Multi-Layer Protections Ensure Data Security
FAIR Heath is charged with protecting and de-identifying claims information for many of the nation’s largest health plans, and therefore is intensely focused on data privacy and security. We maintain administrative, procedural, technical and physical safeguards that comply with applicable law and exceed industry standards and best practices.
As a testament to our data security protocols, CMS has certified FAIR Health as a Qualified Entity—one of only five organizations in the country eligible to receive Medicare claims for all 50 states and Washington, DC. We also hold SOC 2* certification, demonstrating compliance with the guidelines of the AICPA,* and HITRUST CSF* Certified Status
Our security architecture includes:
- Physical security. Access to our SOC 2 and HIPAA*-compliant data centers in New York and Chicago is controlled by 24-hour guards, electronic card access locks, biometric protocols and video surveillance. We maintain dual data centers to ensure continuous operation.
- Information security. FAIR Health’s data vault architecture isolates electronic protected health information (ePHI) from external (Internet) access through actively managed, three-level-deep redundant firewalls; ingress-only security zoning; and redundant intrusion prevention devices, allowing access only via virtual private network (VPN) by select users’ dedicated, hardened access points. All employees are scrupulously trained in HIPAA and relevant security policies. In addition, access to data center tables, records and other files is restricted by segregation of duties and multiple authentication controls. Extensive logging and alerting mechanisms are employed to warn of suspicious data flow.
- Data encryption. FAIR Health applies full end-to-end at-rest and in-transit FIPS* encryption to protect ePHI.
* Service Organization Controls 2 (SOC 2); American Institute of Certified Public Accountants (AICPA); Health Information Trust Alliance Common Security Framework (HITRUST CSF); Health Insurance Portability and Accountability Act (HIPAA); Federal Information Processing Standard (FIPS).