Protecting PHI and All Your Most Sensitive Data
We frequently mention that security is in our DNA, and we mean it.
Because we place security at the forefront of everything we do, we’re always seeking out ways to protect more of your sensitive data, compliantly.
Today, we’re excited to announce two recent independent assurance milestones at Basis Theory: a SOC 2 Type 1 report with HIPAA, and ISO 27001 certification. Read on for more information about what these assessments cover and what they mean for your data.
HIPAA Compliance
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires organizations handling protected health information (PHI) to adopt national standards for electronic health care transactions, code sets, and security. Two later rules, the Privacy Rule (December 2000) and the Security Rule (February 2003), added protections for individually identifiable health information.
HIPAA has no official certifying body; compliance is demonstrated by implementing the Security Rule's administrative, physical, and technical safeguards for sensitive patient data and having them independently assessed.
Basis Theory has these safeguards in place. The Security Rule's requirements include the following:
- Administrative safeguards: Covered entities (CEs) and business associates (BAs) must implement policies and procedures that ensure the privacy and security of PHI. This includes conducting risk assessments, training workforce members on security policies and procedures, and designating a security official to oversee compliance.
- Technical safeguards: CEs and BAs must implement technical measures to protect electronic PHI (ePHI) from unauthorized access such as monitoring, access and provisioning controls, encryption, and logging and audit capabilities.
- Organizational requirements: CEs and BAs must have contracts or other arrangements in place with their business associates that require them to comply with HIPAA data security requirements.
- Breach notification: CEs and BAs must report breaches of unsecured PHI to affected individuals, the Department of Health and Human Services, and, in some cases, the media.
- Risk analysis and management: CEs and BAs must conduct ongoing risk analysis and risk management to identify and mitigate potential threats to PHI. Examples include Data Criticality Analysis and Business Impact Analysis.
- Security incident procedures: CEs and BAs must be able to identify and respond to suspected or known security incidents and mitigate, to a reasonable extent, their harmful effects.
- Contingency planning: CEs and BAs must have business continuity and disaster recovery plans in place that are tested and periodically reviewed.
HIPAA also requires technical policies covering integrity controls and transmission security, so that ePHI is protected against unauthorized access or alteration in transit. This safeguard applies to every transmission path, including email, the public internet, and private networks such as a private cloud.
By becoming HIPAA compliant, Basis Theory has met and will continue to maintain these standards.
What does this mean for you?
Basis Theory provides the technical safeguards and access controls needed to protect, enforce, and restrict access to PHI. Organizations that use our infrastructure not only remove PHI from their own systems but also eliminate the complexities, costs, and distractions that come with building and maintaining their own HIPAA-compliant environment.
With Basis Theory, these organizations can collect and secure PHI in our vault: medical records, patient names, account numbers, beneficiaries, Social Security numbers, and more.
Users of the Basis Theory platform can be confident that PHI tokenized in the vault is handled to the standards HIPAA sets. A vault token is a random reference, not a derivation of the underlying value, so it cannot be reversed or “cracked” from the token alone; re-identification happens only through authorized, access-controlled detokenization against the vault, and every such access is subject to the vault's permissions and logging.
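To make the distinction above concrete, here is an added illustration (not Basis Theory's code, and not a description of its internal design) of why a deterministic hash "token" over a low-entropy identifier can be cracked by enumeration, while a random vault token yields nothing to the same attack and can only be resolved through a permission-checked, audited detokenize call. The `TokenVault` class, the `phi:reveal` permission name, and the sample SSN and known prefix are all constructed for the example.

```python
import hashlib
import secrets

# Constructed sample identifier for the demonstration; not real PHI.
SAMPLE_SSN = "123-45-6789"
# Assume the attacker already knows the area and group digits, a common
# situation since they correlate with place and date of issuance.
KNOWN_PREFIX = "123-45-"


def hash_token(value: str) -> str:
    """A 'token' built as an unsalted SHA-256 of the value. It is deterministic,
    so anyone who can enumerate the value space can match it."""
    return hashlib.sha256(value.encode()).hexdigest()


def candidate_ssns(prefix: str):
    """Enumerate the 10,000 serial numbers behind a known area+group prefix."""
    for serial in range(10_000):
        yield f"{prefix}{serial:04d}"


def crack_hash_token(token: str, prefix: str):
    """Recover the SSN behind a hash token by hashing every candidate.
    Returns the plaintext on a match, else None."""
    for ssn in candidate_ssns(prefix):
        if hash_token(ssn) == token:
            return ssn
    return None


class TokenVault:
    """Minimal vault model: the token is random and the mapping to the value
    lives only server-side, so the token itself carries no information about
    the value. Detokenization is gated by a permission check and every call
    is logged, in the spirit of the Security Rule's access-control and audit
    requirements."""

    def __init__(self):
        self._store = {}
        self.audit_log = []

    def tokenize(self, value: str) -> str:
        # 16 random bytes, url-safe; unrelated to the value in any way.
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = value
        self.audit_log.append(("tokenize", token))
        return token

    def detokenize(self, token: str, permissions: set) -> str:
        # Hypothetical permission name used for the example.
        if "phi:reveal" not in permissions:
            self.audit_log.append(("detokenize_denied", token))
            raise PermissionError("caller lacks phi:reveal")
        self.audit_log.append(("detokenize", token))
        return self._store[token]


def crack_vault_token(token: str, prefix: str):
    """The same enumeration attack against a vault token: no candidate value,
    nor any hash of one, reproduces a random token, so nothing is recovered."""
    for ssn in candidate_ssns(prefix):
        if ssn == token or hash_token(ssn) == token:
            return ssn
    return None


if __name__ == "__main__":
    print("hash token cracked to:", crack_hash_token(hash_token(SAMPLE_SSN), KNOWN_PREFIX))
    vault = TokenVault()
    tok = vault.tokenize(SAMPLE_SSN)
    print("vault token cracked to:", crack_vault_token(tok, KNOWN_PREFIX))
    print("authorized detokenize:", vault.detokenize(tok, {"phi:reveal"}))
```

The hash attack succeeds after at most 10,000 hashes; even the full nine-digit SSN space is only about a billion candidates, well within reach of commodity hardware. The vault token defeats it not because the attacker lacks compute but because there is no function of the plaintext to invert; the only path back to PHI is the vault's own detokenize operation, which is where access control and audit logging must live.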
ISO 27001 Certification
While security architecture is paramount in protecting data, it’s just as important that an organization implement, maintain, and continuously improve a strong information security management system (ISMS).
To achieve ISO 27001 certification, organizations go through a staged audit process (a Stage 1 documentation review, a Stage 2 implementation audit, and ongoing surveillance audits) covering the management-system areas of the business: leadership, planning, support, operation, performance evaluation, and improvement, among others.
For Basis Theory to become ISO 27001 certified, we were required to:
- Systematically examine our information security risks, taking account of the threats, vulnerabilities, and impacts;
- Design and implement a comprehensive suite of security controls and other forms of risk treatment, such as risk avoidance or risk transfer, to address the risks deemed unacceptable;
- Adopt an overarching management process to ensure that the information security controls continue to meet our organization's information security needs on an ongoing basis; and
- Meet the Annex A control requirements for Organization of Information Security, Human Resource Security, Asset Management, Access Control, Cryptography, Physical and Environmental Security, Operations Security, Communications Security, System Acquisition, Development, and Maintenance (SDLC), Supplier Relationships, Incident Management, Business Continuity and Disaster Recovery, and Compliance.
What does this mean for you?
Our organizational standards and policies meet or exceed the standards required to achieve ISO 27001 compliance. We have not only the technical safeguards in place to protect the sensitive data we store in our vault, but the organizational policies, processes, and plans, as well.
In short, this means Basis Theory is a certified, world-class data vault.
Putting Your Data First
We know that it’s not enough for an organization that holds sensitive data to merely claim it is secure; third-party certifications carry significantly more weight. At Basis Theory, we built a secure system to house all your most sensitive data by following cloud-native security best practices, monitoring our network continuously, maintaining compliance, and more.
And we work to meet or exceed the standards set in the levels of compliance we’ve achieved and continue to maintain.
Learn more about our security practices and all the compliance measures Basis Theory follows to keep your data safe.