Scott Ruthe, vice president of network and security at CIOX Health, answers a few questions on the importance of securing protected health information (PHI) during the release of information (ROI) process.
Q: Tell us a little about CIOX Health.
A: CIOX Health, a new company with access across all health information pathways, is transforming the way health information is managed. We work as your clinical information intermediary to help all parties excel in the management and exchange of critical health information. With strong relationships and specialized expertise, we deliver the highest level of quality and process optimization to our partners nationwide. Our service offerings include release of information, coding, clinical research, and oncology data services, as well as audit management technology.
Q: Tell us a little about CIOX Health’s commitment to securing PHI.
A: CIOX Health has made significant investments from both a capital and operational standpoint in our security systems because we have a full understanding that security of our clients’ PHI is paramount. Release of information is an important part of our business model, and making sure that we hold that information as securely as possible, and deliver it reliably and securely to our clients, that is of utmost importance to us.
Q: How does CIOX Health ensure the security of PHI?
A: CIOX Health uses both logical and physical security controls to make sure we are providing the highest level of security possible for PHI. From a logical standpoint, we use best-of-breed security systems and applications such as firewalls, user access controls and monitors, secure event management tools, encryption and disaster recovery. From a physical standpoint, we utilize secure badge access to all doors, restricted access to sensitive areas, such as our print and mail center, monthly user access monitors to see who has been accessing specific areas, as well as having 30 cameras installed throughout the ROI distribution facility.
At CIOX Health, our security controls are based on HIPAA rules and regulations. These rules and regulations are the minimum standards for the framework of our policies and procedures. We always try to go above that minimum standard. So our team is constantly reviewing our systems, achieving certifications and completing training courses to ensure that we can provide the best of security and privacy for our clients’ PHI.
Q: What types of testing of your processes does CIOX Health conduct?
A: CIOX Health has a fully vetted disaster recovery plan in place with the recovery site located over 800 miles from our primary data center. We test that disaster recovery plan twice a year to ensure we can recover our systems in the event of a disaster.
We also utilize the SSAE 16 Type 2 SOC 1 audit report and HITRUST certification, third-party audits of CIOX Health’s service controls and objectives regarding our security, operations and financial systems. These audit reports are important because it is not just CIOX Health saying these are the security controls we’re going to follow. It is an outside third party coming in, reviewing, testing and validating that yes, you have adequate controls and that CIOX Health is following those controls. That should give our clients a level of comfort that it’s not just CIOX Health saying we’re secure.
CIOX Health performs third-party audits not only to validate controls and systems for us, but to also help identify areas where we may need improvement. We do these external audits and utilize those reports to develop remediation plans and to make our environment even more secure and stronger for our clients.