How hc1 protects your data
As a HIPAA-regulated company, hc1 has a responsibility to protect the highly sensitive Protected Health Information (PHI) that our healthcare customers store in our system (“Customer Data”). Security is a priority in every system and service we deliver, and in all business processes we follow.
This information security communication and the hc1 Security Whitepaper describe our approach to safeguarding Customer Data. This information security communication also guides our healthcare customers when transmitting Customer Data to the hc1 High-Value Care Platform® (the “hc1 Platform”).
All of hc1’s employees are expected to be familiar with HIPAA regulations and, per these regulations, receive regular education and reminders about security best practices and protecting Customer Data. All of hc1’s employees go through an annual third-party HIPAA training and certification program and must pass a test on the materials, whether they have access to PHI or not. Security information and updates are published to the team periodically throughout the year. Additionally, employees are instructed about how security affects their specific roles within the organization and the company as a whole.
hc1 employs a robust information security program and policies supporting the program. A listing of a few of the hc1 policies and procedures is available for review via the hc1 Security Whitepaper.
We have prepared this information security communication and the hc1 Security Whitepaper as a guide to your responsibilities to protect Customer Data before granting you access to the hc1 Platform.
Throughout this document, "hc1" will be referred to as "we," "us," and "our," and our healthcare customers will be referred to as "you" and "your."
Secure connectivity and encryption
We offer various secure transmission methods: SSL, API, and SSH (secure file transfer protocol servers).
The hc1 Platform provides full encryption of all Customer Data in motion and at rest, not just Customer Data designated as sensitive (such as PHI). All Customer Data in transit is encrypted using SSL-TLS version 1.2. To encrypt all Customer Data at rest, we employ FIPS 140-2 compliant Amazon EBS encryption.
The hc1 Platform® is HITRUST® Certified
Another way hc1 protects your data is through a third-party certification of the hc1 Platform and the hc1 corporate headquarters in Indianapolis, awarded by HITRUST.
The hc1 Platform earned the HITRUST Risk-based, 2-year (r2) Certified status, demonstrating that the hc1 Platform and the hc1 corporate headquarters have met key regulations and industry-defined requirements and are appropriately managing risk. This achievement places hc1 in an elite group of organizations worldwide that have earned this certification. By including federal and state regulations, standards, and frameworks, and incorporating a risk-based approach, the HITRUST Assurance Program helps organizations address security and data protection challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.
How you can protect your data
Secure connectivity
If you submit a support inquiry to us, we assign a unique secure file transfer protocol server for you to share Customer Data with us for troubleshooting purposes. We also assign a unique secure file transfer protocol server to you to share Customer Data with us when you contract with us for professional services we perform on your behalf.
We provide you with these secure means to transmit Customer Data, as you are obligated to maintain the safety, security, and integrity of Customer Data in your possession.
As described in our agreement with you, we have the right to monitor and revoke any activity when your access to the hc1 Platform may degrade the security of the hc1 Platform.
Lockout policy for inactive sessions
We maintain a policy to pause sessions and disconnect sessions after a period of session inactivity. Our technical operations team configures each hc1 team member’s workstation/laptop to automatically time out after a period of inactivity.
We recommend all our healthcare customers adopt a similar policy and process as a further safeguard for users accessing the hc1 Platform. The hc1 Platform is configurable to support session timeouts. For example, the timeout or lockout policy would pause sessions after 15 minutes of inactivity and disconnect sessions after 30 minutes of inactivity.
Strong passwords
How we use your data
We use Customer Data to provide services to you per your agreement with us. You may contact us if you have questions on how we maintain Customer Data. Our contact information is available by accessing our Privacy Policy.
If you suspect a Security Incident (as defined by HIPAA) has occurred, we are obligated to follow the notification process outlined in our Business Associate Agreement with you.
How you report suspected vulnerabilities or bugs to us
You may report suspected vulnerabilities or bugs to us by contacting hc1 support as follows:
Phone: 317.200.3720
Email: hc1support@hc1.com
Support Form: hc1 Connect Support Form