covered by 42 CFR Part 2. Collective treats Sensitive Information in accordance with its Sensitive Information Policy, which establishes the exclusion of Sensitive Information from the Collective Network by default, but which nevertheless provides for the limited disclosure of certain Sensitive Information via the Collective Network where the disclosing subscriber has satisfied certain specific patient-consent requirements.

Contracts

All subscribers to the Collective Network sign a Master Subscription Agreement (MSA) and Business Associate Agreement (BAA) with Collective. These two documents include the specific terms and conditions (i) under which Collective and other Network participants may use and disclose the PHI submitted by the subscriber and (ii) under which the subscriber may use and disclose the PHI that it receives via the Collective Network. The data use and disclosure rights defined in the MSA and BAA track the requirements laid out in the Privacy Rule, including, for example, the “minimum necessary” standard, and are universal and reciprocal across the entire Collective Network, as applicable.

In compliance with the requirements of the Security Rule, Collective maintains robust administrative, physical, and technical safeguards designed to (i) ensure the confidentiality, integrity, and availability of PHI in the Collective Network; (ii) identify and protect against threats to the security or integrity of the PHI in the Collective Network; (iii) protect against impermissible uses or disclosures of PHI in the Collective Network; and (iv) ensure the security compliance of Collective’s own workforce. Furthermore, Collective and third parties regularly perform comprehensive risk analyses of Collective with respect to these safeguards.

Administrative Safeguards

The Security Rule defines administrative safeguards as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”

Collective’s security official has developed and regularly updates Collective’s comprehensive information security program (CISP) that is reviewed and supported by Collective’s executive leadership. Collective’s security official and information security team, as well as third-party assessors, test and/or assess all aspects of the CISP. Collective regularly updates the CISP and modifies its underlying safeguards in order to adapt to the current risk landscape. The CISP includes policies and procedures that dictate how Collective implements and adheres to information security requirements. Collective regularly trains its workforce and requires them to demonstrate their understanding of all applicable security policies and procedures.

Collective enters into a BAA with each of its subscribers and data partners, as applicable. In those BAAs, Collective provides each subscriber and data partner with “satisfactory assurances” regarding Collective’s appropriate safeguarding of electronic PHI, as required by the Security Rule.

Physical Safeguards

Physical safeguards are an important line of defense in the protection of PHI. The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

In order to define and implement these physical measures, policies, and procedures, Collective first identifies all potential points of physical access to electronic PHI (e.g., data centers, office facilities, etc.), evaluates the reasonable risks associated with each access point, then specifies the means by which those risks will be appropriately managed.

Collective hosts electronic PHI solely within the United States on infrastructure that is co-located in multiple, fully redundant data centers with 24/7/365 physical security monitoring and protection. These physical monitoring and protection measures include physical barriers, multi-factor authentication with biometrics, man-traps, cameras, and 24×7 staffing. The data centers are certified in, or have been audited against, the following standards:

• AICPA’s SOC 1 and SOC 2 Type 1 & 2
• ISO/IEC 27000 Series
• NIST 800-53
• FISMA Security Assessment Report
• HIPAA Privacy and Security & HITECH Rules
• Payment Card Industry Data Security Standards (PCI-DSS)

Technical Safeguards

The Security Rule defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Collective takes a risk-based approach in determining which technologies, policies, and procedures to employ in the protection of electronic PHI. This strategy involves a combination of various technical controls designed to ensure a multi-layered defense against cybersecurity threats, also known as “defense in depth.”

In addition to compliance with its regulatory obligations, Collective draws from industry-leading information security standards to employ technical safeguards that cover the entire spectrum of applicable cybersecurity domains, including, user authorization and authentication, configuration management, network security, workstation security, transmission protection, vulnerability management, application security, logging, monitoring, etc. Collective provides its subscribers and data partners with details about Collective’s technical safeguards under each of these categories as appropriate.

Acting with integrity has been key to our success. Nothing is more important to us than maintaining the earned trust of the subscribers, partners, employees, and individuals we serve. If you have a legal or ethical concern about Collective’s privacy, security, or other practices, we invite you to promptly bring those concerns to our attention. The easiest way to contact us regarding these matters is to email our corporate compliance team at corporatecompliance@collectivemedical.com. If you’d prefer to submit your concerns anonymously, you may use the form below. Do not include any PHI in your email/message to us.