Hosting & Security
ConXus applications are delivered from PDHI servers using a software-as-a-service (SaaS) model. The ConXus Platform has achieved HITRUST Common Security Framework (CSF) Certification from the HITRUST Alliance’s CSF Assurance Program for data security and protection of PHI, meeting the requirements of the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and the US-EU Safe Harbor Framework.
Reliable Performance, Maximum Availability
PDHI operates a fully redundant hosting environment. Servers are hosted at an SSAE 16 SOC 1 Type II and SOC 2 audited, carrier-class data center provided by LightEdge Solutions in Altoona, Iowa. The data center is protected from power failures and network outages by extensive backup power and cooling systems, as well as network redundancy and path diversity.
A warm standby hosting environment is maintained at LightEdge’s Kansas City site, for use in the event of a major disaster at the Altoona facility. Site performance is monitored 24/7 from locations across the United States.
Physical data-center security is provided 24/7 and includes guards, closed-circuit monitoring, alarmed doors with secure card-key access, biometric scanners, and “man trap” restricted access to the data floor.
Servers are protected by a managed firewall that regulates all traffic entering the network. Additional protection is provided by an intrusion detection system that detects and terminates unauthorized activity.
Personal health data is encrypted at rest and in transit, using secure sockets layer technology (HTTPS) and secure-FTP.
Access to ConXus applications requires a username and password. An encrypted session ID is established for the duration of a sign-on and is invalidated as soon as the user signs out. In addition, the session ID automatically times out after a defined period of inactivity (usually set at 30 minutes).
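The session behaviour described above (an opaque ID that is invalidated on sign-out and expires after a period of inactivity), shown as an added illustrative example; this is not PDHI's code, and it assumes an in-memory server-side session table and an injectable clock so the idle timeout can be exercised deterministically.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 30 * 60  # the "usually 30 minutes" idle window from the page


@dataclass
class Session:
    user: str
    last_active: float  # clock reading at the most recent authenticated request


class SessionStore:
    """Server-side table mapping an opaque random session ID to its record.

    Assumed example design: the ID carries no user data, so only this table
    can map it back to a user, and deleting the record revokes it immediately.
    """

    def __init__(self, clock: Callable[[], float] = time.time,
                 idle_timeout: float = IDLE_TIMEOUT_SECONDS) -> None:
        self._clock = clock
        self._idle_timeout = idle_timeout
        self._sessions: Dict[str, Session] = {}

    def sign_in(self, user: str) -> str:
        # 256 bits from the OS CSPRNG; not derived from the username or time.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = Session(user, self._clock())
        return session_id

    def resolve(self, session_id: str) -> Optional[str]:
        """Return the signed-in user, or None if the ID is unknown, signed out, or idle-expired."""
        session = self._sessions.get(session_id)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_active > self._idle_timeout:
            # Idle timeout reached: drop the record so the ID cannot be revived later.
            del self._sessions[session_id]
            return None
        session.last_active = now  # each authenticated request restarts the idle clock
        return session.user

    def sign_out(self, session_id: str) -> None:
        # Explicit sign-out revokes the ID server-side at once, whatever the client keeps.
        self._sessions.pop(session_id, None)
```

Only server-side state decides whether an ID is live, so a client that retains an old cookie after sign-out or after the idle window gains nothing from it.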
Federal privacy and security regulations from the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) created national standards to protect medical records and certain other types of health information (protected health information, or PHI).
To comply with HIPAA and HITECH regulations, PDHI enters into a License and Services Agreement and a Business Associate Agreement with each client. These agreements establish the permitted and required uses and disclosures of PHI and the security obligations that apply to it, including:
- Use of PHI only as permitted by the contract and as allowed by law.
- Use of appropriate safeguards to protect PHI, especially electronic PHI.
- Reporting any disclosure not permitted by the contract or the applicable regulations, and mitigating its effects.