PDHI products and services comply with the following standards, regulations, and laws concerning privacy, security, usability, and delegation.
HITRUST CSF Certification
The ConXus Platform has earned HITRUST Common Security Framework (CSF) certification from the HITRUST Alliance's CSF Assurance Program for data security and the protection of protected health information (PHI). The CSF incorporates federal and state regulations, standards, and frameworks such as HIPAA, NIST, ISO, and COBIT.
The CSF Assurance Program provides healthcare organizations and their business associates with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. For non-healthcare organizations with active GRC (governance, risk, and compliance) programs under Sarbanes-Oxley and state privacy regulations, the HITRUST CSF is mapped to the NIST Cybersecurity Framework.
CSF certification designates that an organization meets all the certification requirements of the CSF, and it is valid for two years from the certification date. CSF certification requires:
- Completion of an assessment questionnaire to identify security controls, resources, and tools utilized
- Submission of supporting documentation and evidence for each control
- Onsite testing and report preparation by an approved CSF assessor
- HITRUST review and validation
The benefits to clients and prospects of our platform’s HITRUST certification include:
- Independent verification that we meet the healthcare industry's highest standards in protecting healthcare information and mitigating the associated risk
- Removal of an administrative burden and its associated costs for organizations that conduct a formal vendor risk-management process
- Significant reductions in time and effort should a client apply for HITRUST certification
SSAE 16 SOC 1 Type II and SOC 2 Audited Data Center
PDHI servers are hosted at an SSAE 16 SOC 1 Type II and SOC 2 audited, carrier-class data center provided by LightEdge Solutions in Altoona, Iowa.
The controls addressed in SSAE 16 (Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization) are those that a service organization implements to prevent, or detect and correct, errors or omissions in the information it provides to user entities. A Type II audit reports on policies and procedures placed in operation and on tests of their operating effectiveness over a period of at least six consecutive months.
The controls addressed in SOC 2 (Service Organization Controls 2) bring the confidentiality and security measures of the service organization in line with current security concerns worldwide. SOC 2 is based on the Trust Services Principles, Criteria and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (TSP Section 100). A SOC 2 audit reports on the data-center facilities and on the suitability of the design of the controls placed in operation, as of a specific date, to meet the criteria set forth in TSP Section 100 (a point-in-time Type I report; a Type II report additionally tests operating effectiveness over a period). These reports cover the data-center provider's facility controls, such as physical security, environmental protection, and availability, rather than the controls of the applications hosted there.
NCQA Wellness and Health Promotion Certification
ConXus Profile (health risk assessment) and ConXus Steps (self-management tools) have received Wellness and Health Promotion (WHP) certification from the National Committee for Quality Assurance (NCQA).
Health plans using ConXus modules receive automatic credit when undergoing NCQA Health Plan Accreditation for the following standards:
- 2017 MEM 1: Health Appraisals and MEM 2: Self-Management
- 2018 PHM 4: Wellness and Prevention, Elements A-K
Wellness service providers using ConXus modules receive automatic credit for health appraisals (WHP 5) and self-management tools (WHP 7) when undergoing NCQA Wellness and Health Promotion Accreditation.
FDR Medicare Compliance
PDHI qualifies as a first-tier, downstream, or related entity (FDR) for clients operating as Medicare Advantage organizations.
To complete the annual FDR attestation, PDHI meets the following requirements:
- Distribution of our code of conduct within 90 days of hiring or contracting and annually thereafter
- Completion of CMS Medicare Parts C & D Fraud, Waste, and Abuse and General Compliance Training within 90 days of hiring or contracting and annually thereafter
- Review of federal-level exclusion lists (the DHHS-OIG List of Excluded Individuals/Entities, LEIE, and the GSA System for Award Management, SAM) prior to hiring or contracting with any individual or entity, and monthly thereafter, to ensure that none are excluded from participating in federal healthcare programs
National CLAS Standards
PDHI follows the National Culturally and Linguistically Appropriate Services (CLAS) Standards in Health and Health Care published by the Office of Minority Health, US Department of Health and Human Services.
The National CLAS Standards are intended to advance health equity, improve quality, and help eliminate healthcare disparities by providing a blueprint for individuals and health and healthcare organizations to implement culturally and linguistically appropriate services.
Text and images used in the PDHI health risk assessment and self-management tools are designed to be understandable by and respectful of all users, regardless of age, gender, education, or socioeconomic background.