We approached the creation of HealthCheck by Stratum to ensure that, from the beginning, we were following the standards we recommend to our customers and partners.
Our data is stored in data centers that meet some of the most stringent compliance standards in the world. These data centers meet ISO 27018 standards for cloud-based security, and the services we consume all meet that same standard. The data, while Personal Healthcare Information (PHI), does not meet the standard for Healthcare Information Portability and Accountability Act (HIPAA), as it is not used for patient care or treatment. However, the HIPAA HITRUST standards are stringent enough that we implemented data guidelines that meet those standards.
Data is stored for fourteen (14) weeks, or 98 days. Organizations, if they choose, can retain that data for up to one year on an enterprise plan, but the organization must provide a written request, with reasons cited in Federal, State, or County regulations, for that extension. After 98 days, we anonymize the data so that no single defining characteristic can be associated with a single individual. Data storage mechanisms include the separation of demographic, PII, and PHI data. The keys we use are stored in Hardware Security Modules and encrypted using industry-accepted standards. Each column of data is evaluated constantly for its classification type and is tagged accordingly with one of the tiers below:
- Tier 1: Generally Available
- Tier 2: Confidential
- Tier 3: Confidential PII (with GDPR/CCPA)
- Tier 4: Confidential PHI
The database(s) we use are encrypted at rest, and ALL communications between service components use TLS 1.2. Further, the database leverages column-level encryption for fields tagged as Tier 3/4. Finally, data is also masked, such that anyone other than an approved member of that data security role will see masked data.