NACHC Summary of Data Security and Privacy Practices
Last updated: 11/29/23
NACHC employs an information technology (IT) team of experienced and appropriately credentialed personnel to monitor and maintain data security and privacy. The executive sponsor for NACHC data security and privacy is the COO. For selected security functions, NACHC partners with various information security vendors and subject matter experts. All NACHC staff and contractors are responsible for protecting the security and privacy of confidential data, systems and equipment. NACHC continues to expand workforce training content and tools to ensure data privacy and security.
For some clinical data projects, NACHC receives certain health data from health centers in accordance with a project agreement and a data use agreement (DUA). The health data consists of protected health information (PHI) from which certain identifiers (such as names, phone numbers, email addresses, Social Security numbers, account numbers, etc.) have been removed. This health data meets the definition of a limited dataset (LDS) under the Health Insurance Portability and Accountability Act (HIPAA). Even with certain identifiers removed, the information in an LDS is considered PHI under HIPAA. NACHC executes DUAs that outline NACHC’s responsibilities to protect health data, including prohibiting the use or disclosure of the health data except as permitted by the agreement or as permitted by law, requiring NACHC to use appropriate safeguards to protect the LDS, and requiring NACHC to report to the health center any unauthorized use or disclosure of which it becomes aware.
NACHC staff and contractors who handle health data are required to follow NACHC’s policies and procedures related to protecting the privacy and security of health data.
NACHC recognizes that compliance begins with organizational policies, procedures, and practices that are reinforced through appropriately secured technology and training of staff.
As a steward of health data from other organizations, NACHC receives limited data sets and de-identified data. In that role NACHC is not a HIPAA covered entity; it nevertheless aligns its policies with HIPAA, HITECH, and the data use agreements in place with its data sharing partners. NACHC requires that a data use agreement be executed with any organization with which health data is shared, so that the expectations of the data provider and the data recipient are clearly defined.
For security compliance, NACHC has completed three independent audits of its clinical data warehouse against the AWS Well-Architected Framework and industry security procedures. NACHC regularly tests and audits its systems to maintain a secure environment.
NACHC carries cybersecurity insurance to protect against the impacts of a cybersecurity event.
Multi-factor authentication (MFA) is managed by NACHC’s IT team and has been implemented across NACHC’s platforms and systems; MFA is required to access systems and cloud applications.
Disaster Recovery and Back-Up
Disaster recovery is managed by NACHC’s IT team. NACHC has developed a disaster recovery plan that is compliant with industry best practices. NACHC relies on its Infrastructure as a Service (IaaS) providers and Software as a Service (SaaS) providers for high-availability, ongoing backups, and recovery capabilities.
Incident Management and Breach Notification
The Director of Information Services oversees incident management within the IT department at NACHC. The organization has implemented a robust incident response plan to handle cybersecurity breaches and incidents. NACHC’s servers and computers run specialized detection software that identifies and reports breaches in real time. As an additional layer of protection against breaches, NACHC also uses Microsoft Defender for Endpoint. When a security incident is a reportable breach, NACHC notifies affected partners of the incident and of its remediation efforts. NACHC has developed a breach notification procedure based on industry best practices and has delivered required training on breach procedures to all staff; every new NACHC employee must complete this training as part of onboarding.
Vulnerability assessment is the responsibility of NACHC’s security IT vendor. All applicable systems are assessed for vulnerabilities on a strict monthly, quarterly, and annual schedule. Upon completion of each assessment, its recommendations are implemented before the subsequent assessment, which verifies that those changes were made.
NACHC performs auditing of critical internal and cloud systems as part of the vulnerability assessment. All system audit functions are enabled and audit information is reported to the IT team. Multiple tools log all user activity and performance within AWS. Thresholds for alarms are configured to identify suboptimal performance and notify NACHC in real time for remediation.
Encryption and Transmission
NACHC protects health data with encryption in transit and at rest and provides administrative controls to enforce organization-wide protection such as SAML SSO, enforced MFA, and SCIM.