MedAllies takes the privacy of our vendor partner’s and client’s data as an essential core principle. Medallies protects the privacy and security of health information that is maintained or transmitted in accordance with applicable data protection laws including HIPAA and HITECH. We ensure compliance with our vendor partners and clients connected to our network via contractual requirements and additional certification requirements for vendor partners, which includes privacy clauses. MedAllies protects data throughout operational processes with role-based access controls that limit access to only for its intended use.
MedAllies Privacy program is overseen by our Chief Privacy Officer.
MedAllies is HITRUST certified. HITRUST certification provides assurances to our partners, clients, and those organizations in which we are interoperable that our security and privacy controls are comprehensive, effective, and compliant with various regulations and frameworks. HITRUST Certification demonstrates MedAllies’ proactiveapproach to data protection and information risk mitigation. MedAllies undergoes a risk-based re-certification every two (2) years and is required to perform interim assessments to ensure ongoing maintenance. HITRUST certification signals to partners and clients that MedAllies meets best practices in HIPAA, privacy, and security compliance standards.
MedAllies maintains full accreditation as part of the Direct Trust Accreditation Program. MedAllies is triple accredited for our Health Information Service Provider (HISP), Certificate Authority (CA), and Registration Authority (RA) products. Direct Trust Accreditations recognize excellence in health data transactions and ensures compliance with industry-established standards, HIPAA/HITECH regulations, and the Direct Project. These Accreditations signal to partners and clients alike that MedAllies provides the highest standard of privacy, security, and trust-in-identity.
MedAllies uses multi-factor authentication and multiple layers of security to secure client, server, data, and transmission of all information. Our products implement encryption at rest and in transit.
We ensure compliance with our partners and clients connected to our network via contractual requirements and additional certification requirements for vendor partners, which includes security clauses. Vendor partner certification ensures technology connected to our network works in accordance with industry standards and vendors maintain proper version and change control.
The MedAllies Security program, includes our ongoing security certifications and accreditations, auditing and monitoring, and comprehensive testing including third party intrusion and penetration testing. The Security program is overseen by our Chief Information Security Officer (CISO).
The MedAllies Chief Technology Officer oversees all product security design and architecture. MedAllies has a team of product-level security architects and engineers who are responsible for designing and managing product-based best practice security controls for on-premises and cloud products and services.
MedAllies has a Security Steering Committee (SSC) made up of key personnel from various business units, as well as executives, whose responsibilities include reviewing reports and updates from the support and information technology departments, assessing any technology changes or threats relevant to MedAllies, evaluating risks to the organization, driving policy, implementing recommendations, and ensuring compliance with security protocols. The SSC is chaired by the CISO.
MedAllies has a comprehensive corporate compliance program and maintains membership in the Society of Corporate Compliance (SCC). Corporate compliance is a part of corporate culture and onboarding to a culture of compliance begins with onboarding of new hires. Our Code of Conduct is a key component of our corporate compliance and ethics program. The Code sets guiding principles for how we work, interact with our clients and partners, and how we protect the company from harm. The Code of Conduct reaffirms our values and practices and how we approach business integrity. Recently, our Chief Compliance Officer spoken at the National SCC Conference presenting a session titled, “How to Build an Efficient Compliance Program in a Small Organization.” In addition, our CCO has hosted SCC virtual meet-ups on various corporate compliance topics.
MedAllies has a strong governance program in place to oversee data processing activities and lifecycle management including data stewardship to assure cross functional data management.
MedAllies ensures internal controls and processes are efficient and effective through Business Process Management (BPM). BPM is led by our Director of Operational Excellence. BPM models, analyzes, and optimizes end-to-end business processes to meet strategic business goals. BPM also improves efficiency, reduces costs and errors, and supports digital transformation efforts. BPM optimizes business operations so that MedAllies delivers better products and services to our vendor partners and clients.
MedAllies is a Carequality Implementer. The Carequality Interoperability Framework includes multiple elements (legal, policy, technical, governance) which operationalize data sharing under an approved “Principles of Trust”.
MedAllies is a member of the CommonWell Health Alliance. CommonWell Health Alliance is a not-for-profit trade association of health care and technology organizations working together to create universal access to health data nationwide. CommonWell Health Alliance members represent a wide variety of health care organizations.
MedAllies has extensive ongoing roles-based training for security, privacy, and compliance. All employees are trained in the handling of sensitive patient health information. MedAllies uses a combination of in-house created and online training that meets industry, regulatory, and state-specific requirements.
HITRUST is supporting the security requirements of the Trusted Exchange Framework and Common Agreement (TEFCA) program. The TEFCA Recognized Coordinating Entity (RCE) – The Sequoia Project – has selected HITRUST and the HITRUST Risk-based, 2-year (r2) Certification as the first certifying body and certification for organizations to prove they comply with the TEFCA security requirements for their Qualified Health Information Network (QHIN) designation. HITRUST is also available to support TEFCA Participants and Subparticipants in the security of TEFCA Information (TI) under the Framework Agreements.
ONC Health IT Certification
MedAllies DirectSolutions™ V3.4 is 2015 ONC Certified. The ONC Health IT Certification Program ensures the capability, functionality, and security requirements adopted by the U.S. Department of Health and Human Services (HHS).