Compliance

PDHI products and services comply with the following standards and laws concerning privacy, security, usability, delegation, and regulations.

HITRUST Certified

HITRUST CSF Certification

The ConXus Platform has earned HITRUST Common Security Framework (CSF) certification from the HITRUST Alliance’s CSF Assurance Program for data security and protection of protected health information (PHI).

The CSF Assurance Program provides healthcare organizations and their business associates with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. The CSF includes federal and state regulations, standards, and frameworks such as HIPAA, NIST, ISO, and COBIT.

CSF certification designates that an organization meets all the certification requirements of the CSF, and it is valid for 2 years from the certification date. CSF certification requires:

  1. Completion of an assessment questionnaire to identify security controls, resources, and tools utilized
  2. Submission of supporting documentation and evidence for each control
  3. Onsite testing and report preparation by an approved CSF assessor
  4. HITRUST review and validation

The benefits to clients and prospects of our platform’s HITRUST certification include:

  • Independent verification that we meet the healthcare industry’s highest standards in protecting healthcare information and mitigating the associated risk
  • Removal of an administrative burden and associated costs for organizations that conduct a formal vendor risk-management process
  • Significant reductions in time and effort should a client apply for HITRUST certification

SSAE 16 SOC 1 Type II and SOC 2 Audited Data Center

PDHI servers are hosted at an SSAE 16 SOC 1 Type II and SOC 2 audited, carrier-class data center provided by LightEdge Solutions in Altoona, Iowa.

The controls addressed in SSAE 16 (Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization) are those that a service organization implements to prevent, or detect and correct, errors or omissions in the information it provides to user entities. A Type II audit is a report on policies and procedures placed in operation and tests of operating effectiveness for a period of at least 6 consecutive months.

The controls addressed in SOC (service organization controls) 2 bring confidentiality and security measures of the service organization in line with current security concerns worldwide. SOC 2 includes the Trust Services Principles, Criteria and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (TSP) Section 100. A SOC 2 audit is a report on the data-center facilities and the suitability of the design of controls to meet the criteria set forth in TSP Section 100 that have been placed in operation as of a specific date.

NCQA Certification

ConXus Profile (health risk assessment) and ConXus Steps (self-management tools) have received Wellness and Health Promotion (WHP) certification from the National Committee for Quality Assurance (NCQA).

Health Plans

Health plans using ConXus modules receive automatic credit against Member Connections standards for health appraisals (MEM 1) and self-management tools (MEM 2) when undergoing NCQA health plan accreditation.

Wellness Companies

Wellness service providers using ConXus modules receive automatic credit for health appraisals (WHP 5) and self-management tools (WHP 7) when undergoing NCQA Wellness and Health Promotion accreditation.

FDR Medicare Compliance

PDHI qualifies as a first tier, downstream, or related entity (FDR) for clients operating as Medicare Advantage organizations.

To complete annual FDR attestation, PDHI complies with the following requirements:

  1. Distribution of our code of conduct within 90 days of hiring or contracting and annually thereafter
  2. Completion of CMS Medicare Parts C & D Fraud, Waste, and Abuse and General Compliance Training within 90 days of hiring or contracting and annually thereafter
  3. Review of federal-level exclusion lists (DHHS-OIG List of Excluded Individuals and Entities and GSA System for Award Management) prior to hiring or contracting with any individual or entity, and monthly thereafter to ensure that none are excluded from participating in federal healthcare programs

National CLAS Standards

PDHI follows the National Culturally and Linguistically Appropriate Services (CLAS) Standards in Health and Health Care published by the Office of Minority Health, US Department of Health and Human Services.

The National CLAS Standards are intended to advance health equity, improve quality, and help eliminate healthcare disparities by providing a blueprint for individuals and health and healthcare organizations to implement culturally and linguistically appropriate services.

Text and images used in the PDHI health risk assessment and self-management tools are designed to be understandable by and respectful of all users, regardless of age, gender, education, and socioeconomic background.

US-EU Safe Harbor

PDHI complies with the US-EU Safe Harbor Framework and the US-Swiss Safe Harbor Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. PDHI has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view our certification page, please visit http://2016.export.gov/safeharbor/.