Multilayer Protections Ensure Data Security

FAIR Health is charged with protecting and de-identifying claims information for many of the nation’s largest health plans, and therefore is intensely focused on data privacy and security. We maintain administrative, procedural, technical and physical safeguards that comply with applicable law and exceed industry standards and best practices.

As a testament to our data security protocols, CMS has certified FAIR Health as a Qualified Entity (QE) eligible to receive Medicare claims data for all 50 states and Washington, DC. We also have achieved SOC 2 compliance, meeting the criteria for security, availability and confidentiality principles established by AICPA.* FAIR Health’s systems for processing and storing protected health information have earned HITRUST CSF* Certified Status by meeting key healthcare regulations and industry requirements for protecting and securing sensitive private healthcare information.

Our security architecture includes:

• Physical security. Access to our SOC 2- and HIPAA*-compliant data centers are controlled by 24-hour guards, electronic card access locks, biometric protocols and video surveillance. We maintain dual data centers to ensure continuous operation.
• Information security. FAIR Health’s data vault architecture isolates electronic protected health information (ePHI) from external (internet) access through actively managed, three-level-deep redundant firewalls; ingress-only security zoning; and redundant intrusion prevention devices, allowing access only via virtual private network (VPN) by select users’ dedicated, hardened access points. All employees are scrupulously trained in HIPAA and relevant security policies. In addition, access to data center tables, records and other files is restricted by segregation of duties and multiple authentication controls. Extensive logging and alerting mechanisms are employed to warn of suspicious data flow.
• Data encryption. FAIR Health applies full end-to-end at-rest and in-transit FIPS* encryption to protect ePHI.

* American Institute of Certified Public Accountants (AICPA); Health Information Trust Alliance Common Security Framework (HITRUST CSF); Health Insurance Portability and Accountability Act (HIPAA); Federal Information Processing Standard (FIPS).