Documents & Certificates

Contents

[To download documents, please scroll to the bottom of this page]

  • SOC 2 Type II
  • Compliance Packet
  • HITRUST
  • OCR
  • Network Diagram
  • SDLC
  • Vendor Management
  • Document Available by Request
  • Document Available for Download

SOC 2 Type II

  • Our data center has completed a SOC 2 Type II certification.

 

Compliance Policy / Procedure Packet

ER Express has developed a robust set of policies and procedures to deliver ongoing compliance with the appropriate set of statutes, regulations, and best practices:

  • 1a.HIPAA-DataClassificationPolicy
  • 1b.HIPAA-DataDestructionPolicy
  • 1c.HIPAA-DataRetentionSchedule
  • 2.HIPAA-EncryptionPolicy
  • 3a.HIPAA-IncidentResponsePolicy
  • 3b.HIPAA-IncidentResponsePlan
  • 4.HIPAA-InformationHandlingPolicy
  • 5.HIPAA-InformationSecurityPolicy
  • 6.HIPAA-SanctionPolicy

 

HITRUST

  • We have completed the HITRUST self-assessment and have been evaluated by HITRUST, and achieved a 5- rating (on a 1 - 5+ scale),
  • The 5- rating equates to: 'Consistently produces and actives monitors status metrics for the information security program as well as the majority of the individual HITRUST critical control areas and the individual controls apply to the majority of the systems within the assessment scope.'

 

OCR

  • According to the HITRUST Alliance, regarding its relevance to OCR Audit protocol:
    “Implementation of the CSF as the basis for an organization’s information protection program and subsequent use of HITRUST CSF Validated or Certified Assessments has also been accepted by OCR as evidence of their compliance with the HIPAA Security Rule, assuming the assessment addresses the appropriate scope relevant to OCR’s audit or investigation. The HITRUST CSF and CSF Assurance Program have also been used in resolution agreements with OCR.”

(Source: http://hitrustalliance.net/frequently-asked/1/en/topic/how-does-a-csf-assessment-meet-the-hipaa-requirement-for-a-risk-analysis-and-can-it-be-used-to-support-an-ocr-audit

 

Network Diagram

  • ER Express' network lives in the Microsoft Azure cloud.  Our full-stack diagram is available for download.

 

Software development lifecycle

  • ER Express follows the standard SDLC.
  • SDLC is a structure followed by a development team within the software organization. It consists of a detailed plan describing how to develop, maintain and replace specific software. The life cycle defines a methodology for improving the quality of software and the overall development process."

Source: https://www.techopedia.com/definition/22193/software-development-life-cycle-sdlc

 

Vendor Management Policy

We require all of our vendors to adhere to the same set of compliance standards.  We ask vendors to sign our vendor management policy, which requires them to:

  1. Agree to follow ER Express security policies & procedures
  2. Sign an NDA
  3. Sign a BAA
  4. Ensure that the staff who work on ER Express projects have had background checks
  5. Ensure that the staff who work on ER Express projects have passed a recent drug screen

 

The following documents are available by request

  1. Cyber Liability

  2. General Liability

  3. Employee Compliance Training & Quiz Log

  4. Risk Management Plan

  5. HITRUST Letter

The following documents are available to download:

 

Have more questions? Submit a request