Corporate Statements
Privacy
MedAllies treats the privacy of our vendor partners’ and clients’ data as an essential core principle. MedAllies protects the privacy and security of health information that is maintained or transmitted in accordance with applicable data protection laws, including HIPAA and HITECH. We ensure compliance with our vendor partners and clients connected to our network via contractual requirements and additional certification requirements for vendor partners, which include privacy clauses. MedAllies protects data through standardized operational processes for the management of our networks. All products include role-based access controls that limit access to intended use only for both our clients and partners, as well as for our employees’ administrative management of the networks.
MedAllies does not sell, rent, or mine any personal health information that is made available through any of our interoperable networks. MedAllies does not allow any of our connected vendor partners to sell, rent, or mine any personal health information that is made available through any of our interoperable networks, and enforces this via contract management. The MedAllies Privacy Policy is located on our website at https://www.medallies.com/privacy-policy-2/
The MedAllies Privacy program is overseen by our Chief Privacy Officer.
MedAllies Privacy, Security and Compliance are also overseen by the MedAllies Network Council, which is the governing body of the MedAllies Networks.
Security
MedAllies is HITRUST certified. HITRUST certification provides assurances to our partners, clients, and those organizations with which we are interoperable that our security and privacy controls are comprehensive, effective, and compliant with various regulations and frameworks. HITRUST Certification demonstrates MedAllies’ proactive approach to data protection and information risk mitigation. MedAllies undergoes a risk-based re-certification every two (2) years and is required to perform interim assessments to ensure ongoing maintenance. HITRUST certification signals to partners and clients that MedAllies meets best practices in HIPAA, privacy, and security compliance standards.
MedAllies maintains full accreditation as part of the Direct Trust Accreditation Program. MedAllies is triple accredited for our Health Information Service Provider (HISP), Certificate Authority (CA), and Registration Authority (RA) products. Direct Trust Accreditations recognize excellence in health data transactions and ensure compliance with industry-established standards, HIPAA/HITECH regulations, and the Direct Project. These Accreditations signal to partners and clients alike that MedAllies provides the highest standard of privacy, security, and trust-in-identity.
MedAllies uses multi-factor authentication and multiple layers of security to protect the client, server, data, and transmission security of all information. Our products implement encryption at rest and in transit.
We ensure compliance with our partners and clients connected to our network via contractual requirements and additional certification requirements for vendor partners, which include security clauses. Vendor partner certification ensures that technology connected to our network works in accordance with industry standards and that vendors maintain proper version and change control.
The MedAllies Security program includes our ongoing security certifications and accreditations, auditing and monitoring, and comprehensive testing, including third-party intrusion and penetration testing. The Security program is overseen by our Chief Information Security Officer (CISO).
The MedAllies Chief Technology Officer (CTO) oversees all product security design and architecture. MedAllies has a team of product-level security architects and engineers who are responsible for designing and managing product-based best practice security controls for on-premises and cloud products and services.
MedAllies has a Security Steering Committee (SSC) made up of key personnel from various business units, as well as executives, whose responsibilities include reviewing reports and updates from the support and information technology departments, assessing any technology changes or threats relevant to MedAllies, evaluating risks to the organization, driving policy, implementing recommendations, and ensuring compliance with security protocols. The SSC is chaired by the CISO.
MedAllies Privacy, Security and Compliance are also overseen by the MedAllies Network Council, which is the governing body of the MedAllies Networks.
Compliance
MedAllies has a comprehensive corporate compliance program and maintains membership in the Society of Corporate Compliance (SCC). Corporate compliance is a part of MedAllies’ corporate culture, and initiation into a culture of compliance begins with the onboarding of new hires. Our Code of Conduct is a key component of our corporate compliance and ethics program. The Code sets guiding principles for how we work, how we interact with our clients and partners, and how we protect the company from harm. The Code of Conduct reaffirms our values and practices and how we approach business integrity.
MedAllies has a robust corporate compliance program based on the latest version of the Department of Justice’s Evaluation of Corporate Compliance Programs. For more information: https://www.justice.gov
MedAllies has a strong governance program in place to oversee data processing activities and lifecycle management, including data stewardship to assure cross-functional data management.
MedAllies ensures internal controls and processes are efficient and effective through Business Process Management (BPM). BPM is led by our Director of Operational Excellence. BPM models, analyzes, and optimizes end-to-end business processes to meet strategic business goals. BPM also improves efficiency, reduces costs and errors, and supports digital transformation efforts. BPM optimizes business operations so that MedAllies delivers better products and services to our vendor partners and clients.
MedAllies Privacy, Security and Compliance are also overseen by the MedAllies Network Council, which is the governing body of the MedAllies Networks.
MedAllies has extensive ongoing role-based training for security, privacy and compliance. All employees are trained in the handling of sensitive patient health information. MedAllies uses a combination of in-house created and online training that meets industry, regulatory and state-specific requirements.