Hosting & Security
ConXus applications are delivered from PDHI servers using a software-as-a-service (SaaS) model. The ConXus Platform has achieved HITRUST Risk-based, 2-year Certification from the HITRUST Alliance’s CSF Assurance Program for data security and protection of PHI, meeting the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
Reliable Performance, Maximum Availability
The ConXus Platform is hosted on Microsoft Azure, a comprehensive set of cloud services. Azure provides highly scalable, reliable, and secure hosting from multiple data centers across the United States. Site performance is monitored 24/7 from locations across the United States.
Azure is certified to the Health Information Trust Alliance Common Security Framework (HITRUST CSF). PDHI maximizes the security and privacy features of its application by utilizing only in scope Azure Services to build, deploy, and manage the ConXus Platform. Azure also complies with Service Organization Controls standards for operational security (SOC 2 and SOC 3).
Servers are protected by a managed firewall that regulates all data entering and leaving the network. Additional security is provided by an intrusion detection system that monitors both the network and servers to identify any patterns that could indicate unauthorized activity.
Personal health data is encrypted at rest and in transit, using secure sockets layer technology (HTTPS) and secure-FTP.
Access to ConXus applications for end users requires a username and password. Access to bulk PHI requires two-factor authentication. Encrypted session IDs are established for the duration of a sign-on. This session ID ends as soon as the user signs out. In addition, the session ID will automatically time out after a defined period (usually set at 30 minutes) if the user is not active on the site.
Federal privacy and security regulations from the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) created national standards to protect medical records and certain other types of health information (protected health information, or PHI).
To comply with HIPAA and HITECH regulations, PDHI enters into a License and Services Agreement and a Business Associate Agreement with each client that establishes the permitted and required uses and disclosures of PHI and its security, including:
- Use of PHI only as permitted by the contract and as allowed by law.
- Use of appropriate safeguards to protect PHI, especially electronic PHI.
- Reporting any disclosures not permitted by the contract or the applicable regulations and mitigation thereof.